The Eight-Digit BIN Problem

Next year, a new ISO standard will expand the size of BINs by two digits, creating a security issue. Here’s an approach to a solution.

A card-identification standard set by the International Standards Organization mandated that banks switch over from the current six-digit Bank Identification Number (BIN) to eight-digit BINs on all new credit and debit cards issued after April 2022.

It’s straightforward enough for banks, credit unions, and other card-issuing institutions to shift to an eight-digit BIN. It’s not quite so simple for merchants that want to continue to enjoy the business benefits of a BIN but still need to comply with the Payment Card Industry Data Security Standard (PCI DSS).

So I wanted to bring some clarity to what a BIN is, why it is important, how it relates to PCI DSS compliance, and why a shift to an eight-digit BIN is happening.

A Tough Choice

A BIN refers to the first set of numbers that appears on payment cards. It is generally four to six digits and is used to identify the institution that issues the card, among other things. BINs are key to the process of matching transactions to the issuer of the payment card.

BIN ranges are crucial for the payment process because they not only allow merchants to accept multiple forms of payments quickly, but they also help merchants assess their card transactions. This provides value because it allows for in-depth cost analysis to take place and enables merchants to perform real-time analytics with their BIN ranges to identify theft or fraud, as well as origination.

Merchants can determine other crucial information from the BIN range as well, such as their card mix, which can help clarify the cost impact of interchange fees based on the types of cards they accept.

The PCI DSS is an industry requirement for securing cardholder data around the world. A category of the PCI DSS requires organizations to protect cardholder data, which includes the primary account number (PAN). To maintain compliance with the PCI DSS, organizations are allowed to use only the first six digits of a PAN—which contain the BIN—as well as the last four digits.

Because expanding the BIN would exceed the maximum number of visible digits allowed under the PCI DSS, organizations starting next April will no longer be able to access the entire BIN while remaining PCI-compliant.

If BINs are necessary for the payment process and other critical business operations, how will the shift to eight-digit BINs affect merchants when the PCI DSS only allows the first six and last four digits of a PAN to be revealed?

The short answer is that it makes merchants choose between being compliant with the PCI DSS or having access to the full eight-digit BIN range for business operations. Due to the International Organization of Standards’ (ISO) expansion of BIN ranges, merchants are placed in an uncomfortable position unless the PCI DSS decides to accommodate the first eight digits of the PAN.

So, why doesn’t the PCI DSS just alter its requirements to allow for the exposure of eight-digit BINs? Because that would negatively affect the security of the cards. Although the BIN is gaining two extra digits, the length of the PAN itself is not changing. As a result, the masked portion of a PAN (the numbers between the first six and last four) would be losing two digits, making it much less secure.

A Possible Solution

So it’s impossible for the PCI DSS to permit the use of an eight-digit BIN without compromising the additional protection those two extra digits provide.

But why the shift to eight-digit BINs in the first place? It’s due to an insufficient number of BINs available with only a six-digit range. Simply put, the industry is running out of six-digit numbers with which to continue providing BINs. So, to ensure a sufficient supply of BINs for future product innovation, card brands are looking to evolve to an eight-digit format for all new BINs.

Visa and Mastercard have already begun the transition, and Visa is requiring newly issued BINs to be eight digits after April of 2022, though the use of current six-digit BINs will still be supported after this deadline.

A possible solution here—and one that includes additional revenue-enhancing benefits such as reduced fraud and increased conversion rates—is the use of network tokens. Network tokens are tokens created by the card brands that can be used throughout the token life cycle and eliminate the need to expose the PAN.

Network tokens are especially useful because they contain additional details about the card (such as the issuer and card color) that can be accessed without requiring the BIN to be revealed.

However, network tokens can only be used with participating issuers and processors. So in the instance that merchants are trying to process a payment for or with an entity that doesn’t accept network tokens, eight-digit BINs could still present an issue.

Regardless of how merchants choose to handle this shift, they need companies to support them with whatever solution they deem to be the most beneficial to their organization. I recommend partnering with a vendor that offers a solution built for maximum flexibility.

It is true that, today, these types of providers won’t be able to completely resolve the conflict between the PCI DSS and ISO. But they can help organizations that want to maintain control over how they navigate the evolving landscape of security and compliance.

John Noltensmeyer, chief technology officer at TokenEx, contributed to this article.

—Alex Pezold is the chief executive of TokenEx, Edmond, Okla.