If your business processes or stores the full-BIN, you need to know if you will be impacted by Visa's Numerics Initiative (i.e., the 8-Digit BIN expansion mandate). According to Visa’s recently published impact survey, there is a good chance your organization will be. The survey identifies crucial activities for Numerics Project Management success and shows that a large percentage of organizations are still evaluating impact and most have not begun their third-party outreach. There are also other impacts (e.g. FPE implementations) not identified in the Visa survey. Finally, with the deadline just over a year away, some key compliance questions remain unanswered.
The cost and effort to transition to the new BIN structure will be significant for many organizations. We expect this transition has the potential to cost the industry millions of dollars and countless headaches. For compliance teams, depending on how your organizations use BINs, this initiative may have the de facto effect of re-interpreting the definition of cardholder data and enlarging your PCI DSS scope. Failure to realize this could find your organization non-compliant and under pressure to remediate quickly. If you haven’t yet started, you should use the next 13 months to minimize this risk.
Almost four years ago, Visa announced an initiative to increase the number of BINs available to issuers. While industry watchers may have expected the new 8-digit BINS to come with longer PANs, Visa decided to implement them on the existing 16-digit PAN structure. It was immediately apparent that the PCI DSS implications of this decision would affect truncation and masking rules and any organization that needed to keep the full BIN and last four digits would be non-compliant unless the rules were changed. The decision was to not change the rules and require organizations to treat full 8-digit BINs as cardholder data under requirement 3.4. For many organizations, some having spent significant effort over years to minimize their compliance footprint and PCI responsibilities, this would result in an explosion of scope necessitating remediation efforts, expense and possibly an extended period of non-compliance.
Note: Mastercard is implementing their own 8-Digit BIN program for April 2022. We will provide an update on this and any differences later. (Updated March 26, 2021)
Visa recently published more guidance on this initiative. In addition, to making more BINs available in the future, here are three key facts about this initiative:
Amongst the new publications, the Impact Assessment Survey, should be considered a must read by any organization that processes or stores the full BIN. Some key take-aways from this survey include:
Six business functions were identified that impact between 43% and 69% of Visa Clients including:
The Survey identifies critical Numerics Project Management Activities :
Key takeaways form this study:
The de facto redefinition of 8-digit BIN as cardholder data leads to scope explosion. Addressing this will require data flow analysis, data discovery, and reengineering of one or more of the following controls network access, system, remote access, database, application, and logging and monitoring.
Implementing the new scope controls may potentially be expensive and non-trivial. We expect that organizations could be in the position of being non-compliant for an extended time solely due to the 8-digit BIN initiative.
Many organizations must annually report their DSS compliance. It is unclear how an organization that is compliant but for the new 8-digit BIN ranges will report non-compliance that only affects Visa. The judgement of the DSS is binary and there is no concept of partially compliant or compliant for some brands and not others. Several of the card brands maintain lists of validated service providers that are relied upon heavily by compliance teams. Filings of non-compliance will, under current rules, result in the delisting of many organizations and undermine confidence in the industry. Additional guidance is needed here.
There are potentially other impacts arising from this initiative. One that we have become aware of affects implementations of Format Preserving Techniques (see our FPE articles below). Basically, these cannot be expanded beyond the current six-and-four truncation/masking rules.
As we move into 2022, organizations will also be challenged by evolving PCI Standards and guidance. PCI DSS v4 is expected in late 2021 and although it won’t be mandatory until April 2022, it is expected to introduce changes that will impact organizational compliance programs. The PA-DSS program will be in full transition to the new software security framework. SSF will be mandatory and many software vendors and their customers will be transitioning.
We've talked to several Canadian Acquirers who arent sharing full BIN with merchants. Those merchant's are unlikely to be at risk unless they have their own payment applications and are using the BIN for purposes such as analytics, or are also Issuers. However for due diligence, merchants should seek confirmation from their Acquirers to ensure they aren't impacted.
Control Gap on 8-Digit BINs:
Control Gap on PCI DSS Scope and Applicability:
Control Gap on Format Preserving Techniques:
PCI FAQ's:
Visa "Numerics Initiative" page (2021) and supporting documents https://usa.visa.com/partner-with-us/info-for-partners/numerics-initiative.html
Previous References: