The new 8-digit BIN numbers and what it means for your PCI DSS Compliance

8-digit BIN numbers explained | Total Processing | Online Payment Specialists ✔ Enhanced Reporting ✔ PCI Compliance ✔ Get A Quote Online ➔

Written by Rebekah Moss 24 Mar 2022 - 3 Minutes reading time

From April 1st 2022, Mastercard and Visa will be adopting new 8-digit BIN numbers, that will require merchants to amend their PCI compliance measures.

What is a BIN number?

A BIN number is used to identify the financial institution that issued a card - typically a card scheme such as Mastercard or Visa - and is used to correctly route transactions for payment authorisation and prevent fraud.

How do I find the BIN Number?

BIN numbers used to be comprised of the first 6 digits of the long set of numbers on the front of a credit or debit card, also known as a PAN number. An 8-digit BIN number is equally formed from the first 8 digits of the PAN number and was introduced by the ISO (International organisation for standardisation) in answer to the increasing lack of available 6-digit BIN numbers for cardholders.

6

8

How is my PCI DSS Compliance affected?

PCI DSS compliance largely concerns itself with data protection and security. With the introduction of longer BIN Numbers, there is a greater risk regarding the exposure of sensitive customer data and as a result, PCI DSS Compliance is now harder to uphold.

Two key areas of PCI DSS Compliance that payment processors and merchants need to take into consideration with the introduction of 8-digit bins are: masking and truncation. These are important processes that ensure that minimal card data is displayed and returned in the payment process.

They also pertain to the storage of payment information.

PCI DSS Requirement 3.3: Masking Digits

No more than the first 6 or last 4 digits of the 16-digit PAN number are ever requested or stored for verification or storage purposes; unless there is a valid business reason.

The introduction of 8-digit BIN numbers does not seem to compromise PCI DSS Compliance directly - but overall, it may make it easier for a malicious party to guess the whole PAN number.

PCI DSS Requirement 3.4: Truncation

Rendering the PAN number unreadable when stored - Prior to the introduction of 8-digit BIN numbers, the most ideal way to become compliant with this requirement would be to remove the middle digits of the PAN number or encrypt the entire PAN number using a method called tokenisation.

Tokenisation renders a BIN number unreadable anywhere it is stored and requires multiple PAN numbers per account that it encrypts - leading to an increasing demand for new and longer BIN numbers.

Visa tokenises cards at a 9-digit account number level, but financial institutions should be prepared to adapt their processes to encrypt this new number of digits.

What changes should I make?

Whilst Visa and Mastercard are the first to issue 8-digit BIN numbers - with Visa to exclusively do so from [April 2022](https://www.six-payment-services.com/en/shared/news/2021/8-digit-bin.html#scrollTo=what_is_the_influenceonpcidsspaymentcardindustrydatasecuritystan https://www.threedsecurempi.com/blog/visa-mastercard-mandate-impacts-of-the-8-digit-bins-extension/) - other card schemes are expected to follow in due course.

Only acquirers will need to process the first 8-digits of a PAN number to determine the length of the BIN number.

Issuers and financial institutions such as payment processors, should adapt the maximum permissible values allowed by their systems to ensure 8-digit BINs can be processed but ensure that the fewest possible digits of the PAN are retained.

However, increasing the permissible values in these processes also increases the risk of exposure to data breaches and other malicious attacks - as well as the increased likelihood of payment declines.

Investing in additional forms of fraud protection or methods of truncation can help protect customer data, but it is up to each merchant to determine their individual business need.

To learn more about the roll-out of 8-digit BIN numbers, do not hesitate to reach out to your payment processor for more information about your PCI DSS compliance and fraud solution.

Contact

Send us a message

Join Our Newsletter

Subscribe to our newsletter to stay informed. Our team of experts are at the forefront of the payment processing industry and we regularly post articles about emerging technologies and trends.