Introduction
ECommerce has transformed the way how customers shop and conduct businesses. With the ever-expanding demand for online shopping, the inevitable requirement of having online payment transactions involving the usage of credit, debit or stored value card apart from other payment mechanisms has become crucial for any online retail business and its supply chain.
In the growing world of digital payments, handling and processing of customer payment card data is paramount for any business. Securing Payment data refers to the adherence of the regulatory requirements mandated by PCI DSS (Payment Card Industry Data Security Standard) council. It is essential for merchants to understand the significance of PCI DSS mandated compliance and the implications it has on their business operations.
The BIN Number
The number shown on the customer card (credit/debit) is not just a fancy number, but a sequence of digits holding vital information. The count of the numbers shown on the card ranges from 12 to 19 digits but in general, most widely published card numbers have 16 digits. The first 6 or 8 digits of a card number holds the most valuable information. The first 6 or 8 digits of a card number is known as the BIN or Bank Identification Number. The merchant uses the BIN number to process payments and assist them to fight against fraud. The BIN number helps the merchant to identity the card brand (Visa, MasterCard, American Express, Diners, JCB, RuPay etc.) and the details about the card issuing bank or the financial institution.
The Bank Identification Number (BIN) helps the merchant in identifying the bank or the financial institution that has issued the card. The BIN sequence helps to identify the card issuer and allows electronic financial transactions by making sure that the amount is sent to the correct bank for payment. Merchants uses the BIN number to match a payment transaction with the card issuer (bank or the financial institution). The BIN number, with the help of the issuer, helps the merchant to identity whether the payment transaction was done using a lost or stolen cards and helps them to prevent identity thefts.
The Issuer or Issuing bank acts as BIN sponsors and allows the merchants to join a card scheme. The Issuing Bank, by means of their relationship with card brands (Visa, MasterCard, American Express, Diners, JCB, RuPay etc.) provides financial technology (better known as fintech) services such as financial applications, payment processing, card management etc. that rely heavily on technology to their merchants. The merchants with the help of BIN sponsors allows them to issue their own card product such as loyalty cards, prepaid cards, virtual cards etc. to their customers.
Format of a BIN Number
A BIN number consist of two distinct parts, and they are:
- MII – Major Industry Identifier Number
- IIN – Issuer Identification Number.
The MII – Major Industry Identifier number
The first single digit of the BIN number is known as the MII number. The MII number signifies the business category of the card issuer. For example, a BIN number starting with a 4 or 5 represents an issuer category associated with a Banking and Financial Business. A card having the first digit as 4 or 5, should have been issued by a financial institution that is associated with Banking and Financial Business. A BIN starting with 3 represents an issuer category associated with Entertainment and Travel Business.
Below given are the list of MII (left) and the business category (right) associated with them:
- 1 and 2 : Airline Business
- 3 : Entertainment and Travel Business
- 4 and 5 : Banking and Financial Business
- 6 : Merchandising and Banking Business
- 7 : Petroleum Business
- 8 : Health Care and Telecommunications Business
- 9 : National Assignment Business
The IIN – Issuer Identification Number
The first 6 or 8 digits (including the MII digit) represents the Issuer Identification Number (IIN). The Issuer Identification Number helps in identifying the card brand and the card issuing bank or the financial institution.
The largest card brands (Visa and MasterCard) always begin with the number 4 and 5 respectively. American Express (Amex) card brand always begin with the number 3, more specifically 34 or 37.
Below given are the list of card brands and their IIN ranges:
- Visa : 4
- MasterCard : 5
- American Express (Amex) : 34,37
- Diners : 300-3005, 309, 36, 38, 39
- JCB : 3528-3589
- RuPay : 607
How BIN Helps?
The BIN numbers provide various information to the merchant. The BIN number helps the merchant to identify:
- The Card Brand (i.e., Visa, MasterCard, American Express, Diners, JCB, RuPay etc.).
- The Business Category of the Card Issuer. (i.e., Banking and Financial Business, Travel and Entertainment etc.).
- The Name of the Card Issuer. (i.e., Bank Name or the Financial Institution Name).
- The Address, Phone Number and the Country of the Card Issuer. (i.e., Bank Address or the Financial Institution Address).
- The Card Level (Classic, Signature, Platinum or Infinite etc.). The Card Level provides benefits and coverage levels to the customer.
- Helps to identify blocked or stolen cards.
- Helps to validate the billing address of the customer available on the merchant file with the billing address marked for the customer at the card Issuer end.
- The country of card transaction and the country of card issuer. This data helps the merchant to detect any fees associated for international transactions and to identify a fraudulent transaction.
- Helps to verify customers.
- Helps to fight against fraud and prevent fraudulent transactions. BIN validation ensures the authenticity of a card. BIN validation helps in declining fraudulent card transactions and protecting the merchant from fraudulent charges.
Transition from a 6-digit BIN to an 8-digit BIN
Historically, the first 6 digits of a card number were reserved for the BIN. From April-2022, the number of digits in a BIN were increased from 6 to 8. This decision was taken because of the massive issuance of cards (credit, debit, prepaid cards etc.) and hence the major card brands realized a shortage of 6-digit BIN and their combinations. To avoid future shortage of BIN, the International Organization for Standardization (ISO), which is responsible for card-numbering conventions introduced a new standard to extend the BIN from the current 6 digits to 8 digits. An 8-digit BIN would provide a wider range of combinations and no-near possibility of BIN number shortages. The 6-digit BIN are still valid, but any card issued after April-2022, received an 8-digit BIN. However, an increase in BIN, does not change the overall length of the card number.
Securing BIN
BIN attacks are common across online commerce. In a BIN attack, fraudsters use brute-force computing applications or bots to guess and steal valid combination of card sequence, expiry date, and Card Verification Code (CVC) and perform an online transaction. Fraud detection application and Address Verification Services helps to detect and disable BIN attacks.
Several security measures are put in place to protect the merchants and their business from BIN attacks. Effective solutions such as Multi-Factor Authentication, CAPTCHA, OTP, 3D-Secure check and more secure payments methods such as Wallets etc. can be used during payment flow to prevent BIN Attacks.
There are multiple ways to detect BIN attacks and securing the BIN, including:
- Multiple payment declines.
- Huge volume of international transactions
- Multiple transactions using similar card numbers with minor changes to the digits.
- Transactions made of huge amounts.
- Unusual timings of transactions.
- Multiple low value or similar value transactions made in a short span of time.
A destructive BIN attack can harm the business in following ways:
- Identity theft.
- Chargebacks.
- Higher decline rates.
- Regulatory fines.
- Impacts the reputation.
- Additional Fees.
Merchants should frequently reassess their data handling and data storage process to ensure that they are complaint with the latest PCI-DSS rules and guidelines. This means, storing only limited digits of the card number that are necessary for payment transaction and minimizing the exposure of sensitive information to fraudsters.