Consumers’ embrace of ecommerce, as well as the rapid innovation in the payments industry has resulted in an unprecedented increase in the number of card numbers issued in recent years. In fact, data shows that there were 365 million open credit cards at the end of 2020. This sharp growth in credit card issuance has resulted in a shortage of available Bank Identification Numbers (BINs), which help identify the geographical location, type, and brand of the card being used.
To address this shortage, the International Standards Organization (ISO) mandated that banks switch over from the current 6-digit Bank Identification Number (ISO/IEC 7812–1) to the new 8-digit BIN on all credit and debit cards. This change to what has been an industry standard is worth unpacking as it has the potential to create vulnerabilities around fraud prevention, payment and data processing, and routing, just to name a few.
According to Deloitte, Riskified’s Marketplace Partner, Visa and Mastercard ‘have stated that acquirers and acquirer processors will need to be ready to operate on 8-digit BINs. After April 2022, Visa will only issue 8-digit BINs. Mastercard will issue 8-digit BINs after April 2022 but has not set a date for discontinuing issuance of 6-digit BINs.’ This is despite the fact that 6-digit BINs have not been eliminated entirely, and both 8-digit and 6-digit BINs continue to be supported. All other card issuers will set their own timelines for the transition and expansion.
Most encryption technology today is built on the legacy standard that a BIN counts for a fixed length of six digits and a minimum of six digits must be masked in all 16-digit card transactions. Making the necessary systems and process changes required to support 8-digit BINs can be a significant undertaking for ecommerce merchants and payment processors. The consequences of not having these changes can be detrimental to a merchant’s processing, reporting, and fraud monitoring capabilities. Merchants, who leverage BINs to drive decisions for their businesses, could face negative repercussions and disrupt the customer experience.
As more issuers adopt 8-digit BINs, it won’t be possible to continue relying solely on the first six digits of a card for routing and transaction clearing. Identifying the card issuer and the cardholder without requiring the whole card number is important for running business processes such as payment transaction routing, chargebacks, refunds, and fraud detection - all while minimizing the risk of the card data breach.
Let’s take a closer look at how these different areas could be impacted:
Fraud management: BINs are a key fraud indicator as they help identify mismatches between the location of the cardholder and the person placing the transaction, and so an adjustment in their structure can adversely affect fraud detection models if not handled correctly. Adjusting the structure of the BIN will change the way that fraud models are able to detect country of origin, which can, in turn, adversely affect approval rates.
Payment data & processing: Some merchants use tokenization services to protect the cardholder’s identity and store the card on file without the actual card number. The 8-digit BIN shift will impact how merchants tokenize data and handle customer identification.
Routing: International merchants that sell to customers in multiple countries typically use multiple gateways to process customer transactions. Since these get routed based on the BIN, these merchants will need to update their systems to be able to support both 6- and 8-digit BINs and ensure that the data sources they use for BIN values are also up to date.
Rewards and loyalty programmes: Companies, such as entertainment ticket distributors, use BINs to determine rewards and loyalty. This shift to 8-digit BINs can impact their detection system and negatively affect the customer experience.
To help mitigate the vulnerabilities that the shift to 8-digit bins could cause for your organisation, consider taking these three actions today:
Assess the impacts that the change to 8-digit BINs will have on your systems and processes as soon as possible. Inaccuracy in how cards are interpreted can lead to poor fraud management decisioning, while an increase in false declines will negatively impact good customers.
Update your BIN database each month since the roll-out of new BINs will be gradual.
Partner with providers who are on top of this change to avoid losing revenue and alienating good customers. At Riskified, we’re actively helping our merchant partners by ensuring that our system is up to date with all recent BIN values and that we’re able to accept and process both 6- and 8-digit values correctly. We are also monitoring changes of BIN data coverage and value formats on a consistent basis.
Kevin Sprake is the Senior Director of Payment Partnerships at Riskified, a fraud management platform enabling frictionless ecommerce. Throughout his career, Kevin has launched and managed Payment as a Service platforms and analytics companies in the ecommerce payments and fraud prevention industry.
Riskified empowers businesses to realize the full potential of eCommerce by making it safe, accessible, and frictionless. We have built a next-generation platform that allows online merchants to create trusted relationships with their consumers. Leveraging machine learning that benefits from a global merchant network, our platform identifies the individual behind each online interaction, helping merchants eliminate risk and uncertainty from their business. We drive higher sales and reduce fraud and other operating costs for our merchants and provide superior consumer experiences, as compared to our merchants’ performance prior to onboarding us. See www.riskified.com.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now