In an era of unprecedented growth, some payment industry standards needed to change. However, the move to 8-digit bank identification numbers has increased the chances of processing disruptions, including but not limited to incorrect routing, fraud issues, and unnecessary declines.
One year has passed since Visa and Mastercard announced the move to 8-digit BIN. Nonetheless, announced changes are still relevant, and there are a few points to underscore. At the beginning of April, Visa started assigning 8-digit bank identification numbers within the same 6-digit prefix previously assigned and returned from an issuers' BIN.
But before we move forward, let's briefly explain what BIN stands for.
Bank identification number, or BIN, is an industry-standard term used by Visa, Mastercard and other payment systems. It identifies the payment card issuer and attributes forming the first part of the primary account number. The length of the digits included in BIN could vary across payment systems.
So why does it matter?
The main idea behind switching to 8-digit bank identification numbers is to get more BINs for new issuers and products. In essence, it creates a situation where the 6-digit BIN assigned to the specific issuer is decommissioned, subdivided into an 8-digit BIN, and then split up across other issuers with the new card products assigned. For a more illustrative explanation, please consider the scheme below:
Consequently, it may create a situation where an assigned BIN associated with the specific issuing bank, issuer country and issuing bank is no longer the case since the unused range of newly created 8-digit BIN was returned by the issuer bank to the payment system, with the latter reassigning those across other issuers.
So what are the potential risks?
While 8-digit BINs are being assigned to new issuers and card products, ignoring the enrolling update could bear potential risks, which you must consider as long as you have BINs-based payment processing and fraud rules, especially with a host-to-host integration implementation. Therefore let's consider some of them to make them obvious:
Loss of revenue
As the new 8-digit BIN may be assigned with the new issuer within the new country, you may encounter declines, as the specific card product type is not processed or there is a regional limitation for different operation types by your acquirer. Consequently, you may lose customers with failed payment attempts, resulting in a decrease in the CLTV.
Another example could be routing specific product types or countries to the specific acquirer as part of the Interchange costs optimisation. However, you may get a reverse result with the expanded BIN range.
Fraud management
Suppose you are managing the blacklist or whitelist as a part of the fraud management practices based on the BIN. In that case, you may encounter potential risks for determining the correct outcome and risk rule processing, entailing a fraud case.
Compliance
You may erroneously process the transactions from a BIN blocked due to regulatory or compliance restrictions. Even though this is the primary responsibility of the acquirer to block such transactions, merchants may have implemented effective controls on their end as well.
What about PCI DSS?
While reviewing your systems and controls, it is important to remember PCI DSS requirements and how they are affected by 8-digit BIN implementation. As for now, PCI maintains that a minimum of six digits must be truncated or encrypted to protect data at rest.
Clients that use truncation as their only method of complying with the PCI requirements for protecting data at rest and who would like to expose the full eight-digit BIN, as well as the last four digits, will need to add one or more of the other acceptable methods for data protection, such as encryption, hashing or tokenisation.
However, we strongly recommend consulting a qualified security assessor or external consultant if you decide to implement any changes to the card data truncation and storage.
A few last words on 8-digit BIN
The transition to the 8-digit BIN has been effectively accommodated in the payment card industry. We have now passed a whole year since the transition to the 8-digit BIN, and reviewing your organisational processes and controls may still be relevant so that you can eliminate possible unnecessary disruptions, declines and complications with fraud and compliance.
And while changes should be coordinated with your acquirer and other partners responsible for payment card processing, it is essential to remember that BIN table information must only be retrieved from reliable sources such as your acquirer or International Payment System services.
In any case, Ecommpay is always near and ready to provide assistance and advice.
