Fraud is a double threat to any ecommerce business. First, there’s the monetary cost: you lose profits when a transaction becomes a chargeback or a credit card issuer claws back the proceeds from an unauthorized purchase. Second, there’s the reputational cost: a consumer who sees your name linked to the surprise charge on their credit card statement may then have a negative association with your brand.
Unfortunately, scammers are always finding new ways to defraud consumers and companies. Your fraud protection program needs to stay as agile as they are. If you don’t know what bank identification numbers (BINs) are and how fraudsters are using them, your company and your customers are at risk.
Thankfully, once you learn the basics, it’s easy to build protections around this sensitive bit of information. You can even use BINs to make sure your customers get the best service possible. Here’s how just a few numbers can make a big difference for your business.
A bank identification number (BIN) is part of the account number on any payment card, be it credit, debit, or another card type. You may also see BINs referred to as issuer identification numbers (IINs) because not all payment cards are issued by banks. BINs aren’t unique for each user, but they encode important information about the card being used.
The BIN is the first six to eight digits of any payment card account number. Traditional BINs only took up the first four to six digits, but with more payment cards issued now than ever before, card issuers opted to lengthen the BIN. Any Visa or Mastercard issued after 2022 has an eight-digit BIN. Other card brands are likely to follow suit soon.
The digits of the BIN can tell you:
Of course, there are enough potential options across these four categories that memorizing the associated BINs would be impossible for any person. The good news is your payment processor does the decoding for you. If you ever need to interpret a BIN, you can use an online BIN lookup service to do the work for you.
Payment processors use a BIN to check whether a card is valid during the authorization process. It’s sort of like a return address on a letter. The processor decodes the BIN to learn the issuing bank, then asks that institution if the account is valid and whether there are funds available for the purchase.
The other information encoded in the BIN can help gatekeep transactions. For example, the first digit of every card number is the Major Industry Identifier (MII), which indicates the card brand. Processors that can’t accept American Express cards know not to attempt a transaction if a BIN starts with a three. Likewise, those that only work for US-based buyers won’t attempt to run a card if the address of the issuing bank is in the UK. Or, if someone enters a United States billing address when their BIN shows the card is from a French bank, the processor may flag the transaction as fraud.
Subscription sellers should also take note of the card type signifier. Buyers who enroll in a subscription with a prepaid card may only have enough funds to cover the first billing cycle. You may want to limit the types of cards you accept to address this issue.
BINs aren’t just a useful tool for the payment industry — criminals have figured out how to use them to steal credit card information from consumers. Here are the two main BIN-related schemes they use.
A BIN scammer uses their knowledge of BINs to mislead cardholders into sharing their credit card numbers with the scammer. This type of fraudster poses as a bank representative and attempts to “verify” where their target banks. This information allows them to guess the first few numbers of that person’s BIN with reasonable accuracy.
Many individuals trust that someone who knows part of their credit card number is legitimate; the scammer takes advantage of this to ask the target to verify the rest of the digits. They may also try to get other information (like billing zip code) while they have the person on the phone.
Because this is mostly a customer-side issue, there’s not much you can do to fight it. However, BIN scamming reinforces the importance of protecting your data. If a hacker can recover buyers’ names and the first few digits of their credit card numbers from your database, they can target your customers.
Hackers may also attempt to make fraudulent purchases by starting with a known BIN and generating potential card numbers. With thousands of combinations on hand, they’re sure to luck into a few that are linked to real accounts.
Scammers who attempt BIN fraud have to test each generated card number individually. If they choose to do so on your site, you may see one or more of the following warning signs:
BIN fraud likely isn’t targeting your customers directly — and your store might not even be the retailer a scammer wants to steal from. But it could increase your chargeback ratio or slow down transactions for your legitimate customers by clogging your payment processors.
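One way to spot this kind of card testing in your own authorization logs, as an added example that is not part of the original article: group attempts by BIN and flag any BIN that sees many distinct cards, almost all declined, inside a short window. The record layout, the sample data and the thresholds are assumptions to tune against your own traffic.

```python
from collections import defaultdict, deque

# Constructed sample: (unix_time, bin8, card_token, approved).
# card_token stands for a processor-issued token; raw card numbers are not kept.
SAMPLE_ATTEMPTS = (
    [(1000 + 20 * i, "40000012", f"tok_a{i}", i == 6) for i in range(8)]
    + [(1010, "51000034", "tok_b1", True),
       (1400, "51000034", "tok_b2", True),
       (1900, "51000034", "tok_b1", False),
       (5000, "40000012", "tok_a99", True)]
)

def flag_card_testing(attempts, window_s=600, min_cards=5, min_decline_ratio=0.8):
    """Return {bin: (distinct_cards, decline_ratio)} for BINs whose attempts in
    some sliding window look like enumeration: many different cards sharing one
    BIN, nearly all declined. Keeps the worst window seen for each BIN."""
    by_bin = defaultdict(deque)
    flagged = {}
    for ts, bin8, token, approved in sorted(attempts):
        window = by_bin[bin8]
        window.append((ts, token, approved))
        # Drop attempts that have aged out of the window.
        while ts - window[0][0] > window_s:
            window.popleft()
        cards = {tok for _, tok, _ in window}
        declines = sum(1 for _, _, ok in window if not ok)
        ratio = declines / len(window)
        if len(cards) >= min_cards and ratio >= min_decline_ratio:
            if bin8 not in flagged or len(cards) > flagged[bin8][0]:
                flagged[bin8] = (len(cards), ratio)
    return flagged

if __name__ == "__main__":
    for bin8, (cards, ratio) in flag_card_testing(SAMPLE_ATTEMPTS).items():
        print(f"BIN {bin8}: {cards} distinct cards, {ratio:.0%} declined")
```

A flagged BIN is a candidate for rate limiting or a step-up check rather than proof of fraud; a popular issuer having a bad day can look similar.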
Now that you know how scammers use BINs, let’s talk about what you should be doing with them. You can take steps to keep your customers safe and protect yourself from BIN-related fraud. Some merchants go even further, leveraging BIN data to better serve their customers.
Stop BIN fraudsters in their tracks with a BIN blocker. As the name suggests, this tool prevents purchases from any card with a certain BIN. You can use it to block an entire card issuer or specific issuing banks, depending on your risk management practices.
A good BIN blocker allows you to create rules on which payments to intercept. You’ll want to create policies based on your own experience with fraud or other types of risk. Merchants often crack down on:
A good BIN blocker works in real time. It sits in front of your payment processor to identify and block transactions that meet its criteria.
There is a risk of a BIN blocker catching legitimate customers in its net. To minimize the chance of losing buyers, get a BIN blocker that sends error messages to both you and your customer. The message you get should be different from the one your buyers see; telling scammers you have a BIN blocker may prompt them to try to bypass it. However, you’ll want to let legitimate customers know they’ll need a different payment method to buy from you.
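A sketch of the rule check described above, as an added example rather than any vendor's product: it runs before the processor call and returns one message for the buyer and a separate, detailed one for the merchant. The BIN table, policy keys and function name are hypothetical, the data is constructed, and eight-digit BINs are assumed.

```python
# Constructed BIN table; a real deployment would query a BIN lookup service.
BIN_TABLE = {
    "40000012": {"brand": "visa", "type": "credit", "country": "US"},
    "51000034": {"brand": "mastercard", "type": "prepaid", "country": "US"},
    "40000056": {"brand": "visa", "type": "debit", "country": "FR"},
}

# Hypothetical merchant policy.
POLICY = {
    "blocked_bins": {"40000078"},
    "blocked_types_for_subscription": {"prepaid"},
    "require_country_match": True,
}

CUSTOMER_MESSAGE = "We couldn't accept this card. Please try a different payment method."

def check_bin(card_number, billing_country, is_subscription,
              policy=POLICY, table=BIN_TABLE):
    """Return (allowed, customer_msg, merchant_msg) before contacting the processor."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    bin8 = digits[:8]
    info = table.get(bin8, {})  # unknown BINs only hit the explicit block list
    reason = None
    if bin8 in policy["blocked_bins"]:
        reason = f"BIN {bin8} is on the block list"
    elif is_subscription and info.get("type") in policy["blocked_types_for_subscription"]:
        reason = f"BIN {bin8}: {info['type']} card used for a subscription"
    elif (policy["require_country_match"] and info
          and info["country"] != billing_country):
        reason = f"BIN {bin8}: issuer country {info['country']}, billing {billing_country}"
    if reason is None:
        return True, None, None
    # The buyer sees a generic message; the rule detail goes to the merchant only,
    # and only the BIN (never the full card number) appears in it.
    return False, CUSTOMER_MESSAGE, reason

if __name__ == "__main__":
    print(check_bin("5100 0034 0000 0000", "US", is_subscription=True))
```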
Ecommerce merchants looking to tailor their offerings for their audience can use BINs to glean insights about their buyers. Analyze them in aggregate, and you can learn a few things.
First, check out popular issuing banks among your customer base. You may find a large group of international customers who would appreciate a localized website.
Second, look to see whether there are certain card levels disproportionately used by your customers. If you see a lot of labels like “elite” or “preferred,” that’s a sign you’re catering to higher-income buyers. You may be able to introduce products in higher price ranges or upsell subscribers.
Finally, it’s smart to look at BINs from failed transactions. If you see a significant range of customers who bounce after their American Express card fails, you might want to integrate with a payment gateway that can handle that card brand.
We know ecommerce merchants have plenty on their plates, but a BIN strategy doesn’t have to be a new worry. It likely ties into work your company has already been doing. Most ecommerce merchants want to know their payment flow is working as smoothly and efficiently as possible, and being mindful of BINs will enhance this effort.
Think about it. Failed transactions still run through your payment gateways and processors, running up fees. BIN scamming or BIN fraud can result in unauthorized charges that lead to chargebacks. And if your company gets caught up in a hack, buyers will lose their trust in you — regardless of whether it was your fault.
When you consider it in those terms, investing in a solid BIN strategy is the smartest solution you have.