Blogs

Migration to Eight-Digit Bank Identification Numbers (BINs) and the Impact to PCI Compliance

author
Prateek Rastogi
Published
July 15, 2021

With the phenomenal growth of the payment card industry, major card brands have decided to migrate from six-digit BINs to eight-digit BINs, with a completion date set for April 2022.

How does the change from six to eight-digit BINs impact PCI DSS compliance?

It doesn’t. There is no change in the display of PAN numbers on the card. PANs will remain the same at 16 digits.

There will be no impact to card embossing either. PCI DSS version 3.2.1, and the 4.0 draft version, talks about masking the PAN so that staff without a business need can see no more than the first six and/or last four digits of the PAN.

Note that PCI DSS requirement 3.3 talks about masking while requirement 3.4 talks about truncation.

These are two different terms.

  • Masking refers to the concealment of PAN digits during display or printing, even when the entire PAN may be stored on the system.
  • This is different from truncation, in which the truncated digits are permanently removed and cannot be retrieved with the system.

The masked PAN can be ‘unmasked’ but there is no reversing truncation.

A maximum of first 6 and last 4 digits of the PAN should be retained after truncation. When more digits of the PAN are required for business functions, entities can refer to the table below for acceptable format. This varies depending on the length of the PAN and specific payment brand requirement.

*Above table is published by PCI SSC on their FAQ section.

Migration to eight-digit Bank Identification Numbers (BINs) and the impact to PCI compliance.

Card brands will continue to support six-digit issuing BINs after the April 2022 deadline.

Issuers can set their own timeline for the expansion as both six and eight-digit BINs will exist. However, the card brands will assign only eight-digit BINs after April 2022.

Is there a business need at your company to access BINs? If yes, talk to your Qualified Security Assessor (QSA) and look at options.

For a more detailed explanation, please see the white paper released by Visa entitled Preparing for the Eight-Digit BIN.

_______________________

Evaluate your company’s security posture with SecureTrust compliance, privacy and risk assessment services.

author
Prateek Rastogi

Managing Consultant

SecureTrust

More Blogs

Stay up-to-date on the latest happenings in Cybersecurity and PCI Compliance.
View All Blogs
October 1, 2021
Becoming an Internal Security Assessor (ISA)
February 19, 2020
Clarifying Quarterly External Scans
March 25, 2020
The PCI Charter