BIN (Bank Identification Number)

What Is a BIN?

A Bank Identification Number (BIN) is the leading sequence of digits on a payment card that identifies which institution issued the card. Officially renamed to IIN (Issuer Identification Number) under the ISO/IEC 7812 standard, the term "BIN" remains dominant across the payments industry. When you swipe, tap, or enter a card number, the payment processor reads the BIN first to determine the card network, issuing bank, card type, and country of origin before the transaction proceeds.

BINs exist because card payments involve multiple parties: the cardholder, the merchant, the acquirer, the card network, and the issuer. The BIN acts as the routing address that tells each participant where to send authorization requests and how to handle the transaction. Without BINs, there would be no standardized way to identify who issued a card or which network should process it.

The American Bankers Association (ABA) manages the official BIN registry under ISO authority, and third-party BIN databases track over 350,000 BIN records across more than 13,000 banks globally.

How It Works

Every payment card number follows a structured format defined by ISO/IEC 7812. The card number is between 8 and 19 digits long, and the BIN occupies the first 6 to 8 positions. Here is how the number breaks down:

1. The first digit is the Major Industry Identifier (MII), which classifies the card by industry sector
2. Digits 1 through 6 (or 1 through 8 under the new standard) form the BIN, identifying the issuing institution
3. The remaining digits (excluding the last) are the individual account number
4. The final digit is a Luhn check digit used for basic validation

Major Industry Identifier

The first digit of any card number reveals its industry classification:

Mastercard also uses the 2221-2720 range (added in 2017) to supplement its traditional 51-55 prefix space.

The 6-to-8-Digit Expansion

For decades, BINs were 6 digits long. But the rise of fintechs, virtual card programs, and embedded finance platforms created an explosion of new card issuers that exhausted available 6-digit combinations. In response, ISO revised the standard, and Visa and Mastercard mandated 8-digit BINs effective April 2022.

The expansion means each legacy 6-digit BIN can now support up to 100 distinct 8-digit BINs (appending digits 00 through 99). Legacy 6-digit BINs remain valid and coexist with the new format. Any system that processes card payments: processors, gateways, fraud engines, and analytics tools: needed to update their BIN lookup tables and parsing logic to handle both formats.

BIN Lookup in Practice

When a cardholder initiates a payment, the first thing the payment processor does is extract the BIN and query a BIN database. The lookup returns:

• Card network (Visa, Mastercard, Amex, Discover)
• Issuing bank name and country
• Card type: credit, debit, or prepaid
• Card tier: classic, gold, platinum, corporate
• Whether the card is regulated under the Durbin Amendment (for US debit)

This metadata drives routing decisions, interchange fee calculations, and fraud screening before the authorization request even reaches the issuer.

Luhn Validation

The last digit of every card number is computed using the Luhn algorithm, a simple checksum that catches accidental data entry errors. It does not provide security against deliberate fraud, but it filters out obvious typos before a transaction hits the network:

// Luhn algorithm: validate a card number
function isValidLuhn(cardNumber: string): boolean {
  let sum = 0;
  let alternate = false;
  for (let i = cardNumber.length - 1; i >= 0; i--) {
    let digit = parseInt(cardNumber[i], 10);
    if (alternate) {
      digit *= 2;
      if (digit > 9) digit -= 9;
    }
    sum += digit;
    alternate = !alternate;
  }
  return sum % 10 === 0;
}

Use Cases

Transaction Routing

Payment orchestration platforms use BIN data to route transactions through the optimal processor for each card type. A debit card from a European bank might route through a different acquirer than a US corporate credit card, based on interchange costs and approval rates. This payment orchestration relies entirely on the BIN to make split-second routing decisions.

Fraud Detection and Risk Scoring

BIN data is a foundational input for risk scoring engines. Transaction monitoring systems compare the BIN's country of issuance against the cardholder's IP address, shipping address, and device location. A card issued in Brazil used from a German IP with a Nigerian shipping address triggers a high-risk score. Combined with velocity checks on the same BIN range, this data helps processors block fraud before it reaches the issuer.

