Poked around in the app to see if it was generated client side or server side. Alas, it's server side.

For me, it looks something like:

PP/<issue date in ddmmyy>/<FNAME LNAME>/<expiration date in mmyy>/<membership number>//1/<6-digit uppercase hex>

I believe the 1 is the "subscription level id", but it's unclear what that means here. One interesting thing that differs between the different ones is that the Amex/Citi issued passes have a "ConsumerType" in the app of "FULL" and the CSR issued pass has a type of "ASSOCIATE".

My guess is that Chase negotiated for a specific type of membership that didn't include this in the contract, since you also don't see unique issuer codes on that one, unlike the other two.

One thing about the hex digits is that I wouldn't necessarily say that it's a checksum. It could also be an HMAC-SHA256 digest or the like, but it's hard to tell without seeing how the code is actually validated. My guess is that it's done remotely, just like the generation.