rand() + rand() does not give normal. If there is any statistical difference between the timings, it's in theory possible to break.

An easy mitigation would be to just drop the card number into a queue and process asynchronously without waiting and returning to the user.