Another Way 8-Digit Bins Complicate PCI Compliance: It's Not Just Data-at-Rest
Posted by David Gamey on 23 Apr 2021.
The adoption of 8-digit BINs in 2022 has already created many transitional challenges for organizations needing access to the full BIN numbers (see 8-Digit BINs are Just Around the Corner). For entities that must comply with PCI DSS and need access to the full BIN, there are well documented issues with masking, truncation, and DSS scope. Many organizations will focus on their data-at-rest. However, don't overlook the PCI implications of data-in-transit as well.
In the old 6-digit BIN world, the card BIN and last 4 digits were not considered cardholder data and did not require protection under PCI DSS. While systems receiving the full 16-digit PAN were in scope, properly truncated 6-and-4-data was considered innocuous and outside of scope and could be forwarded outside of the entity’s cardholder data environment without further safeguards.
In the new 8-digit BIN world, the old-format 6-and-4-data is still safe, but any organization needing access to the full 8-digit BIN will need to safeguard the data, as 8-and-4-data is considered in scope. Any system and network storing or transmitting this data will now be in the organization's newly expanded PCI DSS scope. Furthermore, any connected-to or security-impacting systems and networks will also be drawn into this new scope.
It might be easy to think that this stops with data-at-rest, but unfortunately it doesn’t. In the old BIN world, an organization could send 6-and-4-data over any network in the clear without any protection or concern. In the new 8-digit BIN world, you need to consider everywhere all 8-and-4-data is transmitted, including:
- Over an open public network, it must be encrypted with strong cryptography.
- In clear text over private networks and communications links, it brings all connected-to systems and networks along the communications path into DSS scope.
To illustrate how this could cause problems, consider a scenario where transaction data is sent in the clear through an internal network. Further, assume all PAN and SAD were sent in encrypted fields. Under current rules, this traffic could pass through multiple systems and networks without any PCI implications as long as the keys were only accessible to the endpoints. In the new 8-digit BIN world, where the BIN must be treated like cardholder data, all intermediate systems and networks would suddenly be pulled into scope for the full weight of PCI DSS.
- Both Visa and Mastercard are supporting 8-digit BINs (see 8-Digit BINs are Just Around the Corner)
- Any masking or truncation scheme that removes fewer than six digits will not be compliant without additional controls (see FAQ #1091 for details)
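The truncation rule and the data-in-transit scenario above can be put into a small checker. The following is an added example written for this post, not ControlGap's code or anything published by the card brands: it truncates a PAN to a first-N-and-last-4 form, decides whether that form still counts as cardholder data using the "fewer than six digits removed" rule stated above, and then walks the links a cleartext field crosses to show which systems the 8-and-4 form pulls into scope compared with 6-and-4. The system names, the link layout and the test PAN are constructed for illustration; the `Link` class and `transit_impact` function are this example's own, not PCI SSC terminology.

```python
from dataclasses import dataclass

# Rule as summarised on the page (PCI SSC FAQ #1091): a truncation scheme
# that removes fewer than six digits is not compliant without extra controls.
MIN_DIGITS_REMOVED = 6


def truncate(pan: str, keep_first: int, keep_last: int) -> str:
    """Truncate a PAN to its leading/trailing digits; each removed digit is
    replaced by 'x' so the layout stays readable (the digit itself is gone)."""
    if not pan.isdigit():
        raise ValueError("PAN must contain digits only")
    if keep_first + keep_last > len(pan):
        raise ValueError("cannot keep more digits than the PAN has")
    removed = len(pan) - keep_first - keep_last
    tail = pan[len(pan) - keep_last:] if keep_last else ""
    return pan[:keep_first] + "x" * removed + tail


def truncation_in_scope(pan_length: int, keep_first: int, keep_last: int) -> bool:
    """True when this truncated form must still be handled as cardholder data."""
    return pan_length - keep_first - keep_last < MIN_DIGITS_REMOVED


@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    network: str      # "public" or "private"
    encrypted: bool   # strong cryptography applied to the field on this link


def transit_impact(path, keep_first, keep_last, pan_length=16):
    """Walk the links a truncated-PAN field crosses and report two things:
    violations  - in-scope data sent in the clear over a public network
    pulled_in   - systems drawn into DSS scope because in-scope data crossed
                  a private link in the clear (connected-to along the path)."""
    violations, pulled_in = [], set()
    if not truncation_in_scope(pan_length, keep_first, keep_last):
        return violations, []          # old 6-and-4 style data: nothing changes
    for link in path:
        if link.encrypted:
            continue                   # strong crypto: the link carries no cleartext
        if link.network == "public":
            violations.append(f"{link.src}->{link.dst}: in-scope data in clear on public network")
        else:
            pulled_in.update({link.src, link.dst})
    return violations, sorted(pulled_in)


# Constructed scenario matching the article: PAN and SAD ride in encrypted fields,
# but the BIN + last-4 field crosses the internal network in the clear.
INTERNAL_PATH = [
    Link("pos-terminal", "store-switch", "private", False),
    Link("store-switch", "core-router", "private", False),
    Link("core-router", "payment-gateway", "private", False),
]

SAMPLE_PAN = "4111111111111111"   # constructed test value, not a real card number


if __name__ == "__main__":
    for keep_first in (6, 8):
        form = truncate(SAMPLE_PAN, keep_first, 4)
        violations, pulled = transit_impact(INTERNAL_PATH, keep_first, 4)
        print(f"{keep_first}-and-4 form {form}: in scope={truncation_in_scope(16, keep_first, 4)}")
        print(f"  systems pulled into scope on the internal path: {pulled or 'none'}")
        print(f"  public-network violations: {violations or 'none'}")
```

Running it shows the contrast the article describes: the 6-and-4 form removes six digits, stays out of scope and drags nothing in, while the 8-and-4 form removes only four digits, so every system on the cleartext internal path lands in scope. Setting `encrypted=True` on a link is the fix the two bullets above point to; flipping a link to `network="public"` while still in the clear produces a violation rather than a scope expansion.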
Note: We've talked to several Canadian Acquirers who aren't sharing the full BIN with merchants. Those merchants are unlikely to be at risk unless they have their own payment applications and are using the BIN for purposes such as analytics, or are also Issuers. However, for due diligence, merchants should seek confirmation from their Acquirers to ensure they aren't impacted.
- Visa 8-Digit BINs are Just Around the Corner and Many Questions Remain (with many references on scoping, Format Preserving Encryption, and earlier articles on 8-digit BINs): https://controlgap.com/blog/Visa%208-digit-BINs-are-just-around-the-corner
- Visa's Impact Assessment (2021, must read): https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/visa-numerics-impact-assessment-discovery-interview-findings.pdf
- Mastercard on their 8-Digit BIN program: https://www.mastercard.com/content/dam/public/mastercardcom/globalrisk/pdf/8-Digit-BIN-Expansion-Mandate-and-PCI-DSS-Impact.pdf
- PCI SSC FAQ #1091, What are acceptable formats for truncation of primary account numbers? (and What Is The Difference Between Masking And Truncation In PCI Compliance?): https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-are-acceptable-formats-for-truncation-of-primary-account-numbers
- Understanding "Connected-to": Is The Internet In Scope For PCI DSS? https://controlgap.com/blog/connected-to-pci