The PCI SSC and payment brands recently signed an agreement about how to manage the new 8-Digit BIN (which will become effective in April 2022) in terms of visualizing and truncating PAN. In this article, we summarize the implications of this change in PCI DSS compliance as well as other important considerations.
History
To optimize service management for bank customers, each entity assigned its customers a number through which they could access their account information (income, expenses, interest, etc.). This number was the main identifier of the contract and represented it in any transaction. However, each bank assigned its own numbers, so a user with accounts in several banks ended up with several identification numbers.
Due to the need to establish a common means of payment in stores and the appearance and subsequent massification of credit and debit cards as payment methods at a local and international level, it was necessary to allow the flow of banking information between the different entities involved to make the place of payment independent of the type of card used.
With this concept in mind, banks began to look for partners in different geographic locations that would accept payments with their cards, allowing the mobility of their customers. The idea of "associates" began to bear fruit and among the affiliated banks they opted to manage a shared account number among themselves so that a customer of their services could make use of that number in any of the affiliated banks without any problems.
As a result, organizations such as VISA, MasterCard, American Express, JCB, and Discover (among others) emerged, allowing interbank transactions among their members, usually using payment cards. This interbank account number was called PAN (Primary Account Number) and is printed and/or embossed on payment card plastics.
According to the ISO/IEC 7812 standard "Identification cards - Identification of issuers", the digits of the Primary Account Number (PAN) are structured as follows:
Major Industry Identifier (MII)
This is the first digit of the PAN and identifies the type of system with which the card is associated:
0: ISO/TC 68 and others
1: Airlines
2: Airlines and others
3: Travel, Entertainment, and Finance (American Express, JCB, and Diners Club)
4: Banking and Finance (VISA)
5: Banking & Finance (MasterCard)
6: Marketing and banking/finance (Discover)
7: Oil companies and others
8: Health, telecommunications, and others
9: Future allocations
Issuer Identifier Number (IIN) or Bank Identification Number (BIN):
It is composed of the first six digits of the card (including the MII). It allows the identification of the card-issuing bank to route interbank transactions. It is currently managed by the American National Standards Institute (ANSI). A list of IIN/BIN can be found here.
Individual Account Identification (IAI): this number is composed of the digits from the seventh to the penultimate digit and identifies the account number associated with the cardholder.
Check Digit: This is the last digit of the card and is calculated using the Luhn algorithm.
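As an added example (not code from the article), the following Python splits a PAN into the ISO/IEC 7812 fields described above and verifies the check digit with the Luhn algorithm. The PAN used is the sample that appears in the article's own examples; the function and class names are my own.

```python
# Added example, not part of the original article: parse the ISO/IEC 7812 fields of a
# PAN (MII, IIN/BIN, account identifier, check digit) and validate the Luhn check digit.
from dataclasses import dataclass

# Major Industry Identifier values, as listed in the article
MII_NAMES = {
    "0": "ISO/TC 68 and others",
    "1": "Airlines",
    "2": "Airlines and others",
    "3": "Travel, Entertainment, and Finance (American Express, JCB, and Diners Club)",
    "4": "Banking and Finance (VISA)",
    "5": "Banking & Finance (MasterCard)",
    "6": "Marketing and banking/finance (Discover)",
    "7": "Oil companies and others",
    "8": "Health, telecommunications, and others",
    "9": "Future allocations",
}


@dataclass
class PanFields:
    mii: str                 # first digit
    iin: str                 # first 6 or 8 digits (includes the MII)
    account_identifier: str  # digits after the IIN, up to the penultimate digit
    check_digit: str         # last digit


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial + digit` Luhn-valid."""
    total = 0
    # The computed digit will occupy the rightmost position, so the last digit
    # of `partial` is the first one that gets doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the PAN is all digits and its last digit is the correct Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def split_pan(pan: str, iin_length: int = 6) -> PanFields:
    """Break a PAN into its ISO/IEC 7812 fields for a 6- or 8-digit IIN/BIN."""
    if iin_length not in (6, 8):
        raise ValueError("IIN/BIN length must be 6 or 8")
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("PAN must be 12 to 19 digits")
    return PanFields(
        mii=pan[0],
        iin=pan[:iin_length],
        account_identifier=pan[iin_length:-1],
        check_digit=pan[-1],
    )


def mii_description(pan: str) -> str:
    """Human-readable meaning of the PAN's first digit."""
    return MII_NAMES[pan[0]]


if __name__ == "__main__":
    sample = "4263982640269299"  # sample PAN from the article's table
    print(luhn_valid(sample), split_pan(sample, 8), mii_description(sample))
```

The sample PAN in the article passes the Luhn check, and with an 8-digit BIN its account identifier shrinks by two digits compared with a 6-digit BIN, which is exactly the range exhaustion the article goes on to describe.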
The length of the PAN often depends on the card brand that manages it and the issuing area:
Exhaustion of BIN ranges: As indicated above, the structure of the first six digits of the PAN (the "Issuer Identification Number (IIN) or Bank Identification Number (BIN)") is defined in the ISO/IEC 7812-1 standard, "Identification cards - Identification of issuers - Part 1: Numbering system". This numerical structure allows each card issuer to be assigned a range of digits that identifies the cards issued under its responsibility. The assignment process is described in the ISO/IEC 7812-2:2015 standard, "Identification cards - Identification of issuers - Part 2: Application and registration procedures".
However, these ranges are running out, so the International Organization for Standardization (ISO) - the entity in charge of managing this standard - has planned a series of changes. To this end:
What is the BIN/IIN used for? The BIN/IIN of a PAN is used to route a transaction from the acquirer to the corresponding issuing bank for authorization, as shown below:
Each payment card has a Primary Account Number (PAN) assigned to it, which explicitly identifies its issuing bank using the BIN (6 or 8 digits). In a normal payment transaction the following steps occur:
How does this change affect the visualization of PAN when it is displayed?
Based on the criteria of the payment brands, the display of the BIN and the last four digits of the PAN will be allowed, regardless of the length of the BIN (6 or 8 digits). The remaining digits must be masked out.
In this way, a generic PAN (16 digits) with a 6-digit BIN is protected in the following way for display (masking or "asterisking") on screens, paper receipts, printouts, etc.:
454881******0004
Similarly, a generic PAN (16 digits) with an 8-digit BIN would have to be protected as follows:
45488133****0004
Any role that requires additional digits to be displayed will require a business justification.
How does this change affect the truncation of the PAN when it is stored?
One of the options the PCI DSS v3.2.1 standard allows for securely storing the card's PAN is truncation:
Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
Truncation is the permanent removal of a group of digits (segment) from the PAN before it is stored, processed and/or transmitted.
Unlike the display, the change of BIN/IIN from six (6) digits to eight (8) does affect this requirement, because each of the payment brands has different criteria on this point. To proceed, it is important to note the following:
| PAN / BIN Length | Payment Brand | Acceptable Brand Truncation Formats |
|---|---|---|
| 16-digit PAN (with either 6- or 8-digit BIN) | Discover, JCB, Mastercard, UnionPay, Visa | At least 4 digits removed. Maximum digits which may be retained: "First 8, any other 4" |
| 15-digit PAN | American Express | At least 5 digits removed. Maximum digits which may be retained: "First 6, any other 4" |
| <15-digit PAN | Discover | Maximum digits which may be retained: "First 6, any other 4" |
With the migration to 8-digit BINs, the PAN digit truncation criteria for storage are as follows:
Examples of display and truncation
Listed below are some examples of PAN display and truncation and their compliance with PCI DSS based on brand and PCI SSC criteria:
| PAN (16 digits) | Display: BIN and last four digits | Storage (truncation): BIN and any other four digits |
|---|---|---|
| 426398******9299 (first six and last four digits) | YES, for 6 and 8-digit BINs | YES, for 6 and 8-digit BINs |
| 42639826******99 (first eight and last two digits) | YES, for 8-digit BINs | YES, for 6 and 8-digit BINs |
| 42639826****9299 (first eight and last four digits) | YES, but requires a list of roles that need access to displays of more than BIN and last four, and a legitimate business need for each role to have such access | YES, for 6 and 8-digit BINs |
| 4263982640****** (first ten digits) | YES, for 8-digit BINs | YES, for 8-digit BINs |
| 426398264026**** (first twelve digits) | YES, but requires a list of roles that need access to displays of more than BIN and last four, and a legitimate business need for each role to have such access | YES, for 6 and 8-digit BINs |
| 42639826***69299 (first eight and last five digits) | NO | |
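The display rule (BIN plus last four, everything else masked) and the storage rule from the brand truncation table ("first N, any other 4") can be turned into checks that a developer or assessor can run over masked or truncated values before they reach a screen, receipt or database. The Python below is an added example, not code from the article or from the PCI SSC; the rule table, function names and the American Express sample value are my own constructions, and the 16-digit sample PAN is the one used in the article's table.

```python
# Added example, not part of the original article: generate and validate masked-for-display
# and truncated-for-storage PANs according to the rules described in the article.

# Maximum digits that may be retained after truncation, per brand, taken from the
# brand truncation table above: (expected PAN length, leading digits that may be
# kept, digits that may be kept anywhere else).
TRUNCATION_RULES = {
    "visa": (16, 8, 4),
    "mastercard": (16, 8, 4),
    "discover": (16, 8, 4),
    "jcb": (16, 8, 4),
    "unionpay": (16, 8, 4),
    "american express": (15, 6, 4),
}


def mask_for_display(pan: str, bin_length: int) -> str:
    """Mask a PAN for display: keep the BIN (6 or 8 digits) and the last four digits."""
    if bin_length not in (6, 8):
        raise ValueError("BIN length must be 6 or 8")
    if not pan.isdigit() or len(pan) < bin_length + 4:
        raise ValueError("PAN must be numeric and longer than BIN + 4")
    hidden = len(pan) - bin_length - 4
    return pan[:bin_length] + "*" * hidden + pan[-4:]


def visible_positions(masked: str) -> list[int]:
    """Indexes of the digits still readable in a masked or truncated PAN."""
    return [i for i, ch in enumerate(masked) if ch.isdigit()]


def display_within_default(masked: str, bin_length: int) -> bool:
    """True if every visible digit belongs to the BIN or to the last four positions.

    A value that shows more than that is the case the article says needs a
    documented business justification for each role that can see it."""
    n = len(masked)
    allowed = set(range(bin_length)) | set(range(n - 4, n))
    return set(visible_positions(masked)) <= allowed


def truncation_allowed(truncated: str, brand: str) -> bool:
    """True if the retained digits satisfy the brand's 'first N, any other 4' limit."""
    pan_length, leading, other = TRUNCATION_RULES[brand.lower()]
    if len(truncated) != pan_length:
        return False
    # Every retained digit outside the leading block counts against the
    # 'any other' allowance, wherever it sits in the PAN.
    extra = [i for i in visible_positions(truncated) if i >= leading]
    return len(extra) <= other


def truncate_for_storage(pan: str, brand: str, keep_last: int = 4) -> str:
    """Truncate to the maximum the brand permits: leading block plus the last `keep_last`.

    The removed digits are shown as '*' only to keep the positions readable;
    truncation means the digits themselves are never stored."""
    pan_length, leading, other = TRUNCATION_RULES[brand.lower()]
    if not pan.isdigit() or len(pan) != pan_length or keep_last > other:
        raise ValueError("PAN length or number of retained digits not permitted for this brand")
    return pan[:leading] + "*" * (pan_length - leading - keep_last) + pan[-keep_last:]


if __name__ == "__main__":
    sample = "4263982640269299"  # sample PAN from the article's table
    for bin_length in (6, 8):
        print(bin_length, mask_for_display(sample, bin_length))
    print(truncate_for_storage(sample, "visa"))
```

Running the checks over the values in the table above reproduces its storage column: the first five values keep at most four digits outside the first eight and pass, while "first eight and last five" keeps five and fails. Note that a value acceptable for storage is not automatically acceptable for display: the two rules are evaluated independently, as the article's table does.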
The official position of the payment brands
On the other hand, Mastercard in its document "8-Digit BIN Expansion and PCI Standards" (published on October 20, 2021) specifies that:
Additional notes
Visa and Mastercard have advised that the date on which the 8-digit BIN/IIN will become effective is April 2022. For this migration, it is important to consider the following:
Summary
Advantio’s team of QSAs and customized solutions support and help customers monitor their compliance easily and cost-effectively. We have been fortunate to work with some of the top experts in the industry.
At Advantio, we promote a risk-based methodology that is supported by the card brands themselves. We work continuously to improve our service with our QSAs and work to provide innovative solutions that help merchants and retailers achieve PCI DSS compliance, on time, and on budget.
Take an in-depth look at the special guidelines regarding payment card numbers under the next version of PCI DSS - get in touch with our experts now.
I am the Senior Security Consultant in Advantio. I have more than 15 years of experience, working both in South America and Europe. My information security background includes consultancy and audit, training, implementation of security technologies and design and policy development among others.
Certifications: CISSP, CISM, CISA, CRISC, CEH, CHFI, PCI QSA, QSA (P2PE), 3DS Assessor