Preparing for the Era of the 8-Digit BIN
When there are too many financial institutions that want to issue credit cards, the unthinkable happens: you start running out of numbers. To be more specific, Bank Identification Numbers (BINs) are in short supply. These numbers are a required element of credit card account numbers, and increasing demand has caused the available pool of six-digit BINs to dwindle.
The industry’s solution is to add two digits to the minimum required BIN length. While this change mostly affects issuers, it has implications for every stakeholder in the payments ecosystem that handles card numbers. How will merchants be affected when the minimum BIN length expands from six to eight digits?
Children of the 90s (and their parents) will remember the YK2 Bug, a hypothesized crisis that was expected to paralyze computer systems, shut down networks, and bring all sorts of infrastructure to a crashing halt when the calendar rolled over from 1999 to 2000 and software that had been encoded with two-digit year fields would encounter a number they had not been programmed to accommodate.
In the end, there was no crisis—partly because lots of analysts and programmers diligently updated their systems in time. Now, something similar is happening in the payments industry. While eight-digit BINs have been supported for some time, in April 2022 they are going to become the standard. Per the new guidelines from the International Standards Organization (ISO), all BINs issued by Visa and Mastercard after that date will conform to the new length requirement.
For issuers who are stuck upgrading legacy systems that have been happily chugging away with six-digit BINs for decades, that date is not far away at all. While banks are scrambling to make the necessary fixes in time, merchants may be under the assumption that this change doesn’t require any particular action on their part.
That may be the case for some, but any merchant who stores customer account numbers must know that the regulations protecting that data have gotten stricter in recent years, and any change to the composition of card numbers must be evaluated in that light.
What Is a BIN?
A BIN is a number that identifies the card brand and issuing bank of a payment card. BINs are also known as Issuer Identification Numbers, which is actually the more correct term—acquirers use a different numbering scheme.
The BIN itself is made up of smaller sub-numbers: the first digit is the Major Industry Identifier, which specifies both the card brand and the type of industry the issuer is servicing. The rest of it is used to identify the issuing bank.
Tens of thousands of issuers can be accommodated by a six-digit BIN, but that’s still a finite number in a global economy with billions of credit cards in use.
The ISO started taking steps to address the problem years ago, when it first became apparent that BINs were going to run out, by revising the ISO/IEC 7812-1 standard to call for eight-digit BINs. Some banks are already using them. The standard does not call for existing six-digit BINs to be phased out, so they are likely to exist alongside the longer versions for the foreseeable future.
What Will Happen When the 8-Digit BIN Takes Effect?
April 2022 was chosen by Visa and Mastercard as the deadline for their issuers, acquirers, and processors to get in full compliance with the new ISO standard. The main requirement is that all of the systems and processes used by these organizations must be able to handle the longer BINs.
Visa will begin exclusively issuing eight-digit BINs after April 2020, while Mastercard intends to continue issuing both lengths for now. The card networks are also encouraging their issuers to migrate their existing shorter BINs to eight-digit versions, but this has not yet been mandated.
While the BINs are getting longer, the primary account numbers (PAN) displayed on payment cards will stay at sixteen digits. For now, American Express, Discover, and other networks have not yet announced when they will switch over to eight-digit BINs.
How Are Merchants Impacted by the Switch to 8-Digit BINs?
Most of the work involved in preparing for eight-digit BINs will fall on acquirers, payment processors, and other industry partners, not merchants themselves. However, merchants who store their customers’ PANs should take the time to ensure that they won’t fall out of compliance with any data protection regulations once the changes take effect.
These potential concerns mostly apply to merchants who use truncation as their way of complying with the regulations. The primary danger is that inconsistent truncation could enable cybercriminals to deduce PANs if they have access to multiple truncated versions. Fortunately, the PCI Security Standards Council has issued guidelines for how eight-digit BINs can be safely stored in compliance with PCI DSS requirements.
The alternative is to use encryption, tokenization, or some other compliant method of protection instead of truncation.
This is true whether the BIN is six or eight digits long, but it’s also worth noting that if you haven’t been tracking issuer BINs as part of your chargeback analytics before, now is a good time to start. It can be extremely useful to know if particular issuers are experiencing higher levels of fraud or accepting illegitimate dispute scenarios as chargebacks.
Lastly, merchants should keep an eye out for a spike in BIN fraud. These attacks involve appending randomly-generated numbers to a known BIN in an attempt to generate a valid account number.
The dream of starting a retail empire doesn’t often include anything about following payments industry news and reading up on Visa and Mastercard rule changes, but it’s important for merchants to understand how the card networks are frequently changing the rules that govern their transactions and other payment-related practices.
The expansion of the BIN is a big deal in the payments industry overall, but most of the action will be taking place outside of the merchant domain. As long as merchants are careful to follow data protection regulations, the transition should be a painless one.
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions, or requests for advice to: firstname.lastname@example.org