
Japan facing credit card number shortage - steve_g
https://mainichi.jp/english/articles/20200821/p2a/00m/0bu/025000c
======
joshfraser
What's crazy is that we've had public key encryption for over 40 years, and
we're still publishing magic numbers on little pieces of plastic that give
whoever sees them the power to take all our money without our consent.

~~~
remote_phone
Why on earth would we want this?

Right now all of the burden is on the credit card companies. Any fraud is
their liability.

If we switch things up, and implement something like passwords or pins, WE get
the liability. That’s worse than our current situation. And given how badly
people get hacked or phished, all it means is that consumers lose.

Right now, those “magic little numbers” work great, and in the case of fraud,
we are protected. I don’t want the situation to reverse itself and have us the
first to suffer from fraud.

~~~
nip180
Fraud results in higher prices for consumers through higher prices and credit
card interest/fees.

~~~
mauvehaus
Sure, but this is fundamentally the same deal as insurance: we distribute the
cost across the whole population at a constant, low cost rather than ask
individuals to take a big hit with low probability.

Unless you can eliminate fraud, those are basically your two choices.

~~~
Slartie
> Unless you can eliminate fraud

Which is exactly the purpose of good security measures.

Bad or nonexistent measures and an insurance against fraud slapped on all
prices is a local maximum. Good security measures which really push back the
fraud and allow prices to drop the insurance premium is obviously a better
local maximum.

You also don't have to eliminate 100% of fraud, just make it so rare that you
can basically ignore the risk because it happening to you is as unlikely as
being struck by lightning (or any other risk of life that people are
comfortable to ignore due to it being vanishingly small). The classic credit
card fraud with magstripes was the exact opposite of that: there was almost no
credit card owner who didn't get hit by it, and while people generally didn't
lose money due to reimbursement by the cc companies, they still lost time and
nerves over some stupid interruption in their lives that was entirely
unnecessary in the first place.

I myself had one of my cards suddenly deactivated by the bank because of
alleged fraud (it wasn't even real fraud, just some heuristic going crazy over
an actually intended payment). I was on a cruise ship in the Caribbean sea
when it happened and all of a sudden couldn't pay my beers with my ship card
anymore. Fortunately I had a second card with me that was working so I
continued using that, but in order to switch my onboard expenses account over
to it I had to spend some time at the customer service desk on the ship, where
there was a row of passengers standing at phones, occasionally speaking with
someone in various languages, but most of the time they seemed to be waiting
in silence for some kind of response. It took me a few minutes of overheard
conversation until I realized that these guys were in the same spot that I
was, but less well prepared; they didn't have another credit card with them
and thus had to call their banks back home in order to get them to unlock
their accounts again.

------
viraptor
Something not clear from the article: The tech already supports longer
numbers. Diners, Discover, UnionPay cards already allow up to 19 digits
officially. The problem could be in the custom forms which think 4x4 is the
right format, but the back-end should "just work" with them.

What I really don't understand is why the article makes it seem like a
national problem given the prefix is assigned to the companies, rather than
countries as such. (Although companies will get ranges and then assign
specific IINs to countries normally)

It seems that IINs are undergoing changes anyway and April 2022 is a deadline
for everyone to support 8-digit prefixes correctly.

~~~
snuxoll
I’ve run into multiple issues already with poorly designed forms on sites that
claim to accept Amex that freak out when I enter my 15-digit card number, I
would love to see the mess that adding longer numbers would cause.

~~~
badwolf
Or forms that accept the 15 digit Amex number, but then freak out when there's
a 4 digit cvv :|

------
gruez
>the company decided to take makeshift measures such as reusing credit card
numbers of discontinued cards after a certain period had passed since
cardholders canceled their memberships. However, there are considerable risks
of fraudulent usage

What are the risks here, and why aren't they already present by someone
generating credit card numbers with a RNG? AFAIK credit card transactions are
authenticated by at least expiration date and cvv, so there isn't a risk of
reusing credit card numbers.

>and a source close to the credit card industry said, "Increasing the number
of digits is the only real way to deal with the problem. There will likely be
a shift toward increasing the number of digits in the first half of this
decade."

ipv6 deployment all over again

~~~
saas_sam
What if they switched CC numbers TO IPV6 addresses? Insane or genius?

~~~
Slartie
Only slightly more insane than keeping the handy 4x4 format, but extending it
from base 10 numbers to base 16, which I would really love to see :D

~~~
dqv
They would need to EOL over-the-phone payments to do this. People have
horrible diction and it's hard to tell the difference between b, c, d, and e
when a particularly lazy lipped person says these letters (in addition to non-
hex letters like g, p, t, and v). Then they use their own ambiguous phonetic
system (b as in ball, c as in call, d as in doll will confuse anyone trying to
distinguish between the three). Oh and this compounds on ambiguous sounding
digits like 13 and 30; 14 and 40; 15, 16, 50 and 60; 17 and 70; 18 and 80; 19
and 90. It can't be done with DTMF digits anymore either.

All in all not a bad direction to go in. I wouldn't really miss phone
payments.

~~~
labster
Why don’t we teach schoolchildren the NATO phonetic alphabet? Seems like it
wouldn’t take that long, and it would be a useful skill for their whole life.

~~~
dqv
We should. There are so many adults who think it's cute to make up their own
phonetics not realizing the whole purpose is to reduce ambiguity, not make it
fun to spell things aloud.

~~~
jessriedel
As an adult who tries to remember the NATO phonetic alphabet but can't because
I only use it once per month, I don't make up words "for fun" or "to be cute".
I do it because I can't remember the NATO word. Compared to just saying the
letters, the words I choose certainly _do_ reduce ambiguity, even if using the
NATO alphabet would go even further.

~~~
PowerBar
Some good advice I got from a HAM was to read license plates in your head
using the NATO alphabet. Their letters are mostly random so you tend to see
each letter at roughly the same frequency and it can be done daily without
taking away time from your schedule. Being random also prevents you from just
remembering the order of the words and actually associating them with their
respective letters.

After doing that for a week or two (I was bike commuting at the time), I had
it pretty much memorized.

------
jandrese
Assuming the last digit is a checksum and the first six are taken by the
routing information, that leaves them 9 digits or a billion possible numbers
per credit card issuer. Japan has a population of about 125 million. Are
Japanese people cycling their numbers so frequently? Or are they big on
ephemeral card numbers?

Is it not possible for an issuer to get a second prefix if they run out of
digits?

I also wonder if credit card numbers aren't living on borrowed time anyway.
Instead of adding more digits it might make sense to remove the digits
entirely and only allow token based transactions. This does assume we figure
out a way to do online purchases not using the digits.

~~~
lmm
> Assuming the last digit is a checksum and the first six are taken by the
> routing information, that leaves them 9 digits or a billion possible numbers
> per credit card issuer. Japan has a population of about 125 million. Are
> Japanese people cycling their numbers so frequently? Or are they big on
> ephemeral card numbers?

Credit cards - and payment methods generally - are in their Cambrian explosion
phase right now in Japan, particularly given the pandemic. Every company, big
or small, is pushing their own. I recently had to open a new credit card
because the gym I wanted to join only accepts payment via their partnered
credit cards. It came with a linked electronic money card (as well as having
native integration for a different electronic money format) that has what
looks like its own 16 digit credit card number, presumably for internal
payment infrastructure reasons, and an offer to apply for a separate linked
credit card for shopping in China, three other kinds of linked electronic
money cards (one for a supermarket chain, one for a local transport
network)...

Every shopping mall is pushing their card. My phone provider offered two
olympic tie-in cards and a regular version (that would actually save me money
if I could face going through the application). A theatre troupe I follow has
a deep partnership with a card issuer and has their own branded cards. Bands
have their own cards. Virtually any outfit with a loyalty/membership card is
trying to turn it into a credit card. And so people can easily have multiple
cards that they never use, because their loyalty card became a credit card but
they're still only using it as a loyalty card.

~~~
rswail
Most of these "branded" cards will have an underlying issuing bank/acquirer,
not their own identification on the card.

The way that the 16 digits are allocated is defined as per
https://en.wikipedia.org/wiki/Payment_card_number#Structure

So of the 16 digits for the majority of cards:

Digit 1-6(8): Scheme and issuer identification

Digits 7-15: Account identification

Digit 16: Check digit (Luhn algorithm)

So most issuers have 10 digits to "play with" to identify the account.

So Japan is either running out of issuer identifiers, which sounds excessive,
or they have been allocating them badly.
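
Added example, not part of the thread or of rswail's comment: a Python sketch of the layout described above (IIN of 6 or 8 digits, account identifier, Luhn check digit) that accepts any length up to 19 instead of assuming a 4x4 form. The function names and the 12-digit lower bound are assumptions of this example; the sample numbers are widely published test numbers, not real accounts.

```python
import re

MIN_LEN, MAX_LEN = 12, 19  # assumption: lower bound picked for this sketch


def luhn_check_digit(payload: str) -> int:
    """Return the digit that makes payload + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def parse_pan(raw: str, iin_len: int = 6) -> dict:
    """Split a card number into IIN, account identifier and check digit."""
    if iin_len not in (6, 8):
        raise ValueError("IIN length must be 6 or 8")
    # ASCII digits only: str.isdigit() and \d also accept full-width digits.
    if not re.fullmatch(r"[0-9][0-9 -]*", raw):
        raise ValueError("unexpected characters")
    digits = re.sub(r"[ -]", "", raw)
    if not MIN_LEN <= len(digits) <= MAX_LEN:
        raise ValueError("length out of range")
    if luhn_check_digit(digits[:-1]) != int(digits[-1]):
        raise ValueError("check digit mismatch")
    return {
        "iin": digits[:iin_len],
        "account": digits[iin_len:-1],
        "check": digits[-1],
        "length": len(digits),
    }


def account_space(length: int, iin_len: int) -> int:
    """Distinct account identifiers available under one IIN."""
    return 10 ** (length - iin_len - 1)  # minus IIN, minus check digit


if __name__ == "__main__":
    for sample in ("4111 1111 1111 1111", "378282246310005"):
        print(parse_pan(sample))
    for length, iin_len in ((16, 6), (16, 8), (19, 8)):
        print(length, iin_len, account_space(length, iin_len))
```
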

~~~
lmm
Sure, but if I have 8 different cards issued by SMBC then that's still 8
cards.

~~~
rtpg
Seconding this. I have multiple cards by SMCC, some basically given to me.

There's also a lot of "virtual credit card" offerings right now to pair with
peer-to-peer payment apps. I imagine that those need to get cycled through
frequently.

8 is not an exaggeration.

------
owenversteeg
Semi-off-topic, but does anyone know about the "churning" culture in Japan vs
the US? What are the numbers? Here in the US you can generally expect sign up
bonuses of a few hundred dollars, and a return of around 2% on your
transactions, with category bonuses up to 5%. What do people get in Japan?
I've just Googled it, and apparently some cards get 1 mile per 100 JPY
(approximately 1%) - do some get more than that? What about sign up bonuses?

To give the European perspective, there's much less "churning" available,
partly because of laws that limit transaction fees. Sign up bonuses are
usually around $50-$150, and many cards have no benefits _and_ an annual fee.
Cashback, if you do get it, is usually 1% or less, with exceptions going up to
1.5% or so.

~~~
fomine3
In Japan:

For a no-annual-fee card, the signup bonus without paying is around 1000-9000
JPY depending on the running campaign. Some cards also offer a bonus with
paying; the rate varies but is around 4-20% and the max bonus is around
2000-10000 JPY.

I'm not very familiar, but for an annual fee card, the signup bonus without
paying is around 5000-30000 JPY and the bonus with paying is a similar rate and
the max is around 10000-100000 JPY.

To get max bonus, you should use cashback sites.

For the transaction bonus, a 0.5% return is basic (card from a bank, gold card,
random shop's card), 1.0% is standard for a return-oriented card (like Rakuten,
d-card), and 1.2%-1.5% is a top return-oriented card (like Recruit). Most
return-oriented cards have no annual fee.

* Now 3% is super prominent top return rate by LINE Pay card (that's no annual fee) but it's run by campaign until 2021/05.

Cards for airlines are a different story; maybe 1 mile/100 JPY is a good return
on an annual fee card (I'm not familiar, but IMO airline cards aren't the
majority because fewer people travel overseas).

The transaction fee for merchants is rumored to be below 2% for big players
(like 7-11); around 3% is standard for real shops. Old contracts may charge
much higher fees.

A big difference from the US is that most cards are monthly-clear style, so
there is less revenue from revolving credit fees. Card issuers are trying hard
to get customers to use revolving payment.

------
JMTQp8lwXL
Beyond assigning IINs more judiciously, credit rating systems could drop the
concept of "more accounts = better credit". It would discourage people from
opening 7 credit cards to raise scores, when 1 or 2 would do.

~~~
x87678r
I have 4 unused cards I keep open just for this, seems a complete waste for
everybody.

~~~
JMTQp8lwXL
Make sure to use them every once in a while, otherwise the issuer may close
them.

~~~
smegger001
I have mine with automatic payments set up on them and a couple reoccurring
bills on each so there is consistent activity and is paid in full before the
end of the billing period for just this reason.

------
azhenley
Can Japan not obtain another country code from Visa/Mastercard (part of the
first 6 digits)?

~~~
BelleOfTheBall
I assume that it could work as a temporary solution but the article hints that
this problem will likely become global soon. So, instead of moving numbers,
it's easier to add some and increase the possible combinations.

~~~
spiznnx
I think it's better (for Japan) to force it into a global problem than a
domestic problem. Then more people will care about fixing it and the issuers
will retain international interoperability.

~~~
GoblinSlayer
No, let's first see how Japan fixes it.

------
pcurve
Surely, there's some inefficiency in how numbers are used... 10 quadrillion
for 7.5 billion people isn't enough?

~~~
henearkr
The first digits are a header identifying the type of the card, (visa,
mastercard...) and probably other characteristics.

The main problem is that in Japan everybody has like 5 credit cards, because
every big company has its own financial branch and issues cards (maybe to
profit from a "reservoir" effect of the accounts?). So you have a credit card
linked to your clothes shop, one from your supermarket, one from Rakuten
(Japan's Amazon), etc. You get points when you buy things from the company
linked to your card. I don't know how it is in US, but it certainly isn't like
that in France for example.

~~~
viraptor
"everyone" may be a bit extreme. There seems to be a national goal of going
more cashless, but right now they're one of the most cash-based countries:
https://www.statista.com/chart/19868/share-of-cash-payments-in-different-countries/
Japan had 82% cash transactions compared to 14% in South
Korea. From personal experience it's relatively normal to find a food place in
Tokyo which has no card reader at all.

~~~
henearkr
Yeah, lots of credit cards does not mean one can use cashless payment
everywhere, paradoxically...

It's more 5 cards than 15, I admit... I edited my comment accordingly. It
still seems a lot to me, why not just one?

~~~
viraptor
I was going to agree it's a lot... but then realised every one of my grocery
gift cards has a PAN attached, which means I'm going through 2-3 numbers a
month myself. (Not in Japan) Then again, I expect the shop to recycle those
faster than Visa.

------
gumby
Seems like companies not using all of theirs (and defunct or quasi-defunct
companies) could sell off unused chunks.

------
donor20
This is a ridiculous story.

Japan has a population of 150M.

If you can't give folks a number from SIXTEEN digits - something is wrong with
the folks giving out the numbers.

Some answers to the excuses. The 6 digits at front, if a company legit runs
out of numbers, ask for another prefix.

The reality. Instead of using the numbers properly (random ID to tie to a user
account) they are probably putting some kind of structure into the digits that
results in very inefficient use.

These are the 10 digits available PER PREFIX!

1,234,567,890

Even with a check digit you are at a billion numbers PER PREFIX! You can't get
125 million folks into this address space?

Absolutely pitiful.

~~~
chrisseaton
> You can't get 125 million folks into this address space?

I think some people are now using a new card number _per transaction_, with
these disposable card numbers, aren't they?

~~~
pedroma
You're talking about services like Google/Apple Pay right? Aren't these credit
card numbers rotated by Google/Apple, and they just keep some mapping of
userIds, transactionIds, and rotated cardIds?

~~~
chrisseaton
No I think you can genuinely get disposable real credit card numbers.

https://www.theukdomain.uk/virtual-credit-card-numbers-everything-you-need-to-know/

------
sgjohnson
>In the case that the number of card digits will be increased, it is necessary
to discuss within the industry whether the 16-digit cards that already exist
should all be changed into new cards as well, or if the two types can exist
alongside each other.

This is literally a non issue. Amex cards have 15 digits and a 4 digit CVV.
I've literally never had any issues with it.

~~~
fomine3
AMEX isn't major in Japan so possibly some Visa/Master only systems cause a
problem.

~~~
sgjohnson
But they definitely operate in Japan. Doesn't matter if they are major or not.

And the acceptance was great, when I was in Japan I never had to resort to my
backup MasterCard.

------
noisy_boy
Maybe it's time to move to a uuid-type card number - prefix with country code
to increase the available space even more.

------
nottorp
Incoming credit card v6 fiasco?

------
ineedasername
Strange that systems have limitations like this. I know, there's always design
trade offs.

This is just one of those things that looks like it should be _last_number +=
1_

~~~
oehtXRwMkIs
I hear that would be insecure, just like SSNs.

~~~
ineedasername
It doesn't have to literally be incremented, my thinking was just that you
can't really run out of numbers.

But then again if they used something like a 32 bit int and don't use
sequential numbers, I suppose retrofitting for a 64 bit int might take a
decent amount of work.

------
qertoip
Time to move towards practical pubkey based payment systems like Monero. You
can never run out of cryptographic key pairs.

------
systematical
I've been saying for years we should switch to credit card numbers which are a
nice easy sha512

------
JoeAltmaier
I'd like a unique card number with every transaction, that I set online to
exactly the amount I'm spending. And it expires after that one use.

Eliminates risk of 'stealing' a credit card, mostly.

But it would use a butt-ton of numbers. Maybe a UUID?

~~~
chrisseaton
> that I set online to exactly the amount I'm spending

Sounds like it would take longer at checkout though?

~~~
JoeAltmaier
Lots of my spending is online. Like everybody else, considering Amazon's
success.

~~~
chrisseaton
Ok... sounds like it would take longer at _online_ checkout then.

~~~
JoeAltmaier
Unless somebody wrote an app, or the store cooperated like PayPal, or 100
other things.

Let's try to imagine a better future?

~~~
chrisseaton
Don't you already get this with Verified by Visa and MasterCard SecureCode?
You don't need new credit card numbers to do this.

But merchants don't implement it... because it's an extra step and consumers
don't like it. The very last thing a merchant wants to do is put an extra step
in front of someone _just about_ to buy.

~~~
JoeAltmaier
Exactly. That's why, a new number for every transaction. No merchant
requirement.

~~~
chrisseaton
I don't understand how you think you can get a new number for each transaction
without any extra step getting in the way? How does your card issuer know you
want a new number and how much to set the limit?

Do you go to an app? That's a separate step. Consumers demonstrably don't want
extra steps.

Do you integrate it with the merchant and do it automatically? Then it's no
safer as there's no authorisation.

------
EricE
IPv6 for credit cards. This should be fun!

------
dzhiurgis
Just buy them off Russians ;D

------
known
blockchain is looking for problems :)

------
rootusrootus
I wonder how this became a problem. Your CC number is not just 16 digits long.
It's 16, plus expiration, plus the 3-4 extra security digits, plus your name,
plus your zip code. That's quite a lot of entropy.

~~~
sitharus
That's not true. The number is just the number, though it can be more than 16
digits. The initial six digits identify the card issuer. Expiration and
CVC/CCV are security checks, but only work in combination with the number.
Name is generally not verified, though is often used in fraud assessment.
Address verification is uncommon, and almost unused outside the US.

~~~
sgjohnson
> Address verification is uncommon, and almost unused outside the US.

Billing address verification is extensively used in the UK.

