Eight Digit BIN implementation

As of April 2022, merchants will have to fully move from the existing 6 digit BIN system to the new 8 digit BIN system. Although this change seems a fair amount of time away, we have already started to encounter merchants who have run into 8 digit BINs. As stated in the PCI DSS documentation, an 8 digit BIN can be presented to the merchant when necessary to finalize business activity.

The new 8 digit BIN raises some concern for the safekeeping of sensitive data because of the increased number of digits that a merchant will be keeping on their server. Currently, businesses are provided with the 6 digit BIN and the last 4 digits of the PAN for the purpose of client identification and payment processing. With the present BIN system, the merchant has access to a total of 10 digits of the PAN, leaving the 6 digits in between to undergo truncation to help mask the original card number. Truncation and masking work by creating a sequence of random numbers to replace original numbers from the PAN, which decreases the possibility of the original credit card number being obtained. When 10 digits of the 16 digit PAN are kept, the truncated middle 6 digits are much harder to break because of the number of possible values for the masked digits.

The biggest concern with the new 8 digit BIN implementation is that only 4 middle digits will be left to go through truncation for masking purposes, leaving a smaller set of possibilities to guess through to uncover the digits in between. Also, with the merchant now having to store 12 digits of the PAN, they are increasing their PCI scope and their possible exposure to fraudulent activity, with an increased possibility of original credit card numbers being discovered.

For merchants who require the 8 digit BIN, HPCI has developed a solution that effectively addresses the concerns mentioned above. By reformatting our HPCI token sequence to provide the 8 digit BIN followed by 8 digits of truncation sequencing, HostedPCI will continue to reduce the merchant’s PCI scope while meeting PCI DSS standards.
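
The smaller hidden window described above can be put in numbers. The following is an added example, not HostedPCI code: it counts how many values of the masked middle digits remain consistent with a truncated 16 digit PAN, for 6 + 4 and for 8 + 4 retained digits. It assumes the PAN carries a standard Luhn check digit; the sample PAN is a constructed test number and the function names are illustrative.

```python
# Added example: size of the remaining search space after PAN truncation.
# Assumption: the PAN ends in a standard Luhn check digit.

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real card
MASK = "X"


def luhn_weight(digit: int, pos_from_right: int) -> int:
    """Contribution of one digit to the Luhn sum."""
    if pos_from_right % 2 == 1:  # every second digit from the right is doubled
        digit *= 2
        return digit - 9 if digit > 9 else digit
    return digit


def luhn_valid(pan: str) -> bool:
    """True if the full PAN passes the Luhn check."""
    return sum(luhn_weight(int(c), i) for i, c in enumerate(reversed(pan))) % 10 == 0


def truncate(pan: str, keep_first: int, keep_last: int = 4) -> str:
    """Keep the leading BIN digits and the trailing digits, mask the rest."""
    hidden = len(pan) - keep_first - keep_last
    if hidden < 0:
        raise ValueError("cannot keep more digits than the PAN contains")
    return pan[:keep_first] + MASK * hidden + pan[len(pan) - keep_last:]


def candidate_count(truncated: str) -> int:
    """Count fillings of the masked positions that still pass Luhn.

    Tracks how many fillings lead to each Luhn sum modulo 10, so the
    candidates are counted without being generated.
    """
    residues = [1] + [0] * 9
    n = len(truncated)
    for idx, ch in enumerate(truncated):
        pos = n - 1 - idx
        options = range(10) if ch == MASK else (int(ch),)
        nxt = [0] * 10
        for r, ways in enumerate(residues):
            for d in options:
                nxt[(r + luhn_weight(d, pos)) % 10] += ways
        residues = nxt
    return residues[0]


if __name__ == "__main__":
    for keep_first in (6, 8):
        t = truncate(SAMPLE_PAN, keep_first)
        print(t, candidate_count(t))
```

Because the check digit removes one degree of freedom, 6 hidden digits leave 100,000 consistent values and 4 hidden digits leave 1,000, whatever the retained digits are.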