
Hello,
I'm looking at the code for generating a CVV, it seems to me that in some unlikely cases, when the ciphertext results in a block with less than 3 numerical digits, the while loop will run until it gives an index out of range error. To test this out I brute
forced the following working example.
with CVK key: 0123456789ABCDEF FEDCBA9876543210
Account Number: 0000000000032597
Service Code: 201
Expiration Date: "1212"
I can't find the official VISA specification for CVV calculation, but I can't imagine they designed such a flawed algorithm. Do you know how the algorithm is supposed to handle these cases?



I figured it out by playing with an HSM. Apparently if the last block of cyphertext does not contain 3 digits, it gathers all the ones it has and for the remaining digits it decimalizes the letter characters A>0, B>1, C>2, etc... and circles
back around.

