How Bank Identification Number (BIN) Works
Every payment card in circulation carries a structured number governed by ISO/IEC 7812. The first segment of that number — the BIN — is a compact identifier that tells every participant in the payment chain who issued the card, what network it runs on, and what kind of card it is. Understanding the mechanics of BIN processing is foundational for anyone building or optimizing a payment flow.
Card number is submitted
The cardholder enters or taps their card at a POS terminal or online checkout. The full Primary Account Number (PAN) is captured by the merchant's payment form or terminal and passed to the payment gateway.
BIN is extracted
The gateway or processor extracts the first 6 or 8 digits of the PAN. These digits form the BIN. No cardholder-sensitive data is needed at this stage — the BIN alone is sufficient for identification and routing.
BIN lookup is performed
The extracted BIN is matched against a BIN database — a structured registry mapping BIN ranges to issuing institutions, card networks, card types, geographies, and additional metadata. BIN databases are maintained commercially by providers such as Mastercard, Visa, and third-party data vendors.
Routing and risk decisions are made
Using the BIN metadata, the processor determines the correct network rails to use, applies any surcharge or interchange rules tied to card type, runs fraud scoring models that factor in issuer country vs. billing address, and decides whether to proceed, flag, or block the transaction before it ever reaches the issuer.
Authorization request is sent
With routing confirmed, an authorization request travels over the appropriate network to the issuing bank. The issuer validates the remaining PAN digits, CVV, expiry, and available funds before returning an approval or decline code.
6 vs. 8-digit BINs
ISO/IEC 7812-1 was updated in 2022 to extend BINs from 6 to 8 digits. Always confirm your BIN database and payment processor support 8-digit lookups — systems relying solely on 6-digit BINs will misidentify cards issued under the expanded format.
Why Bank Identification Number (BIN) Matters
BINs are invisible to cardholders but fundamental to how the global payments infrastructure functions. Every authorization, every fraud decision, and every routing choice at scale depends on fast, accurate BIN resolution. The business impact of getting BIN handling right — or wrong — is substantial.
According to Nilson Report data, there are over 25,000 active BIN ranges in circulation globally as of 2024, spanning more than 200 countries and territories. With the 8-digit expansion, the potential address space grows from roughly 900,000 usable BINs to 90 million, future-proofing capacity for decades of fintech growth.
Fraud prevention is the highest-stakes use case. The Association of Certified Fraud Examiners (ACFE) 2024 Payment Fraud Report found that card-not-present fraud accounted for 65% of payment card fraud losses globally. BIN-level signals — country mismatch, prepaid card detection, high-risk issuer flags — are among the top three features used by fraud models to score CNP transactions in real time. Merchants who implement real-time BIN lookups at checkout report false-positive rate reductions of up to 30% compared to those using only address and CVV checks.
BINs also drive direct revenue outcomes. Interchange fees vary significantly by card type and issuer country, information encoded in the BIN. Processors that accurately identify premium, corporate, or international cards via BIN lookup can apply the correct interchange optimization strategy, reducing effective processing costs by 15–40 basis points on eligible transactions.
Bank Identification Number (BIN) vs. Primary Account Number (PAN)
BIN and PAN are related but serve different purposes in the payment lifecycle. Conflating them leads to both technical errors and compliance gaps.
| Attribute | BIN | PAN |
|---|---|---|
| Length | 6 or 8 digits | 8–19 digits (full card number) |
| Location | Leading digits of the PAN | Entire card number including BIN |
| Sensitivity | Non-sensitive; public metadata | Sensitive; PCI DSS in-scope |
| Purpose | Issuer/network/type identification | Uniquely identifies cardholder account |
| Storage rules | Can be stored post-transaction | Cannot be stored unencrypted (PCI DSS) |
| Used by | Gateways, fraud tools, routers | Issuers, networks, authorization systems |
| Exposure risk | Minimal | High — core target of card data theft |
The BIN is always a subset of the PAN, but because it carries no cardholder-specific information, it sits entirely outside PCI DSS cardholder data protection requirements. Merchants can safely log, analyze, and store BIN data for analytics and fraud modeling without triggering PCI scope.
Types of Bank Identification Number (BIN)
Not all BINs behave the same way. The metadata encoded within a BIN range varies significantly based on the product and issuer, and merchants should account for these distinctions in their acceptance and fraud logic.
Standard consumer credit BINs are the most common. They map to revolving credit accounts issued by banks and credit unions, carrying typical chargeback rights and interchange tiers.
Debit BINs identify cards tied directly to checking or savings accounts. These transactions may route over PIN debit networks (like Interlink or PULSE) or signature debit rails, affecting interchange costs and chargeback rules.
