Utilizing Extended BIN numbers



The payment industry is currently facing a major challenge: the supply of BINs cannot keep up with the industry’s growth.


A BIN (or IIN) is the first 6 digits of the primary account number (PAN), the 8 to 19 digits long card identifier found on payment cards, such as credit cards, debit cards, stored-value cards, gift cards, virtual cards, and other similar cards. The BIN is sometimes also referred to as the issuer identification number (IIN), in particular by Visa.


Two largest payment processors, Mastercard and Visa, have already been forced to take steps to combat the diminishing supply of BINs. Mastercard introduced its 2-series BINs, while Visa mandated on 9-digits account ranges. While effective in the short term, such moves do not address the core issue, which is only being exacerbated by tokenization, driven by online and mobile payments.


To prepare the BIN for the future, the international standard ISO/IEC 7812-1, which specifies a numbering system for the identification of the card issuers, the format of the bank account number and the primary account number, is undergoing a major revision to expand the BIN to at least 8 digits.



Eight-Digit Issuer BIN and Its Implementation



The American National Standards Institute (ANSO), a private non-profit organization that oversees the development of voluntary consensus standards, has announced its plan to expand the BIN to 8 digits in July 2016.


Within the current version of ISO/IEC 7812-1, an IIN is defined as a fixed-length numeric of 6 digits,” the organization stated. “ISO/IEC 7812-1 is currently undergoing revision to expand the IIN to an 8-digit numeric value from the current 6-digit numeric value … This change is being driven by an expected shortage in the available supply of IINs … The potential target for final publication of ISO/IEC 7812-1 by ISO is in early 2017.



ANSI strongly advises all users of ISO/IEC 7812-1 to begin planning immediately and analysis to identify any potential system and process impacts associated with their plans to adopt the new standard, called  ISO/IEC 7812-2, to ensure that the transition goes as smoothly as possible.


April 2022 has been set as the deadline for agents to fully adapt to the new BIN system. “Clients will face the risk of misrouted transactions if they are unable to meet the April 2022 deadline. They may also experience unnecessary and avoidable costs if they delay planning in a timely manner,” states Visa in its FAQ. “Visa plans to complete the necessary changes to all client-facing systems and applications by 2019. This will allow clients more than two years before the April 2022 deadline for testing and implementation.”



Impacts of ISO/IEC 7812-2



It is important to note that the extension of the BIN will not affect the PAN, which will remain composed of 8 to 19 digits. Still, the change is expected to send ripples through the payment industry and affect stakeholders across the industry's many segments in a number of different ways. 



Platform Support



Many existing payment platforms have been developed and configured with the 6-digit numbering scheme in mind. To prevent data loss and compatibility issues, organizations will have to reconfigure their applications and databases, which may even entail source code modifications.


In case the system supports tokenization or Mobile/Digital wallet solutions, the issuer must accommodate all scenarios of tokens and solutions for the accounts being used, for either 6-digit or 8-digit IINs. For ATM networks, verification of adding new IINs must be done and,  if expanded IINs from other issuers are used at an ATM, it should be identified and routed correctly for authorization,” explains UL’s Transaction Security division.



The preparation for 8-digit BINs may prove to be problematic for organizations that still rely on legacy systems that are no longer maintained by their vendors. In some cases, an upgrade to a newer solution will likely be less costly and time-consuming. 



Card Truncation and PCI DSS Compliance



Today, PAN truncation is used by point-of-sale (POS) terminals, and mandated by many governments, prevent fraud or identity theft in case a customer loses a printed receipt or discards it carelessly. 


The Payment Card Industry (PCI) Data Security Standard (DSS) specifies PAN truncation rules for organizations to adhere to. “The only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code.”



In practice, this means that the PCI DSS allows organizations to store only the first six and last four digits of the PAN. Should an organization fail to comply with the standard, it may face hefty fines. For example, Microsoft was fined $1.2 million last year because the company’s physical store receipts displayed too many digits of their credit card numbers submitted details.



Because the PAN will remain composed of 8 to 19 digits even after the industry moves on to 8-digit BINs, we could see a number of implementation and compliance arise from the combination of 8-digit BINs with 16-digit PANs. Organizations might expect a PAN of a different length and accidentally store the wrong digits because of it, completely missing the last three digits of a 19-digit PAN. 






Merchants must thoroughly assess their POS terminals and websites to ensure that they are ready to accept the new 8-digit BINs in both card-present and card-not-present payment acceptance channels. This assessment should be carried out in close cooperation with the vendors of the respective solutions as it is still necessary to maintain compliance with the PCI DSS standard so that transactions with expanded BINs are managed correctly.


Any failure to properly utilize the extended BIN numbers could result in a significant loss of business and the inability to provide value-added services such as cash backing, loyalty programs, and various discounts since merchants typically use the BIN to identify whether a BIN is domestic or belongs to a specific issuer.






Many security processes and systems have been put in place with 6-digit BINs and up to 16-digit PANs in mind, and they need to be expanded to work with 8-digit BINs and 19-digit PANs. Organizations should keep in mind that the risk of hash cracking using brute force techniques will still be in place even after the payments industry moves to 8-digit BINs. Organizations without the means to adequately secure their data should avoid storing Card Holder Data (CHD). Helps You Utilize Extended BIN Numbers



We at BinBase are ready to help you utilize the extended BIN. A well-designed BIN system allows you to instantly analyze customer purchase and electronic transactions, increasing the efficiency of your operations. 


Our flagship product is our new Extended License, which includes all the benefits of our popular Universal License plus a database of extended BINs delivered in the CSV file format for maximum compatibility and accessibility. Extended License additionally comes with 24 months of free updates, delivered on a monthly basis, our standard 6-digit BIN database in CSV format including Personal/Commercial flag, Regulated/Unregulated flag, the full version of our lookup and filtering software, access to our IP to Location database, and many other features. 


About 31% of all 6 BIN numbers are already split into different account ranges.


Current breakdown:


Total: ~1.1M records
-- 6 digit BIN file 35%
-- 7 digit BIN file 9%
-- 8 digit BIN file 20%
-- 9 digit BIN file 33%
-- 10 digit BIN file 2%
-- 11 digit BIN file <1%


Below are some examples of a 6 digit BIN being split:


7 digit account range. Countries are different:






8 digit account range. Card categories are different:





9 digit account range. Countries, card types and card categories are different: