Visa Private BIN Range
Most times, when you see the words “Private BIN” on something, it’s very, very tasty.
Recently, Visa Europe has launched its own fine range, which (true to the traditions of the phrase) is also very tasty. May we present….. the Visa Private BIN range:
What, just a couple of numbers? Not anything in a bottle? Nothing to actually drink? No, sadly not.
But these 6-digit numbers are important. They represent something quite special in the world of PCI DSS, tokens, and de-scoping.
Visa Europe has set aside a pair of BINs (Bank Identification Numbers) which it promises will never be used in the ‘real world’. That is, companies are free to use these two 6-digit numbers internally, knowing that Visa will never issue them to real entities.
It means that when vendors which provide tokens (such as in our Veritape de-scoping products like OneProx), we can be confident that by starting the tokens with 468738 or 468739, our customers will know that these are tokens. Even when vendors’ tokens are Luhn-compliant, they can still be detected as tokens, and not be mistaken for real PANs.
That’s a Nebuchadnezzar-sized big deal. But why?
Like many applications which use tokens, both OneProx and our CallGuard DataShield software have always been able to issue Luhn-compliant tokens which plug right into our clients’ existing websites, CRM systems, payment gateways and applications. Luhn-compliant tokens are great, because they can be used in exactly the same systems or processes as card data, without requiring any changes to them. (After all, Luhn-compliant tokens will pass any existing client-side Luhn checking functions.)
However, it’s always been very difficult (or impossible) to determine whether a given number residing in a database field is a token, or a real PAN. So how does a merchant know whether, after implementing a token system, all the card data has truly been flushed out?
By starting a token with a Visa Private BIN number, Luhn-compliant tokens are easily differentiable from card data.
And yet (here’s the amazing bit!) these tokens are NOT cardholder data, so merchants’ systems can be de-scoped from PCI DSS.
The Visa Private BIN range has another important benefit, too, for companies already using data discovery tools.
Once the cardholder data discovery companies (such as Ground Labs and Foregenix) ‘lock’ these two magic numbers into their detection systems, customers will be able to run tokens and ‘actual’ cardholder data on the same databases, networks, etc, and easily be able to determine which is which. This is great for companies transitioning from ‘live’ cardholder data to tokens over a period of time (not instantly).
Of course, there are two important caveats here:
- Token providers will need to start their tokens with 468738 or 468739. This isn’t always possible, particularly if “first 6” formatting is being preserved.
- Merchants will need to make sure that the Private BINs are not submitted for processing. (They aren’t the beginning of real card numbers, so they won’t work!)
However, at least the payments industry now has one sensible way of detecting token needles in a haystack of PANs.
Thanks, Visa – very tasty indeed.By:
If your business is under pressure to lock down data storage, especially…
Your business may record customer phone calls for quality purposes, in-fact most…