Shifting from six to eight-digit BINS


21 Jun 2021

The forthcoming BIN range changes - your questions answered

8 digit BIN 900

For a few months there have been reminders from card providers about extending their Bank Identification Number (BIN) range from the first six to the first eight numbers on a payment card. So, we wanted to clarify a few questions that you may have about it namely:

  • What is a BIN?
  • Why is the BIN important?
  • How does Eckoh use BIN data?
  • Why is it shifting from six to eight-digit BINs?
  • What does this mean to PCI DSS compliance?
  • What is Eckoh doing in response to the change?

What is a BIN?

A bank identification number (BIN) is the first four to six-digits of a payment card number. Among other things, it is used to identify and match the card scheme and whether the card is a debit or credit card.

8 digit BIN 1

Current BIN range

Why are BINs important?

BIN ranges are vital for any organization taking payments for two reasons: it allows you to accept multiple forms of payments quickly, and they also help you assess your card transactions. This enables you to make in-depth cost analysis and perform real-time analytics to identify theft or fraud, as well as origination. You can determine other crucial information from the BIN range of a payment card as well, such as your card mix which can help you understand the cost impact of interchange based on the types of cards you accept.

How does Eckoh use BIN data?

Eckoh uses both BIN and Luhn (card number) checks to validate that the card is valid and is a card type a client accepts, e.g. not all clients accept American Express, and regulations prevent certain clients from accepting payments by credit cards. By validating the card in this way, we ensure that the payment is less likely to be declined by the Payment Service Provider (PSP) and this has two major benefits, especially if a contact center is taking payments over the phone with agents:

  1. A much better customer experience as there are fewer failures or resulting chargebacks during the payment process, and
  2. It means the call is shorter, so keeps caller Average Handling Time (AHT) down - a major KPI for customer services functions.

Why are BINs changing from six digits to eight?

The main reason for shifting from six to eight-digit BINs is simple, BIN numbers are running out. To ensure a sufficient supply of BINs for future product innovation, card brands are extending the number range to an eight-digit format. Visa and Mastercard have set a deadline that all processors and acquirers need to support 8-digit BINs from April 2022, which will need to be accommodated along with the existing six-digit BINs.

What does a BIN range have to do with PCI DSS compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is an industry requirement for securing cardholder data around the world. A category of the PCI DSS requires organizations to protect cardholder data. This includes the primary account number (PAN). To maintain compliance with the PCI DSS, organizations are only allowed to use the first six and last four digits of a PAN, which would include the BIN. A shift from six-digit BINs to eight-digit BINs has therefore (unsurprisingly) generated questions regarding scope implications with PCI DSS.

The main question being asked is, if PCI DSS only allows the first six and last four digits of the PAN to be revealed, how will this affect the critical business operations that need to see the full BIN range?

8 digit BIN 2

New BIN range

The short answer is that it is making many businesses, who need to perform their own BIN checks, choose between being compliant with the PCI DSS or having access to the full eight-digit BIN range for business operations. Due to the International Organization of Standards (ISO) expansion of BIN ranges, organizations are placed in an uncomfortable position unless the Payment Card Industry Security Standards Council PCI (SSC) decides to accommodate the use of the first eight digits of the PAN in its Standard. But as the length of the PAN is not increasing, this isn't a simple thing to allow.

So, where they currently have six digits masked for protection, this will become four which makes it a lot less secure as you are losing two digits of secured data.

What is Eckoh's response to the change?

Eckoh already performs BIN checks for our services but we're making some key changes to accommodate the new BIN range. Firstly, we are updating all the databases and solutions that use the BIN data to ensure we always have the latest and most comprehensive data available. Secondly, to help maintain PCI DSS compliance without impacting existing processes, we are providing the means for existing and new clients to update the existing digit masking in their solutions, with the strong recommendation that they either:

  • mask all digits, or only expose the last four digits of a payment card in their solutions; or
  • if there is a business requirement to see partial BIN data, expose the first six, last four digits of a payment card

Eckoh is a PCI Level 1 Service Provider, and our payment solutions are the most flexible on the market, so we can fully support your organization's payment needs. Our payment solutions have also been built from the ground up, which allows us to pivot more quickly and efficiently than other third-party security solutions or payment processors to accommodate any shift with BIN ranges or future updates to the PCI DSS.