Visa 8-Digit BINs are Just Around the Corner and Many Questions Remain

If your business processes or stores the full-BIN, you need to know if you will be impacted by Visa's Numerics Initiative (i.e., the 8-Digit BIN expansion mandate). According to Visa’s recently published impact survey, there is a good chance your organization will be. The survey identifies crucial activities for Numerics Project Management success and shows that a large percentage of organizations are still evaluating impact and most have not begun their third-party outreach. There are also other impacts (e.g. FPE implementations) not identified in the Visa survey. Finally, with the deadline just over a year away, some key compliance questions remain unanswered.

The cost and effort to transition to the new BIN structure will be significant for many organizations. We expect this transition has the potential to cost the industry millions of dollars and countless headaches. For compliance teams, depending on how your organizations use BINs, this initiative may have the de facto effect of re-interpreting the definition of cardholder data and enlarging your PCI DSS scope. Failure to realize this could find your organization non-compliant and under pressure to remediate quickly. If you haven’t yet started, you should use the next 13 months to minimize this risk.

The Visa Numerics Initiative – 8-Digit BINs

Almost four years ago, Visa announced an initiative to increase the number of BINs available to issuers. While industry watchers may have expected the new 8-digit BINS to come with longer PANs, Visa decided to implement them on the existing 16-digit PAN structure. It was immediately apparent that the PCI DSS implications of this decision would affect truncation and masking rules and any organization that needed to keep the full BIN and last four digits would be non-compliant unless the rules were changed. The decision was to not change the rules and require organizations to treat full 8-digit BINs as cardholder data under requirement 3.4. For many organizations, some having spent significant effort over years to minimize their compliance footprint and PCI responsibilities, this would result in an explosion of scope necessitating remediation efforts, expense and possibly an extended period of non-compliance.

Note: Mastercard is implementing their own 8-Digit BIN program for April 2022. We will provide an update on this and any differences later. (Updated March 26, 2021)

Visa recently published more guidance on this initiative. In addition, to making more BINs available in the future, here are three key facts about this initiative:

• After April 2022, 6-digit Visa BINs will be considered legacy and all new BIN ranges will be 8-digits.
• Existing legacy BIN holders will be encouraged, but not forced, to convert to the new 8-digit BINs.
• Visa and PCI guidance is clear that organizations storing the full 8-digit BINs will need additional controls and potentially may include expanded scope.

Visa Numerics Impact Discovery Findings

Amongst the new publications, the Impact Assessment Survey, should be considered a must read by any organization that processes or stores the full BIN. Some key take-aways from this survey include:

• Six business functions were identified that impact between 43% and 69% of Visa Clients including:

  • 47% - Transaction processing lifecycle
  • 50+% - BIN and PAN assignment strategy (think of ranges for loyalty, rewards, benefits, gift, corporate, and fleet cards)
  • 69% - Merchant point of sale processes, hardware, terminal software, and BIN tables
  • 63% - fraud rules and supporting systems
  • 50+%- using full BIN in data warehouses and other systems outside core payment systems (think of BIN outside your CDE)
  • 43% - use BIN for determining "on-us" ATM transactions

• The Survey identifies critical Numerics Project Management Activities :

  • 53% have not started third party outreach
  • 43% of ATM acquirers have identified impacts and 19% are still investigating
  • 37% have identified Issuer Cardholder Servicing Impacts and 37% are investigating
  • 69% of acquirers/processors have identified impacts and 8% are still investigating

• Key takeaways form this study:

  • "The findings emphasize how important it is for every Visa client to conduct a broad discovery and impact assessment across their internal systems and processes, as well as their vendors and clients." (i.e., Where does your new cardholder data reside and who have you shared it with).
  • "Clients that use truncation as their only method of complying with the PCI requirement for protecting data at rest who would like to expose the full eight-digit BIN as well as the last four digits will need to add one or more of the other acceptable methods for data protection, such as encryption, hashing or tokenization" (i.e., full 8-digit BINs must now be considered cardholder data and protected just like full PAN) While Issuers may be able to temporarily delay dealing with some of these issues by staying with their legacy BIN ranges, other organizations will have less flexibility. There is much more in the Impact Survey and we strongly encourage people to review it.

Implementation and Compliance Challenges

The de facto redefinition of 8-digit BIN as cardholder data leads to scope explosion. Addressing this will require data flow analysis, data discovery, and reengineering of one or more of the following controls network access, system, remote access, database, application, and logging and monitoring.

Implementing the new scope controls may potentially be expensive and non-trivial. We expect that organizations could be in the position of being non-compliant for an extended time solely due to the 8-digit BIN initiative.

Many organizations must annually report their DSS compliance. It is unclear how an organization that is compliant but for the new 8-digit BIN ranges will report non-compliance that only affects Visa. The judgement of the DSS is binary and there is no concept of partially compliant or compliant for some brands and not others. Several of the card brands maintain lists of validated service providers that are relied upon heavily by compliance teams. Filings of non-compliance will, under current rules, result in the delisting of many organizations and undermine confidence in the industry. Additional guidance is needed here.

