Bank identification numbers (BINs) are the first digits of every payment card. They expanded from 6 to 8 digits under an ISO standard that Visa mandated for newly issued cards after April 2022. The extra two digits are not cosmetic. They carry card-level intelligence: issuer identity, card product type, geography, and commercial vs. consumer classification. Merchants still relying on 6-digit BIN databases are not capturing any of this for newly issued cards.
For fraud detection and routing systems built on 6-digit lookups, the metadata driving those decisions is incomplete for every newly issued card now in circulation. This is not a future risk. It is the present reality for any merchant whose BIN database has not been updated to the 8-digit standard.
What changed, and why the industry had to expand BINs
A BIN (Bank Identification Number) is the standardized prefix of a payment card number that identifies the issuing institution. It tells the payment network, and the merchant, which bank issued the card, what card network it runs on, and what category of card product it is. For decades, BINs were 6 digits. That was enough when the number of issuing banks and card products was manageable.
The six-digit space ran out. With global card issuance expanding, the available pool of unique 6-digit BIN combinations became insufficient. ISO updated its card identification standard to support 8-digit BINs, and Visa mandated that newly issued cards carry 8-digit BINs starting April 2022. Mastercard, Amex, and other networks followed similar timelines.
The current state is mixed. Cards issued before April 2022 retain their 6-digit BINs. Cards issued after the mandate carry 8-digit BINs. Merchants today process both, and the mix is steadily shifting toward 8-digit BINs as older cards expire and new ones are issued. A merchant's payment infrastructure built for 6-digit BIN lookups now receives a growing share of transactions where the lookup returns incomplete or mismatched metadata.
What the extra two digits actually tell you
The difference between a 6-digit and 8-digit BIN lookup is not just two more numbers. It is a meaningful increase in the precision of card-level intelligence, the kind routing and fraud systems use to make decisions on every transaction.
What a 6-digit BIN lookup typically returns:
- Issuing bank (at country level)
- Card network (Visa, Mastercard, Amex)
- Broad card type (credit vs. debit)
What an 8-digit BIN lookup additionally returns:
| Data point | Business use |
| Precise issuer identification (sub-bank level) | More accurate routing to connectors with better acquiring relationships for that issuer |
| Card product name (e.g., Visa Infinite, MC World Elite) | Correct interchange tier identification; routing optimisation for premium card types |
| Consumer vs. commercial card | Interchange rate category selection; commercial cards carry different interchange structures |
| Prepaid card flag | Subscription merchants can block prepaid cards pre-authorisation to avoid failed recurring charges |
| Geographic precision (sub-country level) | More accurate 3DS applicability determination; PSD2/SCA requirement identification |
| Network tokenisation support | Identify whether the card supports network tokenisation before attempting token enrolment |
| Interchange rate category | Pre-authorisation estimate of interchange cost; route to IC++ or blended connector based on card type |
Each of these data points influences a merchant's decision that happens at authorization time, before the transaction is submitted. The value of 8-digit BIN data is that it makes those decisions more accurate, in real time, at no additional processing cost.
What merchants with 6-digit BIN databases are missing right now
The practical consequence of operating on a 6-digit BIN database in a mixed environment is not a clean error. It is a silent degradation of decision quality. The fraud and routing systems appear to be working, but they are working from incomplete information on a growing share of transactions.
Fraud signals lost to imprecise issuer identification
Fraud detection rules that flag transactions from specific high-risk issuers depend on correctly identifying the issuer from the BIN. A 6-digit lookup on an 8-digit BIN card may return a broader issuer match that does not resolve to the specific sub-issuer associated with a known fraud pattern. The fraud signal fires on the right issuer family but misses the specific sub-issuer the rule was written for. That is a false negative that lets a high-risk transaction through.
Routing decisions made on incomplete card type data
A routing rule that sends commercial cards to a connector with better commercial card acquisition relationships depends on correctly identifying the card as commercial. A 6-digit lookup that returns "Visa credit" where an 8-digit lookup would return "Visa Business Signature" routes the transaction to the wrong connector, not by design, but because the card type signal was imprecise.
Interchange misclassification accumulating in settlement
Commercial cards, premium rewards cards, and corporate cards carry different interchange rates than standard consumer cards. If the BIN lookup misclassifies a premium rewards card as a standard Visa credit card, the merchant may be routed to a blended-rate connector that charges a single bundled rate, one that is more expensive for a standard card but even more so for a premium card where IC++ pricing would have been cheaper.
This misclassification does not surface in a single transaction. It accumulates across thousands of transactions and shows up as unexplained variance in effective processing fees.
3DS threshold misconfiguration from imprecise geography
PSD2/SCA requirements apply to EEA-issued cards processed by EEA acquirers. Correctly identifying whether a card falls under SCA requirements depends on geographic BIN data. A 6-digit lookup that returns "Europe" where an 8-digit lookup would specify "Germany" or "United Kingdom" may apply or withhold 3DS incorrectly, either adding unnecessary friction to non-SCA transactions or failing to apply required authentication to SCA-covered ones.
