Increasing Issuer Identification Number (IIN) to 8-digits in the Payment Industry
August 31, 2016 - Exploring the challenges and impacts for increasing Issuer Identification Number (IIN) to 8-digits in the Payment Industry.
What’s going on?
While change is a constant in the payment world, it's not always easy. Some changes require investigation, planning, preparation, re-configuration, re-testing and just a lot of work. The upcoming increase in length of the Issuer Identification Number (IIN), also known as Bank Identification Number (BIN), is one of those changes.
The Issuer Identification Number (IIN) is the standardized global numbering scheme globally used for identifying institutions, who assign primary account numbers (PAN) to their customers. Most typically to support the issuance of a payment card.
Traditionally, IINs are 6 digits long and serve as a consistent, reliable ways for the payment ecosystem (merchants/acquirers/schemes) to identify issuers for interchange reconciliation and VAS (such as cashback or closed-loop offers) purposes. With the revision of the ISO/IEC 7812-1 standard, the length of IINs is changing. Concretely, the length will change from six digits to eight digits. The PAN however will remain the same variable length (10 to 19 digits). A draft of this revised standard is currently in the enquiry stage. A Draft International Standard (DIS) has been distributed for voting by ISO member bodies in May 2016. The target for the final publication of the new ISO/IEC 7812-1 by ISO is early 2017.
Why is the expansion necessary?
This change is driven by the expected depletion of the available IINs across the industry e.g. one of the reason is proliferation of tokenization and they exponentially increasing need for PANs. Similar initiatives are made by the schemes earlier, such as introducing MasterCard 2-series BIN, Visa mandates on 9-digits account ranges, etc. But increasing the length will solve all these problems, which are caused by the growth of the payment industry, underutilization of capacity within IINs and the increase in innovative new products having their own IIN. It will provide more robust portfolio segmentations and a way to assign features, benefits and opportunities to support new functionalities. Several parties depend on the IIN and will be impacted. Issuers but also merchants, processors and acquirers will have to adapt their existing systems. This mean all schemes need to define the potential implication areas where upgrades need to be done.
The IIN expansion is unlikely to happen in the next couple of years. But industry experts and ISO have started recommending all IIN users to begin preparations and analysis to identify any potential system and process impacted by their plans to adopt to revised ISO standard. Just to make sure the transition goes as smooth as possible with minimal impact.
Note that in UK, they already support 8-digits IIN’s for national use only which means some systems already supports 8-digits IIN but not all ranges.
What are the major impacts?
One of the major challenges for the payment industry will be for the internal storage to support the IIN length expansion such as in BIN routing tables. This will require a systematic review of platforms to ensure that available storage is acceptable for longer IIN fields. This is also a main concern especially for legacy terminals in the field which no longer manufactured/updated by the terminal vendors. This means that there will be more pressure on merchants to upgrade to accept cards with 8 digits IIN support in the future.
Another major challenge will be the amount of impact on existing systems. Proper regression testing must be design and executed to ensure that existing implementations will not be affected by these upgrades.
Additional impacts are discuss below:
For an issuer to support an 8-digits IIN, the card management, authorization and clearing systems need to be upgraded. The management and routing of authorizations from domestic or regional networks to the account management systems must be capable of handling both version of IINs. In case the system supports tokenization or Mobile/Digital wallet solutions, the issuer must accommodate all scenarios of tokens and solutions for the accounts being used, for either 6-digit or 8-digit IINs. For ATM networks, verification of adding new IINs must be done and if expanded IINs from other issuers are used at an ATM, it should be identified and routed correctly for authorization.
Even if an issuer does not use the expanded IIN immediately for their own issuing, other organizations will start using them, meaning that the systems should be able to send funds to accounts from organizations using 8 digit IINs. These transactions need to be supported within these systems to ensure there are no gaps or operational issues/data losses that may occur
Merchants must be able to accept the new 8-digit IIN ranges in both card-present and card-not present payment acceptance channels. Thorough assessment should be done to ensure that the POS terminals, web applications and Online Stores payments processor/gateways support the expanded IIN. The merchant needs to verify with the terminal and software supplier that correct configuration of tools and logic are in place. Also, the system and routines used must remain compliant with the PCI DSS standard so that transactions with expanded IINs are managed correctly. It might be the case that some merchants will use the IIN involved in transactions for data mining, which should be upgraded so that transactions with 8 digits IIN are categorized correctly.
Merchants typically use the BIN to identify whether a BIN is domestic or belongs to a specific issuer for value-added services such as cashback, loyalty and discounts. These services are provided by PSPs who have the same checklist as Acquirer that must be reviewed to check the readiness of extended IINs.
Acquirers must ensure that the system configuration and authorization systems are supporting and routing the transactions using 8-digit IINs correctly. For that, they must validate the identification and associated product codes together with the expanded IINs that are used through payment processing and the dispute lifecycle. For example for POS devices, control and configuration systems need to be reviewed as well ensuring that all terminal types deployed recognize all transactions correctly.
In an e-commerce infrastructure, any software application, library or API used for payment processing needs to be updated, reviewed and tested to support and recognize 8-digit IINs. This also includes the fraud and risk management systems that should be able to recognize and process the expanded IIN correctly to not omit or misclassify these transactions.
Below the potential areas of impacts are listed, categorized by issuers, acquirers and merchants:
Authorization, routing and processing systems.
Card personalization and production
Online banking and ATM processing
Reporting & settlement
Fraud & risk management systems
Authorization and clearing systems
Routing and processing
Acquirer host update
Online Banking and ATM processing
Reporting and settlement
Fraud & risk management systems
Value added services
Fraud & risk management systems
PCI DSS Data Security Standards
Processing, reporting and reconciliation
Industry-wide changes like this one can be easily engrossed with thorough planning and coordination. Once process for assigning 8-digit IINs are implemented by ISO, all schemes will outline rules, planning and estimation of potential impacts on various internal systems for future extension of IINs.
UL is closely monitoring these developments and is looking forward to assisting you, our valued customer, to make the impact of these changes as minimal and manageable as possible.