Migrating from Six to Eight Digit BINs

With the payments industry growing at breakneck speed, some industry standards need to change. From April 2022, payment card details will change, with the BIN increasing from six to eight digits. Although the migration has been a long time coming, merchants still have many questions, which we seek to answer here.

What’s a BIN?

Payment cards have 16-digit primary account numbers (PANs). Though the digits seem random, they follow an ISO standard system where the first four or six digits form the BIN. The BIN is a code designed to identify the card’s issuing bank, brand, and type, and to give more information on the card user’s geographical location.

Why are BINs shifting from six to eight digits?

The payments industry is growing, and six-digit BINs are fast approaching depletion. Increasing the length of BINs will increase the number of BINs available from 100,000 to 10,000,000, so card networks will have more BIN ranges to give card issuers.

The ISO announced its plans to make these changes in 2015, and the deadline to implement the new standard (ISO/IEC 7812-1) is April 2022.

Eight-digit BINs’ change to payment card formats

ISO-compliant debit and credit card numbers range between eight and 19 digits, with most being 16 digits long. Once the new eight-digit BIN standard is in effect, the length of most payment card numbers will remain at 16 digits. The two extra digits added to the BIN subfield will be taken from the account identifier/number subfield.

The new payment card subfields will be as below:

Is the change mandatory after the deadline?

The April 2022 deadline is more of a deadline for processors and acquirers to prepare themselves to work with eight-digit BINs in compliance with ISO’s new standard (ISO/IEC 7812-1).

Although card networks like Mastercard, Discover, and Visa will only be issuing eight-digit BINs after the deadline and encourage card issuers to shift to the new standard, six-digit BINs will not be removed. Both six- and eight-digit BINs will be supported, and issuers will set their own timelines for the expansion.

Who does the migration to eight-digit BINs affect?

The shift to eight-digit BINs will significantly affect financial industry stakeholders, including:

  • Existing and new payment card customers
  • Payment card issuers
  • Merchants who accept digital payments
  • Online payments intermediaries

Consequences of shifting to eight-digit BINs

Adopting eight-digit BINs will ensure payment service providers can adequately handle payment requirements and address customer needs. But as six-digit BINs decline and eight-digit BINs become the new standard, payment service providers and merchants should ready themselves for several challenges, including:

  • Increased risk of incorrect or misrouted transactions

The generation of extra BINs will increase the chances of misrouting payments through debit or credit cards, which will impact customers and increase the chances of financial fraud. According to Visa, merchants cannot charge back misrouted transactions caused by eight-digit BINs.

  • Administrative challenges

Card issuers use BINs to store cardholders’ information. The addition of extra BINs might generate some administrative challenges for issuers and payment service providers, including:

  • Monitoring card activation and usage
  • Issuing new eight-digit BIN cards while replacing old six-digit BIN cards
  • Bearing the expense of implementing backend payment system support for the eight-digit BIN numbering standard

  • Underutilization and licensing costs

Payment card issuers pay annual licensing fees for new BINs created. At the same time, there’s a penalty for unused BINs not returned to the card network’s pool. With the shift, each six-digit BIN licensed to a card issuer translates into 100 BINs, which means increased licensing and underutilization costs.

Other challenges may exist in specific situations, including:

  • Merchant disputes – merchants stand to lose disputes caused by misrouted transactions.
  • Prepaid card identity – failure to upgrade hardware and software payment systems to accommodate the new BIN and account identifier lengths causes confusion in card identification.
  • Reporting – with changes to PCI DSS compliance, merchants who opt to reveal the eight BIN digits plus the last four digits will need a new method to protect cardholder data.

Eight-digit BINs and PCI DSS compliance

The PCI DSS (The Payment Card Industry Data Security Standard) is a requirement that secures cardholder data. A portion of the PCI DSS tasks organizations with protecting cardholder data, including the PAN (primary account number).

To remain PCI DSS compliant, organizations can only use the first six and last four digits of the PAN, which includes the BIN. Shifting from a six-digit to an eight-digit BIN standard elicits numerous questions on PCI DSS implications.

For instance, if the PCI DSS only allows organizations to reveal the first six and last four PAN digits, how will the shift affect businesses that require the full BIN range to be revealed?

Unfortunately, unless the PCI SSC makes changes to accommodate the new full BIN range, businesses that run their own BIN checks will have to choose between getting access to the full BIN range and being PCI DSS compliant.

What merchants need to do

Identifying the cardholder and card issuer without needing the full PAN is key in business processes like transaction routing, refunds, fraud detection, and chargebacks while reducing the risk of a data breach. To achieve this, process systems will need updating to recognize and act on eight-digit BINs. These updates may apply to:

  • BIN tables (databases containing lists of BINs, account ranges, card issuer names, card scheme names, card types and more)
  • Point of sale software and hardware
  • Payment application logic
  • Merchant discount and loyalty programs
  • Reporting systems
  • PIN bypass logic for magnetic stripe cards
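
The BIN table and payment logic updates listed above, as an added example that is not part of the original article: a longest-prefix lookup over a table that mixes six- and eight-digit BINs, plus a check for six-digit prefixes that a system still keyed on six digits could not route unambiguously. The table entries, issuer names, PANs and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample BIN table: prefixes and issuer names are invented.
BIN_TABLE = {
    "41234567": "Issuer B",
    "41234568": "Issuer C",
    "550000": "Issuer D",      # legacy six-digit entry still in service
    "60110012": "Issuer E",
}

def luhn_valid(pan: str) -> bool:
    """Validate the PAN's final check digit with the Luhn algorithm."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def split_pan(pan: str, bin_len: int):
    """Return (BIN, account identifier, check digit) for a given BIN length."""
    return pan[:bin_len], pan[bin_len:-1], pan[-1]

def lookup_issuer(pan: str, table=BIN_TABLE):
    """Longest-prefix match: prefer an eight-digit BIN, fall back to six."""
    for length in (8, 6):
        issuer = table.get(pan[:length])
        if issuer is not None:
            return pan[:length], issuer
    return None

def six_digit_collisions(table=BIN_TABLE):
    """Six-digit prefixes shared by more than one issuer, i.e. ranges that
    six-digit-only routing or reporting logic would treat as one issuer."""
    seen = defaultdict(set)
    for prefix, issuer in table.items():
        seen[prefix[:6]].add(issuer)
    return {p: sorted(i) for p, i in seen.items() if len(i) > 1}

if __name__ == "__main__":
    for pan in ("4123456700000001", "4123456800000000", "5500000000000004"):
        print(pan, luhn_valid(pan), lookup_issuer(pan), split_pan(pan, 8))
    print("ambiguous under six-digit logic:", six_digit_collisions())
```

Running `six_digit_collisions()` over a production BIN table lists the prefixes where six-digit logic needs to be replaced before eight-digit BINs under that prefix go to different issuers.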

If you use a third-party acquirer or payment solution, you should consult your provider about compliance. 

Unfortunately, assessing business operations is easier said than done. Consulting Justt to help identify minor errors in your processing that could be triggering chargebacks will help reduce the costs of transition.

Written by Ronen Shnidman

Ex-journalist and major fan of fintech and OSINT, I write regularly for leading industry outlets in finance and fraud prevention. Outlets I contribute to include Payments Dive, Finextra, and Merchant Fraud Journal, and I have been cited by PYMNTS.com
