The Service Code is a 3 digit value encoded into the magnetic stripe on the back of your credit and debit cards. Typical cards actually have two copies of this service code in the magstripe. It’s present in both Track 1 and Track 2, encoded to the immediate right of the expiration date in both cases.
The Service Code is separate to and not to be confused with the Card Security Code. The latter is the CVC or CVV value you enter to verify the card when making an online purchase. The Card Security Code is effectively random, and is used to verify that the person making the transaction has a real card in front of them. On the other hand, the Service Code has a specific, well defined structure.
Each number in the service code has a well-defined meaning, known to the card brands and other components of the interchange networks. The purpose of the service code is to tell merchant terminals and acquiring networks about usage restrictions the issuer has placed on this card.
Of course you can’t encode all possible restrictions in these 3 numbers, so they’re quite course-grained. But if you can read the service code from a card, as a merchant terminal would, you have some idea of what the issuer allows the card to be used for.
Service Code Usage
The original use for the Card Service Code is the usage restrictions mentioned above. As examples: the issuer can specify whether the card is intended for international use, or domestic only. And is a PIN required for all transactions? Or more subtly, is a PIN required, but only when the card is used at a terminal with a PIN pad?
But beyond the usage restrictions, the card service code is also used as one of the inputs for the CVC/CVV algorithm. In practice this is the more important use of this field today. Basically all card transactions online are verified using the CVC2/CVC2 on the back of the card.
For this, the card service code is one of the values sent to a payment HSM, along with the PAN and an encryption key. These values are used to calculate what the CVC/CVV for the card should be. The issuer then compares the calculated value to the CVC/CVV value presented by the merchant. If the numbers match, the card is valid. If they don’t, either the number was entered wrong, or it’s a stolen card number.
You can decode a card service code using the following table. Note that many of these are effectively N/A, meaning that you won’t see all such service codes in the wild.
|Position 1||Position 2||Position 3|
|Value||Interchange||Technology||Authorization Processing||Allowed Services||PIN Requirements|
|0||Normal||No restrictions||PIN Required|
|2||International||Integrated Circuit Card||By Issuer via Online||Goods and services only|
|3||ATM only||PIN Required|
|4||By Issuer via Online unless explicit bilateral agreement applies||Cash only|
|5||National||Goods and services only||PIN Required|
|6||National||Integrated Circuit Card||No restrictions||Prompt for PIN if PED present|
|7||Private||Goods and services only||Prompt for PIN if PED present|
These service codes are intended to be the same across card brands. Whether you have a Mastercard, Visa, or another, the definition of the service code should be the same. This is true whether you are using a prepaid, debit, or credit card – all use these same definitions.
Open Loop Example
A typical value for a modern open loop card is 221. Reading from left to right, this means:
- 2 – International interchange, use IC (chip) where feasible
- 2 – Contact issuer via online means
- 1 – No restrictions
The issuer issuer wants the terminal to use the IC (chip) rather than magnetic stripe, if the terminal is chip capable (should be the norm at this point!). Authorizations should be done online, which is reasonable for debit transactions. And there are no special restrictions, meaning the card is general purpose and isn’t limited to ATMs, for example.