Interchange Fee Optimization

The interchange fee charged on each transaction varies significantly by card type. Debit cards typically carry lower interchange than credit cards, and regulated debit cards (Durbin-eligible) carry even lower rates. Merchants and payment facilitators use BIN lookups to predict interchange costs and optimize their processing strategy. For a deeper look at how card network economics work, see the card network economics overview.

Virtual Card Programs

Fintech platforms use BIN sponsorship to issue virtual cards without becoming a licensed bank. Companies like Marqeta, Lithic, and Stripe Issuing partner with sponsor banks that hold the BIN, then issue virtual cards under that BIN on behalf of their fintech clients. This model enables any software platform to embed card issuance: a spend management tool can issue virtual cards with per-transaction controls, all tied to a BIN from the sponsor bank.

The 8-digit BIN expansion was partly driven by this use case. With hundreds of fintechs needing their own BIN ranges, the 6-digit space became unsustainable.

BIN Attacks

A BIN attack (also called card testing or carding) is a fraud technique where attackers exploit known BIN prefixes to generate and test card numbers at scale. Because BIN ranges are publicly known and card numbers follow a predictable structure with Luhn validation, attackers can systematically generate valid-looking card numbers.

How a BIN Attack Works

1. The attacker selects a known BIN prefix (for example, a popular issuer's range)
2. They generate thousands of card numbers by filling in sequential or randomized account digits and computing valid Luhn check digits
3. They run small-value test transactions (often under $1) against merchants with weak fraud controls
4. Valid card numbers that receive authorization are harvested for larger fraudulent purchases

Detection and Prevention

Processors and merchants detect BIN attacks through several signals:

• High-frequency, low-value transactions from a single IP or device
• Sequential or near-sequential card numbers in rapid succession
• Repeated failed CVV or expiry combinations against the same BIN range
• Velocity spikes on specific BIN prefixes that exceed normal patterns

Prevention measures include rate limiting on payment endpoints, CAPTCHA challenges, bot detection, 3D Secure enforcement, and PCI DSS compliant tokenization that prevents raw card numbers from being stored or reused. Issuers also mitigate BIN attacks by generating non-sequential account numbers, making it harder for attackers to enumerate valid cards within a range.

BINs and the Shift to Digital Payments

As payment infrastructure evolves, BINs remain central to card-based transactions but face growing competition from alternative payment rails. Payment tokenization replaces raw card numbers (and their BINs) with device-specific tokens for mobile wallets like Apple Pay and Google Pay. The BIN still exists within the token vault, but merchants never see it directly.

Meanwhile, real-time payment networks like FedNow and Pix bypass card networks entirely, using account-to-account transfers that have no BIN at all. As these rails gain adoption, the dominance of BIN-based routing may shift, though cards remain the most widely used payment method globally.

For businesses building on Bitcoin and stablecoins, the contrast is instructive: on-chain payments use public key addresses rather than BIN-based routing, offering a fundamentally different model for payment identification and processing. Platforms like Spark enable dollar-denominated Bitcoin payments that settle without touching card networks or BIN infrastructure at all.

Risks and Considerations

BIN Data Leakage

While BINs alone cannot authorize a transaction, they reveal the issuing bank, card type, and country. Aggregated BIN data can be used for social engineering attacks where fraudsters impersonate a cardholder's specific bank. Merchants should treat BIN data as sensitive information under PCI DSS requirements, even though it is technically the non-sensitive portion of the card number.

BIN Table Accuracy

BIN databases are maintained by third parties and can be incomplete or outdated. A stale BIN table might misidentify a card's issuer or type, leading to incorrect routing, wrong interchange calculations, or false fraud flags. Processors must regularly update their BIN tables, especially after the 8-digit expansion created thousands of new entries.

Regulatory Implications

In the United States, the Durbin Amendment caps interchange fees on regulated debit cards, and compliance depends on correctly identifying card types via BIN lookup. Misclassifying a regulated debit card as credit (due to a BIN table error) can result in overcharging merchants and regulatory penalties. Similarly, chargeback rules and liability shift depend on accurate BIN identification of card type and network.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.