PCI DSSMigration to Eight-Digit Bank Identification Numbers (BINs) and the Impact to PCI Compliance
With the phenomenal growth of the payment card industry, major card brands have decided to migrate from six-digit BINs to eight-digit BINs, with a completion date set for April 2022.
How does the change from six to eight-digit BINs impact PCI DSS compliance?
It doesn’t. There is no change in the display of PAN numbers on the card. PANs will remain the same at 16 digits.
There will be no impact to card embossing either. PCI DSS version 3.2.1, and the 4.0 draft version, talks about masking the PAN so that staff without a business need can see no more than the first six and/or last four digits of the PAN.
Note that PCI DSS requirement 3.3 talks about masking while requirement 3.4 talks about truncation.
These are two different terms.
- Masking refers to the concealment of PAN digits during display or printing, even when the entire PAN may be stored on the system.
- This is different from truncation, in which the truncated digits are permanently removed and cannot be retrieved with the system.
The masked PAN can be ‘unmasked’ but there is no reversing truncation.
A maximum of first 6 and last 4 digits of the PAN should be retained after truncation. When more digits of the PAN are required for business functions, entities can refer to the table below for acceptable format. This varies depending on the length of the PAN and specific payment brand requirement.
| PAN / BIN Length | Payment Brand | Acceptable PAN Truncation Formats |
| >16-digit PAN with 8-digit BIN |
UnionPay | At least 6 digits removed. Maximum digits which may be retained: 17-digit PAN: “First 6, any other 5” 18-digit PAN: “First 6, any other 6” 19-digit PAN: “First 6, any other 7” |
| >16-digit PAN with 6-digit BIN |
Mastercard UnionPay Visa |
At least 6 digits removed. Maximum digits which may be retained: 17-digit PAN: “First 6, any other 5” 18-digit PAN: “First 6, any other 6” 19-digit PAN: “First 6, any other 7” |
| 16-digit PAN with 8-digit BIN |
Discover UnionPay |
At least 6 digits removed. Maximum digits which may be retained: “First 6, any other 4” |
| Mastercard Visa |
At least 4 digits removed. Maximum digits which may be retained: “First 8, any other 4″ |
|
| 16-digit PAN with 6-digit BIN |
Discover Mastercard JCB UnionPay Visa |
At least 6 digits removed. Maximum digits which may be retained: “First 6, any other 4” |
| 15-digit PAN | American Express | At least 5 digits removed. Maximum digits which may be retained: “First 6, last 4”” |
| Mastercard | At least 5 digits removed. Maximum digits which may be retained: “First 6, any other 4” |
|
| <15 digit PAN | Discover Mastercard |
Maximum digits which may be retained: “First 6, any other 4” |
*Above table is published by PCI SSC on their FAQ section.
Card brands will continue to support six-digit issuing BINs after the April 2022 deadline.
Issuers can set their own timeline for the expansion as both six and eight-digit BINs will exist. However, the card brands will assign only eight-digit BINs after April 2022.
Is there a business need at your company to access BINs? If yes, talk to your Qualified Security Assessor (QSA) and look at options.
For a more detailed explanation, please see the white paper released by Visa entitled Preparing for the Eight-Digit BIN.
_______________________
Evaluate your company’s security posture with SecureTrust compliance, privacy and risk assessment services.
_______________________
Written by Prateek Rastogi
Prateek is a Managing Consultant at SecureTrust in the Asia-Pacific region and is responsible for the delivery of all compliance and assessment services. During his career of 20 years in IT security, Prateek has managed global security assignments for medium and large enterprises. He is well versed with generally accepted IT security standards like PCI DSS, ISO 27001, ITIL, BS 25999 and industry best practices.
Prateek holds QSA, CISA, CISSP and CCSK certifications. He has presented at a number of conferences in association with Visa, MasterCard and Indian Payment Card Risk Council.
Prateek can be reached for additional questions on prastogi@securetrust.com as well as on LinkedIn.