Prepaid BINs represent loaded-value cards with no direct link to a bank account. They are frequently associated with elevated fraud risk and limited chargeback recourse. Many merchants apply stricter velocity rules to prepaid BIN ranges.
Corporate and purchasing card BINs identify B2B-issued cards. These typically carry Level 2/Level 3 data requirements for interchange optimization and different liability rules than consumer cards.
Virtual card BINs are issued by BaaS providers and fintech programs for single-use or limited-use digital card numbers. These BINs are increasingly common in B2B payables and subscription billing contexts.
Network-specific BINs (e.g., Amex, Discover) are tightly controlled by the network themselves, which also act as the issuer in a closed-loop model — unlike the open-loop Visa/Mastercard model where any bank can hold a BIN range.
Prepaid card detection
Detecting prepaid BINs at checkout is legal in most jurisdictions and widely used by merchants selling age-restricted products, subscriptions, or high-value digital goods. Always check local regulatory requirements before blocking prepaid cards outright.
Best Practices
Effective BIN handling requires different practices depending on whether you're on the business side or building the integration layer.
For Merchants
Keep your BIN database current. BIN ranges are reassigned, expanded, and deprecated regularly. A stale BIN database causes misrouted transactions, incorrect surcharging, and broken fraud logic. Subscribe to quarterly updates from your BIN data provider or ensure your payment gateway handles lookups dynamically.
Use BIN data to personalize checkout. Displaying the correct card network logo as soon as the first digits are typed reduces checkout abandonment. Studies by Baymard Institute show that trust indicators — including accurate card brand identification — reduce form abandonment by up to 20% at the payment step.
Implement BIN-level velocity monitoring to detect BIN attacks. Set alert thresholds for authorization attempts sharing the same BIN prefix within short time windows (e.g., more than 10 attempts per BIN per minute). Combine with CAPTCHA and device fingerprinting for layered defense.
For Developers
Integrate an 8-digit BIN lookup service rather than building your own static table. The expanded ISO 7812 format makes self-maintained lookups impractical at scale. Commercial providers such as Mastercard's BIN table service, Visa's BIN Attribute Sharing Service, or third-party vendors offer structured APIs with SLAs.
Separate BIN extraction logic from PAN handling. Since BINs are non-sensitive, they should flow through lightweight, high-availability paths. Do not route BIN lookup through PCI-scoped vaults — this adds unnecessary latency and compliance overhead.
Cache BIN results intelligently. BIN metadata changes infrequently for a given range. A TTL-based cache (24–72 hours) on BIN lookup results dramatically reduces API call volume without meaningfully degrading accuracy.
Common Mistakes
Using a 6-digit BIN database post-2022. With the ISO 7812 expansion, 8-digit BINs are now live. A 6-digit lookup on an 8-digit BIN may return incorrect issuer data, wrong card type, or no match at all, silently breaking fraud logic and routing rules.
Treating all prepaid BINs as fraudulent. Not every prepaid card is a fraud vector. Gift cards, reloadable debit cards, and employee expense cards all use prepaid BINs. Blanket blocking of prepaid BINs will reject legitimate customers and create unnecessary support friction. Use risk scoring rather than binary rules.
Skipping BIN validation on server-side. Some developers rely solely on client-side BIN lookup to display card logos and defer routing decisions to the gateway. If the gateway has a stale BIN database and yours is current, discrepancies cause silent misrouting. Always validate critical BIN-based decisions server-side.
Logging raw PANs when intending to log BINs. A developer building analytics on card type often accidentally logs full PANs rather than the BIN prefix, inadvertently bringing systems into PCI DSS scope. Log only the first 6–8 digits and the last 4, never the full PAN.
Ignoring BIN metadata on recurring transactions. Cards are reissued, and BIN-level attributes can change between the initial charge and a future subscription renewal. Re-run a BIN lookup on stored payment methods periodically, especially for high-value or high-risk subscription merchants.
Bank Identification Number (BIN) and Tagada
BIN intelligence is embedded across Tagada's payment orchestration layer. When a transaction enters Tagada, the platform performs an automatic BIN lookup to inform routing, risk scoring, and acceptance logic — before the authorization request leaves the system.
Tagada uses real-time 8-digit BIN resolution to dynamically route transactions to the processor most likely to approve a given card type and issuer geography. For example, a UK-issued debit card will be routed differently than a US corporate credit card — without any merchant configuration required. This BIN-aware routing typically lifts authorization rates by 2–5 percentage points compared to static single-processor setups.
Merchants on Tagada also benefit from BIN-level fraud signals surfaced in the transaction event stream. Each payment event includes enriched BIN metadata — card type, issuer country, prepaid flag, and network — available for downstream analytics, chargeback dispute evidence, and custom rule configuration in Tagada's risk engine.