A BIN, or bank identification number, is the first several digits of a credit card, debit card, or other payment card that identify which financial institution issued it. When you swipe, tap, or type your card number online, the BIN is the piece that tells the payment system which bank or credit union to route the transaction to. The term is used interchangeably with IIN (issuer identification number), which is the more current official name under international standards.
How a Card Number Is Structured
Every payment card number follows a specific pattern. The full number can be up to 19 digits long, and each section serves a distinct purpose.
The very first digit is called the major industry identifier. It tells the payment network which industry or card network the card belongs to. A card starting with 4 is a Visa. Cards starting with 2 or 5 are Mastercard. American Express cards start with 3, and Discover cards start with 6. Less commonly, 1 is used for air travel, 7 for petroleum, 8 for healthcare and telecommunications, and 9 for government-issued cards.
After that first digit, the next several digits combine with it to form the full BIN. Together, these digits identify the specific institution that issued the card. The digits following the BIN are your individual account number, unique to you. The very last digit is a “check digit,” a mathematical verification number that confirms the card number is valid using a formula called the Luhn algorithm.
Six Digits, Eight Digits, or Nine
For decades, BINs were six digits long. That changed because the payment card industry was running out of available combinations. With billions of cards in circulation worldwide, six digits simply couldn’t support the growing number of issuers. The international standard governing card numbers (ISO/IEC 7812) was revised to expand the BIN to eight digits.
New BINs assigned since the transition are eight digits for cards used in international transactions. Nine-digit BINs exist for closed or national transaction networks. Older six-digit BINs weren’t scrapped. Instead, each existing six-digit BIN was converted into a block of one hundred eight-digit BINs, preserving backward compatibility while opening up far more room for new issuers.
Cards issued with eight-digit BINs must have a total card number of at least ten digits, though the maximum remains 19. If you’re a cardholder, this change is invisible to you. It primarily affects payment processors, merchants, and banks that need to correctly read and route transactions.
What BINs Actually Do in a Transaction
When you make a purchase, the payment terminal or website reads the BIN before anything else happens. Within milliseconds, it identifies the card network (Visa, Mastercard, etc.) and the issuing bank. This allows the system to route the authorization request to the correct institution, which then checks whether your account has sufficient funds or credit and whether the transaction looks legitimate.
BINs also help merchants and payment processors apply the right rules. Different card types carry different interchange fees, the percentage a merchant pays on each transaction. A premium rewards card from a large bank might cost the merchant more to accept than a basic debit card from a credit union. The BIN is how the system distinguishes between these cards before the transaction is approved.
How BINs Help Prevent Fraud
BINs play a significant role in fraud detection. Payment processors use them to verify that a card’s claimed network and issuer match what’s expected. If someone enters a card number that starts with digits associated with a bank in one country but the transaction originates from a completely different region, that mismatch can trigger a fraud alert. Processors also cross-reference BIN data with known patterns of suspicious activity to flag potentially stolen card information before a charge goes through.
On the flip side, criminals exploit BINs in what the industry calls BIN attacks. In this type of fraud, attackers start with a known BIN and then use software to generate thousands of possible complete card numbers by appending random digits and calculating valid check digits. They test these generated numbers on websites with weak security, often by attempting small purchases. Once a working combination of card number, expiration date, and CVV is found, the attacker uses it for unauthorized purchases until the card is flagged or canceled.
BIN attacks are a brute-force method, meaning they rely on volume rather than sophistication. Attackers can acquire BIN lists from stolen data or even from publicly available databases, since BINs themselves aren’t secret. The defense against these attacks falls on merchants and processors, who use velocity checks (flagging rapid-fire small transactions), CAPTCHA systems, and address verification to catch the testing phase before real damage is done.
Where You’ll Encounter BIN Lookups
You might run into BIN data in a few practical situations. Some online tools let you look up a BIN to see which bank issued a card and what type of card it is (credit, debit, prepaid). Merchants sometimes use BIN lookups to tailor payment options or assess risk on high-value orders. If you’ve ever seen an online checkout automatically display your bank’s logo after typing the first few digits of your card number, that recognition is powered by BIN data.
For most cardholders, the BIN is background plumbing. You don’t need to memorize it or look it up. But understanding what it is helps explain why your card works seamlessly across millions of merchants worldwide, and why your bank can catch suspicious charges before you even notice them.