Magnetic Stripe Track Data Explained: Track 1 & Track 2 Format Guide
Swipe a credit card through a reader and in under 200 milliseconds, a thin strip of iron oxide particles has delivered your complete payment credentials — account number, name, expiration date, and a cryptographic verification value — all encoded as magnetic flux reversals on a piece of plastic. That strip has been the backbone of card payments since the 1960s, and understanding its data format is still essential for anyone working in payment processing today.
What is Magnetic Stripe Data?
Magnetic stripe data (commonly called track data) is the information encoded on the magnetic stripe found on the back of payment cards. The stripe contains up to three tracks of data defined by ISO/IEC 7811 and ISO/IEC 7813, each with a specific format, character set, and purpose.
When a card is swiped at a point-of-sale terminal, the reader captures the magnetic flux transitions and converts them into the digital characters that make up Track 1 and Track 2 data. This data flows through the payment network inside ISO 8583 messages, ultimately reaching the card issuer for authorization.
Track data is considered Sensitive Authentication Data (SAD) under PCI DSS — it must never be stored after authorization, making it one of the most protected data elements in the entire payment ecosystem.
Try it yourself: Paste a raw ISO 8583 message containing Fields 35 or 45 into our ISO 8583 Studio to see track data parsed in context.
Also Known As…
Magnetic stripe data goes by many names across different documentation:
| Name | Context |
|---|---|
| Track data | Universal industry shorthand |
| Magstripe data | Casual abbreviation |
| Swipe data | Merchant/POS terminology |
| Stripe data | Generic usage |
| Track 1 / Track 2 | Referring to specific tracks |
| Full track data | When both tracks are captured unaltered |
| SAD (Sensitive Authentication Data) | PCI DSS classification |
| ISO 7813 data | Standards reference |
How the Magnetic Stripe Works
The magnetic stripe on a payment card consists of three separate tracks, each recorded at a different position on the stripe. The encoding uses a technique called F2F (Frequency/double Frequency) encoding, where data is represented as magnetic flux transitions.
Physical Layout
Card Back (magnetic stripe area):
┌──────────────────────────────────────────────────┐
│ Track 1 (IATA) — 210 bpi — 79 chars max │ ← Top
│ Track 2 (ABA) — 75 bpi — 40 chars max │ ← Middle
│ Track 3 (THRIFT) — 210 bpi — 107 chars max │ ← Bottom
└──────────────────────────────────────────────────┘
| Track | Standard | Density | Max Characters | Character Set | Used For |
|---|---|---|---|---|---|
| Track 1 | ISO/IEC 7813 (IATA) | 210 bpi | 79 | Alphanumeric (A-Z, 0-9, special) | Primary payment data + cardholder name |
| Track 2 | ISO/IEC 7813 (ABA) | 75 bpi | 40 | Numeric only (0-9, separators) | Primary payment data (no name) |
| Track 3 | ISO/IEC 4909 (THRIFT) | 210 bpi | 107 | Numeric only | Rarely used (originally for ATM/debit) |
Coercivity: HiCo vs. LoCo
The magnetic stripe itself comes in two strengths:
| Type | Coercivity | Stripe Color | Durability | Usage |
|---|---|---|---|---|
| HiCo (High Coercivity) | 2750-4000 Oe | Dark brown/black | High — resists demagnetization | Credit/debit cards, hotel keys |
| LoCo (Low Coercivity) | 300 Oe | Light brown | Low — easily overwritten | Gift cards, loyalty cards |
Payment cards universally use HiCo stripes because they resist accidental demagnetization from proximity to magnets, phones, or other cards.
Track 1 Data Format (IATA)
Track 1 is the most information-rich track. Originally defined by the International Air Transport Association (IATA) for airline ticketing, it was adopted by the banking industry because it includes the cardholder’s name — critical for card-present verification.
Field-by-Field Breakdown
%B4111111111111111^DOE/JOHN Q^26012011000000000000?
│ │ │ │ │
│ │ │ │ └── End Sentinel: ?
