There is a lot of information going around about an eight-digit BIN mandate, and we wanted to give some clarity on what a BIN is, why it is important, how it relates to PCI DSS compliance, and why a shift to an eight-digit BIN is happening.
What is a BIN?
A bank identification number (BIN) is a term used to reference the first set of numbers that appear on payments cards. This is generally four to six numbers and is used to identify the institution that issues the card, among other things. BINs are key in the process of matching transactions to the issuer of the charge card.
Why are BINs important?
BIN ranges are crucial for the payment process because they not only allow merchants to accept multiple forms of payments quickly, but they also help merchants assess their card transactions. This provides value because it allows for in-depth cost analysis to take place and enables merchants to perform real-time analytics with their BIN ranges to identify theft or fraud, as well as origination. Merchants can determine other crucial information from the BIN range of a payment card as well, such as their card mix which can help in understanding the cost impact of interchange based on the types of cards they accept.
What does a BIN range have to do with PCI DSS compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is an industry requirement for securing cardholder data around the world. A category of the PCI DSS requires organizations to protect cardholder data. This includes the primary account number (PAN). To maintain compliance with the PCI DSS, organizations are only allowed to utilize the first six and last four digits of a PAN, which would include the BIN. A shift from six-digit BINs to eight-digit BINs has predictably generated questions regarding scope implications with PCI DSS.
If BINs are necessary for the payment process and other critical business operations, how does the shift to eight-digit BINs affect merchants when the PCI DSS only allows the first six and last four digits of a PAN to be revealed? The short answer is that it makes merchants choose between being compliant with the PCI DSS or having access to the full eight-digit BIN range for business operations. Due to the International Organization of Standards (ISO) expansion of BIN ranges, merchants are placed in an uncomfortable position unless the PCI DSS decides to accommodate the use of the first eight digits of the PAN.
The reason it isn’t as simple for the PCI DSS to allow eight-digit BINs as opposed to six-digit BINs is because the length of the PAN is not changing. So, the masked portion of a PAN (the number between the first six and last four) becomes a lot less secure as you are losing two digits of masking that would provide protection for the PAN in order to accommodate an eight-digit BIN range as opposed to the original six-digit BIN.
Why is there a push to change to eight-digit BINs if it causes friction with the PCI DSS?
The primary reason for the shift to 8-digit bins is due to an insufficient number of BINs available with only a six-digit range. Simply put, we are running out of six-digit numbers with which to continue providing BINs. To ensure a sufficient supply of BINs for future product innovation, card brands are looking to evolve to an eight-digit format for all future BINs. Visa and Mastercard have already begun the transition, and Visa is requiring newly issued BINs be eight digits after April of 2022, though the use of current six-digit BINs will still be supported after this deadline.
What does TokenEx offer?
This scenario is particularly unique for merchants because the ISO and the PCI DSS currently conflict with each other. Whether you pick to utilize all the data from the new eight-digit BIN ranges or decide to remain out of scope until the PCI DSS catches up to the new eight-digit BIN mandate, TokenEx has you covered with whatever path you deem to be the most beneficial to your organization.
Also, because TokenEx built our platform as a tokenization solution from the ground up, we have maximum flexibility with our token schemes, which allows us to pivot more quickly and efficiently than other third-party security solutions or payment processors can to accommodate any shift with BIN ranges or future updates to the PCI DSS.