If you handle payments online, you know the importance of securing cardholder data, especially payment card information. What you may not know is the meaning of the numbers on your credit card, or your customer's credit card. This article will explain the first four to six numbers on a payment card, also known as the BIN (Bank Identification Number), and how to safeguard against potential BIN fraud.
What is a BIN Number?
A BIN, or Bank Identification Number, is the first 4-6 digits of a payment card number, which identify the card issuer. The first digit is the major industry identifier, and the remaining digits identify the financial institution that issued the card. These numbers make it easy to trace cards, and transactions, back to their issuer. BINs can be found on cards like charge cards, gift cards, credit cards, and debit cards.
The Bank Identification Number (BIN) can help identify cases of fraud, like stolen cards or identity theft. BINs can identify the type of card being used, the location of the card issuer, and which bank issued the card. This information can be compared to cardholder data to identify fraudulent charges.
Bank Identification Numbers (BINs) are sometimes also referred to as Issuer Identification Numbers (IINs) since cards can be issued by institutions other than banks.
How BINs Work
The BIN system is a global identification system created by the American National Standards Institute (ANSI) and the International Organization for Standardization (ISO).
The BIN will identify the issuer that authorization requests will be sent to when a card is swiped or manually entered. When a consumer makes a purchase, the issuing bank will receive a request for authorization to confirm both the account’s legitimacy and its ability to supply the funds being charged. If everything is in order, the purchase will be approved. If not, it will be declined by the issuing institution.
How to Find Bank Identification Numbers
The Bank Identification Number will be the first four to six digits of a cardholder number. It will identify both the major industry the card is primarily used with and the issuer of that card.
The first number on the card is the MII (Major Industry Identifier), which differentiates banking cards from other cards. Most cards you encounter in your day-to-day life will be cards starting with a 3, 4, 5, or 6. These are the numbers set aside to be used primarily for banking or other financial industries.
There are, of course, other kinds of cards. Cards starting with 1 or 2 are used primarily within the airline industry. Cards starting with 7 are used in the petroleum industry. Cards starting with 8 are used for the healthcare or telecommunications industries. Finally, cards starting with 9 or 0 are set aside for assignment by the ISO (International Organization for Standardization) or other national standards bodies.
Once the major industry is identified, it should be easy to determine the issuer of a card, especially if it is a major issuer. Visa’s IIN range covers every BIN that starts with 4. American Express’s IIN range covers BINs that start with 34 and 37. Mastercard’s IIN range covers BINs that start with 2221-2720 as well as 51-55. Discover Card’s IIN range covers all BINs that start with 6011, 622126-622925, 624000-626999, 628200-628899, 64, or 65.
Because of how BINs work, there is a finite number of 4-6-digit BINs. As issuers are running out of possible configurations, they are starting to create 8-digit BINs. This wouldn’t change the length of the PAN (Primary Account Number); it would change the number of remaining digits used to identify specific accounts.
Major brands, including Visa and Mastercard, are already beginning to transition to 8-digit BINs, with all Visa BINs assigned after April 2022 to consist of 8 digits. Relevant PCI compliance standards, however, have not changed to accommodate this shift. Under current compliance standards, PCI DSS only allows the first six and last four digits of a PAN to be revealed. 8-digit BINs could potentially cause businesses to lose access to BINs for business operations.
How to Protect BINs Against Fraud
BIN attack fraud happens when a hacker uses a known BIN and then randomly generates the remaining digits. For example, a hacker may take a BIN in Mastercard’s IIN range, like 2221, and then generate the remaining 12 digits to create thousands of potential card numbers. They’ll then test these randomly generated numbers online to try to find an actual card number. However, knowing how BINs work can help you spot potential BIN attacks.
Keep a lookout for multiple small transactions, especially in volumes that are unusual for your business, as this may be a fraudster testing cards. Additionally, look for multiple declines in a similar timeframe. This could be evidence of a fraudster using your site to test card numbers. An unusually large quantity of transactions can also be a clue that card numbers generated in a BIN attack are being spammed, especially when they occur over a short period of time.
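An added example, not part of the original article: a sliding-window check over authorization events that flags a BIN when many distinct card numbers sharing it are declined within a short period, as described above. The thresholds, the event tuple layout and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them to your own normal traffic.
WINDOW = timedelta(minutes=5)   # the "similar timeframe"
MIN_DECLINES = 5                # declines on one BIN inside the window
MIN_CARDS = 5                   # distinct card numbers behind those attempts
SMALL_AMOUNT = 2.00             # ceiling for a "small" test charge

def detect_bin_testing(events):
    """Return alerts as (time, bin, declines, distinct_cards, small_charges).
    events: time-ordered (iso_time, masked_pan, amount, approved) tuples.
    masked_pan keeps only the first six and last four digits.
    """
    windows = defaultdict(deque)    # BIN -> events still inside WINDOW
    active, alerts = set(), []
    for iso_time, masked_pan, amount, approved in events:
        ts = datetime.fromisoformat(iso_time)
        bin6 = masked_pan[:6]
        win = windows[bin6]
        win.append((ts, masked_pan, amount, approved))
        while ts - win[0][0] > WINDOW:      # expire old events
            win.popleft()
        declines = sum(1 for e in win if not e[3])
        cards = len({e[1] for e in win})
        small = sum(1 for e in win if e[2] <= SMALL_AMOUNT)
        if declines >= MIN_DECLINES and cards >= MIN_CARDS:
            if bin6 not in active:          # alert once per burst
                active.add(bin6)
                alerts.append((iso_time, bin6, declines, cards, small))
        else:
            active.discard(bin6)
    return alerts

def sample_events():
    """Constructed sample: two ordinary payments, then a burst on one BIN."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    events = [
        (base.isoformat(), "411111******1111", 54.20, True),
        ((base + timedelta(seconds=30)).isoformat(), "411111******2222", 18.75, False),
    ]
    for i in range(7):                      # 6 declines, then one approval
        t = base + timedelta(seconds=60 + 5 * i)
        events.append((t.isoformat(), f"222100******{1000 + i}", 1.00, i == 6))
    return events

if __name__ == "__main__":
    for alert in detect_bin_testing(sample_events()):
        print(alert)
```

In production, count distinct cards with a token or keyed hash of the PAN rather than the masked form, since two cards can share the same first six and last four digits.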
If you’re looking to secure payment card information, TokenEx has flexible token schemes that can retain important data, while securely storing the rest. Tokens allow parts of the payment card data, like the first or last 4 digits, to remain readable while removing the sensitive data that could be exposed in a hack or data breach. If you need to retain payment card data for internal use, consider reaching out to our team to learn more about tokenization.