The International Organization for Standardization (ISO) is calling for an expansion of the issuing BIN (bank identification number) from six to eight digits, due to the significant increase of card issuers and digital activity. Effective April 2022, all merchants and payment processors should support the new BIN length.
As expected, the card brands have started moving to 8-digit BINs (bank identification numbers) for credit card numbers.
PCI DSS currently permits a PAN truncated to its first six and last four digits to be displayed on receipts, used for transactions, or stored without the protections required for a full PAN. With 8-digit BINs, a value that shows only the first six digits no longer contains the whole BIN, so business operations that rely on it must be updated.
This has led the card brands and the PCI SSC to update their guidance on what counts as truncation of cardholder data. Each card brand takes its own approach to the migration.

In summary:
With the exception of AMEX, every brand is loosening its truncation criteria somewhat to allow variations of “first 6-8 and any other 4-7”, depending on the length of the PAN and of the BIN.
For cards that still have a 16-digit PAN and a 6-digit BIN, “first 6, any other 4” is now acceptable for all the PCI DSS card brands except AMEX, replacing the previous truncation definition of “first 6, last 4”.
AMEX is the only brand that still requires “first 6, last 4” truncation.
Acceptable truncation formats vary according to PAN (primary account number) length and Payment Brand requirements.
Read the table from the PCI SSC to see how each brand is managing its adoption of the new 8-digit BIN.
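The rules summarised above, as an added example (not HALOCK's or the PCI SSC's code): a Python truncation helper plus a validator that accepts a masked value only if it stays within “BIN digits plus any other 4” for a 16-digit non-AMEX PAN, or “first 6, last 4” for a 15-digit AMEX PAN. Brand detection from the leading digits, the 15-digit AMEX length and the test card numbers are assumptions; other PAN lengths are deliberately rejected and should be checked against the PCI SSC table. The candidate_pans figure is an added observation rather than something the page states: with the first 8 and last 4 of a 16-digit PAN visible, only four digits are hidden and the Luhn check digit cuts the search space to 1,000 PANs, which is why a truncated PAN and a hash of the same PAN should never be stored side by side.

```python
"""PAN truncation helpers for the 6- to 8-digit BIN migration.

Added example, not HALOCK's or the PCI SSC's code. Only the rules stated on
the page are encoded: a 16-digit non-AMEX PAN may show its BIN (6 or 8 digits)
plus any other 4 digits; a 15-digit AMEX PAN may show only first 6, last 4.
Other PAN lengths are rejected here and must be checked against the PCI SSC
truncation table. Brand detection and the sample numbers are assumptions.
"""
import re

MASK = "*"

# Constructed sample PANs: industry test numbers, not real accounts
VISA_TEST = "4111111111111111"   # 16 digits
AMEX_TEST = "378282246310005"    # 15 digits


def luhn_ok(pan: str) -> bool:
    """Luhn check; every issued PAN passes it, which matters for candidate_pans()."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> str:
    """Assumption for this example: 15 digits starting 34 or 37 is AMEX."""
    return "amex" if len(pan) == 15 and pan[:2] in ("34", "37") else "other"


def truncate(pan: str, bin_len: int, keep_last: int = 4) -> str:
    """Keep the issuing BIN and the last `keep_last` digits; mask everything else."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    if bin_len + keep_last >= len(pan):
        raise ValueError("truncation would leave no digit masked")
    hidden = len(pan) - bin_len - keep_last
    return pan[:bin_len] + MASK * hidden + pan[-keep_last:]


def truncation_allowed(masked: str, brand: str, bin_len: int = 8) -> bool:
    """Validate a stored or displayed value against the brand rules on the page."""
    if not re.fullmatch(r"[0-9*]+", masked):
        raise ValueError("masked PAN may contain only digits and '*'")
    if brand == "amex":
        # AMEX: first 6 and last 4 of a 15-digit PAN, the five in between masked
        return len(masked) == 15 and masked[6:11] == MASK * 5
    if len(masked) == 16 and bin_len in (6, 8):
        # Other brands: the BIN plus at most 4 digits anywhere after it
        other_visible = sum(c.isdigit() for c in masked[bin_len:])
        return other_visible <= 4
    return False  # length/brand combination not covered by this example


def candidate_pans(masked: str) -> int:
    """Full PANs consistent with a masked value once the Luhn check digit is applied."""
    hidden = masked.count(MASK)
    return 10 ** (hidden - 1) if hidden else 1


if __name__ == "__main__":
    for pan, bin_len in ((VISA_TEST, 6), (VISA_TEST, 8), (AMEX_TEST, 6)):
        masked = truncate(pan, bin_len)
        ok = truncation_allowed(masked, brand_of(pan), bin_len)
        print(f"{masked}  allowed={ok}  candidates={candidate_pans(masked)}")
```

Note that truncation_allowed takes the BIN length as an input: the same masked string "41111111****1111" passes for a card whose BIN is 8 digits and fails for a card whose BIN is still 6 digits, which is exactly the distinction the per-brand table draws. The validator also rejects an AMEX value that exposes the first 8 digits, since that brand has not adopted the looser rule.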
PCI DSS Requirements
- PCI DSS Requirement 5.4.1: Anti-spoofing controls such as Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) can help stop phishers from spoofing the entity’s domain and impersonating its personnel.
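As an added example for the anti-spoofing controls named in Requirement 5.4.1 (not HALOCK's code and not text from PCI DSS itself): a small Python checker that parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable, with a weak record beside a corrected one. The record strings and domain names are constructed samples; fetch real ones with `dig TXT example.com` and `dig TXT _dmarc.example.com`. DKIM is left out because its correctness depends on a signature check, not on policy text.

```python
"""Flag SPF and DMARC settings that leave a domain open to spoofing.

Added example, not HALOCK's code. The records are constructed samples; in
practice they come from the TXT records of example.com and _dmarc.example.com.
"""

# Constructed sample records: weak setting beside the corrected one
SPF_WEAK = "v=spf1 include:_spf.example.net ?all"
SPF_GOOD = "v=spf1 include:_spf.example.net -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"


def spf_findings(record: str) -> list:
    """Return a list of problems with an SPF record; empty means no finding."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    terminal = terms[-1].lower()          # the 'all' mechanism decides unlisted hosts
    if terminal in ("all", "+all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif terminal == "?all":
        findings.append("'?all' is neutral: unlisted hosts are treated as if no SPF existed")
    elif terminal == "~all":
        findings.append("'~all' softfail: move to '-all' once DMARC is at p=reject")
    elif terminal != "-all":
        findings.append("no terminal 'all' mechanism; default result is neutral")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return a list of problems with a DMARC record; empty means no finding."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail that fails SPF/DKIM is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers ignore the record")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    for label, record, check in (
        ("SPF weak", SPF_WEAK, spf_findings),
        ("SPF good", SPF_GOOD, spf_findings),
        ("DMARC weak", DMARC_WEAK, dmarc_findings),
        ("DMARC good", DMARC_GOOD, dmarc_findings),
    ):
        print(label, record, "->", check(record) or "OK")
```

The two weak records are the common real-world shape: an SPF record that ends in "?all" or "+all" and a DMARC record published at p=none and never moved forward. Neither stops a phisher from sending mail with the entity's domain in the From header; only p=quarantine or p=reject combined with a "-all" SPF (and aligned DKIM signing) does.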
