A Guide to the 8-Digit BIN Mandate

What Are Bank Identification Numbers?

A BIN consists of the initial digits found on any payment card, such as debit, credit, gift, or benefits cards. And these digits—sometimes also referred to as an issuer identification number (IIN)—indicate which financial institution provided and is associated with said card. In addition, the BIN also distinguishes the industry and country of the issuer, the card brand, the card type, and the card level (e.g., corporate or platinum).

Whenever you accept a credit card payment, you don’t want guesswork to be a factor. You want to be certain that you’re dealing with a valid cardholder. You want to be certain that you’re not being tricked into participating in fraud. Ultimately, you want to be certain that you’re debiting or crediting the right amount from the right account at the right financial institution. Bank identification numbers (BINs) can help provide you with that certainty.

This rather straightforward identification scheme helps to limit the potential for fraud since payment systems can quickly and easily identify appropriate account details for a given transaction. And traditionally, these identification numbers included either 4 or 6 digits. However, there has been a recent shift to 8-digit BINs.

What is the 8-Digit BINs Mandate? 

Back in 2017, the International Standards Organization (ISO)—an agency that establishes clear policy and industry standards regarding new technologies—created a new 8-digit BIN standard for the financial community. In particular, the ISO held concerns regarding the rapid increase in financial institutions over the past decade. And it feared that the potential for running out of available BINs would soon become a reality. With two additional digits though, the industry gained access to a much larger pool of potential BINs.

Both Visa and MasterCard—two of the world’s largest credit companies and therefore two of the largest creators of BINs—have embraced this new standard and mandated that their respective payment systems be updated to accommodate the added digits. As of April 2022, Visa and MasterCard now require that all acquirers and processors in their networks be able to accommodate 8-digit codes. In addition, all new BINs assigned by either business will feature 8 digits.

How Does the 8-Digit BIN Mandate Affect Your Business?

Financial Institutions

Fortunately, Visa and MasterCard have both publicly stated that they intend to allow existing banks, credit unions, and other organizations in the financial sector to manage the transition to 8-digit BINs on their own timelines. But with two of the world’s largest financial businesses already employing the standard, it makes sense to begin transitioning sooner rather than later.

Also, both organizations structured the shift so that existing card numbers—or personal account numbers (PANs)—will keep the same length, so issuers won’t need to reissue physical cards already in the market.

Merchants and Everyone Else

For most organizations, this period of transition won’t have much of an impact. But with both 6-digit and 8-digit BINs being used simultaneously, you should verify that your payment systems can not only process both types of cards but also identify which format is being used by a specific card.

Similarly, you should review any internal business practices that rely on BINs beyond payment processing. These operations might include:

• Managing loyalty or discount programs
• Reporting and analytics
• Establishing fraud scores
• Validating buyers through geolocation
• Locating disputed transactions

There are also security concerns that every business will need to consider during this time of transition.

8-digit BINs and PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) establishes a clear set of rules and requirements to securely handle credit card transactions and corresponding payment information. And while the PCI DSS bears no legal authority, most financial agencies across the globe require compliance with this rule scheme to process any sort of credit or debit transaction.

With regards to the new 8-digit BIN model, one key area that can potentially clash with the PCI DSS involves how credit card numbers can be stored and displayed.

Traditionally, only the first 6 digits and last four digits of a card number could be displayed or made available to employees or within other business systems. For example, these limited digits might appear on a receipt or sales report or be used to track an individual customer in a loyalty system. However, recent updates to the PCI DSS now allow organizations to store the first 8 digits of a card number—as well as the final four—but only for accounts with an 8-digit BIN.

With both BIN schemes now active, you should confirm that your payment processing system can distinguish between the two types. Because if you only track the first 6 digits of an 8-digit bin, you run the risk of misidentifying the appropriate account or financial institution. And conversely, displaying or storing the first 8 digits of a card with a 6-digit BIN is a clear PCI DSS violation and exposes private account information, placing your customers at greater risk for identity theft and fraud.

Beyond your own systems, you should also verify that any third-party payment services or legacy point of sales systems can handle both BIN types.

Stay on Top of All Things Payments-Related with Invoiced

Not sure if you have everything that you need for the 8-digit BIN mandate? As card processing requirements continue to change, keeping up with the latest standards is critical.

To avoid the confusion and headache of navigating these shifts, consider scheduling a demo of Invoiced’s Payments Acceptance solution. Our modern platform can help you maintain compliance, simplify oversight of your payments and offer you and your customers a more frictionless experience.

To learn more, schedule a demo today!