
With the phenomenal growth of the payment card industry, major card brands migrated from six-digit BINs to eight-digit BINs, with implementation beginning in April 2022. Since then, the industry has been working with a mix of six and eight-digit BINs in circulation.
How does the change from six to eight-digit BINs impact PCI DSS compliance?
For most organizations, the impact has been minimal. The PAN displayed on the card has not changed: PANs remain 16 digits long (or the respective length for the card brand), and card embossing has not been affected either.
PCI DSS version 4.0.1 (the current active standard) has two key requirements that relate to BINs:
- Requirement 3.4.1 covers masking (concealing) digits of the PAN so that only authorized personnel with a documented business need can see more than the BIN and last four digits.
- Requirement 3.5.1 addresses methods for rendering PAN unreadable when stored.
It's important to understand the difference between these two concepts:
- Masking refers to the concealment of PAN digits during display or printing, even when the entire PAN may be stored on the system.
- Truncation is different, as the truncated digits are permanently removed and cannot be retrieved within the system.
- The masked PAN can be 'unmasked' with proper authorization, but there is no reversing truncation.
Acceptable Truncation Formats
When PAN data must be stored, acceptable truncation formats vary based on the PAN length and payment brand requirements. The following table outlines current acceptable formats as of 2025:
Source: PCI SSC FAQ #1091, updated for current standards
It's important to emphasize that these formats show the maximum permissible values and should only be used when needed to support legitimate business needs. Organizations should display or retain only the minimum number of digits necessary for their specific business purpose.
Alternative Protection Methods
It's worth noting that truncation is only one acceptable method for rendering PAN unreadable when stored. PCI DSS provides other options including:
- Strong one-way hash functions
- Index tokens with securely stored pads
- Strong encryption with associated key management
Additionally, all hashes generated after March 31, 2025, must be keyed cryptographic hashes according to PCI DSS Requirement 3.5.1.1.
Security Considerations
When implementing different truncation or masking formats, organizations should be aware of potential security risks:
- Avoiding Correlation: If different truncation formats of the same PAN exist in different systems, ensure they cannot be correlated to reconstruct additional PAN digits.
- Minimizing Exposure: Even when permissible to show the full 8-digit BIN, only display this information to users with a legitimate business need.
- Scope Considerations: Systems handling 8-digit BINs may fall within PCI DSS scope, particularly when combined with other account data.
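The correlation risk in the first point can be checked mechanically. The following is an added example, not part of the original article or of any PCI SSC material: it overlays the truncated copies of one PAN held by different systems and reports how many digits they expose together. The mask characters, the sample values and the max_exposed policy limit are assumptions; set the limit from the truncation format that applies to your card brand and PAN length.

```python
MASK_CHARS = set("*Xx#")  # assumed placeholder characters used by the stores


def merge_views(views):
    """Overlay truncated renderings of one PAN; '*' marks a digit no view reveals."""
    length = len(views[0])
    merged = ["*"] * length
    for view in views:
        if len(view) != length:
            raise ValueError("views differ in length, so they are not the same PAN")
        for i, ch in enumerate(view):
            if ch in MASK_CHARS:
                continue
            if not ch.isdigit():
                raise ValueError(f"unexpected character {ch!r} at position {i}")
            if merged[i] not in ("*", ch):
                raise ValueError(f"views disagree at position {i}")
            merged[i] = ch
    return "".join(merged)


def correlation_report(views, max_exposed):
    """Compare the digits exposed by all views together against a policy limit."""
    merged = merge_views(views)
    exposed = sum(ch.isdigit() for ch in merged)
    unknown = len(merged) - exposed
    return {
        "merged": merged,
        "exposed": exposed,
        "worst_single_view": max(sum(c.isdigit() for c in v) for v in views),
        # The Luhn check digit removes one degree of freedom from the unknown digits.
        "candidates": 10 ** max(unknown - 1, 0),
        "violation": exposed > max_exposed,
    }


if __name__ == "__main__":
    # Constructed sample: the same test PAN truncated two ways in two systems.
    billing = "411111******1111"    # first six, last four
    analytics = "41111111********"  # eight-digit BIN only
    print(correlation_report([billing, analytics], max_exposed=10))
```

In the constructed sample each store stays within the assumed limit of ten digits on its own, but the two together expose twelve, which is what the check flags.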
Current Status of Six and Eight-digit BINs
Card brands continue to support six-digit issuing BINs, and both six and eight-digit BINs currently coexist in the payment ecosystem. However, card brands are now assigning only eight-digit BINs for new issuances.
Issuers have been setting their own timeline for the expansion based on their specific business needs and technical capabilities. If your organization needs to access BINs for business purposes, consult with your Qualified Security Assessor (QSA) to review your options and ensure continued compliance.
For more detailed information, consult the current PCI DSS standards documentation and FAQs published by the PCI Security Standards Council.
Managing Consultant
SecureTrust