Preparing for the 8-digit BIN shift

From April 2022, Visa and Mastercard will mandate the extension of the BIN on payment cards from six to eight digits without changing the PAN.


A constant supply of Bank Identification Numbers (BINs) is essential to ensuring a secure and seamless global payments ecosystem. The proliferation of card issuers, however, has resulted in the depletion of BINs. Seeing the growing demand for BINs from issuing banks, the International Organisation for Standardisation (ISO) has revised the ISO/IEC 7812-1 standard to expand the numeric length of the BIN from six to eight digits.

The 8-digit BIN mandate will take effect in April 2022 for Visa and Mastercard. To ease your 8-digit BIN migration, we’re running through the key details you need to know.

What is a BIN?

A Bank Identification Number (BIN) — also known as Issuer Identification Number (IIN) — is now the first eight digits of the Primary Account Number (PAN) on a payment card that helps identify the issuer.

The BIN is assigned to issuers by each card scheme, and it's composed of smaller sub-numbers – the first digit being the Major Industry Identifier (MII), which is used by payment processors to specify the card scheme (e.g. “4” for Visa, “5” for Mastercard and so on).

Let's further explore what will change in the payments landscape with the BIN extension.

8-digit BIN mandate

The main reason for the 8-digit BIN shift is that it’ll become increasingly hard to rely on 6-digit BINs for transaction authorisation and clearing, as the available combinations of six-digit BINs are running low. The effect might not be immediate, yet it will become obvious once 8-digit BINs become the norm. Since the length of the PAN will remain the same under the mandate, issuers won't need to reissue existing cards across the market.

Visa mandate – account ranges

Visa will assign 8-digit issuing BINs for new requests, while 6-digit BINs will become legacy and will no longer be available from April 2022. This suggests that all acquirers and payment processors will have to update their operations and systems to support this regulatory change and safeguard cardholder protection. Although Visa urges issuers to migrate all existing issuing BINs to eight digits, issuers have the discretion to determine their own timeline for the expansion.

Visa operates on account ranges so that issuers can ensure an efficient usage of BINs. Account ranges define the first 11 digits of a PAN on a payment card, including the 8-digit BIN, with Visa's account ranges standing at nine digits. Account range data can be used to retrieve attributes such as the card type (e.g. debit card, credit card, gift card, prepaid card, etc.) as well as the issuer’s country. The last factor is extremely important, as it also helps detect identity theft or potential security compromises by comparing data, such as the address of the issuer with that of the cardholder.

Mastercard mandate – account ranges

Mastercard launched its account ranges, comprised of 11 digits, in 2017. Account ranges are leveraged as a segmentation tool in support of different markets, product codes, and other parameters.

Whereas BINs will expand to eight digits, account ranges will keep their string of 11 digits for Mastercard, which will enable the seamless transition to an 8-digit BIN. To facilitate payments ecosystem consistency, Mastercard has also mandated acquirers and payment processors to adopt the 8-digit BIN standard by April this year. It should be clear that account ranges for Visa and Mastercard won't be affected by the updated ISO standard.
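The sketch below is an added example, not code from emerchantpay or the card schemes. It shows the migration hazard behind the Visa and Mastercard sections above: a lookup keyed on the first six digits cannot separate issuers that now differ only in digits seven and eight, whereas a longest-prefix match over 6-, 8- and 11-digit entries can. The table, the issuer names and the test PANs are constructed, and the function names are hypothetical.

```python
# Constructed sample table: every prefix and attribute below is invented.
RANGES = {
    "40000012":    {"issuer": "Bank A", "country": "GB", "type": "debit"},
    "40000034":    {"issuer": "Bank B", "country": "DE", "type": "credit"},
    "510000":      {"issuer": "Bank C", "country": "FR", "type": "credit"},   # legacy 6-digit BIN
    "51000077123": {"issuer": "Bank C", "country": "FR", "type": "prepaid"},  # 11-digit account range
}

def digits_of(pan):
    """Strip spaces and separators so lookups always see bare digits."""
    return "".join(ch for ch in pan if ch.isdigit())

def lookup(pan, table=RANGES):
    """Longest-prefix match: most specific entry (11 digits) first, down to 6."""
    d = digits_of(pan)
    for n in range(11, 5, -1):
        attrs = table.get(d[:n])
        if attrs is not None:
            return d[:n], attrs
    return None, None

def issuers_sharing_first_six(pan, table=RANGES):
    """The issuers a system keyed only on six digits cannot tell apart."""
    six = digits_of(pan)[:6]
    return sorted({a["issuer"] for p, a in table.items() if p.startswith(six)})

def issuer_country_mismatch(pan, billing_country, table=RANGES):
    """Risk signal from the article: issuer country differs from the cardholder's."""
    _, attrs = lookup(pan, table)
    return attrs is not None and attrs["country"] != billing_country

if __name__ == "__main__":
    # Constructed PANs, used only to exercise the table above.
    for pan in ("4000 0012 0000 0000", "4000 0034 0000 0000", "5100 0077 1234 5678"):
        print(lookup(pan), issuers_sharing_first_six(pan))
```

Any component that still slices `pan[:6]` (routing rules, fraud rules, reporting) behaves like `issuers_sharing_first_six` and needs the same review as the main BIN table.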

8-digit BINs and PCI DSS

PCI Data Security Standard (PCI DSS) is an industry requirement for organisations across the globe to help safeguard cardholder data (read more about PCI DSS in our article). The requirements below, as presented on the PCI Security Standards Council website, dictate the display and storage of PANs:

Display of PAN

“Requirement 3.3 – Mask PAN when displayed (the first six, last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first 6/last 4 digits of the PAN.”

In essence, the masking approach ensures that only the minimum number of digits necessary to conduct a business function will be displayed. For instance, if only the last four digits are required to perform such a function, the PAN will be masked so that the involved parties can only view the last four digits on screens, paper receipts, printouts, etc. While the objective of Requirement 3.3 is to display the first eight digits of the BIN, as of April 2022, and the last four digits of a PAN, an entity will be allowed to display more digits if required, but only with a documented organisational justification.

Storage of PAN

“Requirement 3.4 – Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

  • One-way hashes based on strong cryptography, (hash must be of the entire PAN)
  • Truncation (hashing cannot be used to replace the truncated segment of PAN)
  • Index tokens and pads (pads must be securely stored)
  • Strong cryptography with associated key-management processes and procedures.”

Essentially, the maximum digits of the PAN that can be stored using truncation are the first six and any other four. The form of truncation won’t be altered with the introduction of 8-digit BINs. Now, if an entity needs to store more than the acceptable amount, then truncation cannot be deployed to meet Requirement 3.4. One of the following approaches, namely encryption, tokenisation, or hashing, would need to be implemented to make the PAN unreadable anywhere that it’s stored.
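The following added example (not emerchantpay's or the PCI SSC's code) applies the limits quoted above for Requirements 3.3 and 3.4: masking refuses to show more than the first six and last four digits without a recorded justification, truncation refuses to keep more than first six plus four, and a one-way hash is taken over the entire PAN. HMAC-SHA-256 is this example's choice of hash; the key, the justification string and the function names are assumptions, and the PAN in the usage lines is a constructed test number.

```python
import hashlib
import hmac

def luhn_ok(pan):
    """Luhn check, so malformed input is rejected before it is masked or stored."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_for_display(pan, first=6, last=4, justification=None):
    """Requirement 3.3 as quoted: at most first 6 / last 4 unless a need is documented."""
    if (first > 6 or last > 4) and not justification:
        raise PermissionError("more than first 6 / last 4 needs a documented justification")
    hidden = len(pan) - first - last
    if not luhn_ok(pan) or hidden < 1:
        raise ValueError("not a PAN that can be masked")
    return pan[:first] + "*" * hidden + pan[-last:]

def truncate_for_storage(pan, first=6, last=4):
    """Requirement 3.4 truncation as the article describes it: first six plus four."""
    if first > 6 or last > 4:
        raise ValueError("beyond first 6 / 4: use encryption, tokenisation or hashing")
    if not luhn_ok(pan):
        raise ValueError("not a valid PAN")
    # The middle digits are discarded, not hidden: an 8-digit BIN cannot be read back.
    return {"first": pan[:first], "last": pan[-last:], "length": len(pan)}

def pan_fingerprint(pan, key):
    """One-way hash of the ENTIRE PAN, for matching records only.
    Per the quoted requirement, it is not a substitute for the truncated digits."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    pan = "4111111111111111"               # constructed test number, Luhn-valid
    print(mask_for_display(pan))
    print(mask_for_display(pan, first=8, justification="placeholder: documented need"))
    print(truncate_for_storage(pan))
```

A system that needs digits seven and eight after the fact has to resolve the BIN before truncating, or keep the PAN under one of the other three approaches.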

Takeaway

Although the 8-digit BIN transition mandate won't have a significant impact on merchants, it’s crucial for them to understand how the card schemes are regularly changing the rules for their payment-related practices. For those affected, it’s advisable that you're already up to speed with the shift.

Taking pride in our PCI DSS Level 1 compliance and years of experience in the payments industry as an acquirer and payment service provider, our systems at emerchantpay are up to date to support 8-digit BINs. Our fraud and risk management services can help provide a secure checkout experience that can boost your conversions and profitability.

Contact our team of experts to learn how you can prepare your payment system to facilitate 8-digit BINs and ensure optimal payment performance and seamless payment processing.

  
