With the eight-digit BIN mandate now in effect, it is important to understand its implications for the bankcard industry and its participants. The change does not alter the length of the card number; it extends the BIN by two digits, taking them from the part of the PAN that was previously masked when the number is displayed or truncated. That shift has a wide variety of implications for PCI DSS compliance.
In this article, you’ll learn why the BIN digit change was implemented, how it affects PCI DSS compliance, and how organizations can adapt to the changes.
The BIN Digit Range and Why It Affects PCI DSS Compliance
BINs have traditionally been the first six digits of the Primary Account Number (PAN), which identify the issuing institution. The International Organization for Standardization (ISO) standard that describes the structure of PANs (ISO/IEC 7812) now explicitly allows 8-digit BINs to be used in place of 6-digit BINs, and several payment brands have already begun treating the first eight digits of the PAN as the BIN instead of the first six.
The Payment Card Industry Data Security Standard (PCI DSS) is the industry standard for protecting cardholder data worldwide. Among its requirements, it limits how much of a PAN may be displayed: the first six and last four digits are the maximum that may be shown. The move away from six-digit BINs has raised questions about what this means for PCI DSS scope and compliance.
If BINs are essential to payment processing and other business processes, how does the move to eight-digit BINs affect merchants when PCI DSS only permits the first six and last four digits of a PAN to be displayed? Read literally, it would force merchants to choose between PCI DSS compliance and access to the full eight-digit BIN for their operations. Because the BIN expansion is mandated by ISO, merchants are left in an awkward position unless PCI DSS accommodates display of the first eight digits of the PAN.
A further issue is that the length of the PAN is not changing. Supporting an eight-digit BIN therefore means two fewer masked digits in the middle of the PAN: on a 16-digit PAN, first six/last four hides six digits, whereas first eight/last four hides only four. Because the Luhn check digit sits in the retained last four, only one in ten combinations of hidden digits is valid, so the number of PANs consistent with a truncated value falls from 100,000 to 1,000. The protection afforded by the masked section is significantly weaker than under the six-digit format.
Why Are BINs Being Changed If This Causes Issues with the PCI DSS?
The fundamental reason for the change to eight-digit BINs is that six-digit BINs are running out. The payment brands are moving to the new format for all BINs to ensure an adequate supply for future product innovation. Visa and Mastercard have begun their shift to eight digits, and Visa required all newly issued BINs to be eight digits from April 2022. Existing six-digit BINs continue to be supported after that date.
Although truncation formats differ by PAN length and by payment-brand requirements, all payment brands accept the basic first six/last four format.
Questions about a payment brand's truncation requirements, such as how to tell whether a PAN has a six- or eight-digit BIN, should be directed to the entity's acquirer or to the payment brand itself.
PCI DSS Requirements
Two PCI DSS requirements are affected by 8-digit BINs. Requirement 3.3 covers masking (concealing) digits of the PAN so that the full PAN is not displayed, and Requirement 3.4 covers rendering the PAN unreadable wherever it is stored (these are numbered 3.4.1 and 3.5.1 respectively in PCI DSS v4.0). They are separate and distinct requirements, so it is essential to understand each one and how it applies to the entity's own implementation.
PCI DSS Requirement 3.3 mandates that at most the first six and last four digits of the PAN may be displayed on screens, receipts, reports, and so on, unless there is a documented business need to see more. That justification should explain why the individual or role requires more PAN digits, be approved by management, and be available for the assessor to review as part of the PCI DSS assessment.
PCI DSS Requirement 3.4 covers PAN storage (data at rest). It lists four approved methods for rendering stored PAN unreadable: one-way hashes based on strong cryptography, truncation, index tokens with securely stored pads, and strong cryptography with proper key management. Truncation removes a segment of the PAN and stores only the remainder, so it is the method the BIN change bears on directly; the other three (hashing, tokenization, or encrypting the entire PAN) remain available. Since PAN/BIN lengths and restrictions differ by payment brand, questions about truncation should be directed to the applicable payment brands.
Acceptable Truncation Formats
Acceptable truncation formats vary with the length of the PAN and the requirements of the participating payment brand.
Truncation must remove enough digits that no more than the brand's permitted maximum is retained (traditionally the first six and last four), and within that limit an entity should keep only as many digits as its business purposes actually require.
The permissible truncation formats for each payment brand, by PAN length, are as follows:
- Fewer than 15 digits (Discover): the first six digits and any other four digits may be retained.
- 15 digits (American Express): the first six and last four digits may be retained; the remaining five must be removed.
- 16 digits (Visa and Mastercard): the first eight digits and any other four digits may be retained; at least four digits must be removed.
When using truncation formats for purposes other than storage, or for PAN lengths not listed above, organizations must ensure the format is acceptable to every applicable participating payment brand.
When establishing masking and truncation formats, each company should evaluate its business requirements and display or retain only the digits it actually needs.
Entities must also be aware of the risk of using different truncation formats for the same PAN. Attackers routinely correlate data across data stores, and copies of a PAN truncated differently in different systems can together expose more digits than any single format permits (a first six/last four copy and a first eight/any other four copy of the same 16-digit PAN, for example, can be combined). Where business requirements call for more than one format, the entity must ensure the copies cannot be joined to reconstruct additional PAN digits.
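The two points above (the loss of masked digits when the BIN grows, and the correlation risk of mixing truncation formats) can be checked numerically. The following is an added example, not code from the PCI SSC or any payment brand: it truncates a constructed, Luhn-valid test number in the formats discussed, counts how many full PANs remain consistent with each truncated value once the Luhn check digit is taken into account, and merges two differently truncated copies to show how many digits an attacker recovers. The `SAMPLE_PAN` value, the `X` mask character and all function names are assumptions for the example.

```python
"""Added example (not PCI SSC or payment-brand code): how many PANs remain
consistent with a truncated value, and how two different truncations of
the same PAN combine when correlated.  The PAN below is a constructed,
well-known Luhn-valid test number, not a real account."""

from itertools import product
from typing import Iterable, Set

SAMPLE_PAN = "4242424242424242"  # constructed test number (assumption)
MASK = "X"                       # mask character (assumption)


def luhn_contribution(digit: int, doubled: bool) -> int:
    """Luhn weight of one digit: doubled digits above 9 have 9 subtracted."""
    if not doubled:
        return digit
    d2 = digit * 2
    return d2 - 9 if d2 > 9 else d2


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check; the check digit is the rightmost digit."""
    total = sum(luhn_contribution(int(c), i % 2 == 1)
                for i, c in enumerate(reversed(pan)))
    return total % 10 == 0


def first_last(length: int, first: int, last: int) -> Set[int]:
    """0-based positions kept by a 'first N / last M' truncation format."""
    return set(range(first)) | set(range(length - last, length))


def truncate(pan: str, keep: Iterable[int], mask: str = MASK) -> str:
    """Replace every digit whose position is not in `keep` with `mask`,
    preserving length so positions stay comparable across systems."""
    keep = set(keep)
    return "".join(c if i in keep else mask for i, c in enumerate(pan))


def merge(*views: str, mask: str = MASK) -> str:
    """Correlate several truncated copies of one PAN: a digit visible in any
    copy becomes visible in the result.  Raises on length or digit conflicts."""
    if len({len(v) for v in views}) != 1:
        raise ValueError("truncated views have different lengths")
    out = []
    for column in zip(*views):
        known = {c for c in column if c != mask}
        if len(known) > 1:
            raise ValueError("conflicting digits at the same position")
        out.append(known.pop() if known else mask)
    return "".join(out)


def candidate_count(masked: str, mask: str = MASK) -> int:
    """Number of full PANs that match `masked` and pass the Luhn check.

    All hidden positions but one are enumerated; the last hidden digit is
    solved from the checksum.  Because the Luhn digit mapping is a
    permutation of 0-9 at every position, exactly one value fits."""
    n = len(masked)

    def doubled(pos: int) -> bool:
        return (n - 1 - pos) % 2 == 1

    hidden = [i for i, c in enumerate(masked) if c == mask]
    if not hidden:
        return 1 if luhn_valid(masked) else 0
    base = sum(luhn_contribution(int(c), doubled(i))
               for i, c in enumerate(masked) if c != mask)
    *free, last = hidden
    count = 0
    for fill in product(range(10), repeat=len(free)):
        partial = base + sum(luhn_contribution(d, doubled(i))
                             for d, i in zip(fill, free))
        need = (-partial) % 10
        count += sum(1 for d in range(10)
                     if luhn_contribution(d, doubled(last)) == need)
    return count


if __name__ == "__main__":
    n = len(SAMPLE_PAN)
    six_four = truncate(SAMPLE_PAN, first_last(n, 6, 4))
    eight_four = truncate(SAMPLE_PAN, first_last(n, 8, 4))
    # "first 8 / any other 4" where a second system chose digits 9-12
    eight_mid = truncate(SAMPLE_PAN, set(range(8)) | set(range(8, 12)))
    for label, view in (("first6/last4", six_four), ("first8/last4", eight_four)):
        print(f"{label}: {view}  candidates={candidate_count(view):,}")
    print("merge(first6/last4, first8/last4):      ", merge(six_four, eight_four))
    print("merge(first6/last4, first8+digits9-12): ", merge(six_four, eight_mid))
```

Run stand-alone, the script reports 100,000 candidates for the first six/last four view and 1,000 for first eight/last four, matching the tenfold-per-digit loss described above. Merging a first six/last four copy with a first eight/last four copy yields the weaker first eight/last four view; merging it with a first eight plus digits 9-12 copy reconstructs the entire PAN, which is exactly the cross-store correlation the text warns about.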
In conclusion, expanding the BIN range from six to eight digits may have varying effects on how organizations manage PAN data. Each entity must decide how the transition to 8-digit BINs will impact its business and security needs. Entities are encouraged to begin planning for this shift immediately by determining their business requirements for maintaining and displaying PAN and ensuring that only the minimum number of PAN digits required for business purposes are exposed.