The Bank Identification Number (BIN) identifies the bank that issued a credit card. Previously it was the first six digits of the Primary Account Number (PAN); it is now the first eight digits. Who sets the standard for the BIN? The International Organization for Standardization (ISO) does, in this case through ISO/IEC 7812-1. Although the change was incorporated in 2017, it took effect in April 2022, and it impacts payment and payment processor technology.
This mainly impacts your payment processor, or you directly if you happen to have a proprietary POS environment. The changes affect payment back-end systems. For example, effective April 2022, Visa acquirers and processors have to be able to support the new issuing BIN length, which can impact:
According to Visa, “any logic specific to the six-digit issuing BIN that has been implemented in your processing or downstream systems must be changed, particularly if you:”
According to Visa, “PCI-DSS allows exposure of the first six and any other four digits in a PAN as the only method for protecting data at rest. If a merchant would like to expose the full eight-digit BIN as well as the last four digits, they will need to add one or more of the other acceptable methods for data protection, such as encryption, hashing or tokenization. Merchants should consult their Qualified Security Assessor (QSA) prior to implementation”.
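The six-plus-four limit in the quote above can be checked mechanically against stored card values. The following Python code is an added example, not code from Visa or the PCI Security Standards Council; the function names, record ids, the 12 to 19 digit length check and the sample data (built from a common test card number) are assumptions made for illustration.

```python
import re

FIRST_SIX = 6          # leading digits the quoted rule allows in clear
MAX_OTHER_DIGITS = 4   # "any other four digits"

def truncate_pan(pan: str, leading: int = 6, trailing: int = 4) -> str:
    """Mask the middle of a PAN, keeping `leading` and `trailing` digits."""
    digits = re.sub(r"[ -]", "", pan)
    # Assumed length bounds for a PAN; adjust to the card ranges you accept.
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("input is not a 12-19 digit PAN")
    if leading < 0 or trailing < 0 or leading + trailing >= len(digits):
        raise ValueError("mask would expose the whole PAN")
    hidden = len(digits) - leading - trailing
    return digits[:leading] + "X" * hidden + digits[len(digits) - trailing:]

def clear_digits_beyond_first_six(masked: str) -> int:
    """Count digits left readable after position six of a stored value.

    Assumes the stored value has no spaces or dashes.
    """
    return sum(ch.isdigit() for ch in masked[FIRST_SIX:])

def exceeds_six_plus_four(masked: str) -> bool:
    """True when more than four digits past the first six are readable."""
    return clear_digits_beyond_first_six(masked) > MAX_OTHER_DIGITS

def audit(stored: dict[str, str]) -> list[str]:
    """Return ids of records that need an additional protection method."""
    return sorted(rid for rid, value in stored.items()
                  if exceeds_six_plus_four(value))

# Constructed sample data, built from the test number 4111 1111 1111 1111.
SAMPLE_PAN = "4111 1111 1111 1111"
STORED = {
    "receipt-1": truncate_pan(SAMPLE_PAN),             # first six + last four
    "report-7": truncate_pan(SAMPLE_PAN, leading=8),   # eight-digit BIN + last four
    "legacy-3": "4111111111111111",                    # never truncated
}

if __name__ == "__main__":
    for rid in audit(STORED):
        print(rid, STORED[rid], "-> exceeds first six + any other four")
```

Records the audit returns are the ones that, per the quoted guidance, need encryption, hashing or tokenization in addition to truncation.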
Resources
https://blog.pcisecuritystandards.org/8-digit-bins-and-pci-dss-what-you-need-to-know
https://usa.visa.com/content/dam/VCOM/global/partner-with-us/documents/merchant-action-sheet.pdf