Other Impacts

There are potentially other impacts arising from this initiative. One that we have become aware of affects implementations of Format Preserving Techniques (see our FPE articles below). Basically, these cannot be expanded beyond the current six-and-four truncation/masking rules.

• Many Format Preserving Encryption (FPE) implementations cleverly generate cryptograms that look like the original PAN sharing the first six, last four digits, and matching the check digit. The NIST standard behind FPE is designed to replace the middle six digits. The strength of FPE is based on the replacement of one cryptogram representing one million possible plain texts within the context of the entire account number (See Learn More on FPE). This was already a problem with Luhn matching and may be inadequate with the new bin structure.
• There are also FP implementations of tokenization and random masking (used in some payment terminal applications) that will face similar challenges.

Additional Compliance Challenges in 2022

As we move into 2022, organizations will also be challenged by evolving PCI Standards and guidance. PCI DSS v4 is expected in late 2021 and although it won’t be mandatory until April 2022, it is expected to introduce changes that will impact organizational compliance programs. The PA-DSS program will be in full transition to the new software security framework. SSF will be mandatory and many software vendors and their customers will be transitioning.

(Update) Canadian Merchants

We've talked to several Canadian Acquirers who arent sharing full BIN with merchants. Those merchant's are unlikely to be at risk unless they have their own payment applications and are using the BIN for purposes such as analytics, or are also Issuers. However for due diligence, merchants should seek confirmation from their Acquirers to ensure they aren't impacted.

Learn More

• Visa's Impact Assessment (2021 - Must Read) https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/visa-numerics-impact-assessment-discovery-interview-findings.pdf
• Update MasterCard on their 8-Digit BIN on 19-Digit PAN program https://www.mastercard.com/content/dam/public/mastercardcom/globalrisk/pdf/8-Digit-BIN-Expansion-Mandate-and-PCI-DSS-Impact.pdf

• Control Gap on 8-Digit BINs:

  • 3 Ways 8-Digit BIN Ranges May Impact PCI Compliance https://controlgap.com/blog/new-bin-ranges-and-pci-truncation
  • 8-digit BIN Issues and Risks Remain after PCI Truncation Rules Clarified https://controlgap.com/blog/pci-truncation-rules-clarified

• Control Gap on PCI DSS Scope and Applicability:

  • Understanding "Connected-to" - Is The Internet In Scope For PCI DSS? https://controlgap.com/blog/connected-to-pci
  • PCI Compliance Footprints: 7 Ways To Simplify Compliance, Reduce Risk And Save Money https://controlgap.com/blog/pci-compliance-footprints

• Control Gap on Format Preserving Techniques:

  • NIST Update to Format Preserving Encryption Standard affects PCI Use Cases https://controlgap.com/blog/nist-update-to-format-preserving-encryption-standard-affects-pci-use-cases
  • Must Format Preserving Encryption (FPE) be distinguishable from cardholder data for PCI? https://controlgap.com/blog/format-preserving-encryption-and-cardholder-data
  • 7 Things You Can Do To Deal With The Recent Format Preserving Encryption (FPE) Compromise https://controlgap.com/blog/7-things-to-do-with-fpe-break

• PCI FAQ's:

  • #1492 How can an entity meet PCI DSS requirements for PAN masking and truncation if it has migrated to 8-digit BINs? https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/How-can-an-entity-meet-PCI-DSS-requirements-for-PAN-masking-and-truncation-if-it-has-migrated-to-8-digit-BINs
  • #1091 What are acceptable formats for truncation of primary account numbers? and What Is The Difference Between Masking And Truncation In PCI Compliance? https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-are-acceptable-formats-for-truncation-of-primary-account-numbers

• Visa "Numerics Initiative" page (2021) and supporting documents https://usa.visa.com/partner-with-us/info-for-partners/numerics-initiative.html

  • https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/visa.com-numerics-faq.pdf
  • https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/acquirer-and-acquirer-processor-impact-questionnaire.pdf
  • https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/issuer-and-issuer-processor-impact-questionnaire.pdf
  • https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/merchant-action-sheet.pdf
  • https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/service-provider-action-sheet.pdf

• Previous References:

  • Retail Solutions Providers Association re-posting: VISA Bulletin - Eight-Digit Issuer BIN will be Implemented in April 2022 http://www.gorspa.org/wp-content/uploads/Visa_Bulletin_Implementation-of-8-Digit-BINs.pdf
  • MasterCard: Expansion to 2-series Bank Identification Numbers (BINs) and MasterCard 2-Series BIN Implementation for Issuers https://www.mastercard.us/content/dam/mccom/en-us/documents/issuer-2-series-BIN-impact-checklist-aug-2016.pdf
  • PYMTS blog: MasterCard Questions Need For 8-Digit BIN http://www.pymnts.com/news/payment-methods/2016/mastercard-october-bin-upgrade/