A merchant routing transactions based on a 6-digit BIN database is making card-type and issuer identification decisions from a dataset that no longer accurately represents newly issued cards. Every new Visa card issued after April 2022 carries an 8-digit BIN. Six-digit lookups on those cards return partial or mismatched metadata.
The PCI DSS tension merchants have not resolved
The transition to 8-digit BINs created a compliance conflict that most merchants have not fully addressed.
PCI DSS (the Payment Card Industry Data Security Standard) has long permitted merchants to display or store only the first six and last four digits of the Primary Account Number (PAN). This masking rule was designed to protect cardholder data. The middle digits carry the account number that uniquely identifies the cardholder.
An 8-digit BIN occupies the first eight digits of the PAN. PCI DSS's "first six" masking rule was written for the 6-digit BIN era. Under the original rule, displaying an 8-digit BIN while masking the middle portion would show more digits than PCI DSS intended to permit, reducing the protected middle section from its original span.
PCI DSS v4.0 introduced updated guidance addressing this (PCI Security Standards Council, 2022), but implementation across merchant systems, acquiring banks, and payment processors is still in progress.
Merchants are currently operating across three states:
| Merchant state | BIN data access | PCI DSS risk |
| Using 6-digit BIN only | Incomplete card intelligence | Compliant with original PCI DSS rule |
| Using 8-digit BIN with tokenisation | Full card intelligence, raw card data not stored | Compliant; tokenisation resolves the conflict |
| Using 8-digit BIN without updated masking | Full card intelligence | Potentially non-compliant with PCI DSS masking rules |
Tokenization resolves this conflict. When card data is tokenised at entry, replaced with a network token before storage or processing, the raw PAN never sits in merchant systems. The 8-digit BIN is available from the token metadata without the merchant storing or displaying the raw PAN.
Interchange misclassification from incorrect card-type identification, such as a commercial card processed as consumer or a prepaid card not flagged as prepaid, is not caught in per-transaction reporting. It accumulates silently in settlement data until a fee reconciliation audit surfaces it.
How richer BIN data improves three merchant decisions
The operational value of 8-digit BIN data concentrates on three decisions merchants make on every transaction.
Decision 1: Routing
Not all PSPs handle all card types equally. Some connectors have better acquiring relationships with specific issuing banks. Some offer IC++ pricing that is cheaper for low-interchange cards but more expensive for high-interchange premium cards. Some have better authorization rates for commercial cards. Routing decisions that use 8-digit BIN data can direct:
- Commercial cards to connectors with IC++ pricing and commercial card acquiring relationships
- High-value consumer credit (Visa Infinite, MC World Elite) to connectors with premium card authorization rate advantages
- Prepaid cards on subscription transactions to alternative payment method prompts before authorization, to avoid predictable failed recurring charges
- EEA-issued cards to connectors configured for SCA compliance
Each of these routing decisions requires knowing, at the BIN level, what type of card the transaction involves. Six-digit BIN data makes this imprecise. Eight-digit BIN data makes it reliable.
Decision 2: Fraud
Pre-authorization fraud checks that use 8-digit BIN data can evaluate:
- Whether the card's country of issue matches the billing address and device location (geographic mismatch signal)
- Whether the card type is consistent with the merchant's normal customer mix (a commercial card on a consumer-focused checkout is anomalous)
- Whether the card is prepaid, which carries higher fraud incidence for certain transaction types
- Whether the card is from an issuer with a historically elevated fraud rate for this merchant category
These checks fire before the authorization attempt, at the point where blocking or challenging the transaction costs nothing, rather than after the authorization, where the decline event has already been consumed.
Decision 3: Chargebacks
Certain card types generate higher chargeback rates for specific merchant categories. Premium rewards cards, corporate cards, and cards from specific issuing banks in high-fraud geographies have historically elevated dispute rates on categories like travel, digital goods, and subscription services. With 8-digit BIN-level intelligence, merchants can apply pre-authorisation risk adjustments, such as 3DS authentication, higher order review probability, or a lower automatic approval threshold, to transactions matching high-dispute BIN profiles before the transaction that becomes a chargeback has been approved.
How Hyperswitch’s BIN layer keeps merchant systems current
Maintaining an accurate 8-digit BIN database is not a one-time project. BIN assignments change as new cards are issued, card products are updated, and issuing banks merge or restructure. A BIN database that was accurate in 2023 has accumulated drift by 2026.
Juspay Hyperswitch’s BIN infrastructure provides:
25+ data points per BIN: Card issuer identity, card product name, consumer vs. commercial classification, network tokenisation support and PSD2/SCA applicability are all available per BIN for every transaction processed through Hyperswitch.
BIN data surfaced in routing logic and fraud scoring automatically: Merchants using Juspay's intelligent routing benefit from 8-digit BIN data in routing decisions without building or maintaining BIN lookup infrastructure. The BIN enrichment happens at the orchestration layer, between the transaction submission and the PSP, invisibly to the merchant's checkout and order management systems.
