8-Digit BINs
Effective April 2022, the payments ecosystem will begin supporting 8-digit BINs.
Background
Bank Identification Numbers (BINs) are used throughout the payments ecosystem to identify card networks, issuers and provide information for smooth payment transactions. As the payments ecosystem has expanded, the number of available BINs has rapidly dwindled.
In order to avoid an interruption in the payments flow and to meet industry growth, the International Organization of Standards (ISO) announced an expansion of the BIN length from 6 to 8 digits, which will take effect in April 2022. Personal Account Number (PAN) lengths remain unchanged by the updated ISO standard.
Impact
Many entities do not use BINs to support their business processes and will not need to make any changes to account for the migration to 8-digit BINs.
If you are using 6-digit BINs for one or more of the following activities, BIN expansion will likely impact your systems:
- Identification of prepaid cards, fleet cards, corporate cards, benefits cards, etc.
- Issuer identification
- Fraud and/or chargeback analytics
- Routing
- Cash-back qualification
- Optimization of approval rates or authorization analysis
8-Digit BINs and PCI Scope
Although 8-digit BINs will be introduced in April 2022, displaying and storing only the first 6-digits and last 4-digits remains the most effective way to protect the primary account number (PAN).
"Because each payment brand has different PAN/BIN lengths and different requirements, questions on payment brand truncation requirements, including how to determine whether a PAN has a 6- or 8-digit BIN, should be directed to the applicable acquirer or payment brand."
For more information, see the PCI Security Standards Council blog post - 8-digit BINs and PCI DSS: What You Need to Know
TokenEx Support for 8-Digit BINs
TokenEx recognizes there are instances when our clients will have a business need to display or store the first 8-digits of a PAN as a result of the move to 8-digit BINs. Consequently, we are providing two mechanisms for clients to retrieve the first 8-digits of a tokenized card number beginning in April 2022.
- The
GetBINAndLastFourfunction of the PCI Token Services API will support an optionaluseExtendedBINparameter that when set totruewill return the first 8-digits of the supplied token. - The PCI modes of the TokenEx iFrame will support an optional
useExtendedBINconfiguration parameter that when set totruewill return afirstEightname-value pair in response to the Tokenize event.
The functionality described above does not perform a BIN lookup.
For any PAN greater than 16-digits in length.
first 8-digits are returned for both 6- and 8-digit BINs. For 15byui-digit PANs,
setting the useExtendedBIN parameter to true will only return the first 6-digits.
For more information regarding the maximum number of PAN digits that can be stored while still remaining PCI compliant, see PCI Security Standards Council FAQ 1091 - What are acceptable formats for truncation of primary account numbers?
Network Tokens and BINs
When provisioning a network token for a PAN, details regarding the issuer as well as the card account are returned in a successful response, including the BIN.
{
{
"type": "TOKEN",
"value": "4014000000006820"
},
{
"type": "TOKEN_EXP",
"value": "2401"
}
"cardMetaData": {
"cardForegroundColor": "#0D2F4C",
"labelColor": "#E0DEDC",
"shortDescription": "USAA Visa Credit Card",
"issuerData": {
"issuerName": "USAA Savings Bank",
"issuerWebsite": "https://www.usaa.com",
"customerServiceTelephone": "1-800-531-8722"
},
...
"paymentInstrument": {
"panSuffix": "2560",
"cardScheme": "VISA",
"cardAlias": "VISA",
"bankIdentificationNumber": "489537"
},
}