Are You Ready for 8-Digit Credit Card BINs? Ready or Not, They’re Coming in April 2022.

The payments ecosystem is growing at a breakneck pace. As a result, the industry is running out of available Bank Identification Numbers (BINs), which identify the payment brand and financial institution issuing a credit or debit card and make up the first six digits of each card number[1]. To address this BIN shortage, the International Organization for Standardization (ISO) is expanding the length of BINs from six to eight digits.

ISO first announced the eight-digit BIN expansion in 2015, and it will become effective in April 2022, at which time all merchants and payment processors must be able to support the new BIN length. Financial institutions may begin issuing cards with the new eight-digit BINs at any time after April 2022.

Making the systems and process changes required to support eight-digit BINs can be a major effort for merchants and payment processors, and the consequences of not having support in place by April 2022 will be significant. If you haven’t launched a project to make this important change, we recommend you start now.

How Will 8-Digit BINs Change Credit Card Number Formats?

While ISO-compliant credit and debit card numbers can range from 8-19 digits, most are 16 digits. When the eight-digit BIN change takes effect, the length of most credit and debit card numbers will continue to be 16 digits. Two digits will be added to the sub-field allocated for BINs, and the sub-field used to identify the cardholder’s account will be reduced by two digits. The layouts of sub-fields before and after the change are summarized below.

The information contained in each sub-field can be summarized as follows:

  • Major Industry Identifier: Identifies the card brand or the type of business in which the organization that issued the card is involved. For example, card numbers beginning with “4” are Visa cards, and numbers beginning with “1” are issued by airlines.
  • Bank Identification Number (BIN) or Issuer Identification Number (IIN): Identifies the institution that issued the card (e.g., Wells Fargo, Bank of America, Toronto-Dominion Bank). This institution is also known as the card issuer.
  • Account Identifier/Number: A number identifying the individual cardholder’s account.
  • Validator Digit: Also known as Check Digit. A number, based on the Luhn algorithm, that is used to check the validity of the card number. The validator digit can be positioned in any of the last four positions of the card number, but is typically in the last position.

How Will Merchant and Processor Systems Need To Change To Handle 8-Digit BINS?

Identifying the card issuer and the cardholder without requiring the whole card number is important for running business processes such as payment transaction routing, chargebacks, refunds, and fraud detection while minimizing the risk of card data breach. These processes and supporting systems will need to be updated to recognize and act on eight-digit BINs. This may include updates to:

  • Point of Sale (POS) hardware and software
  • BIN tables and associated processing logic
  • Payment application logic (e.g., transaction routing, chargebacks, refunds, fraud management)
  • Merchant loyalty and discount programs
  • PIN bypass logic for mag-stripe transactions
  • Reporting systems

Because both six- and eight-digit BINS will exist after April 2022, merchant and processor systems will need to be able to handle both BIN lengths.

Third-party services and applications such as legacy POS systems and applications must also be reviewed to ensure they can support eight-digit BINs.

What Are the Security Implications of 8-Digit BINs?

Payment brands such as Visa and MasterCard worked with the Payment Card Industry Security Standards Council (PCI SSC) to develop the PCI Data Security Standard (PCI DSS). Among other things, this standard enables businesses to perform important payment processes (e.g., authorization, authentication, fraud management, chargebacks, refunds) while maintaining the privacy and security of card numbers.

PCI DSS allows the first six and last four digits of a card number to be displayed on a receipt, stored without encryption, or used for transaction routing purposes. This approach to protecting cardholder data has been widely adopted in the payments industry and is an integral part of many payment processes, audit standards, and software applications. These will all need to be updated to accommodate 8-digit BINS.

Because both six- and eight-digit BINS will be in use after April 2022, organizations will need to update their systems to display only the appropriate number of digits for the BIN portion of each card number (either six or eight digits). For example, displaying the first eight digits of a card number containing a six-digit BIN is a violation of regulatory compliance because it exposes components of account information.

Security Tools and Solutions

Security tools and solutions that rely on detecting sensitive information (e.g., Data Loss Prevention (DLP) and Data Discovery tools) may require algorithm updates to continue operating effectively.

What Happens if We Can’t Make the 8-Digit BIN Changes by April 2022?

The consequences of not being able to support eight-digit BINS by April 2022 will likely be substantial and may cause significant disruptions in your business operations. Here are some of the ways you could be impacted:

  • API failures
  • Misrouted payment transactions
  • Inaccurate data queries
  • Incorrect input validation logic
  • Non-compliance with data security and privacy standards

How Do We Start?

If you have not already launched an effort to support 8-digit BINS, we suggest starting right away. The first step is to identify the resources you’ll need to assess the impacts of 8-digit BINs on your organization. If you have not started yet, it may be prudent to partner with an experienced firm that has deep experience with payments and security to help you identify and implement the needed changes before April 2022.

Once you’ve identified resources, we suggest starting with a thorough impact assessment and architecture review to identify the changes you’ll need to make. Next, we recommend developing a project plan for implementing the changes, assigning a project manager and appropriate subject matter experts, and launching the project.

Additional Resources

Here are additional resources that can help you gain a deeper understanding of the 8-digit BIN change and implications for your business.

We Can Help

If you have questions about the 8-Digit BIN change or its security and compliance implications for your business, Tevora’s team of payments and security specialists can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com.

[1] Known in the payments industry as a Primary Account Number (PAN).

About the Authors

Jason Pieters is the Managing Director of Payments at Tevora.

Bill Nguyen is an Information Security Consultant at Tevora.