As expected, the eight-digit BIN mandate has arrived, and the bankcard industry must rush to adapt as necessary. For the longest time, the industry has worked with a six-digit format as it was more than sufficient. Unfortunately, as the number of financial service acquirers grows, the current BIN range has become too limited, and the expansion was seen as a necessary reform.
While the way this mandate affects the industry varies largely based on each player, everyone must quickly ensure that they meet the new regulations to avoid running into significant issues with their operations.
In this article, you’ll learn more about why the eight-digit BIN mandate was instituted, what it constitutes, and how to prepare for it.
Why Do Merchants Need to Prepare for the Eight-Digit BINs Mandate?
Visa and Mastercard set April 2022 as the deadline for everyone involved with their businesses to meet the new ISO standard. The primary requirement is that all systems and procedures utilized by these firms must be able to accommodate the longer BINs.
Since April 2020, Visa only provides eight-digit BINs, whereas Mastercard has continued to issue both formats, at least for the time being. Also, the card networks are urging issuers to convert their existing six-digit BINs to eight-digit ones, but this is not yet mandatory.
Although BINs are growing in length, the primary account numbers (PANs) printed on payment cards will remain at sixteen digits. American Express, Discover, and other networks have not yet specified when they will begin using eight-digit BINs.
It’s not merchants who’ll shoulder the brunt of the work but rather payment processors, acquirers, and other industry partners. However, retailers who save their customers’ PANs should make an effort to establish compliance with any applicable data protection rules once the changes take effect.
The difficulties this could raise primarily pertain to merchants who rely on truncation to comply with those rules. Cybercriminals with access to several differently truncated versions of the same PAN could reconstruct it if the truncation formats are inconsistent. Fortunately, the PCI Security Standards Council has published guidance detailing how eight-digit BINs can be secured in accordance with PCI DSS criteria.
One may employ encryption, tokenization, or another compliant type of protection as an alternative to truncation.
This applies whether the BIN has six or eight digits. It’s worth mentioning that this would be a good time to start tracking issuer BINs. Doing so can be very useful for determining whether particular issuers see a higher incidence of fraud or are accepting bogus disputes (chargebacks).
Lastly, retailers should watch for an increase in BIN fraud. These attacks involve appending randomly generated numbers to a known BIN to generate a valid account number.
What is the Change?
ISO-compliant credit and debit card numbers may contain 8 to 19 digits, but 16 is the norm. When the BIN modification takes effect, most credit and debit card numbers will still have 16 digits. The sub-field that identifies the cardholder’s account will lose two digits, while the sub-field designated for BINs will receive two additional digits. Here is a summary of the sub-field layouts:
- Account Identifier/Account Number: A number that identifies the cardholder’s account.
- Check Digit: Also known as the validator digit. A number derived from the Luhn algorithm that is used to validate the card number. The check digit can appear in any of the last four positions of the card number, though it is most commonly the last digit.
- Issuer Identification Number (IIN) or Bank Identification Number (BIN): Identifies the issuing institution (e.g., Chase, Bank of America, Wells Fargo). This is what’s referred to as the card issuer.
- Major Industry Identifier: Provides information about the card brand or the kind of business the issuing corporation is involved in. For example, card numbers beginning with “4” are Visa cards, whereas card numbers beginning with “1” are airline cards.
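As an added example (not code from the original article), the sub-field layout above under both the six-digit and eight-digit BIN conventions, with the Luhn check applied; the PAN is a constructed test value, and the field names are this example's own.

```python
# Added example: split a PAN into the sub-fields described above and verify the
# Luhn check digit. SAMPLE_PAN is a constructed test value, not a real card number.

def luhn_valid(pan: str) -> bool:
    """Return True if the rightmost digit is a correct Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def split_pan(pan: str, bin_length: int) -> dict:
    """Decompose a PAN into MII, BIN, account identifier and check digit.

    bin_length selects the legacy six-digit layout or the new eight-digit one;
    the account identifier is what shrinks by two digits in the latter."""
    if not pan.isdigit() or not 8 <= len(pan) <= 19:
        raise ValueError("ISO card numbers are 8 to 19 digits")
    if bin_length not in (6, 8):
        raise ValueError("BIN length must be 6 or 8")
    return {
        "mii": pan[0],                  # first digit, also part of the BIN
        "bin": pan[:bin_length],
        "account": pan[bin_length:-1],  # assumes the check digit is the last digit
        "check_digit": pan[-1],
        "luhn_ok": luhn_valid(pan),
    }


SAMPLE_PAN = "4111111111111111"  # constructed test PAN with a valid Luhn digit

if __name__ == "__main__":
    for n in (6, 8):
        print(f"{n}-digit BIN layout:", split_pan(SAMPLE_PAN, n))
```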
How to Prepare for the Eight-Digit BINs Switch
Most of the changes merchants need to make concern their internal or proprietary systems. Merchants should analyze how their payment processors, acquirers, third-party agents, vendors, and any other partners who support their transaction routing, processing, and subsequent activities will be impacted by this move. Visa, for instance, encourages merchants to engage actively and analyze effects across their organization as soon as possible to maximize efficiencies and avoid surprises.
You must modify any logic related to the issuing BIN that is implemented in your downstream or processing systems if the following apply:
- You share BIN information with any third parties
- You manage your own POS environment
- Your POS terminals are programmed with hard-coded BIN logic
- You have any system logic that uses the first six digits of the card number (PAN)
- You use your BIN tables in transaction processing or use tables supplied via third parties
The PCI DSS permits the first six and any other four digits of a PAN to be exposed when truncation is the only method used to secure the data at rest. If a merchant wishes to disclose the entire eight-digit BIN in addition to the final four digits, they must implement one or more of the other permitted data protection mechanisms, such as hashing, tokenization, or encryption. Changes to a merchant’s downstream and processing systems may necessitate extended timeframes. It is recommended that merchants consult a Qualified Security Assessor (QSA) before implementation.
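As an added example (not from the original article or the PCI SSC), the two truncation layouts discussed above and a review check that counts how many digits stay hidden when several truncated versions of the same PAN are viewed together; the PAN is a constructed test value and `min_hidden` is a policy parameter of this example, not a figure the standard states.

```python
# Added example: PAN truncation for the six- and eight-digit BIN layouts, plus a
# check that inconsistent formats, taken together, still leave enough digits masked.
# SAMPLE_PAN is a constructed test value, not a real card number.

def truncate(pan: str, keep_leading: int, keep_trailing: int = 4) -> str:
    """Mask the middle of a PAN, keeping the leading BIN digits and the last four."""
    hidden = len(pan) - keep_leading - keep_trailing
    if hidden <= 0:
        raise ValueError("truncation would reveal the entire PAN")
    return pan[:keep_leading] + "*" * hidden + pan[-keep_trailing:]


def hidden_positions(versions) -> list:
    """Digit positions that are masked in every supplied truncated version.

    If different systems keep different digits of the same PAN, a digit
    revealed by any one of them is effectively disclosed, so a compliance
    review has to look at the combination rather than at each format alone."""
    n = len(versions[0])
    if any(len(v) != n for v in versions):
        raise ValueError("all versions must come from the same PAN length")
    return [i for i in range(n) if all(v[i] == "*" for v in versions)]


def combined_truncation_ok(versions, min_hidden: int) -> bool:
    """True if at least min_hidden digits stay masked across all versions.
    min_hidden is this example's own policy knob; set it from your QSA's guidance."""
    return len(hidden_positions(versions)) >= min_hidden


SAMPLE_PAN = "4111111111111111"                # constructed test PAN
SIX_DIGIT_FORMAT = truncate(SAMPLE_PAN, 6)     # first six + last four, 6 hidden
EIGHT_DIGIT_FORMAT = truncate(SAMPLE_PAN, 8)   # first eight + last four, 4 hidden

if __name__ == "__main__":
    print(SIX_DIGIT_FORMAT, EIGHT_DIGIT_FORMAT)
    print("still hidden:", hidden_positions([SIX_DIGIT_FORMAT, EIGHT_DIGIT_FORMAT]))
```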
Identifying the card issuer and cardholder without disclosing the full card number is crucial for various business applications, including payment transactions, chargebacks, refunds, and fraud detection. These procedures and supporting systems will need to be modified for the eight-digit BIN to be recognized and acted upon. Changes may be made to:
- BIN tables and associated processing logic
- POS software and hardware
- Reporting systems
- PIN bypass logic for mag-stripe transactions
- Payment application logic (such as chargebacks, refunds, transaction routing, and fraud management)
- Merchant loyalty and discount programs
Merchant and processor systems have to be able to accommodate both six- and eight-digit BINs after April 2022.
In addition, third-party services and applications, such as legacy point-of-sale (POS) systems and applications, must be tested to ensure they accept eight-digit BINs.
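As an added example of the "both six- and eight-digit BINs" requirement in the two paragraphs above (example code, not from the article or any card network): a BIN table loader that accepts entries of either length and a lookup that prefers the more specific eight-digit entry. The CSV columns and every BIN value are constructed placeholders, not real assignments.

```python
import csv
import io

# Added example: a BIN table holding both six- and eight-digit entries, with a
# longest-prefix lookup so legacy six-digit rules keep working while eight-digit
# entries take priority. Column names and BIN values are constructed placeholders.
SAMPLE_BIN_CSV = """bin,issuer,network
411111,Example Bank A (placeholder),Visa
41111122,Example Bank B (placeholder),Visa
51234567,Example Bank C (placeholder),Mastercard
"""


def load_bin_table(csv_text: str) -> dict:
    """Parse a BIN table, rejecting keys that are not exactly 6 or 8 digits."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row["bin"].strip()
        if not key.isdigit() or len(key) not in (6, 8):
            raise ValueError(f"BIN table entry {key!r} is not 6 or 8 digits")
        table[key] = {"issuer": row["issuer"], "network": row["network"]}
    return table


def lookup_bin(pan: str, table: dict):
    """Return (matched_bin, record) for the longest matching prefix, else (None, None).

    Trying the eight-digit prefix first means an issuer that has converted its
    BIN is matched precisely, while unconverted ranges still hit the six-digit row."""
    for length in (8, 6):
        key = pan[:length]
        if key in table:
            return key, table[key]
    return None, None


SAMPLE_TABLE = load_bin_table(SAMPLE_BIN_CSV)

if __name__ == "__main__":
    for pan in ("4111112212345678", "4111110012345678", "6011000012345678"):
        print(pan[:8], "->", lookup_bin(pan, SAMPLE_TABLE))
```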
We recommend that you begin supporting eight-digit BINs immediately if you haven’t already. The first step is to identify the resources needed to evaluate the effects of eight-digit BINs. Identify and implement the necessary modifications with the help of a firm with extensive experience in payments and security.
Once you’ve determined the available resources, you should do a thorough impact analysis and architecture review to determine the necessary modifications. Next, we suggest drafting a project plan for executing the modifications, designating a project manager and relevant subject matter experts, and initiating the project.
What if You Don’t Change?
Failing to support eight-digit BINs by April 2022 will likely have severe repercussions and may disrupt your business operations considerably. Here are some ways in which you may be affected:
- Misrouted payment transactions
- API failures
- Inaccurate data queries
- Non-compliance with data security and privacy standards
- Incorrect input validation logic
Extra Resources on the Eight-Digit BINs
Lastly, here are some extra resources you can use to ease your adoption of eight-digit BINs:
- Numeric Initiative Page on Visa.com
- Visa BIN Attribute Sharing Service (VBASS)
- ISO article on BIN Changes
- Mastercard’s 8-Digit BIN Mandate
The eight-digit BIN has been a long time coming: because of the current system’s limitations, the change was announced years ago. If you haven’t made the necessary changes, you should contact your card processor to see how to proceed. Ensuring your business is in line with the current regulations is paramount for efficient operations.