Although some banks have already started to implement this change, in April 2022 the Bank Identification Number (BIN) on credit cards will change from 6 to 8 digits. Read on to learn how this impacts c-stores and other retailers.
First, What is a BIN?
The BIN is used to identify the bank that issued the credit card. Previously, it was the first six digits of the Primary Account Number (PAN) and now it is the first eight digits. Who decides or sets the standards for the BIN? The International Organization for Standardization (ISO) sets the standard, in this case, ISO/IEC 7812-1. Although incorporated in 2017, the changes take effect in April 2022 and impact payment and payment processor technology.
What Retailers Need To Know
This mainly impacts your payment processor, or you directly if you happen to have a proprietary POS environment. The changes impact payment back-end systems. For example, effective April 2022, Visa acquirers and processors have to be able to support the new issuing BIN length, which can impact:
- Identification of prepaid cards
- Fraud and/or chargeback analytics
- Issuer identification
- Routing
- Unique BIN range identification, for example, Fleet Cards, specific types of Corporate cards, Benefits cards
- Cashback qualification
- Optimization of approval rates, authorization analysis
What Retailer Tech is Impacted?
According to VISA, “any logic specific to the six-digit issuing BIN that has been implemented in your processing or downstream systems must be changed, particularly if you:”
- Manage your own POS environment
- Share BIN information with any third parties
- Use proprietary BIN tables in transaction processing or supplied via third parties
- Have any system logic that uses the first six digits of the card number (PAN)
- Use hard-coded BIN logic in your POS terminals
Do You Work in IT for a Retailer and Are You Responsible for PCI-DSS?
According to VISA, “PCI-DSS allows exposure of the first six and any other four digits in a PAN as the only method for protecting data at rest. If a merchant would like to expose the full eight-digit BIN as well as the last four digits, they will need to add one or more of the other acceptable methods for data protection, such as encryption, hashing or tokenization. Merchants should consult their Qualified Security Assessor (QSA) prior to implementation”.
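The Python sketch below is an added example, not code from Visa, the PCI SSC or this article. It shows the two checks described above: a BIN lookup that prefers the eight-digit prefix over a legacy six-digit row, and a test that flags truncated PANs showing more than the first six plus four other digits. The BIN table, function names, sample PAN and length bounds are constructed assumptions.

```python
import re

# Constructed BIN table (not real issuer data): 6- and 8-digit prefixes.
BIN_TABLE = {
    "400000": "Example Bank, all products (legacy 6-digit row)",
    "40000012": "Example Bank, prepaid",
    "40000034": "Example Bank, fleet",
}

def digits_of(pan):
    """Strip spaces and dashes; reject anything that is not a plausible PAN."""
    d = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", d):  # length bounds are an assumption
        raise ValueError("not a PAN")
    return d

def lookup_bin(pan, table=BIN_TABLE):
    """Longest-prefix match: prefer the 8-digit row, fall back to 6 digits.

    Hard-coded logic such as table.get(d[:6]) would return the legacy row
    for every card here and lose the prepaid/fleet distinction.
    """
    d = digits_of(pan)
    for n in (8, 6):
        if d[:n] in table:
            return d[:n], table[d[:n]]
    return None

def mask_pan(pan, first=6, last=4):
    """Truncate a PAN, keeping `first` leading and `last` trailing digits."""
    d = digits_of(pan)
    return d[:first] + "*" * (len(d) - first - last) + d[-last:]

def needs_extra_protection(masked):
    """True if a stored value shows more than ten digits in total
    (first six plus any other four), e.g. an 8-digit BIN plus last four."""
    return sum(c.isdigit() for c in masked) > 10

if __name__ == "__main__":
    pan = "4000 0012 3456 7890"  # constructed test value, not a real card
    print(lookup_bin(pan))
    for first in (6, 8):
        m = mask_pan(pan, first=first)
        print(m, "-> needs encryption/hashing/tokenization:",
              needs_extra_protection(m))
```

Running `needs_extra_protection` over existing truncated-PAN columns or log fields is a quick way to find systems that already store eight-plus-four values before the QSA conversation.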
Resources
https://blog.pcisecuritystandards.org/8-digit-bins-and-pci-dss-what-you-need-to-know
https://usa.visa.com/content/dam/VCOM/global/partner-with-us/documents/merchant-action-sheet.pdf