Most people don’t realize, but there is a 3 digit code encoded into the magnetic stripe on the back of your credit and debit cards. This value is the card service code, and it’s not like the CVC or CVV value that you use when making an online purchase. Those values are effectively random, and are used to verify that the person making the transaction has a real card in front of them.
The service code is different because it has a structure. Each number in the service code has a specific meaning, known to the card brands. The purpose of this service code is to tell merchant terminals and acquiring networks what restrictions the issuer has placed on this card. Of course you can’t encode all possible restrictions in these 3 numbers, so they’re quite course-grained. But if you can read the service code from a card, as a merchant terminal would, you have some idea of any restrictions placed on this card.
Service Code Usage
The original use for the Card Service Code is the usage restrictions mentioned above. Good examples of these: the issuer can specify whether the card is intended for international use, or domestic only. And is a PIN required for all transactions? Or more subtly, is a PIN required, but only when the card is used at a terminal with a PIN pad?
But beyond the usage restrictions, the card service code is also used as one of the inputs for the CVC/CVV algorithm. In practice this is the more important use of this field today. Basically all card transactions online are verified using the CVC2/CVC2 on the back of the card.
For this, the card service code is one of the values sent to a payment HSM, along with the PAN and an encryption key. These values are used to calculate what the CVC/CVV for the card should be. The issuer then compares the calculated value to the CVC/CVV value presented by the merchant. If the numbers match, the card is valid. If they don’t, either the number was entered wrong, or it’s a stolen card number.
You can decode a card service code using the following table. Note that many of these are effectively N/A, meaning that you won’t see all such service codes in the wild.
|Position 1||Position 2||Position 3|
|Value||Interchange||Technology||Authorization Processing||Allowed Services||PIN Requirements|
|0||N/A||N/A||Normal||No restrictions||PIN Required|
|2||International||Integrated Circuit Card||By Issuer||Goods and services only||N/A|
|3||N/A||N/A||N/A||ATM only||PIN Required|
|4||N/A||N/A||By Issuer unless explicit bilateral agreement applies||Cash only||N/A|
|5||National||N/A||N/A||Goods and services only||PIN Required|
|6||National||Integrated Circuit Card||N/A||No restrictions||Prompt for PIN if PED present|
|7||Private||N/A||N/A||Goods and services only||Prompt for PIN if PED present|
These service codes are intended to be the same across card brands. Whether you have a Mastercard, Visa, or one of the others, the definition of the service code should be the same. The same is true whether you are using a prepaid, debit, or credit card – they all use these same definitions.