info@3dsecurempi.com
+44.(0).870.490.8278

Visa & Mastercard Mandate: Impacts of the 8-Digit BINs Extension

Posted On: Monday, February 28th, 2022

Important changes to BIN codes, the lynch pin of credit card payments.

Article reproduced with the kind permission of Charles Mon. Originally published under https://charlieccmon.medium.com/

Introduction — BIN

Bank Identification Number (BIN), also knowns as Issuer Identification Number (IIN), is the number (generally six digits) that the payment industry uses to identify an issuing bank.

The BIN is assigned to issuers by each card scheme. For example, if the bank wants to participate in the Visa network, Visa would give a six-digit BIN to the bank. Similarly, the Mastercard would assign a unique BIN to the issuer if it plans to issue credit cards in the network. Then, the bank would issues cards to cardholders using the BIN as the first six digits of the Primary Account Number (PAN).

Fun Fact: You can use the online tool offered by BIN Codes to identify the issuer behind a specific BIN. Try it out with the first 6-digit of your card!

The BIN is vital to correctly route a transaction from the merchant to the issuing bank. Often, merchants, PSP, acquirers would also use BIN info to evaluate payment risk or to decide which specific channel to route a transaction that may provide a better approval rate.

Eight-Digit BIN Mandate

With the bank industry growth and increasing demands of BIN, it leads to the need to extend the BINs from six to eight digits. The emerging payment technologies that use tokenization have also impacted BIN demand, as tokenization requires multiple PANs for a single account.

In 2017, the International Organization for Standardization (ISO) published a new 8-digit IIN standard (ISO/IEC 7812–1, Identification cards — Identification of issuers — Part 1: Numbering system). This new standard will ensure an adequate global supply of BINs for the card payments industry.

With the new ISO standard, Visa and Mastercard mandated its payment network to support eight-digit BINs starting from April 2022.

Visa Mandate: Effective with the April 2022 VisaNet Business Enhancements release, Visa will only assign 8-digit issuing BINs for new requests; 6-digit BINs will no longer be assigned. All acquirers and processors must be ready to support the new 8-digit BIN standard adopted by the International Organization for Standardization.

Mastercard Mandate: Mastercard will adopt the ISO 8-digit BIN standard and will begin assigning 8-digit BINs to issuers by request, effective April 2022. To help ensure ecosystem readiness, Mastercard is mandating that all acquirers and their third party processors (TPPs) be able to support 11-digit account ranges and the 8-digit BIN standard by April 2022. Acquirers are responsible for ensuring that their merchants, payment facilitators, payment gateways, third party vendors, and all other service providers be able to support account range processing and the 8-digit BIN standard by April 2022.

Impacts: Primary Account Number (PAN)

While ISO-compliant credit and debit card numbers can range from 8–19 digits, most credit and debit cards are issued with a sixteen-digit number. This sixteen-digit number is knowns as the primary account number (PAN), the number that identifies the cardholder and his account.

Fortunately, the length of the PANs will continue to be sixteen-digit after the mandate takes effect. Given that the PAN length remains, issuers do not have to reissue existing cards in the market.

However, the sub-field used to identify the cardholder’s account for all new eight-digit BIN cards will be reduced by two digits. These two digits will be added to the BIN’s sub-field, hence extending the BIN to eight-digit.

Each sub-field is defined as follows:

  • Major Industry Identifier (MII): The first digit of the INN identifies the major industry of the issuer, ranging from 0 to 9. For example, the PAN with numbers beginning with “1” are issued by airlines, “4” allocated for the Visa network, and “5” for the Mastercard network. See the full list of MII.
  • Bank Identification Number (BIN): Identifies the institution that issued the card. This institution is also known as the card issuer. For example, 407110 is a Visa BIN assigned to Wells Fargo Bank.
  • Account Number: A number identifying the individual cardholder’s account.
  • Validator Digit: Also known as Check Digit. A number based on the Luhn algorithm, that is used to check the validity of the card number. The validator digit can be positioned in any of the last four positions of the card number but is typically in the last position.

Impacts: Mastercard Account Ranges

In 2017, Mastercard introduced account ranges to help issuers maximize the efficient use of a BIN. Account ranges is used as a segmentation tool to support different markets, product codes, and other parameters. Account range is the first eleven digits of a PAN, including the six-digit BIN.

While ISO extends the BIN to eight-digit, the account ranges will remain eleven digits. The consistent account range length allows the seamless transition from a six-digit to an eight-digit BIN. However, this will reduce the usable range from five digits to only three.

Assigned BINs can be split into multiple products using account ranges. Product families may be differentiated by each region — guided by local rules, regulations, and regional practices.

Within a given BIN, issuers can use the account ranges to define:

  • Different product codes within a product family (represented by each region) within Mastercard
  • Different countries of issuance (where central issuing is allowed) within Mastercard
  • Different rewards and loyalty offerings

Impacts: Existing Six-Digit BINs

Starting April 2022, the existing six-digit BINs will be regarded as eight-digit BINs. It means that each six-digit BIN will become 100 of eight-digit BINs on paper, as shown in the diagram below:

Following this ISO update, issuers may expand their current six-digit BINs and use the new eight-digit BINs to manage their business portfolio. They can begin issuing cards with the eight-digit BINs at any time after April 2022.

