With the phenomenal growth of the payment card industry, major card brands have decided to migrate from six-digit BINs to eight-digit BINs, with a completion date set for April 2022.
How does the change from six to eight-digit BINs impact PCI DSS compliance?
It doesn’t. There is no change in how the PAN is displayed on the card: PANs will remain the same at 16 digits, and there is no impact on card embossing either. PCI DSS version 3.2.1, and the 4.0 draft version, require the PAN to be masked so that staff without a business need can see no more than the first six and/or last four digits of the PAN. If a business requirement needs access to the BIN for routing purposes, you can unmask only the BIN digits (the first eight digits) for that requirement. The business justification in this case should be documented.
Note that PCI DSS requirement 3.3 talks about masking while requirement 3.4 talks about truncation.
These are two different terms.
- Masking refers to the concealment of PAN digits during display or printing, even when the entire PAN may be stored on the system.
- This is different from truncation, in which the truncated digits are permanently removed and cannot be retrieved from the system.
The masked PAN can be ‘unmasked’ but there is no reversing truncation.
The acceptable truncation format has not changed because of the eight-digit BIN expansion mandate. If you need to store more than ‘first six and last four’, then truncation cannot be used to meet requirement 3.4. You will have to employ a one-way hash, tokenization, or strong cryptography to store the PAN in a compliant manner. The PCI SSC also states that any questions about the eight-digit BINs should be referred to the payment brands.
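The masking/truncation distinction above, shown as an added example (not code from the article or from SecureTrust): masking keeps the full PAN and only changes what is displayed, with the eight-digit BIN exposed only on request; truncation is fixed at first six/last four; and when more than that must be kept, a keyed one-way hash stands in for truncation. The PAN format check, the HMAC-SHA256 choice and the test PAN are assumptions for the demonstration.

```python
import hashlib
import hmac
import re

# Assumption: PANs arrive as 13-19 digit strings without separators.
PAN_RE = re.compile(r"^\d{13,19}$")


def _check(pan: str) -> None:
    if not PAN_RE.fullmatch(pan):
        raise ValueError("PAN must be 13 to 19 digits")


def mask_pan(pan: str, leading: int = 6) -> str:
    """Masking (req. 3.3): conceal digits for display or print only; the full
    PAN may still exist in the system and can be unmasked later.
    Default display is first six and last four. leading=8 exposes the
    eight-digit BIN and should only be used for a documented routing need."""
    _check(pan)
    if leading not in (6, 8):
        raise ValueError("only the six- or eight-digit BIN may be shown")
    return pan[:leading] + "*" * (len(pan) - leading - 4) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation (req. 3.4): the middle digits are permanently removed.
    The acceptable format is still first six and last four; the eight-digit
    BIN mandate did not expand it, so there is no leading=8 option here."""
    _check(pan)
    return pan[:6] + pan[-4:]


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """When first six/last four is not enough (e.g. the eight-digit BIN must be
    kept with the last four), store a one-way value instead of a truncation.
    HMAC-SHA256 is the assumed choice: an unkeyed hash of a PAN is weak because
    the space of candidate PANs is small enough to enumerate."""
    _check(pan)
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def stored_form(pan: str, need_eight_digit_bin: bool, key: bytes) -> tuple:
    """Choose the stored representation: truncation when first six/last four
    suffices, otherwise a keyed hash. Returns (method, value)."""
    if need_eight_digit_bin:
        return ("keyed-hash", keyed_pan_hash(pan, key))
    return ("truncation", truncate_pan(pan))


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test PAN, not a real account
    print(mask_pan(pan), mask_pan(pan, leading=8), truncate_pan(pan))
    print(stored_form(pan, True, b"demo-key"))
```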
Card brands will continue to support six-digit issuing BINs after the April 2022 deadline.
Issuers can set their own timeline for the expansion, as both six- and eight-digit BINs will exist. However, the card brands will assign only eight-digit BINs after April 2022.
Is there a business need at your company to access BINs? If yes, talk to your Qualified Security Assessor (QSA) and look at options.
For a more detailed explanation, please see the white paper released by Visa entitled Preparing for the Eight-Digit BIN.
Evaluate your company’s security posture with SecureTrust compliance, privacy and risk assessment services.
Prateek is a Managing Consultant at SecureTrust in the Asia-Pacific region and is responsible for the delivery of all compliance and assessment services. During his career of 20 years in IT security, Prateek has managed global security assignments for medium and large enterprises. He is well versed with generally accepted IT security standards like PCI DSS, ISO 27001, ITIL, BS 25999 and industry best practices.
Prateek holds QSA, CISA, CISSP and CCSK certifications. He has presented at a number of conferences in association with Visa, MasterCard and Indian Payment Card Risk Council.