[in]security blog

Another Way 8-Digit BINs Complicate PCI Compliance: It's Not Just Data-at-Rest | Control Gap

Written by David Gamey | Apr 24, 2021 2:07:00 AM

The move to 8-digit BINs in 2022 has already created many transitional challenges for organizations that need access to the full BIN (see 8-Digit BINs are Just Around the Corner). For entities that must comply with PCI DSS and need the full BIN, there are well-documented issues with masking, truncation, and DSS scope. Many organizations will focus on their data-at-rest. However, don't overlook the PCI implications of data-in-transit.

Update: In December 2021, the PCI DSS truncation rules were changed to mitigate many of the issues identified in this article; for more details please see https://controlgap.com/blog/8-Digit-BINs-Great-PCI-Truncation-Reset

In the old 6-digit BIN world, the card BIN together with the last four digits was not considered cardholder data and did not require protection under PCI DSS. While systems receiving the full 16-digit PAN were in scope, properly truncated 6-and-4 data was considered innocuous and out of scope, and could be forwarded outside of the entity's cardholder data environment without further safeguards.

In the new 8-digit BIN world, the old-format 6-and-4 data is still safe, but any organization needing access to the full 8-digit BIN will need to safeguard that data, because 8-and-4 data is considered in scope. Any system or network storing or transmitting it will now fall within the organization's new, expanded PCI DSS scope. Furthermore, any connected-to or security-impacting systems and networks will also be drawn into this scope.

It might be easy to think that this stops with data-at-rest, but unfortunately it doesn't. In the old BIN world, an organization could send 6-and-4 data over any network in the clear without any protection or concern. In the new 8-digit BIN world, you need to consider everywhere 8-and-4 data is transmitted, including:

  • Over an open, public network, it must be encrypted with strong cryptography, as for any other cardholder data.
  • In clear text over private networks and communications links, it brings every connected-to system and network along the communications path into DSS scope.

To illustrate how this could cause problems, consider a scenario where transaction data is sent in the clear through an internal network, with the PAN and SAD carried in encrypted fields. Under the 6-digit rules, this traffic could pass through multiple systems and networks without any PCI implications as long as the keys were only accessible to the endpoints. In the new 8-digit BIN world, where the 8-digit BIN plus last four must be treated like cardholder data, all of those intermediate systems and networks would suddenly be pulled into scope for the full weight of PCI DSS.

To recap:

  • Both Visa and Mastercard are supporting 8-digit BINs (see 8-Digit BINs are Just Around the Corner)
  • Any masking or truncation scheme that removes fewer than six digits will not be compliant without additional controls (see FAQ#1091 for details)
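To make the scoping rule concrete, here is an added Python example (not from the original post or from Control Gap) that masks a PAN to 6-and-4 or 8-and-4, applies the "fewer than six digits removed" rule the post cites from FAQ 1091, and then scans a constructed transit log to show which hosts along the path would be pulled into scope. The host names, log format, mask characters and the one-mask-character-per-digit convention are assumptions for illustration; the PAN is the standard Visa test number, not a live card.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed for this example: the well-known Visa test number, not a live card.
SAMPLE_PAN = "4111111111111111"

# Constructed transit log: three hops a record might take inside an entity.
# Only the second hop carries 8-and-4 data. Host names are hypothetical.
SAMPLE_TRANSIT_LOG = """\
2021-04-23T10:01:07Z host=auth-gw       ref=1001 pan=411111******1111 amount=19.99 resp=00
2021-04-23T10:01:09Z host=bin-analytics ref=1001 pan=41111111****1111 amount=19.99
2021-04-23T10:01:12Z host=receipts      ref=1001 pan=************1111 amount=19.99
"""


def truncate_pan(pan: str, keep_first: int, keep_last: int, fill: str = "*") -> str:
    """Keep the leading keep_first and trailing keep_last digits; replace the rest.

    Replacing the middle with a fill character (masking) carries the same
    information as dropping it (truncation), which is what matters for scope.
    """
    digits = re.sub(r"\D", "", pan)
    removed = len(digits) - keep_first - keep_last
    if removed < 0:
        raise ValueError("keep_first + keep_last exceeds the PAN length")
    return digits[:keep_first] + fill * removed + digits[len(digits) - keep_last:]


def truncation_compliant(pan_len: int, keep_first: int, keep_last: int) -> bool:
    """The rule as the post states it (FAQ 1091 before the December 2021 change):
    a scheme that removes fewer than six digits is not compliant on its own."""
    return pan_len - keep_first - keep_last >= 6


@dataclass(frozen=True)
class TruncatedPan:
    token: str
    keep_first: int
    keep_last: int
    removed: int
    in_scope: bool  # True: must be handled as cardholder data


# Leading digits, a run of mask characters, trailing digits. Assumes one mask
# character per removed digit and that masks use * x X or #.
MASKED_PAN_RE = re.compile(r"(?<![\d*xX#])(\d*)([*xX#]+)(\d*)(?![\d*xX#])")


def scan_for_truncated_pans(text: str) -> list[TruncatedPan]:
    """Find masked PANs in free text and flag each as innocuous (six or more
    digits removed) or in scope (fewer than six removed)."""
    found = []
    for m in MASKED_PAN_RE.finditer(text):
        first, mask, last = m.groups()
        if not 12 <= len(m.group(0)) <= 19:  # only PAN-length tokens
            continue
        removed = len(mask)
        found.append(TruncatedPan(m.group(0), len(first), len(last), removed, removed < 6))
    return found


def hosts_pulled_into_scope(log_text: str) -> set[str]:
    """Hosts whose log lines carry at least one in-scope truncated PAN."""
    hosts = set()
    for line in log_text.splitlines():
        host = re.search(r"host=(\S+)", line)
        if host and any(t.in_scope for t in scan_for_truncated_pans(line)):
            hosts.add(host.group(1))
    return hosts


if __name__ == "__main__":
    for first in (6, 8):
        masked = truncate_pan(SAMPLE_PAN, first, 4)
        print(f"{first}-and-4: {masked} compliant={truncation_compliant(16, first, 4)}")
    print("hosts pulled into scope:", sorted(hosts_pulled_into_scope(SAMPLE_TRANSIT_LOG)))
```

Run against real logs or packet captures, the scanner is a quick way to inventory which internal hops actually see 8-and-4 data; each host it names is one you will have to either bring into scope or stop sending the extra two digits to.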

Note: We've talked to several Canadian Acquirers who aren't sharing full BIN with merchants. Those merchants are unlikely to be at risk unless they have their own payment applications and are using the BIN for purposes such as analytics, or are also Issuers. However, for due diligence, merchants should seek confirmation from their Acquirers to ensure they aren't impacted.