Since the ISO change does not require the removal of six-digit BINs from the system, merchants, acquirers, and processors must continue to support both six-digit and eight-digit BINs.

Visa: The six-digit BINs would be considered legacy starting from Apr 2022, issuers have the option to expand any or all of their current six-digit issuing BINs to eight digits. Although Visa highly encourages issuers to migrate all current issuing BINs to the eight-digit ISO as soon as possible, issuers will have the discretion to set their own timeline for the expansion.

Mastercard: Issuers may continue to manage their portfolios using their current data structure. However, be aware that six-digit BINs will become 100 eight-digit BINs starting in April 2022.

Impacts: BIN Databases

As explained earlier, the legacy six-digit BINs will be regarded as eight-digit BINs, each extended by 00–99. The extension technically takes place on paper, and the ISO change does not require the removal of six-digit BINs from the system. Thus, issuers may continue to manage their portfolio using their six-digit BINs. If an issuer remains using the legacy BIN, they would still be identified by the six-digit BIN.

However, if an issuer chooses to expand its BIN and use the eight-digit BINs to manage its various business portfolios, then the BIN would be considered split into sub-BIN ranges. In this case, the legacy BIN in the database would be replaced by the utilized eight-digit BINs.

Impacts: PCI DSS Compliance

The following PCI Data Security Standard (PCI DSS) requirements dictate the display and storage of PANs:

Requirement 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.

Requirement 3.4: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

  • One-way hashes based on strong cryptography (hash must be of the entire PAN).
  • Truncation (hashing cannot be used to replace the truncated segment of PAN).
  • Index tokens and pads (pads must be securely stored).
  • Strong cryptography with associated key-management processes and procedures.

Display of PANs

The masking approach should always ensure that only the minimum number of digits is displayed as necessary to perform a specific business function. For example, if only the last four digits are needed to carry out a business function, mask the PAN so that individuals performing that function can view only the last four digits. While the intent of Requirement 3.3 is to display no more than the “first six and last four digits” of a PAN, an entity will be permitted to display more digits if needed but only with a documented business justification.

Storage of PANs

The maximum digits of a PAN that can be stored using truncation are “first six and any other four.” The acceptable truncation format has not changed as a result of the eight-digit BIN expansion mandate. Given the increased risk of reconstruction of full PAN that is present when decreasing the number of digits removed when storing the PAN, if an entity needs to store more than “first six and any other four,” then truncation cannot be used to meet Requirement 3.4. One of the other three approaches (such as encryption, hashing or tokenization) would need to be applied to render the PAN unreadable anywhere it is stored.

Visa recommends that merchants consult with a PCI QSA who has been trained on PCI DSS requirements. QSA are better positioned to consult merchants based on their existing controls and provide appropriate recommendations to achieve compliant implementations. This is especially important if the merchant is unfamiliar with approved technology techniques.

Impacts: Acquiring BINs

Similar to issuing BIN, the acquiring BIN is a unique identifier assigned to an acquiring bank. It identifies an acquirer during the payment process, such as authentication, authorization, clearing, and settlement. The acquirer BINs are currently issued from the ISO BINs, the same pool of BINs used for issuers.

Starting from April 2022, the card schemes will no longer support acquiring using the ISO BINs. The card schemes will reclassify and rename the numerics Acquiring Identifiers. Thus, the ISO update would not impact the existing BINs assigned to acquirers.

Also, splitting acquiring out of the ISO BINs will free up all the BINs that were previously assigned to acquirers, and each of those BINs will then be multiplied by a hundred. Meaning, there are going to be more BINs available in the payment industry.

Visa: Visa will no longer use ISO BINs to support acquiring. As a result, all numerics used for acquiring will remain at six digits. Visa will rename these numerics Acquiring Identifiers to avoid confusion with ISO issuing BINs.

Mastercard: The Acquirer BIN will be relabeled as the Acquirer Reference ID effective April 2022. The field information in clearing will not change, but the Acquirer Reference ID will no longer be considered as a Mastercard ISO BIN. Instead, Acquirer Reference IDs will remain as 6-digit numeric identifiers.

Full support for major card brands and banks

Making eCommerce Safe

Be in the know

Industry news, events and major releases.

Let’s meet at Money2020
Posted on: Friday 31st May, 2024

Let's talk payments in Amsterdam!

See you at Seamless Middle East 2024, Dubai World Trade Centre
Posted on: Thursday 9th May, 2024

Endeavour 3DSecure - Authentication done right!

Meet us at MRC in Barcelona
Posted on: Wednesday 17th April, 2024

Endeavour 3DSecure and Tokenization, your trusted companion in payments.

Here to help

Questions? We've got answers.

Kindly note that we do not support cardholders wanting to activate 3D Secure on their card. Please contact your bank directly using the phone number provided on the back of your card.