│ │ │ └── Discretionary Data + Check (LRC)
│ │ └── Field Separator: ^
│ └── PAN (Primary Account Number)
└── Start Sentinel + Format Code: %B
| Field | Characters | Description | Example |
|---|---|---|---|
| Start Sentinel | % | Marks beginning of data | % |
| Format Code | B | Financial card format | B |
| PAN | Up to 19 digits | Primary Account Number | 4111111111111111 |
| Field Separator | ^ | Delimits fields | ^ |
| Cardholder Name | 2-26 chars | Last/First Middle (slash-separated) | DOE/JOHN Q |
| Field Separator | ^ | Delimits fields | ^ |
| Expiration Date | 4 digits (YYMM) | Card expiry | 2601 (Jan 2026) |
| Service Code | 3 digits | Interchange and authorization rules | 201 |
| Discretionary Data | Variable | Issuer-defined (contains CVV, PVV, etc.) | 1000000000000 |
| End Sentinel | ? | Marks end of data | ? |
| LRC | 1 char | Longitudinal Redundancy Check | (calculated) |
Worked Example
Let’s parse this complete Track 1 string character by character:
%B4111111111111111^DOE/JOHN Q^26012011000000000000?
| Extracted Field | Value | Interpretation |
|---|---|---|
| Format Code | B | Financial/banking card |
| PAN | 4111111111111111 | Visa test card (starts with 4, passes Luhn) |
| Cardholder Name | DOE/JOHN Q | Last name: DOE, First: JOHN, Middle initial: Q |
| Expiration Date | 2601 | January 2026 |
| Service Code | 201 | International, normal auth, normal services |
| Discretionary Data | 1000000000000 | Issuer-specific (CVV embedded here) |
Validate the PAN: Paste
4111111111111111into our Luhn Validator to confirm it passes the Luhn check.
Name Encoding Rules
The cardholder name follows specific formatting conventions:
| Component | Separator | Example |
|---|---|---|
| Last name | / before first name | DOE/JOHN |
| First name | After / | JOHN |
| Middle initial | Space after first name | Q |
| Title/suffix | Space or period | DOE/JOHN Q MR |
| Multiple surnames | Space-separated | VAN DER BERG/ANNA |
The name field is padded with spaces to fill its allocated space (up to 26 characters). Characters are limited to uppercase A-Z, spaces, periods, and a few special characters.
Track 2 Data Format (ABA)
Track 2 is the workhorse of payment processing. Defined by the American Bankers Association (ABA), it carries the same critical payment data as Track 1 but in a more compact, numeric-only format. Most modern payment systems rely on Track 2 as the primary data source.
Field-by-Field Breakdown
;4111111111111111=26012011000000000000?
│ │ │
│ │ └── End Sentinel: ?
│ │
│ └── Separator: =
└── Start Sentinel + PAN: ;4111111111111111
| Field | Characters | Description | Example |
|---|---|---|---|
| Start Sentinel | ; | Marks beginning of data | ; |
| PAN | Up to 19 digits | Primary Account Number | 4111111111111111 |
| Field Separator | = | Delimits fields | = |
| Expiration Date | 4 digits (YYMM) | Card expiry | 2601 (Jan 2026) |
| Service Code | 3 digits | Interchange and authorization rules | 201 |
| Discretionary Data | Variable | Issuer-defined (contains CVV, PVV, PIN offset) | 1000000000000 |
| End Sentinel | ? | Marks end of data | ? |
| LRC | 1 digit | Longitudinal Redundancy Check | (calculated) |
Worked Example
Parse this Track 2 string:
;4111111111111111=26012011000000000000?
| Extracted Field | Value | Interpretation |
|---|---|---|
| PAN | 4111111111111111 | Visa test card |
| Expiration Date | 2601 | January 2026 |
| Service Code | 201 | International, normal auth, normal services |
| Discretionary Data | 1000000000000 | Issuer-specific data |
Key difference from Track 1: Track 2 has no cardholder name. This is why some legacy systems that require name verification must read Track 1.
Track 3 Data Format
Track 3 was originally designed by the Thrift Industry for ATM and debit transactions. It supports read/write operations, allowing the stripe to be updated after each transaction — a concept that was eventually replaced by online authorization.
| Feature | Track 3 Detail |
|---|---|
| Standard | ISO/IEC 4909 |
| Density | 210 bpi |
| Max Characters | 107 numeric |
| Read/Write | Yes (unlike Tracks 1 and 2) |
| Current Usage | Virtually unused in modern payment processing |
| Why abandoned | Online authorization made offline balance tracking unnecessary |
Track 3 is not included in ISO 8583 messaging. If you encounter it, you’re likely dealing with a legacy closed-loop system.
