Skip to the main content.
Contact
Contact

2 min read

Another Way 8-Digit Bins Complicate PCI Compliance: It's Not Just Data-at-Rest

Another Way 8-Digit Bins Complicate PCI Compliance: It's Not Just Data-at-Rest

The adoption of 8-digit BINs in 2022 has already created many transitional challenges for organizations needing access to the full BIN numbers (see 8-Digit BINs are Just Around the Corner). For entities that must comply with PCI DSS and need access to the full BIN, there are well documented issues with masking, truncation, and DSS scope. Many organizations will focus on their data-at-rest. However, don't overlook the PCI implications of data-in-transit as well.

Update: In December 2021, the PCI DSS truncation rules were changed to mitigated many issues identified in this article, for more details please see https://controlgap.com/blog/8-Digit-BINs-Great-PCI-Truncation-Reset

In the old 6-digit BIN world, the card BIN and last 4 digits were not considered cardholder data and did not require protection under PCI DSS. While systems receiving the full 16-digit PAN were in scope, properly truncated 6-and-4-data was considered innocuous and outside of scope and could be forwarded outside of the entity’s cardholder data environment without further safeguards.

In the new 8-digit BIN world, the old format 6-and-4-data is still safe but any organization needing access to the full 8-digit BIN will need to safeguard the data as 8-and-4-data is considered in-scope. Any system and network storing or transmitting this data will now be in the organizations new expanded PCI DSS scope. Furthermore, any connected-to, or security-impacting systems and networks will also be drawn into this new scope.

It might be easy to think that this stops with data-at-rest, but unfortunately it doesn’t. In the old BIN world, an organization could send 6-and-4-data over any network in the clear without any protection or concern. In the new 8-digit BIN world, you need to consider everywhere all 8-and-4-data is transmitted, including:

  • In clear-text over an open public network it must be encrypted with strong cryptography.
  • In clear-text over private networks and communications links bring all connected-to systems and networks along the communications path into DSS scope.

To illustrate how this could cause problems, consider a scenario where transaction data is sent in the clear through an internal network. Further, assume all PAN and SAD was sent in encrypted fields. Under current rules, this traffic could pass through multiple systems and networks without any PCI implications as long as the keys were only accessible to the endpoints. In the new 8-digit BIN world where the BIN must be treated like cardholder data, all intermediate systems and networks would suddenly be pulled into scope for the full weight of PCI DSS.

To recap:

  • Both Visa and Mastercard are supporting 8-digit BINs (see 8-Digit BINs are Just Around the Corner)
  • Any masking or truncation scheme that removes less than six digits will not be compliant without additional controls (see FAQ#1091 for details)

Note: We've talked to several Canadian Acquirers who arent sharing full BIN with merchants. Those merchant's are unlikely to be at risk unless they have their own payment applications and are using the BIN for purposes such as analytics, or are also Issuers. However for due diligence, merchants should seek confirmation from their Acquirers to ensure they aren't impacted.

Learn More

Visa 8-Digit BINs are Just Around the Corner and Many Questions Remain

6 min read

Visa 8-Digit BINs are Just Around the Corner and Many Questions Remain

If your business processes or stores the full-BIN, you need to know if you will be impacted by Visa's Numerics Initiative (i.e., the 8-Digit BIN...

Read More
3 Ways 8-Digit BIN Ranges May Impact PCI Compliance

3 min read

3 Ways 8-Digit BIN Ranges May Impact PCI Compliance

New 8-digit Bank Identification Numbers (BIN) could complicate PCI truncation rules and create compliance headaches for those required to maintain...

Read More
8-digit BIN Issues and Risks Remain after PCI Truncation Rules Clarified

2 min read

8-digit BIN Issues and Risks Remain after PCI Truncation Rules Clarified

Last month we wrote this article about issues arising from the addition of new BIN ranges and the lack of clear guidance specifically with 16-digit...

Read More