Tokenization architecture that resolves the PCI DSS BIN masking conflict: Hyperswitch’s tokenization layer replaces raw card data with network tokens at entry, making full 8-digit BIN metadata accessible from token data without the merchant storing or displaying raw PANs. This provides the full intelligence of 8-digit BINs within a PCI DSS-compliant architecture.
Key takeaways
- Visa mandated 8-digit BINs for newly issued cards after April 2022. Merchants now process a growing mix of 6-digit and 8-digit BIN cards, and that mix shifts further toward 8-digit with every card renewal cycle.
- Eight-digit BINs return more precise card intelligence than 6-digit lookups: exact issuer, card product name, commercial vs. consumer, prepaid status, geographic precision, interchange category, and SCA applicability.
- Merchants operating on 6-digit BIN databases face silent decision degradation. Fraud rules misfire on imprecise issuer matches, routing decisions misclassify card types, and interchange costs accumulate from incorrect rate category assignment. None of this surfaces as an explicit error.
- The PCI DSS "first six digits" masking rule was written for the 6-digit BIN era. Tokenization resolves the conflict between accessing 8-digit BIN data and PCI DSS compliance by making the raw PAN unnecessary.
- Eight-digit BIN data improves three merchant decisions simultaneously: routing (send each card type to the right connector), fraud (flag mismatches pre-authorization), and chargeback prevention (identify high-dispute BIN profiles before approval).
- Maintaining an accurate 8-digit BIN database requires ongoing updates. A BIN database that was accurate two years ago has accumulated drift as new cards were issued and card products changed.
Frequently asked questions
What is a BIN, and what are the first digits of a payment card used for?
A BIN (Bank Identification Number) is the standardized prefix of a payment card number, historically 6 digits and now 8 digits for newly issued cards. It identifies the issuing bank, the card network (Visa, Mastercard, Amex), and the card product type. When a payment is submitted, the BIN is used by the payment network to route the authorisation request to the correct issuing bank, and by the merchant or their payment orchestration layer to make routing, fraud, and compliance decisions before the authorisation attempt is sent. Without accurate BIN data, those decisions are made on incomplete information.
Why did the industry shift from 6-digit to 8-digit BINs?
The 6-digit BIN space ran out of available unique combinations to support ongoing global card issuance growth. ISO updated the card identification standard to support 8-digit BINs, and Visa mandated 8-digit BINs for newly issued cards after April 2022. The shift was a necessary infrastructure expansion to support the continued growth of card-based payments. Six-digit BINs remain in use for cards issued before the mandate. The industry is now operating in a mixed environment that will continue shifting toward 8-digit BINs as older cards expire.
Does the shift to 8-digit BINs affect how my fraud detection works?
Yes, if your fraud detection relies on BIN-level signals such as issuer identity, geographic origin, or card type, and your BIN database has not been updated to 8-digit precision. Fraud detection rules that flag specific issuers or card types return less precise matches on 8-digit BIN cards, because the 6-digit lookup resolves to a broader issuer category that may not match the specific sub-issuer the rule was written for. The practical effect is increased false negatives: high-risk transactions that should be flagged pass through because the issuer signal was not precise enough to fire the rule. Updating to an 8-digit BIN database tightens issuer and card-type identification, improving rule accuracy.
What is the PCI DSS conflict with 8-digit BINs, and how is it resolved?
PCI DSS historically permitted merchants to display or store only the first six and last four digits of a card number, a masking rule designed to protect the account-identifying middle digits. With 8-digit BINs, displaying the full BIN would expose more digits than the original rule intended, potentially conflicting with PCI DSS masking requirements. PCI DSS v4.0 introduced updated guidance (PCI Security Standards Council, 2022), but implementation varies. The practical resolution is tokenization: when card data is replaced with a network token at entry, the raw PAN is never stored or displayed by the merchant. The 8-digit BIN is available from token metadata without the merchant holding raw card data, making the masking rule conflict moot.
How does BIN data affect interchange costs?
Interchange rates vary by card type. Consumer debit, consumer credit, premium rewards credit, commercial credit, and prepaid cards all carry different interchange rates. A routing decision that sends a premium rewards Visa card to a connector with blended-rate pricing, where interchange is bundled into a flat rate regardless of card type, may be more expensive than routing the same card to an IC++ connector where interchange passes through at cost. Correctly identifying the card type from the BIN is the prerequisite for making that routing decision. Merchants without precise 8-digit BIN data misclassify card types and make interchange-suboptimal routing decisions that accumulate as unexplained fee variance in monthly settlement reconciliation.
How do I update my systems to use 8-digit BINs?
The practical options are: update your BIN lookup provider to one that has migrated to 8-digit BIN data and confirm their update frequency, as BIN assignments change regularly; implement tokenization to access 8-digit BIN metadata from token data without PCI DSS masking conflicts; or use a payment orchestration platform that provides 8-digit BIN enrichment at the routing and fraud layer without requiring merchant-side BIN database management. The orchestration approach is the least operationally intensive. The BIN enrichment happens above the PSP layer, automatically applied to every transaction, without the merchant building or maintaining BIN lookup infrastructure.
