The PCI SSC and payment brands recently signed an agreement about how to manage the new 8-Digit BIN (which will become effective in April 2022) in terms of visualizing and truncating PAN. In this article, we summarize the implications of this change in PCI DSS compliance as well as other important considerations.

History
To optimize service management for bank customers, each entity assigned its customers a number through which they could access their account information (income, expenses, interest, etc.). This number was the main identifier of the contract and represented it for any transaction. However, each bank assigns its unique number, so a user with multiple accounts in different banks would have multiple identification numbers.

Due to the need to establish a common means of payment in stores and the appearance and subsequent massification of credit and debit cards as payment methods at a local and international level, it was necessary to allow the flow of banking information between the different entities involved to make the place of payment independent of the type of card used.

With this concept in mind, banks began to look for partners in different geographic locations that would accept payments with their cards, allowing the mobility of their customers. The idea of "associates" began to bear fruit and among the affiliated banks they opted to manage a shared account number among themselves so that a customer of their services could make use of that number in any of the affiliated banks without any problems.

As a result, organizations such as VISA, MasterCard, American Express, JCB, and Discover (among others) emerged, allowing interbank transactions among their members, usually using payment cards. This interbank account number was called PAN (Primary Account Number) and is printed and/or embossed on payment card plastics.

According to the ISO/IEC 7812 standard "Identification cards - Identification of issuers", the digits of the Primary Account Number (PAN) are schematized as follows:

Major Industry Identifier (MII)
This is the first digit of the PAN and identifies the type of system with which the card is associated:

0: ISO/TC 68 and others
1: Airlines
2: Airlines and others
3: Travel, Entertainment, and Finance (American Express, JCB, and Diners Club)
4: Banking and Finance (VISA)
5: Banking & Finance (MasterCard)
6: Marketing and banking/finance (Discover)
7: Oil companies and others
8: Health, telecommunications, and others
9: Future allocations

Issuer Identifier Number (IIN) or Bank Identification Number (BIN):
It is composed of the first six digits of the card (including the MII). It identifies the card-issuing bank so that interbank transactions can be routed to it. The register is currently managed by the American National Standards Institute (ANSI). A list of IIN/BIN can be found here

Individual Account Identification (IAI): this number is composed of the digits from the seventh to the penultimate digit and identifies the account number associated with the cardholder.

Check Digit: this is the last digit of the card and is calculated using the Luhn algorithm.

The length of the PAN often depends on the card brand that manages it and the issuing area:

  • Visa and Visa Electron: 13 or 16 digits
  • Mastercard: 16 digits
  • Discover: 16 digits
  • American Express: 15 digits
  • Diner's Club: 14 digits
  • Maestro: 12 to 19 digits (for international debit cards)
  • JCB: 15 or 16 digits (for Japan)
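As an added example (not code from the original article), the following Python splits a PAN into the ISO/IEC 7812 fields just described and verifies the check digit with the Luhn algorithm. The 16-digit sample number is a constructed Visa-range test value, and the MII names follow the list above.

```python
"""Split a PAN into MII, BIN/IIN, individual account identifier and check digit,
and validate the check digit with the Luhn algorithm (added example)."""

# Major Industry Identifier names, as listed in the article.
MII_NAMES = {
    "0": "ISO/TC 68 and others",
    "1": "Airlines",
    "2": "Airlines and others",
    "3": "Travel, Entertainment, and Finance (American Express, JCB, and Diners Club)",
    "4": "Banking and Finance (VISA)",
    "5": "Banking & Finance (MasterCard)",
    "6": "Marketing and banking/finance (Discover)",
    "7": "Oil companies and others",
    "8": "Health, telecommunications, and others",
    "9": "Future allocations",
}


def luhn_valid(pan: str) -> bool:
    """Luhn check: starting from the check digit, double every second digit,
    subtract 9 from any result above 9, and require the sum to be 0 mod 10."""
    if not pan.isdigit() or not 8 <= len(pan) <= 19:   # PAN is 8 to 19 digits
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit counting from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def split_pan(pan: str, bin_len: int = 6) -> dict:
    """Return the PAN fields; bin_len is 6 (current) or 8 (post-April-2022)."""
    if bin_len not in (6, 8):
        raise ValueError("BIN/IIN length must be 6 or 8")
    if not luhn_valid(pan):
        raise ValueError("PAN failed the Luhn check or has an invalid length")
    return {
        "mii": pan[0],
        "industry": MII_NAMES[pan[0]],
        "bin": pan[:bin_len],          # IIN/BIN, including the MII
        "iai": pan[bin_len:-1],        # seventh (or ninth) to penultimate digit
        "check_digit": pan[-1],
    }


if __name__ == "__main__":
    # Constructed sample: a Luhn-valid 16-digit number in the Visa range.
    print(split_pan("4263982640269299", bin_len=8))
```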

Exhaustion of BIN ranges

As indicated above, the structure of the first six digits of the PAN (called "Issuer Identification Number (IIN) or Bank Identification Number (BIN)") is defined in the ISO/IEC 7812-1 standard, "Identification cards - Identification of issuers - Part 1: Numbering system". This numerical structure allows each card issuer to be assigned a range of digits that will allow it to identify the cards issued under its responsibility. The process of this assignment is described in the ISO/IEC 7812-2:2015 standard, "Identification cards - Identification of issuers - Part 2: Application and registration procedures".

However, these ranges are running out, so the International Organization for Standardization (ISO) - the entity in charge of managing this standard - has planned a series of changes. To this end:

  • It has begun assigning 8-digit BIN/IIN blocks to card issuers to expand the initial 6-digit range.
  • The PAN length (which can be from 8 to 19 digits) will remain the same.

What is the BIN/IIN used for?
The BIN/IIN of a PAN is used to route a transaction from the acquirer to the corresponding issuing bank for authorization.

Each payment card has a Primary Account Number (PAN) assigned to it, which explicitly identifies its issuing bank using the BIN (6 or 8 digits). In a normal payment transaction the following steps occur:

  • When the cardholder makes a transaction (face-to-face at an ATM or payment terminal, or online via e-commerce), the acquirer captures the card data.
  • To authorize the transaction, it is necessary to validate whether the account has funds or credit available. To do so, it is essential to contact the issuer (the cardholder's bank that issued the card).
  • The first 6 or 8 digits of the PAN (the BIN) are extracted, looked up in a database of BINs, and the issuer is identified.
  • The issuer receives the transaction data and returns the response (authorized or not).

In this sense, the BIN database works similarly to a domain name resolution system (DNS): it takes numerical data from the PAN and converts it into issuing bank information so that the transaction can be routed and authorized. Because the current six (6) digit BIN ranges are running out, issuer identification will now be done with the first eight (8) digits of the PAN.

How does this change affect the visualization of PAN when it is displayed?
Based on the criteria of the payment brands, displaying the BIN and the last four digits of the PAN will be allowed, regardless of the length of the BIN (6 or 8 digits). The remaining digits must be masked out.

In this way, a generic PAN (16 digits) with a 6-digit BIN is protected in the following way for display (masking or "asterisking") on screens, paper receipts, printouts, etc.:

454881******0004

Similarly, a generic PAN (16 digits) with an 8-digit BIN would have to be protected as follows:

45488133****0004

Any role that requires additional digits to be displayed will require a business justification. 

How does this change affect the truncation of the PAN when it is stored?

On the other hand, one of the valid options allowed by the PCI DSS v3.2.1 standard to securely store the card's PAN is through truncation:

Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

  • One-way hashes based on strong cryptography, (hash must be of the entire PAN)
  • Truncation (hashing cannot be used to replace the truncated segment of PAN)
  • Index tokens and pads (pads must be securely stored)
  • Strong cryptography with associated key-management processes and procedures

Truncation is the permanent removal of a group of digits (segment) from the PAN before it is stored, processed and/or transmitted.

Unlike the display, the change of BIN/IIN from six (6) digits to eight (8) does affect this requirement, because each of the payment brands has different criteria on this point. To proceed, it is important to note the following:

  • If there is no business or technical restriction, the truncation should continue to be performed as before (keeping only the first six (6) and last four (4) digits of the card and permanently removing the intermediate digits).
  • In case more digits are needed, please consult this table that describes the brand policies in this regard:
PAN / BIN Length | Payment Brand | Acceptable Brand Truncation Formats
16-digit PAN (with either 6 or 8 digit BIN) | Discover, JCB, Mastercard, UnionPay, Visa | At least 4 digits removed. Maximum digits which may be retained: "First 8, any other 4"
15-digit PAN | American Express | At least 5 digits removed. Maximum digits which may be retained: "First 6, any other 4"
<15-digit PAN | Discover | Maximum digits which may be retained: "First 6, any other 4"

With the migration to 8-digit BINs, the PAN digit truncation criteria for storage are as follows:

  • If there is no technical or business justification, continue to truncate only the intermediate digits between the first six (6) and the last four (4) digits of the PAN.
  • If there is a technical or business justification that requires the retention of additional digits in clear text, then the truncation table should be consulted to identify the number and location of digits that can be retained in clear text based on the length of the PAN.
  • If multiple forms of truncation are employed that may allow more digits to be obtained in clear from the same PAN, then an additional PAN data protection strategy must be employed in storage (encryption, hashing, tokenization).

Examples of display and truncation
Listed below are some examples of PAN display and truncation and their compliance with PCI DSS based on brand and PCI SSC criteria:

PAN (16 digits) | Display (BIN and last four digits) | Storage / truncation (BIN and any other four digits)
426398******9299 (first six and last four digits) | YES, for 6 and 8-digit BINs | YES, for 6 and 8-digit BINs
42639826******99 (first eight and last two digits) | YES, for 8-digit BINs | YES, for 6 and 8-digit BINs
42639826****9299 (first eight and last four digits) | YES, but requires a list of roles that need access to displays of more than BIN and last four and a legitimate business need for each role to have such access | YES, for 6 and 8-digit BINs
4263982640****** (first ten digits) | YES, for 8-digit BINs | YES, for 8-digit BINs
426398264026**** (first twelve digits) | YES, but requires a list of roles that need access to displays of more than BIN and last four and a legitimate business need for each role to have such access | YES, for 6 and 8-digit BINs
42639826***69299 (first eight and last five digits) | NO | NO

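The storage and display rules in the two tables above can be checked mechanically. This Python is an added example, not the article's or the PCI SSC's code: storage_truncation_ok applies the brand truncation table by PAN length (16-digit brands, 15-digit American Express, and the under-15-digit Discover row), and display_needs_role_justification applies the "BIN plus last four" display rule. The masked values used are constructed samples.

```python
"""Validate masked/truncated PANs against the brand truncation table and the
display rule described in the article (added example)."""

# Per PAN length: (leading positions that may be kept, other digits that may be
# kept, minimum digits that must be removed), as stated in the truncation table.
STORAGE_RULES = {
    16: (8, 4, 4),   # Discover, JCB, Mastercard, UnionPay, Visa: "First 8, any other 4"
    15: (6, 4, 5),   # American Express: "First 6, any other 4"
}
SHORT_PAN_RULE = (6, 4, 0)   # <15-digit PAN (Discover): "First 6, any other 4"


def retained_positions(masked: str) -> list[int]:
    """Indices of digits still in clear text; '*' marks a removed digit."""
    if not masked or not all(c.isdigit() or c == "*" for c in masked):
        raise ValueError("masked PAN may contain only digits and '*'")
    return [i for i, c in enumerate(masked) if c != "*"]


def storage_truncation_ok(masked: str) -> bool:
    """True if the truncated form keeps no more than the brand table allows."""
    length = len(masked)
    if not 8 <= length <= 16:   # the table above covers PANs up to 16 digits
        raise ValueError(f"no truncation rule in the table for {length}-digit PANs")
    prefix_max, other_max, min_removed = STORAGE_RULES.get(length, SHORT_PAN_RULE)
    kept = retained_positions(masked)
    removed = length - len(kept)
    outside_prefix = [i for i in kept if i >= prefix_max]
    return removed >= min_removed and len(outside_prefix) <= other_max


def display_needs_role_justification(masked: str, bin_len: int) -> bool:
    """Display rule: BIN plus last four may be shown without further
    justification; any additional clear digit needs a documented role."""
    if bin_len not in (6, 8):
        raise ValueError("BIN/IIN length must be 6 or 8")
    allowed = set(range(bin_len)) | set(range(len(masked) - 4, len(masked)))
    return not set(retained_positions(masked)) <= allowed


if __name__ == "__main__":
    # Constructed samples matching the article's example rows.
    for sample in ("426398******9299", "42639826****9299", "42639826***69299"):
        print(sample, storage_truncation_ok(sample),
              display_needs_role_justification(sample, 8))
```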

The official position of the payment brands
On the other hand, Mastercard in its document "8-Digit BIN Expansion and PCI Standards" (published on October 20, 2021) specifies that:

  • If there is no technical or business justification for displaying or storing the first 8 digits of the PAN, then the same criteria as above should be followed: store and/or display only the first six (6) and last four (4) digits of the PAN.
  • If the display of additional digits to the BIN and the last four (4) digits is required, then a list of the roles authorized to display more digits must be available and their justification documented.
  • If storage of the PAN using truncation is required, the maximum digits that can be stored are the first eight (8) and any other four (4). This is only allowed if there is a business or technical justification. Otherwise, it is recommended to continue storing only the first six (6) and the last four (4).

Additional notes
Visa and Mastercard have advised that the date on which the 8-digit BIN/IIN will become effective is April 2022. For this migration, it is important to consider the following:

  • Payment brands will work with card issuers for the assignment of the new eight-digit BIN/IIN blocks and the extension of two additional digits to the current six-digit BIN/IINs.
  • Payment processors and merchants will have to adapt their systems to route transactions using the first eight digits of the card. Other elements that may be affected and on which the impact of this measure should be identified are:
      • Point-of-sale (POS) devices and receipt/invoice printing
      • Updating of own BIN/IIN tables (if used in this way)
  • Cardholders will not be affected by this measure. Existing payment cards (plastics) will continue to work without any problem (unless the issuer itself decides to change them).
  • Finally, the next version of the PCI DSS standard (4.0) is expected to include special guidelines regarding the treatment of the BIN/IIN in both the display and storage of the PAN.

Summary
Advantio’s team of QSAs and customized solutions support and help customers monitor their compliance easily and cost-effectively. We have been fortunate to work with some of the top experts in the industry.

At Advantio, we promote a risk-based methodology that is supported by the card brands themselves. We work continuously to improve our service with our QSAs and work to provide innovative solutions that help merchants and retailers achieve PCI DSS compliance, on time, and on budget.

Take an in-depth look at the special guidelines regarding payment card numbers under the next version of PCI DSS - get in touch with our experts now

8-Digit BIN: How Does It Affect PCI DSS Compliance?


I am the Senior Security Consultant in Advantio. I have more than 15 years of experience, working both in South America and Europe. My information security background includes consultancy and audit, training, implementation of security technologies and design and policy development among others.

Certifications: CISSP, CISM, CISA, CRISC, CEH, CHFI, PCI QSA, QSA (P2PE), 3DS Assessor
