Back in 2016, the International Standards Organization (ISO) announced a forthcoming change to the length of the Issuer Identification Number, also known as IIN or Bank Identification Number (BIN), due to the increasing number of card issuers in the market and the expectation that there would eventually be a shortage in the available supply of BINs. While the standard change had several impacts, the most prominent for merchants is that the existing fixed-length 6-digit BIN standard will be converted to 8-digits.
Although some 8-digit BINs already exist in the market, beginning in April 2022 Visa and Mastercard will require all newly-issued card products have 8-digit BINs.
Merchants, and the industry overall, will experience significant challenges if there is not a solution to properly identify the BIN at the point of sale (POS). The PCI Security Standards Council recently updated their FAQ#1091 in January 2022 to allow visibility to the first eight digits of a PAN on 16-digit cards. The update to the FAQs is extremely tight with the April 2022 requirements.
Modifications to encrypt the appropriate number of digits, depending on the BIN length and the network, will be necessary. All encryption technology today is built on the legacy standard that a BIN is a fixed length of six digits and a minimum of six digits must be masked in all 16-digit PAN card transactions. This allows merchants to see the full BIN as well as the last four digits in customer identification for reasons such as returns. Updating that underlying infrastructure, to not only recognize what the BIN length is, but also to mask a minimum of only four digits on 8-digit BIN cards is a change that would normally require months or even years of development and testing in all environments. Hardware providers we have discussed this with have not received any guidance from the industry on how to proceed with this change. The image below depicts where challenges still exist.
Merchants use the BIN for a variety of reasons today, and the repercussions of not having the visibility to it will absolutely be harmful to overall processing as well as affect the customer experience. The industry will face numerous complex challenges if merchants are not able to properly identify and secure all payment transactions, regardless of BIN length. Some of these include:
- Merchant rules to properly identify the card product type to drive the most appropriate / optimized user experience for scenarios such as determining whether to prompt for cash back, identifying commercial cardholders, recognizing loyalty members, prompting for PIN, etc.
- Merchant business rules in place that restrict or add additional risk assessment on certain BINs based on geography or high fraud rates – meaning most dispute and fraud management tools will need to be updated
- Routing logic within payments platforms to appropriately send transactions to specific networks to adhere to agreements and maintain pricing and optimum approval rates
- Internal reporting solutions that rely on the BIN to segregate issuer volume, tracking against excessive fraud programs and approval rates
- Data integrity within merchant reporting, reconciliation tools, and downstream systems
- Tokenization – existing token formats will not allow merchants to properly identify the BIN
- Health Care FSA and HSA cards for the next health plan year were issued for use starting January 1, 2022. If merchants cannot identify these cards properly at the point of sale, they will not be able to provide critical information in the authorization message that is required by these card products
- Surcharging – some merchants surcharge based on the BIN today. Without a way to identify what the BIN is in real time at the time of the transaction this will create issues at the POS
- No test cards available – merchants have been told by their processors that do not plan on producing test cards until Q1 or Q2 of 2022 – which leaves no room for error. That is the only way for merchants to fully test end to end that retail POS solutions can properly accept, process, and report on new 8-digit BIN cards
It is impossible to assess the level of effort it will take to update every active payments terminal at U.S. merchant locations within the entire system; and frankly, it is impractical to assume this could be completed by April 2022 given that terminal providers have shared that in certain cases they will not expose any more than the first six / last four digits and exploration to expose the first eight is not on their docket.
MAG has requested the timeline for 8-digit BINs be suspended until the industry can fully understand the new PCI standards, how merchants will integrate them into their environment, and work with their providers to understand their roadmaps. A reasonable timeline in which the requested changes can be implemented without merchants losing the ability to identify the card type from the new BIN configuration is crucial for the success of the 8-Digit BIN implementation. It is unreasonable to have a timeline in place which requires merchants’ POS changes be made until the industry collaborates to an agreed-upon solution that can be implemented, taking into consideration the complexity of merchants’ infrastructures and the unfeasibility of major changes being made during the recent holiday season.
We have also created and collected a suite of resources available to MAG merchant members regarding the move to 8-Digit BINs.