Adam Caudill

Security Engineer, Researcher, & Developer

IIN (BIN) Database

An Issuer Identification Number (IIN, more commonly called a BIN) is the first 6 digits of a credit or debit card, and it identifies the bank that issued it – and if you want to know if a number is a real credit card or just a bunch of random digits, it’s a huge help. While credit card numbers do use the Luhn algorithm (mod 10 check) to see if the number is valid, that check alone still produces a huge false-positive rate.

For an application like ccsrch, having this data available would be very handy to reduce false positives when scanning a large file system (scanning a large server produces a huge number of possible hits), but for what I would call fairly misguided reasons, the official registrar of these numbers (the ABA) doesn’t make this data publicly available. As a result many people have pulled together what data they could find and made it freely available.

So I’ll add my name to that list.

I’ve pulled data from many public sources (sorry, I didn’t keep very good notes as to the sources) and cleaned it up to a reasonable point. All told, I’ve probably spent 40 hours or more cleaning this data up and getting it to a usable state. It contains over 60,000 entries, including major credit cards (Visa, MasterCard, Amex, Discover) as well as a few merchant entries.

Each record contains the following:

  • IIN
  • Type (Mastercard, Visa, Visa Credit, etc.)
  • Name (Issuer name)
  • Length
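As an added illustration (not code from ccsrch or from this data set), here is one way a scanner could combine the Luhn check with an IIN and length lookup to separate likely card numbers from digit runs that merely pass mod 10. The column order, the sample rows and issuer names, the sample text, and the function names are all assumptions made for the example.

```python
import csv
import re

# Constructed rows in the field order listed above (IIN, Type, Name, Length).
# The column order, IINs and issuer names are assumptions, not the real file.
SAMPLE_CSV = """411111,Visa Credit,Example Bank A,16
555555,Mastercard,Example Bank B,16
378282,Amex,Example Bank C,15
"""

# Constructed scan input: two card-like numbers, one Luhn-valid counter value,
# one Luhn-valid number with a known IIN but the wrong length, one invalid run.
SAMPLE_TEXT = """pan=4111111111111111 amex=378282246310005
seq=1234567812345670 short=41111111111114 bad=1234567812345678
"""

CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # isolated 13-19 digit runs


def load_iins(lines):
    """Map IIN -> list of (type, name, length); duplicates in the data are kept."""
    table = {}
    for row in csv.reader(lines):
        if len(row) != 4 or not row[3].strip().isdigit():
            continue  # skip a header line or malformed record
        iin, ctype, name, length = (field.strip() for field in row)
        table.setdefault(iin, []).append((ctype, name, int(length)))
    return table


def luhn_ok(digits):
    """Luhn (mod 10) check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def classify(text, table):
    """Return (number, verdict) for every Luhn-valid digit run in text."""
    hits = []
    for match in CANDIDATE.finditer(text):
        num = match.group()
        if not luhn_ok(num):
            continue
        known = any(length == len(num) for _, _, length in table.get(num[:6], []))
        hits.append((num, "iin-match" if known else "luhn-only"))
    return hits
```

Calling `classify(SAMPLE_TEXT, load_iins(SAMPLE_CSV.splitlines()))` reports the two card-like numbers as `iin-match` and the counter value and wrong-length number as `luhn-only`; a scanner can then prioritise or suppress the latter.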

Data Quality

It’s not perfect. It’s from public sources so there may be errors, and there are some duplicates from cases where I wasn’t able to determine who the IIN actually belongs to. I’ve also updated for name changes and mergers where possible, but I’m sure I’ve missed a few and there are some where the assets were split, so I don’t know who the correct owner actually is (Washington Mutual being the leading example of this).

In general, I leaned to the side of caution – so if I didn’t know for sure, I left the duplicate in.

If you need absolutely correct data – contact the ABA; they are the only source that can give you the completely accurate listing. If you need to have a decent idea if a number is valid for most cases – I would say that this data is good enough.


Just to make it really, really, really clear: There is no guarantee that this data is accurate, that it won’t cause you to lose your job, cause your house to burn down, or cause Rebecca Black’s Friday to get stuck in your head (yup, you’re welcome ;)).


Based on my understanding of US copyright law, this data is not subject to copyright as it is a compilation of facts and doesn’t constitute an original expression. Thus, to the best of my knowledge, this data is in the public domain.


Here (zipped CSV)
