CVV Algorithm

May 14, 2013 at 12:07 AM
I'm looking at the code for generating a CVV. It seems to me that in some unlikely cases, when the ciphertext results in a block with fewer than 3 numerical digits, the while loop will run until it gives an index out of range error. To test this out I brute-forced the following working example.

with CVK key: 0123456789ABCDEF FEDCBA9876543210

Account Number: 0000000000032597

Service Code: 201

Expiration Date: "1212"

I can't find the official VISA specification for CVV calculation, but I can't imagine they designed such a flawed algorithm. Do you know how the algorithm is supposed to handle these cases?
May 14, 2013 at 1:00 AM
I figured it out by playing with an HSM. Apparently if the last block of ciphertext does not contain 3 digits, it gathers all the ones it has and for the remaining digits it decimalizes the letter characters A->0, B->1, C->2, etc., and circles back around.
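
The digit-extraction step discussed in this thread, as an added example that is not code from either poster or from the project: a digits-only scan that fails the way the first post describes, next to a two-pass version following the second post's description. It covers only the extraction from the final ciphertext block, not the DES steps; the hex blocks are constructed sample values, and reading "circles back around" as a second pass from the start of the block is an assumption.

```python
# Added example: extraction step only. The hex blocks used below are
# constructed sample values, not real DES output for any key or card.

HEX_CHARS = "0123456789ABCDEF"


def extract_naive(block_hex: str, length: int = 3) -> str:
    """Digits-only scan: walks off the end of the block when it holds
    fewer than `length` decimal digits (the failure in the first post)."""
    out, i = "", 0
    while len(out) < length:
        ch = block_hex[i]  # IndexError once i reaches len(block_hex)
        if ch.isdigit():
            out += ch
        i += 1
    return out


def extract_two_pass(block_hex: str, length: int = 3) -> str:
    """Pass 1 collects decimal digits left to right. Pass 2 restarts at the
    beginning of the block and decimalizes the letters (A->0, B->1, ... F->5)
    to fill whatever pass 1 left missing."""
    block = block_hex.upper()
    if len(block) < length or any(c not in HEX_CHARS for c in block):
        raise ValueError("expected a hex string of at least `length` characters")
    digits = [c for c in block if c.isdigit()]
    letters = [str(ord(c) - ord("A")) for c in block if c in "ABCDEF"]
    return "".join((digits + letters)[:length])


def compare(block_hex: str) -> tuple:
    """Return (naive result or exception name, two-pass result)."""
    try:
        naive = extract_naive(block_hex)
    except IndexError as exc:
        naive = type(exc).__name__
    return naive, extract_two_pass(block_hex)


if __name__ == "__main__":
    for sample in ("3F9A1C7E2B4D8F60",   # plenty of digits
                   "AF4EBDC7FABCDEFA",   # only two digits
                   "FEDCBAABCDEFFEDC"):  # no digits at all
        print(sample, compare(sample))
```
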