What is a BIN/IIN?
A Bank Identification Number (BIN), formally known as the Issuer Identification Number (IIN) under ISO/IEC 7812, is the first 6-8 digits of a payment card number that identifies the issuing institution and the card scheme. As of April 2022, IINs migrated from 6 to 8 digits to expand allocation capacity. BIN/IIN drives card scheme routing, interchange determination, fraud risk scoring, and product-level features.
What BIN reveals
- Card scheme: Visa (starts 4), Mastercard (51-55, 2221-2720), American Express (34, 37), Discover (6011, 65), JCB (35), UnionPay (62), Troy (9792).
- Issuer: specific bank or financial institution.
- Country of issuance: derived from the issuer.
- Card type: credit, debit, prepaid; consumer vs. commercial.
- Product tier: Standard, Gold, Platinum, World, Infinite, Business.
BIN in fintech operations
- Routing: determining the acquirer-issuer path for authorisation.
- Interchange: different BIN ranges carry different interchange fees.
- Fraud scoring: BIN-level historical fraud rates feed risk models.
- BIN attacks: automated card-testing attacks rely on enumerating valid BIN+ranges — detection and rate-limiting are essential.
- Cross-border acceptance: some merchants restrict by BIN country.
Türk pazarında BIN
Türk kartları Troy (9792 başlangıçlı), Visa, Mastercard ve American Express scheme’leri altında ihraç edilir. BKM (Bankalararası Kart Merkezi) BIN tahsisini ve yerel kart işleme standartlarını yönetir. Türk e-ticaret işletmeleri için BIN-bazlı risk skorlama özellikle yurt dışı kartlardan gelen dolandırıcılık dalgalarına karşı pratiktir. PSP’ler BIN veritabanlarını entegre eder.
Do: use a maintained BIN database for routing, fraud, and analytics; monitor BIN-attack signatures (rapid sequential testing); migrate to 8-digit IIN handling.
Don’t: store BIN-derived issuer data alongside cleartext PAN without scope analysis — PCI DSS rules still apply.