The Eight-Digit BIN Mandate and How It Impacts PAN PCI DSS Compliance

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), jointly referred to as ISO/IEC JTC1, released standard ISO/IEC 7812-1, “Identification cards – Identification of issuers – Part 1: Number system” in 2017. This standard revises the length of an Issuer Identification Number (IIN), also referred to by the credit card brands as a Bank Identification Number (BIN) from six digits to eight digits. Effective in April 2022, only eight-digit IINs/BINs will be assigned, with continued support for existing six-digit IINs/BINs. The IIN/BIN is the beginning portion of a payment card’s primary account number (PAN) that is used to identify the card-issuing institution during the processing of payment card transactions. The intention of the increased IIN/BIN length is to accommodate the demand for payment cards and the anticipated depletion of available IINs/BINs associated with the increased demand.

PCI DSS compliance requirements

The Payment Card Industry Security Standards Council (PCI SSC) PCI Data Security Standard (PCI DSS) requires the following in relation to the storage and display of PANs:

  • PCI DSS Requirement 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than first six/last four digits of the PAN.
  • PCI DSS Requirement 3.4: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
    • One-way hashes based on strong cryptography, (hash must be of the entire PAN).
    • Truncation (hashing cannot be used to replace the truncated segment of PAN).
    • Index tokens and pads (pads must be securely stored).
    • Strong cryptography with associated key-management processes and procedures.

Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

Rules for PAN truncation

The PCI SSC provides guidance for acceptable formats for the truncation of PANs in PCI SSC FAQ 1091, dated April 2018. This guidance sets forth the requirement to remove at least six digits of a 16-digit PAN, and to remove at least five digits of a 15-digit PAN. The adoption of eight-digit IINs/BINs has not changed the PCI SSC’s view regarding the number of digits that must be removed from the PAN when storing this data.

The PCI SSC recognizes that some entities may have business drivers that necessitate flexibility for the requirement to only retain a maximum of the first six and last four digits of the PAN. Guidance for acceptable variations for which digits must be removed is also provided in FAQ 1091. It should be noted that, given the increased risk of reconstruction of full PAN that is present when decreasing the number of digits removed when storing the PAN, entities wishing to store the full eight-digit IIN/BIN in addition to the last four digits of the PAN will not be able to rely on truncation as the only protection of this data. At least one or more additional methods of protecting the increased data storage would need to be employed, such as encryption, hashing, or tokenization.

Should you have any questions on this or any other topic regarding PCI DSS compliance, please reach out to our team of Qualified Security Assessors (QSAs) and we will be happy to help.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author