The long number on the front of a payment card isn’t just a random sequence, and the first six to eight digits are perhaps the most important of all.
Known as the BIN, these digits provide the merchant with a wealth of information, including the identity and category of the issuer, which allow the merchant to process payments quickly and fight fraud.
But why six to eight numbers? How do BINs work? What are they used for? And how does the number of digits in the sequence affect merchants?
Below, we reveal all.
A Bank Identification Number (BIN) is the first six to eight digits of the Primary Account Number (PAN), the long number on a credit, debit, or prepaid card. A BIN essentially tells the merchant which bank or other financial institution issued the card.
Merchants can use BINs to match any given transaction to the corresponding issuer. They can also be used to identify lost or stolen cards to prevent them from being used for identity theft.
Issuing banks can also act as BIN Sponsors. BIN sponsorship allows issuers, via their relationships with card networks like Mastercard or Visa, to offer fintech businesses access to payment processing and card management services. This means that those fintech businesses don’t have to go through the lengthy process of forms, fees, and due diligence that it takes to join a card scheme.
Credit card BIN numbers can be broken down into two parts: the Major Industry Identifier (MII) and Issuer Identification Number (IIN).
The first single digit is called the MII, and is used to identify the type of institution that issued the card. For example, the BIN for a card with a Visa logo on it will always start with a 4, the issuer category for banking and financial cards. Likewise, the 5 that most Mastercards start with also identifies it as a bank.
In contrast, American Express BINs always start with a 3 (34 or 37 more specifically), the issuer category for travel and entertainment cards. That’s because, while it is now classed as a bank holding company, Amex has a history of providing travel services.
The remaining five to seven digits constitutes the IIN, which identifies the specific bank or institution responsible for issuing the card. However, while the MII is its own unique number, it is technically part of the IIN, which is frequently used interchangeably with BIN.
The remainder of the PAN makes up the individual account number, which identifies the specific account that the card is tied to.
The BIN doesn't just identify the issuer category and card issuer, it also tells merchants the following information:
This empowers the merchant in a number of ways. Perhaps most importantly, the BIN helps to prevent identity theft and other types of fraud by allowing the merchant to check whether or not the addresses of both the cardholder and the issuing bank match the ones it has on file.
It also allows merchants to accept multiple payment methods and improves payment processing speed by making it easy to validate customer details with the issuer.
BINs are a vital component of successful payment processing. They provide accurate identifying information that merchants can use to verify customers, drive efficiency, and avoid fraud.
However, it’s only very recently that they’ve taken their present six to eight digit form. Until 2022, BINs were commonly four to six numbers. But in 2017, major card brands realized that, with the proliferation of fintech companies and the growth in the number of payment cards being issued, they would eventually run out of six digit combinations.
As a result, the International Organization for Standardization (ISO), which is responsible for card-numbering conventions, decided to transition to eight digit BINs in order to address this potential future shortage. As of April 2022, all new BINs have been issued with eight digits, though existing six digit BINs are still valid.
As merchants are responsible for analyzing BINs, one implication is that you may have to modify your system to accommodate the storage and masking of longer BINs. You might also have to reassess your data handling and storage practices to ensure they are compliant with the most up to date PCI-DSS. That means only storing the bare minimum of PAN digits that are necessary for transaction processing, minimizing the exposure of sensitive information to hackers.
Merchants should also implement security measures to guard against BIN attacks, where criminals use brute-force computing techniques to try to steal card numbers, expiration dates, and CVVs for use in fraud. Fraud detection software and address verification can prevent BIN attacks.
Are you looking to start a card program? Checkout.com can help. We allow you to issue, process and manage both virtual and physical payment card programs via our open APIs.
Our one-stop issuing shop can help you get your card program up and running in no time, and combines processing, card management, compliance and reporting capabilities all in one place.
It also offers maximum customization of options like card design (so that you can promote your brand) and spend controls, allowing you to create unique experiences that meet your customers’ needs. Whether it's a debit or credit card product, single or multi-use, virtual or physical - we’ve got you covered.
Most importantly, of course, security is built into every element, from 3D Secure authentication to flexible fraud rules.
Get in touch with our team to find out more about launching a card program with Checkout.com.