The BIN, which identifies the institution that issued the card, has traditionally been the first six digits of the Primary Account Number (PAN). The International Organization for Standardization (ISO) standard that specifies how PANs are structured now also defines a format for 8-digit BINs as an alternative to 6-digit BINs, and some payment brands have already started using the first eight digits as the BIN instead of the first six.
To help understand the impacts of these types of changes and address common questions from PCI SSC stakeholders, the PCI SSC Frequently Asked Questions (FAQ) resource is updated regularly. This searchable tool includes a library of questions and answers on a variety of topics across PCI Security Standards and programs.
FAQ #1492 explains how to meet the PCI DSS masking and truncation requirements when using 8-digit BINs. This FAQ highlights the need for entities to understand the business purpose for displaying or retaining PAN. The truncation and masking formats used should always ensure that only the minimum number of digits are displayed or retained as necessary for the specific business need. For example, a customer service agent may only need to view the last four digits to verify a card number, whilst a payment system may require access to only the BIN for routing purposes.
FAQ #1091 identifies the acceptable truncation formats as defined by each payment brand. Formats for 8-digit BINs were initially added to this FAQ in 2017, and the FAQ has been regularly updated since then to reflect recent payment brand changes to their truncation formats.
While truncation formats vary according to PAN length and payment brand requirements, the format of the first six/last four remains the common format accepted by all payment brands. Where it is necessary to retain more than the first six/last four digits of the PAN for business functions, entities should consult the table in FAQ #1091 for the acceptable formats.
Because each payment brand has different PAN/BIN lengths and different requirements, questions on payment brand truncation requirements, including how to determine whether a PAN has a 6- or 8-digit BIN, should be directed to the applicable acquirer or payment brand.
It is important to remember that the formats in FAQ #1091 are the maximum permissible formats and are intended for use only when needed to support a legitimate business need. Every additional digit of the PAN that is displayed or retained shrinks the search space an attacker has to cover by a factor of ten, so exposing more digits than a business function requires makes it easier for an attacker to deduce the full PAN.
When determining the appropriate masking and truncation formats, each entity should assess their business needs and display or retain only those digits that are necessary. For example, in the customer service example above, the introduction of 8-digit BIN is unlikely to affect those systems which have traditionally displayed only the last four digits. In that use case, no changes would be necessary when migrating to the use of 8-digit BINs.
Entities also need to be mindful of the risks associated with using different truncation formats for the same PAN. Attackers will often correlate data between different data stores, and having PANs with different truncation ranges can result in the exposure of more PAN digits than the allowed maximum. Where an entity’s business needs require different truncation formats, entities should ensure that the different formats cannot be correlated to reconstruct additional digits of the PAN.
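The following script is an added example, not code from the PCI SSC post or any of its FAQs. It shows the correlation risk described above on a constructed sample PAN (the well-known Luhn-valid test number 4111 1111 1111 1111, not a real account): two data stores each hold a redacted view of the same PAN, one as first six/last four and one as an 8-digit BIN only, and an attacker who can line the two up learns first eight/last four. The formats and the store names used here are illustrative parameters of the script, not a reproduction of the payment-brand table in FAQ #1091; `luhn_candidates` counts how many Luhn-valid PANs remain consistent with a view, which is the figure a practitioner would want when judging whether two formats are safe to use side by side.

```python
"""Added example (not from the PCI SSC post): PAN redaction and the correlation risk.

The formats used here are illustrative parameters chosen for this script and
are NOT a reproduction of the payment-brand table in FAQ 1091.
"""
import itertools

# Constructed sample: the well-known Luhn-valid test number, not a real account.
SAMPLE_PAN = "4111111111111111"
UNKNOWN = "*"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; every character of pan must be a digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(pan: str, keep_first: int, keep_last: int) -> str:
    """Keep only the leading and trailing digits; the rest become UNKNOWN.

    Applied before storage this is truncation; applied at display time over a
    stored full PAN it is masking. The resulting string is the same either way.
    """
    n = len(pan)
    if keep_first < 0 or keep_last < 0 or keep_first + keep_last >= n:
        raise ValueError("format would reveal the whole PAN")
    return pan[:keep_first] + UNKNOWN * (n - keep_first - keep_last) + pan[n - keep_last:]


def correlate(*views: str) -> str:
    """Merge several redacted views of the same PAN, as an attacker holding more
    than one data store would. A conflicting digit means the views are not of
    the same PAN."""
    n = len(views[0])
    merged = [UNKNOWN] * n
    for view in views:
        if len(view) != n:
            raise ValueError("views must be of equal length")
        for i, ch in enumerate(view):
            if ch == UNKNOWN:
                continue
            if merged[i] not in (UNKNOWN, ch):
                raise ValueError(f"conflicting digit at position {i}")
            merged[i] = ch
    return "".join(merged)


def known_digits(view: str) -> int:
    return sum(1 for ch in view if ch != UNKNOWN)


def luhn_candidates(view: str, brute_force_limit: int = 5) -> int:
    """Number of Luhn-valid PANs consistent with a redacted view.

    Small gaps are enumerated; larger gaps use the closed form: the Luhn
    contribution of one digit is a bijection on 0-9, so for any filling of the
    other unknowns exactly one value of the last unknown passes the check,
    giving 10**(k-1) candidates for k unknown digits.
    """
    unknown = [i for i, ch in enumerate(view) if ch == UNKNOWN]
    k = len(unknown)
    if k == 0:
        return 1 if luhn_valid(view) else 0
    if k > brute_force_limit:
        return 10 ** (k - 1)
    chars = list(view)
    count = 0
    for combo in itertools.product("0123456789", repeat=k):
        for pos, d in zip(unknown, combo):
            chars[pos] = d
        if luhn_valid("".join(chars)):
            count += 1
    return count


def exposure_report(*views: str) -> dict:
    """Compare what each view reveals on its own with what they reveal together."""
    merged = correlate(*views)
    return {
        "per_view": [(v, known_digits(v), luhn_candidates(v)) for v in views],
        "merged": merged,
        "merged_known": known_digits(merged),
        "merged_candidates": luhn_candidates(merged),
    }


if __name__ == "__main__":
    # Two hypothetical stores holding the same PAN under different formats.
    receipts = redact(SAMPLE_PAN, 6, 4)   # first six / last four
    routing = redact(SAMPLE_PAN, 8, 0)    # 8-digit BIN only, e.g. for routing
    report = exposure_report(receipts, routing)
    for view, known, cands in report["per_view"]:
        print(f"{view}: {known} digits known, {cands:>8} Luhn-valid candidates")
    print(f"{report['merged']}: {report['merged_known']} digits known, "
          f"{report['merged_candidates']:>8} candidates after correlation")
```

On the sample PAN, first six/last four alone leaves 100,000 Luhn-valid candidates and the 8-digit BIN alone leaves 10,000,000, but the two views together fix twelve digits and leave only 1,000. Neither store exceeds its own format, yet the pair exposes first eight/last four; that is the outcome the paragraph above warns against, and the same script can be pointed at any two formats an entity is considering to check whether their union stays within the maximum it is allowed to reveal.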
In summary, the increase of BIN range from six to eight digits may impact how businesses handle PAN data in different ways, and each entity will need to determine how the change to 8-digit BINs will affect their business and security needs. Entities are encouraged to begin planning for this change now, by understanding their business needs for retaining and displaying PAN, and ensuring that only the minimum needed number of PAN digits is exposed.
PCI SSC will be providing more information on the considerations and impacts of 8-digit BINs over this series of blog posts. Subscribe to the PCI Perspectives blog to be alerted when new posts are published.
Links to FAQ Resources:
- 1091 What are acceptable formats for truncation of primary account numbers?
- 1146 What is the difference between masking and truncation?
- 1492 How can an entity meet PCI DSS requirements for PAN masking and truncation if it has migrated to 8-digit BINs?
The original post "8-digit BINs and PCI DSS: What You Need to Know" can be found on the PCI Security Standards Council Blog.