The Service Code is a 3 digit value encoded into the magnetic stripe on the back of your credit and debit cards. Typical cards actually have two copies of this service code in the magstripe, as it’s present in both Track 1 and Track 2. In both tracks, the service code is encoded to the immediate right of the expiration date in both cases.
The Service Code is separate to and not to be confused with the Card Security Code. The latter is the CVC or CVV value you enter to verify the card when making an online purchase. The Card Security Code is effectively random, and is used to verify that the person making the transaction has a real card in front of them. On the other hand, the Service Code has a specific, well defined structure.
Each number in the service code has a well-defined meaning, known to the card brands and other components of the interchange networks. The purpose of the service code is to tell merchant terminals and acquiring networks about usage restrictions the issuer has placed on this card.
Of course you can’t encode all possible restrictions in these 3 numbers, so they’re quite course-grained. But if you can read the service code from a card, as a merchant terminal would, you have some idea of what the issuer allows the card to be used for.
Contents
Service Code Usage
The original use for the Card Service Code is the usage restrictions mentioned above. As examples: the issuer can specify whether the card is intended for international use, or domestic only. And is a PIN required for all transactions? Or more subtly, is a PIN required, but only when the card is used at a terminal with a PIN pad?
But beyond the usage restrictions, the card service code is also used as one of the inputs for the CVC/CVV algorithm. In practice this is the more important use of this field today. Basically all card transactions online are verified using the CVC2/CVC2 on the back of the card.
For this, the card service code is one of the values sent to a payment HSM, along with the PAN and an encryption key. These values are used to calculate what the CVC/CVV for the card should be. The issuer then compares the calculated value to the CVC/CVV value presented by the merchant. If the numbers match, the card is valid. If they don’t, either the number was entered wrong, or it’s a stolen card number.
Code Table
You can decode a card service code using the following table. Note that many of these are effectively N/A, meaning that you won’t see all such service codes in the wild.
| Position 1 | Position 2 | Position 3 | |||
|---|---|---|---|---|---|
| Value | Interchange | Technology | Authorization Processing | Allowed Services | PIN Requirements |
| 0 | Normal | No restrictions | PIN Required | ||
| 1 | International | No restrictions | |||
| 2 | International | Integrated Circuit Card | By Issuer via Online | Goods and services only | |
| 3 | ATM only | PIN Required | |||
| 4 | By Issuer via Online unless explicit bilateral agreement applies | Cash only | |||
| 5 | National | Goods and services only | PIN Required | ||
| 6 | National | Integrated Circuit Card | No restrictions | Prompt for PIN if PED present | |
| 7 | Private | Goods and services only | Prompt for PIN if PED present | ||
| 8 | |||||
| 9 | Test | ||||
These service codes are intended to be the same across card brands. Whether you have a Mastercard, Visa, or another, the definition of the service code should be the same. This is true whether you are using a prepaid, debit, or credit card – all use these same definitions.
Note that the ‘PIN required’ field in the service code is not the only thing that will determine if a PIN is required. All EMV chip cards also have a list of acceptable ways to verify the card holder encoded on the chip. This list is the CVM (Cardholder Verification Method) list, and can include options such as:
- No verification required
- Signature sufficient
- PIN required
If an EMV terminal is processing an EMV card, the CVM list will determine whether a PIN is required.
Open Loop Example
A typical value for a modern open loop card is 221. Reading from left to right, this means:
- 2 – International interchange, use IC (chip) where feasible
- 2 – Contact issuer via online means
- 1 – No restrictions
The issuer issuer wants the terminal to use the IC (chip) rather than magnetic stripe, if the terminal is chip capable (should be the norm at this point!). Authorizations should be done online, which is reasonable for debit transactions. And there are no special restrictions, meaning the card is general purpose and isn’t limited to ATMs, for example.
Service Code List
The following table illustrates lists commonly used card service codes. For each, we decode the service code to show what the code requires.
| Service Code | Card Usage |
|---|---|
| 121 | International Magstripe card Authorization by issuer online No restrictions on terminal |
| 201 | International Chip card Normal authorization processing No terminal restrictions |
| 206 | International Chip card Normal authorization processing Terminal must prompt for PIN if PIN pad present |
| 220 | International Chip card Authorization by issuer online PIN required |
| 221 | International Chip card Authorization by issuer online |
| 521 | National (domestic only) Chip card Authorization by issuer online |
| 702 | Private Goods and Services only Prompt for PIN if PED present |
ISO/IEC 7813
Per the ISO 7813 payment card specification, the service code is a mandatory field in both track 1 and track 2. However, the ISO/IEC standard does not require that the service code be a 3 digit value. This field can be populated either with the numeric service code defined above, or instead by a single placeholder symbol.
A different placeholder character is specified for each track on the magnetic stripe.
- Track 1 placeholder: ^ (caret symbol)
- Track 2 placeholder: = (equals symbol)
If no service code is defined for this card, the placeholder symbol must be used instead.
