Visa, MasterCard, Discover, JCB, and Union Pay hit ‘reset’ on the PCI DSS truncation rules in December 2021 and January 2022, providing an unexpected solution to the unintended consequences of the 8-digit BIN expansion! Since 2017, we’ve written four previous articles about these consequences and the potential disruptions of this change. With luck, this should be the last article we will need to write on this subject. So, what’s happened?
The short answer is that some of the PCI truncation rules have been changed (see FAQ #1091) to alleviate the compliance challenges that 8-digit BINs caused for most organizations that might need to keep full BINs. The universal PCI rule that a truncated PAN should keep the first six and last four digits has not changed and remains the safest option. However, where an organization needs to keep the full 8-digit BIN and the last four digits, there are now allowances for specific card brands. This doesn’t solve all the challenges. Issuers still have two fewer Primary Account Number (PAN) middle digits to work with and may still face forced changes. But for organizations that don’t require the middle digits, keeping the BIN no longer creates major compliance headaches.
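To make the two layouts concrete, here is an added example (not code from this article, from any card brand, or from the PCI SSC): a small Python helper that truncates a PAN under the universal six-plus-four rule or the eight-plus-four layout that some brands now permit, and reports how many middle digits remain hidden. The policy names and the test PAN are assumptions made for the example.

```python
import re

# Assumed policy names for this example (not terms from the article or the standard).
KEEP_FIRST = {
    "pci_default": 6,      # first six + last four: the universal PCI rule
    "full_8digit_bin": 8,  # first eight + last four: only where the card brand allows it
}
KEEP_LAST = 4


def truncate_pan(pan: str, policy: str = "pci_default") -> str:
    """Return the PAN with its middle digits replaced by 'X' under the given policy.

    Only the leading BIN digits and the last four are retained; the middle is
    masked rather than stored. Raises ValueError on malformed input or when the
    policy would leave no digit hidden.
    """
    digits = re.sub(r"[ -]", "", pan)           # tolerate spaces and dashes in input
    if not re.fullmatch(r"\d{13,19}", digits):  # PAN lengths run up to 19 digits
        raise ValueError("PAN must be 13 to 19 digits")
    first = KEEP_FIRST[policy]
    hidden = len(digits) - first - KEEP_LAST
    if hidden <= 0:
        raise ValueError(f"policy {policy!r} would expose every digit of a {len(digits)}-digit PAN")
    return digits[:first] + "X" * hidden + digits[-KEEP_LAST:]


def hidden_digits(pan_length: int, policy: str = "pci_default") -> int:
    """Number of middle digits that stay hidden for a PAN of this length.

    Fewer hidden digits means a weaker truncation, so the 8-digit BIN layout
    should be used only where the brand rules permit it for that PAN length.
    """
    return pan_length - KEEP_FIRST[policy] - KEEP_LAST


if __name__ == "__main__":
    # Constructed test value, not a live account number.
    sample = "4111 1111 1111 1111"
    for name in KEEP_FIRST:
        print(name, truncate_pan(sample, name), "hidden:", hidden_digits(16, name))
```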
The crux of the problem was that the Bank Identification Number (BIN) or Issuer Identification Number (IIN) at the beginning of the credit card Primary Account Number (PAN) was limited to six digits, and the card brands needed to increase the number of issuers. Their solution was to expand the BIN range to 8 digits. This change had far-reaching implications down the line for parts of PCI that were designed around the limits of the old specification.
One option that was not adopted was to use the new BINs only for longer PANs. Since the standard for PANs already allowed up to 19 digits, this should have been workable. We can only guess why it was not selected, but we understand that significant challenges were anticipated.
The option that emerged allowed 8-digit BINs on 16-digit PANs, which basically meant that if you needed to retain the full BIN you would need to implement other PCI controls, such as encryption of the BIN at rest (and possibly in flight). The impact of this was huge, given the large number of organizations that had based their compliance strategy on not storing the full PAN in order to render large portions of the PCI DSS not applicable. Any organization caught by this rule change faced significant upheaval and costs that could have resulted in a lengthy transition period of retroactive remediation and non-compliance (see Learn More). Several of the card brands revisited the PCI truncation rules, considered the progress made in the last 15 years on devaluing the PAN and detecting fraud, and decided to relax the rules to remove this additional burden. There are nearly a dozen PCI standards that may need clarification, and there may still be further unintended consequences to smooth over, but overall, this decision should simplify compliance for many organizations.
This will not be the last example of the challenges faced when upgrading limits, but it may provide useful lessons about how to go about this. One of the challenges of fixed-length formats is that eventually you run into limits. Once upon a time, when computers were small and memory expensive, people designed systems with limits because not doing so would have been infeasible or massively expensive. With the routine advances in technology, Moore’s Law, etc., old limits no longer make sense. Limits are everywhere in tech. Famously, there were 2-digit dates and Y2K. More recently, IPv4 addresses and credit cards are prime examples. Unfortunately, the process of upgrading limits, hunting them down and correcting them once they have become ubiquitous, has costs too. Upgrades also have unintended consequences (i.e., they cause problems). Anticipating these is critical to the success of such changes.
PCI and 8-digit BINs:
Visa has created a site and provided tools for organizations to assess the impact of 8-digit BINs. However, the FAQ does not appear to have been updated to reflect the new truncation guidance and still includes the following text on page 3 under Data at Rest: "Clients that use truncation as their only method of complying with the PCI requirement for protecting data at rest, and who would like to expose the full eight-digit BIN as well as the last four digits, will need to add one or more of the other acceptable methods for data protection, such as encryption, hashing or tokenization."