- Stop plugging these 7 devices into extension cords - even if they sound like a good idea
- I changed these 6 Samsung TV settings to give the picture quality an instant boost
- I tested a 9,000,000mAh battery pack from eBay that cost $10 - here's my verdict
- The 3 most Windows-like Linux distros to try because change is hard
- This 'unlimited battery' GPS tracker is an integral part of my hikes - and it's on sale
8-digit BINs and PCI DSS: What You Need to Know
Did you know that there are changes coming in how the Bank Identification Number (BIN, also known as Issuer Identification Number, or IIN) is encoded and used on payment cards?
This initial post in a series of blog entries will highlight some of the PCI SSC FAQs that address specific questions related to 8-digit BINs. Upcoming posts will clarify ways in which to determine how 8-digit BINs may affect your environment; the effect of 8-digit BINs on encryption, masking, and truncation formats; and how multiple truncation formats can affect scoping and security requirements.
The BIN, which is used to identify the institution that issued the card, has traditionally composed the first six digits of the Primary Account Number (PAN). The International Organization for Standardization (ISO) standard1 that specifies how PANs are structured now also defines a format for the use of 8-digit BINs as an alternative to 6-digit BINs. Some payment brands have already started using the first eight digits as the BIN instead of the first six.
To help understand the impacts of these types of changes and address common questions from PCI SSC stakeholders, the PCI SSC Frequently Asked Questions (FAQ) resource is updated regularly. This searchable tool includes a library of questions and answers on a variety of topics across PCI Security Standards and programs.
FAQ #1492 explains how to meet the PCI DSS masking and truncation requirements when using 8-digit BINs. This FAQ highlights the need for entities to understand the business purpose for displaying or retaining PAN. The truncation and masking formats used should always ensure that only the minimum number of digits are displayed or retained as necessary for the specific business need. For example, a customer service agent may only need to view the last four digits to verify a card number, whilst a payment system may require access to only the BIN for routing purposes.
FAQ #1091 identifies the acceptable truncation formats as defined by each payment brand. Formats for 8-digit BINs were initially added to this FAQ in 2017, and the FAQ has been regularly updated since then to reflect recent payment brand changes to their truncation formats.
While truncation formats vary according to PAN length and payment brand requirements, the format of first six/last four remains the common format accepted by all payment brands. Where it is necessary to retain more than the first six/last four digits of the PAN for business functions, entities should consult the table in FAQ #1091 for the acceptable formats.
Because each payment brand has different PAN/BIN lengths and different requirements, questions on payment brand truncation requirements, including how to determine whether a PAN has a 6- or 8-digit BIN, should be directed to the applicable acquirer or payment brand.
It is important to remember that the formats in FAQ #1091 are the maximum permissible values and are intended for use only when needed to support a legitimate business need. Having PAN with larger ranges of digits available could expose more PAN data to attacks, allowing attackers to more easily deduce the full PAN.
When determining the appropriate masking and truncation formats, each entity should assess their business needs and display or retain only those digits that are necessary. For example, in the customer service example above, the introduction of 8-digit BIN is unlikely to affect those systems which have traditionally displayed only the last four digits. In that use case, no changes would be necessary when migrating to the use of 8-digit BINs.
Entities also need to be mindful of the risks associated with using different truncation formats for the same PAN. Attackers will often correlate data between different data stores, and having PANs with different truncation ranges can result in the exposure of more PAN digits than the allowed maximum. Where an entity’s business needs require different truncation formats, entities should ensure that the different formats cannot be correlated to reconstruct additional digits of the PAN.
In summary, the increase of BIN range from six to eight digits may impact how businesses handle PAN data in different ways, and each entity will need to determine how the change to 8-digit BINs will affect their business and security needs. Entities are encouraged to begin planning for this change now, by understanding their business needs for retaining and displaying PAN, and ensuring that only the minimum needed number of PAN digits is exposed.
PCI SSC will be providing more information on the considerations and impacts of 8-digit BINs over this series of blog posts. Subscribe to the PCI Perspectives blog to be alerted when new posts are published.
Links to FAQ Resources:
(1) ISO/IEC 7812-1:2017, Identification cards – Identification of issuers – Part 1: Numbering system