Track 1 vs Track 2: Side-by-Side Comparison
| Feature | Track 1 (IATA) | Track 2 (ABA) |
|---|---|---|
| Standard | ISO/IEC 7813 | ISO/IEC 7813 |
| Recording Density | 210 bpi | 75 bpi |
| Max Characters | 79 | 40 |
| Character Set | Alphanumeric + special | Numeric only |
| Start Sentinel | % | ; |
| Field Separator | ^ | = |
| End Sentinel | ? | ? |
| Cardholder Name | Yes | No |
| PAN | Yes | Yes |
| Expiration Date | Yes | Yes |
| Service Code | Yes | Yes |
| CVV/CVC | Yes (in discretionary data) | Yes (in discretionary data) |
| ISO 8583 Field | Field 45 | Field 35 |
| Primary Use | Airline + banking (name needed) | Banking (most POS transactions) |
Both tracks contain the same financial data. The primary difference is that Track 1 includes the cardholder name and uses an alphanumeric character set, while Track 2 is purely numeric and therefore more compact and reliable to read.
Service Codes Explained
The 3-digit service code appears in both Track 1 and Track 2. Each digit controls a different aspect of how the card should be processed:
Service Code: [D1][D2][D3]
│ │ │
│ │ └── Digit 3: Allowed Services & PIN
│ └── Digit 2: Authorization Processing
└── Digit 1: Interchange & Technology
Digit 1 — Interchange and Technology
| Value | Meaning |
|---|---|
| 1 | International interchange OK |
| 2 | International interchange OK, use IC (chip) where feasible |
| 5 | National interchange only, except under bilateral agreement |
| 6 | National interchange only, except under bilateral agreement, use IC where feasible |
| 7 | No interchange except under bilateral agreement (private) |
| 9 | Test card |
Digit 2 — Authorization Processing
| Value | Meaning |
|---|---|
| 0 | Normal authorization — no restrictions |
| 2 | Contact issuer via online means (positive authorization required) |
| 4 | Contact issuer via online means (positive authorization, unless explicit bilateral agreement applies) |
Digit 3 — Allowed Services and PIN
| Value | Meaning |
|---|---|
| 0 | No restrictions, PIN required |
| 1 | No restrictions |
| 2 | Goods and services only (no cash) |
| 3 | ATM only, PIN required |
| 5 | Goods and services only, PIN required |
| 6 | No restrictions, require PIN when feasible |
| 7 | Goods and services only, require PIN when feasible |
Common Service Code Combinations
| Code | Meaning | Typical Card Type |
|---|---|---|
101 | International, normal auth, no restrictions | Standard credit card |
201 | International, chip preferred, no restrictions | EMV credit card |
221 | International, chip preferred, online auth required, no restrictions | EMV debit card |
120 | International, normal auth, PIN required | PIN-preferring debit |
501 | National only, normal auth, no restrictions | Domestic-only card |
601 | National only, chip preferred, no restrictions | Domestic EMV card |
900 | Test card, no restrictions, PIN required | Test/development card |
Look up any code: Our Reference Database has a complete, searchable service code reference with deep-linking.
CVV, CVC, and CID in Track Data
The Card Verification Value (CVV) — or CVC (Mastercard), CID (Amex/Discover) — is a cryptographic value embedded in the discretionary data portion of both tracks. Critically, the track data CVV is different from the 3-digit number printed on the back of the card.
| Verification Value | Location | Purpose |
|---|---|---|
| CVV1 / CVC1 | Encoded in Track 1 and Track 2 discretionary data | Proves the magnetic stripe was physically read |
| CVV2 / CVC2 | Printed on the card back (3 digits) | Proves the cardholder has the physical card (CNP transactions) |
| iCVV / Dynamic CVV | Generated by EMV chip per transaction | Proves the chip was present and active |
How CVV1 Works
CVV1 is calculated using:
- The PAN (Primary Account Number)
- The expiration date
- The service code
- A pair of DES keys known only to the issuer
The resulting 3-digit value is embedded in the discretionary data of both tracks. When the issuer receives the track data in an authorization request, it recalculates the CVV and compares it. If the values don’t match, the card is likely counterfeit.
