Skip to main content

Major credit cards are rolling out 19-Digit credit cards. Is your commerce site ready?

A change is coming to the credit card industry that could become the Y2K of online billing if ecommerce companies don’t take steps to be prepare.

Although many major credit card companies have technically allowed for longer 19-digit payment account numbers (PANs) since at least the 1990s, rumor has it that this month will see Visa roll out the first mainstream 19 digit cards. Visa (and a few other issuer’s) card number length possibilities will now range from 12 to 19-digits.

For those who might be too young to have experienced the Y2K scare as part of a development organization, the threat of a bug caused by the use of two-digit as opposed to four-digit year fields caused companies to rush to audit and upgrade their systems. It wasn’t an incredibly complicated changeover, but it still required careful QA to prevent downtime.

Below I’ve outlined some important design, UX, and development areas that could be impacted by the extra digits. Don’t wait! Make sure your site is ready to go now.

Important areas to consider when looking at preparing commerce systems:

Input validation: Will your input fields reject the new longer card numbers? This is likely to result in end-user frustration.

Display fields: Will card numbers display correctly when stored? Are the actual input fields long enough to show all the digits of the card number as it is being input? How will this affect the user experience tools that you might have implemented to improve the checkout process?

A great outline of some credit card ecommerce user experience findings is outlines tips for improving the usability of credit card forms.

Internal field length: Is the underlying code built to store the longer field length? A basic, but still very important factor to consider.

Billing logic: How will the longer account numbers affect the actual transaction logic? Are there card type specific rules that will be affected? 19-digit card numbers should still pass the basic Luhn (Mod 10) credit card validation algorithm.

CI compliance: In addition to user experience and back-end logic issues, it’s important to think about the potential impact on PCI compliance.

The Payment Card Industry Data Security Standard (PCI DSS) administered by the credit card industry details the step that must be taken to protect cardholder data. Any company or organization that accepts card payments, and stores, processes and transmits cardholder data must be PCI compliant.

Although the overall impact of the 19-digit cards on PCI compliance shouldn’t be big, some small areas, such as card truncation may be impacted. That is, only the first six and last four digits of the card number can be stored. Depending on how this is coded, the last digits of a 19-digit card may be missed.

The PCI Council provides guidance for the storage of card numbers greater than 16 digits.  For example, the maximum amount of digits which may be retained include: for a 17-digit card: “First 6, any other 5”; for an 18-digit card: “First 6, any other 6”; and for a 19-digit card: “First 6, any other 7.”

Although it may be a while before your ecommerce site sees a real 19-digit card, we’d strongly suggest reviewing the questions above and testing your system today. Don’t forget to check your logs for any transactions that might have already failed due to cards already in circulation!