8-Digit Credit Card BIN: What Your Business Needs to Know (And How to Stay Compliant)
The payments industry is exploding in recent years. As a result, the payment industry is running out of available Bank Identification Numbers (BINs), which identify the payment brand and financial institution issuing a credit or debit card and make up the first six digits of each card number. To deal with this shortage of BINs, the International Organization for Standardization (ISO) is raising the number of digits in BINs from six to eight.
From April 2022, all merchants and payment processors must be able to handle the new BIN length, which means that they will have to upgrade their systems. In 2015, Visa first announced the eight-digit BIN expansion, and it will take effect in April 2022. Beginning in April 2022, banks may start issuing cards with the new eight-digit BINs at their option.
Making the changes needed to support eight-digit BINs may be a huge job for merchants and payment processors, and the consequences of not having such support in place by April 2022 will be severe. If you haven't started a project to make this crucial change, we recommend that you do so immediately.
Will 8-Digit BIN Numbers Change Credit Card Number Formats?
Although ISO-compliant credit and debit card numbers range from 8 to 19 digits, the most common length is 16 digits. When the eight-digit BIN change takes effect, the majority of credit and debit card numbers will continue to be 16 digits long. The two digits will be added to the sub-field allocated for BINs, and the sub-field that represents the cardholder's account will be reduced by two digits. The layouts of sub-fields before and after the change are shown below.
The current BIN structure:
After April 2022:
The information contained in each sub-field can be summarized as follows:
- Major Industry Identifier: Identifies the card brand or type of business in which the company that issued the card is involved. Card numbers beginning with "4" are Visa cards, "5" are MasterCard, while numbers beginning with "1" are airline-branded travel documents.
- Bank Identification Number (BIN) or Issuer Identification Number (IIN): The institution that issued the card (e.g., Wells Fargo, Bank of America, Toronto-Dominion Bank) is identified in the number. This institution is usually referred to as the card issuer.
- Account Identifier/Number: A number identifying the individual cardholder’s account.
- Validator Digit: Also known as Check Digit. The field is used to validate the card number using the Luhn algorithm. The validator digit is typically in the last position of the card number, but it can be placed in any of the previous four places.
What Do Merchant and Processor Systems Need to Change To Handle 8-Digit BINS?
Identifying the card issuer and the cardholder without requiring the entire card number is crucial for running business processes such as payment transaction routing, chargebacks, refunds, and fraud detection while reducing the risk of data breaches. These processes and supporting systems will require some updates to handle eight-digit BINs. This may include updates to:
- Point of Sale (POS) hardware and software
- BIN tables and associated processing logic
- Payment application logic (e.g., transaction routing, chargebacks, refunds, fraud management)
- Merchant loyalty and discount programs
- PIN bypass logic for mag-stripe transactions
- Reporting systems
Because both six- and eight-digit BINS will be available beginning in April 2022, merchant and processor systems must be able to process both types of BINs.
Third-party services and applications, such as legacy POS systems and applications, must also be evaluated to ensure they can handle eight-digit BINs.
What Are the Security Issues Arising From 8-Digit BINs?
Visa and MasterCard collaborated with the Payment Card Industry Security Standards Council (PCI SSC) to create the PCI Data Security Standard (PCI DSS). Among other things, this standard enables businesses to perform important payment processes (e.g., authorization, authentication, fraud management, chargebacks, refunds) while maintaining the privacy and security of card numbers.
The PCI DSS allows you to show the first six and final four digits of a card number on a receipt, save them unencrypted or use them for transaction routing. This method of securing cardholder information has long been used in the payments sector and is an important component of several payment procedures, auditing standards, and software applications. To accommodate 8-digit BINS, all of these will need to be modified.
Because both six- and eight-digit BINS will be used after April 2022, businesses must update their systems to display only the correct number of digits for the BIN component of each card number (either six or eight digits). For example, showing the first eight digits of a card number with a six-digit BIN is a regulatory compliance breach because it exposes portions of account information.
What if We Can’t Make the 8-Digit BIN Changes by April 2022?
The consequences of not being able to support eight-digit BINS by April 2022 will most likely be harsh, with potential disruptions to your business operations. Here are some of the ways you may be affected if you cannot support 8-figure BINS by April 2022:
- API failures
- Misrouted payment transactions
- Inaccurate data queries
- Incorrect input validation logic
- Non-compliance with data security and privacy standards
What Should We Do to Stay Compliant?
If you haven't already begun working on 8-digit BINs, we recommend getting started right away. The first step is to figure out what resources you'll need to evaluate the consequences of 8-digit BINs in your business. If you haven't started yet, it may be best for you if you partner with an experienced firm that has deep experience and expertise in payments and security to help you identify and implement the needed changes.
Additional Resources
Here are some additional resources to help you better understand the 8-digit BIN change and its consequences for your company.
- ISO Article on 8-Digit BIN Changes
- Preparing for the Eight-Digit BIN
- MasterCard 8-Digit BIN Expansion Mandate and PCI DSS Impact
We Can Help
If you have questions about the 8-Digit BIN change or its security and compliance implications for your business, our team of payments and security specialists can help. Contact Us