Learn about cryptographic operations: Our HSM Basics for Developers guide explains how HSMs verify CVV values during authorization.
CVV1 vs iCVV: The Fraud Detection Trick
EMV chip cards deliberately use a different CVV value (iCVV) when generating magnetic stripe equivalent data. This allows issuers to detect a specific type of fraud:
| Scenario | CVV in Data | Issuer Action |
|---|---|---|
| Genuine magnetic stripe swipe | CVV1 (from track) | Verify CVV1 → approve |
| Genuine chip transaction | iCVV (from chip) | Verify iCVV → approve |
| Cloned mag stripe from chip data | iCVV (wrong for mag stripe) | CVV mismatch → decline |
| Cloned chip data to mag stripe | CVV1 (wrong for chip) | CVV mismatch → decline |
This is why POS Entry Mode code 95 exists — it tells the issuer that the chip was read but the CVV/iCVV data may be unreliable. See our POS Entry Mode Guide for the full code breakdown.
Track Data in ISO 8583
Track data is carried in two specific ISO 8583 fields:
| ISO 8583 Field | Contains | Max Length | Format |
|---|---|---|---|
| Field 35 | Track 2 data | 37 | Numeric + = separator |
| Field 45 | Track 1 data | 76 | Alphanumeric + ^ separators |
How It Appears in a Message
In a typical ISO 8583 authorization request (MTI 0100), the track data sits alongside other familiar fields:
MTI: 0100 (Authorization Request)
Field 2 (PAN): 4111111111111111
Field 3 (Processing): 000000
Field 4 (Amount): 000000001000
Field 22 (Entry Mode): 901 ← Full mag stripe read, PIN capable
Field 35 (Track 2): 4111111111111111=26012011000000000000
Field 45 (Track 1): B4111111111111111^DOE/JOHN Q^26012011000000000000
Note that Field 22 value 90 means “Magnetic stripe — full track data, unaltered.” The presence of Fields 35/45 should be consistent with this entry mode.
Parse a full message: Paste raw hex data into the ISO 8583 Studio to see Fields 35 and 45 decoded alongside the bitmap and all other data elements.
Which Track Does the Network Use?
| Network | Primary Track | Notes |
|---|---|---|
| Visa | Track 2 (Field 35) | Track 1 optional but recommended |
| Mastercard | Track 2 (Field 35) | Track 1 required for some products |
| American Express | Track 1 (Field 45) | Requires cardholder name for verification |
| Discover | Track 2 (Field 35) | Track 1 optional |
Security and PCI DSS Requirements
Track data is classified as Sensitive Authentication Data (SAD) under PCI DSS. The rules are absolute:
| PCI DSS Rule | Requirement |
|---|---|
| Requirement 3.3.1 | Full track data must never be stored after authorization |
| Requirement 3.3.1.1 | Track data must not be stored even if encrypted |
| Requirement 3.4 | If track data traverses your systems, it must be protected during transit |
What Happens If You Store Track Data
Storing full track data post-authorization is the most serious PCI violation a merchant or processor can commit:
| Consequence | Impact |
|---|---|
| Fines | $5,000 – $500,000 per violation |
| Forensic investigation | $20,000 – $500,000 for PFI engagement |
| Account termination | Loss of ability to accept card payments |
| Breach liability | Financial responsibility for all resulting fraud |
| Brand damage | Public disclosure of the breach |
Clean your logs: Use the PCI Sanitizer to detect and mask any track data that may have leaked into log files, support tickets, or debug output.
Why Track Data Encryption Matters
When track data is captured by a terminal, it should be encrypted immediately at the point of interaction before traversing any network. This is where DUKPT comes in — the standard key management scheme for encrypting track data at POS terminals.
Card Swipe → POS Terminal → DUKPT Encrypt → Encrypted Track Data → Network → HSM Decrypt
↓
Clear Track Data
(HSM memory only)
Deep dive: Learn how DUKPT generates a unique encryption key for every swipe in our DUKPT Key Management Guide.
