David Gamey : Apr 23, 2021 10:07:00 PM
The adoption of 8-digit BINs in 2022 has already created many transitional challenges for organizations needing access to the full BIN numbers (see 8-Digit BINs are Just Around the Corner). For entities that must comply with PCI DSS and need access to the full BIN, there are well documented issues with masking, truncation, and DSS scope. Many organizations will focus on their data-at-rest. However, don't overlook the PCI implications of data-in-transit as well.
Update: In December 2021, the PCI DSS truncation rules were changed to mitigate many of the issues identified in this article. For more details, please see https://controlgap.com/blog/8-Digit-BINs-Great-PCI-Truncation-Reset
In the old 6-digit BIN world, the card BIN and last 4 digits were not considered cardholder data and did not require protection under PCI DSS. While systems receiving the full 16-digit PAN were in scope, properly truncated 6-and-4-data was considered innocuous and outside of scope and could be forwarded outside of the entity’s cardholder data environment without further safeguards.
In the new 8-digit BIN world, the old-format 6-and-4-data is still safe, but any organization needing access to the full 8-digit BIN will need to safeguard that data, as 8-and-4-data is considered in scope. Any system and network storing or transmitting this data will now fall within the organization's newly expanded PCI DSS scope. Furthermore, any connected-to or security-impacting systems and networks will also be drawn into this new scope.
It might be easy to think that this stops with data-at-rest, but unfortunately it doesn’t. In the old BIN world, an organization could send 6-and-4-data over any network in the clear without any protection or concern. In the new 8-digit BIN world, you need to consider everywhere 8-and-4-data is transmitted, including:
To illustrate how this could cause problems, consider a scenario where transaction data is sent in the clear through an internal network. Further, assume the full PAN and sensitive authentication data (SAD) were sent only in encrypted fields. Under current rules, this traffic could pass through multiple systems and networks without any PCI implications, as long as the keys were only accessible to the endpoints. In the new 8-digit BIN world, where the BIN must be treated like cardholder data, all intermediate systems and networks would suddenly be pulled into scope for the full weight of PCI DSS.
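As an added illustration (not part of the original article), the following Python scans constructed sample lines of internal transit logging for PAN-shaped tokens and flags any that expose more than the 6-and-4 pattern described above, which is how a team might locate the network paths the scenario pulls into scope. The 6-leading/4-trailing thresholds, the mask characters, the Luhn filter for unmasked numbers and the sample log lines are all assumptions.

```python
import re
from dataclasses import dataclass
MAX_LEADING, MAX_TRAILING = 6, 4   # assumed: the article's old-world "6-and-4" limit
# A run of 13-19 digits or mask characters (x, X, *, #) containing at least one
# digit and not glued to other PAN-like characters.
TOKEN_RE = re.compile(r"(?<![0-9xX*#])(?=[0-9xX*#]*[0-9])[0-9xX*#]{13,19}(?![0-9xX*#])")

@dataclass(frozen=True)
class Finding:
    line_no: int
    token: str
    leading: int    # unmasked digits before the first mask character
    trailing: int   # unmasked digits after the last mask character
    in_scope: bool  # exposes more than 6-and-4, or is an unmasked PAN

def luhn_ok(digits: str) -> bool:
    """Luhn check: tells an unmasked PAN from some other long numeric id."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def exposure(token: str) -> tuple:
    """Return (leading, trailing, in_scope) for one PAN-shaped token."""
    digits = sum(c.isdigit() for c in token)
    if digits == len(token):            # nothing masked: in scope if it is a real PAN
        return digits, 0, luhn_ok(token)
    leading = len(token) - len(token.lstrip("0123456789"))
    trailing = len(token) - len(token.rstrip("0123456789"))
    in_scope = (leading > MAX_LEADING or trailing > MAX_TRAILING
                or digits > MAX_LEADING + MAX_TRAILING)
    return leading, trailing, in_scope

def scan(lines):
    """Return a Finding for every PAN-shaped token in the given text lines."""
    return [Finding(n, m.group(), *exposure(m.group()))
            for n, line in enumerate(lines, 1) for m in TOKEN_RE.finditer(line)]
# Constructed sample of internal traffic logging (not from any real system).
SAMPLE_LOG = [
    "router1 fwd pan=411111xxxxxx1111 amt=12.00",         # 6-and-4: old-world safe
    "router1 fwd pan=41111111xxxx1111 amt=19.99",         # 8-and-4: now in scope
    "router2 fwd pan=4111111111111111 amt=5.00",          # unmasked PAN: in scope
    "router2 fwd pan=411111******1111 txn=1234567890123",  # safe; txn id fails Luhn
]

def in_scope_findings(lines=SAMPLE_LOG):
    return [f for f in scan(lines) if f.in_scope]
```

Run against real transit captures or application logs, the `line_no` and `token` of each in-scope finding point at the hop that would now carry cardholder data.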
To recap:
Note: We've talked to several Canadian Acquirers who aren't sharing the full BIN with merchants. Those merchants are unlikely to be at risk unless they have their own payment applications and are using the BIN for purposes such as analytics, or are also Issuers. However, for due diligence, merchants should seek confirmation from their Acquirers to ensure they aren't impacted.