Fintech moves fast, so it's important to stay ahead of industry changes. The transition from the traditional 6-digit Bank Identification Number (BIN) to the 8-digit system, which started in 2022, is one such significant change that impacts merchants. This is a detailed exploration of the BIN transition, who it impacts, and how you can adjust your payments strategy.
What are 8 Digit BINs?
The first several digits of every credit card number identify the issuing bank. This prefix is commonly referred to as the Bank Identification Number (BIN), and is also known generically as the Issuer Identification Number (IIN). As fintech services have proliferated, more issuers have come online. Historically the first 6 digits have been reserved for BINs, but the major card brands quickly realized that they would run out of possible combinations.
As a result, the major card brands decided that the first 8 digits should be used to represent BINs and would provide a wider range of combinations. However, a transition from 6 to 8 digits is going to be complex and take time.
Several years ago, the major card brands agreed that April 2022 would be the date from which all new BINs would be issued only with 8 digits. 8 digit BINs had been issued prior to April 2022, but there was no rule enforcing it; as a result, 6 digit BINs could also have been issued.
To be clear, April 2022 was not a hard deadline to move from 6 to 8 digit BINs; a vast majority of BINs in existence will remain 6 digits for the foreseeable future, but April 2022 represents a point where 8 digit BINs need to be taken more seriously.
What is the impact for merchants?
While 8 digit BINs have become more common after April 2022, transactions will remain the same for merchants. For example, because Spreedly distributes the full 16 digits to PSPs, gateways, and receivers, the distinction of 6 vs 8 digits does not matter with regard to Spreedly transmitting the data.
Merchants use BINs to learn about the issuing bank, such as its country and the card type (prepaid, gift, credit, etc). Spreedly has always offered the first 6 digits of credit cards for merchants to perform their own BIN analysis (this is in the API response as `first_six_digits`). The analysis has historically been the merchant's responsibility, meaning we supply the digits and then some merchants use a BIN Lookup Service to determine the issuer of a card.
The introduction of 8 digit BINs can complicate this process, since a BIN is no longer guaranteed to be only the first 6 digits of a PAN.
PCI rules have made it permissible for Spreedly to share more digits with the merchant. Spreedly offers a field on the `payment_method` called `issuer_identification_number` that will return the maximum allowable digits under PCI guidelines.
This will not replace `first_six_digits` as doing so could break merchants' applications that are relying on that element. This new element is now available. However, if a merchant has concerns, we can disable the element per environment until they are ready to consume the new field.
It is important to note that returning the maximum digits is not the same as determining if it’s 6 or 8. The card processing networks will still support both possible values. A vast majority of cards were still 6 digits in April 2022, but that will change over time as networks only issue 8 digits going forward.
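The lookup problem described above can be handled with a longest-prefix match. This is an added example, not Spreedly's code: the BIN table and issuer names are constructed, and the dictionary shape of `payment_method` is an assumption; only the field names `first_six_digits` and `issuer_identification_number` come from this article.

```python
# Constructed BIN table for illustration only; real data comes from a BIN
# lookup service. Keys are 6- or 8-digit issuer prefixes.
SAMPLE_BIN_TABLE = {
    "411111": {"issuer": "Example Bank A", "type": "credit"},
    "41111122": {"issuer": "Example Fintech B", "type": "prepaid"},
    "555555": {"issuer": "Example Bank C", "type": "debit"},
}


def resolve_bin(payment_method, table=SAMPLE_BIN_TABLE):
    """Longest-prefix BIN lookup over the digits the API response exposes.

    Prefers issuer_identification_number and falls back to first_six_digits,
    which covers environments where the newer element is disabled.
    """
    digits = (payment_method.get("issuer_identification_number")
              or payment_method.get("first_six_digits") or "")
    result = {"match": None, "record": None, "ambiguous": False}
    if not digits.isdigit() or len(digits) < 6:
        return result
    # With fewer than 8 digits we cannot tell a 6-digit BIN from an 8-digit
    # BIN issued under the same 6-digit prefix, so flag the answer.
    result["ambiguous"] = len(digits) < 8 and any(
        len(key) == 8 and key.startswith(digits[:6]) for key in table)
    for length in (8, 6):  # try the most specific prefix first
        prefix = digits[:length]
        if len(prefix) == length and prefix in table:
            result["match"], result["record"] = prefix, table[prefix]
            break
    return result
```

A result flagged `ambiguous` is one where fraud or routing rules keyed on issuer attributes may be acting on the wrong issuer, so treat it as lower confidence.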
Want to see how Spreedly’s API works? Check out our 8 digit BIN documentation.
What Are The PCI Implications?
The move to 8-digit BINs adds a new layer of complexity to PCI compliance. As the length of the BIN extends from the traditional 6 digits to 8, businesses must re-evaluate their data handling and storage practices to adhere to the Payment Card Industry Data Security Standard (PCI DSS). Specifically, they must ensure that truncation and masking methods align with the updated requirements. The PCI DSS emphasizes retaining only the essential digits of the PAN, based on specific business needs, to mitigate risks.
The most common case is a company system that previously masked a card number by showing only the last four digits while retaining the first six for identification purposes. Such businesses must review and potentially modify their systems to accommodate the longer BIN, ensuring that only the necessary digits are exposed or stored.
The overarching principle remains: Only the bare minimum of PAN digits, vital for business operations, should be retained. Any deviation or excessive retention exposes systems to threats, enabling malicious entities to potentially reconstruct the full PAN, especially when correlating data from varied data repositories.
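A truncation helper and a cross-store exposure check for the principle above, as an added example that is not Spreedly's code. The limits (at most 8 leading digits for PANs of 16 or more digits, 6 for shorter PANs, and the last 4) are an assumption to confirm against current PCI SSC truncation guidance; the PANs used in testing are well-known test numbers.

```python
def truncate_pan(pan, keep_first, keep_last=4):
    """Return the PAN with only the requested leading/trailing digits kept."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    # Assumed limits: up to 8 leading digits for PANs of 16+ digits,
    # up to 6 for shorter PANs, and never more than the last 4.
    max_first = 8 if len(digits) >= 16 else 6
    hidden = len(digits) - keep_first - keep_last
    if not 0 <= keep_first <= max_first or not 0 <= keep_last <= 4 or hidden <= 0:
        raise ValueError("requested digits exceed the assumed truncation limit")
    tail = digits[-keep_last:] if keep_last else ""
    return digits[:keep_first] + "*" * hidden + tail


def hidden_after_merge(masked_copies):
    """Count positions still masked when truncated copies of ONE PAN, held in
    different data stores, are overlaid. This is the effective exposure,
    regardless of what each store's own policy says."""
    length = len(masked_copies[0])
    if any(len(copy) != length for copy in masked_copies):
        raise ValueError("copies must describe the same PAN length")
    return sum(all(copy[i] == "*" for copy in masked_copies)
               for i in range(length))
```

Run `hidden_after_merge` over the formats used by every store that can hold the same card (receipts, logs, analytics) and compare the result with the number of digits the business need actually justifies.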
Are 8 Digit BINs the Same For Debit Cards?
The transition to 8-digit BINs is not exclusive to credit cards; debit cards have embraced the same change. Much like their credit counterparts, debit cards have expanded from the traditional 6-digit Bank Identification Number (BIN) to an 8-digit system. This modification has been implemented to accommodate the growing number of issuers and to ensure a wider range of unique identifiers, maintaining consistency across both credit and debit card platforms.
Because things move so fast in the payments space, merchants must remain agile, especially in the face of significant changes like the transition from 6-digit to 8-digit BINs. While the mechanics of transactions may remain consistent, the intricacies of BIN analysis and PCI compliance add layers of complexity to merchant operations. By understanding and embracing these shifts, merchants can ensure they are well-prepared for the future, optimizing both security and efficiency in their payment strategies.
Reach out to our payment orchestration experts today and ensure your business is primed for the 8-digit BIN transition.