JavaScript Track Data Parser
Here’s a parser for both Track 1 and Track 2 data:
function parseTrack1(raw) {
// Track 1 format: %BPAN^NAME^YYMMSSSDDDDDDDDDDDDDD?
const match = raw.match(
/^%([A-Z])(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})(.+)\?$/
);
if (!match) return { error: 'Invalid Track 1 format' };
return {
formatCode: match[1],
pan: match[2],
name: match[3].trim(),
expiration: match[4], // YYMM
serviceCode: match[5],
discretionaryData: match[6]
};
}
function parseTrack2(raw) {
// Track 2 format: ;PAN=YYMMSSSDDDDDDDDDDDDDD?
const match = raw.match(
/^;(\d{1,19})=(\d{4})(\d{3})(.+)\?$/
);
if (!match) return { error: 'Invalid Track 2 format' };
return {
pan: match[1],
expiration: match[2], // YYMM
serviceCode: match[3],
discretionaryData: match[4]
};
}
// Test with standard test card data
const t1 = parseTrack1('%B4111111111111111^DOE/JOHN Q^26012011000000000000?');
console.log(t1);
// { formatCode: 'B', pan: '4111111111111111',
// name: 'DOE/JOHN Q', expiration: '2601',
// serviceCode: '201', discretionaryData: '1000000000000' }
const t2 = parseTrack2(';4111111111111111=26012011000000000000?');
console.log(t2);
// { pan: '4111111111111111', expiration: '2601',
// serviceCode: '201', discretionaryData: '1000000000000' }
100% client-side: Like all our tools, this runs entirely in your browser. No data is ever sent to a server.
Quick Reference: Track Data Fields
| Field | Track 1 | Track 2 | Purpose |
|---|---|---|---|
| Start Sentinel | % | ; | Beginning of data |
| Format Code | B | — | Card type identifier |
| PAN | Up to 19 alphanumeric | Up to 19 numeric | Account number |
| Separator | ^ | = | Field delimiter |
| Cardholder Name | Up to 26 chars | Not present | Identity verification |
| Expiration | YYMM (4 digits) | YYMM (4 digits) | Card validity |
| Service Code | 3 digits | 3 digits | Processing rules |
| Discretionary Data | Variable | Variable | CVV, PVV, issuer data |
| End Sentinel | ? | ? | End of data |
| LRC | 1 character | 1 digit | Error detection |
The Magnetic Stripe Phase-Out
The industry is actively moving away from magnetic stripes in favor of EMV chip and contactless technology:
| Year | Milestone |
|---|---|
| 2015 | EMV liability shift takes effect in the US |
| 2021 | Mastercard begins removing stripe requirement for new cards |
| 2024 | Mastercard stops requiring stripes on new cards in Europe |
| 2027 | US banks no longer required to issue Mastercard with stripes |
| 2029 | No new Mastercard credit/debit cards issued with a stripe |
| 2033 | Mastercard expects all cards globally to be stripe-free |
Despite the phase-out, magnetic stripe data formats remain foundational knowledge. EMV chip transactions still generate magnetic stripe equivalent data for backward compatibility, and the track data format is embedded in ISO 8583 field definitions that are unlikely to change.
Next Steps
Now that you understand magnetic stripe track data:
- Parse raw messages with the ISO 8583 Studio to see Fields 35 and 45 decoded in real messages
- Look up service codes in the Reference Database for quick interchange rule lookups
- Understand POS entry modes in our POS Entry Mode Guide — entry modes 02 and 90 indicate magnetic stripe reads
- Learn how track data is encrypted in our DUKPT Key Management Guide — unique key per swipe
- Protect track data with the PCI Sanitizer — mask sensitive data before sharing logs
- Validate the PAN with the Luhn Validator — confirm the account number from track data passes checksum
This post is part of the ISO 8583 Mastery series. Follow along as we explore payment messaging in depth.
Related Posts
💬 Discussion
Have a question or feedback? Leave a comment below — powered by GitHub Discussions.
What information is stored on Track 1 vs Track 2?
Track 1 contains alphanumeric data including the PAN, cardholder name, expiration date, and service code. Track 2 contains only numeric data: the PAN, expiration date, service code, and discretionary data (like CVV1).
What is a Service Code in track data?
The service code is a 3-digit number that tells the terminal how the card should be processed. For example, a service code starting with ‘2’ indicates the card has an EMV chip and must be inserted, not swiped.
Is magnetic stripe data encrypted?
No, raw magnetic stripe data is stored in plaintext. This is why skimming is so prevalent. Modern security relies on Point-to-Point Encryption (P2PE) where the terminal encrypts the track data immediately upon reading it.