This article sheds some light on just what credit card numbers are....in terms of what criteria are necessary for them to meet and whether there exist built-in protections preventing fraud and the ability of fraudsters to come up with arbitrarily generated numbers to use for illegitimate transactions.
Most credit card numbers are 13, 15 or 16 digits in length. Specifically, Visa cards' may be 13 or 16 digits long. American Express' are 15 digits long. Discover and materCard are 16 long. AmEx numbers begin with "3", Visa with "4"; Mastercard with "5"; DiscoverCard with "6". This is the MII or Major Industry Identifier and are based on preassigned numbers -allowed for issuers in particular classes of industries- by the International Standards Organization (ISO) and the American National Standards Institute (ANSI).
The first 6 digits (from the left to the right) are the Issuer Identifier Number. The remaining digits up to and excluding the final digit form the actual identifying code for a specific card. So for a 16 digit variant, 9 digits are available for the individual card value. In theory, this means 109 possible cards can be issued. However, the question arises: Are all these potential values legitimate? This is where the standardization used to create valid numbers becomes relevant.
Credit Card numbers have to conform to the Luhn Algorithm, named after Hans Peter Luhn (1896-1964), a scientist at IBM. Using this algorithm a number of operations are performed with the values of individual digits of a specific card number. At the end of this the Luhn Algorithm states that the final value obtained is tested to see whether it is divisible by 10. The result of this test determines the value of the last digit of a credit card.....which we have not as yet discussed. This final value is a check bit, in effect. It has the unique function of being assigned in such a way that it assures that the final value of the number obtained by performing the Luhn Algorithm on the credit card number is divisible by 10. In other words, it is a number that when added to the Luhn Algorithm derived value (obtained from the numbers to its left) results in a number divisible by ten.
The last digit therefore has a 1 in 10 chance of being legitimate and is a built-in basic validity test for any arbitrary credit card number. Of course, there are other values that must be validated before any credit card transaction is processed in real-world commerce. These values (cardholder name, expiration date, billing address, CCV code, etc.) can be processed both at the originating point and the end point of the transaction. it means that a number of levels of validity checking take place before the transaction is allowed to occur and essentially removes the possibility of fraud outside of a compromising or disclosure of these values themselves.