BIN Monitoring: Detecting Compromised Cards Before the Chargeback
Stolen cards are bought, tested, and used within hours of the leak. BIN monitoring closes the gap, flagging exposed cards under the ranges you issue or accept the moment they surface on the dark web. Here is how it works and how to put it to use.
Whiteintel Team
Threat Intelligence
By the time a chargeback lands, the loss has already happened. The card was stolen, listed, tested, and spent, often inside a single day. BIN monitoring moves your visibility upstream of that timeline so you can act while the card is still in the attacker's hands, not after the dispute arrives.
This guide explains what BIN monitoring is, where compromised cards come from, what an exposed-card record actually contains, and how fraud, issuing, and acquiring teams use it. It is written around Whiteintel Payment Fraud Intelligence, the module that delivers stolen-card and BIN-level monitoring inside the platform, but the concepts apply to any program that needs earlier warning on card compromise.
What is BIN monitoring?
A BIN, or Bank Identification Number, is the first six to eight digits of a payment card. It identifies the issuing bank and the specific card program behind the card. Every Visa, Mastercard, Amex, or other card you issue or accept rolls up to a BIN range that belongs to an institution.
BIN monitoring is the practice of watching for compromised cards by those ranges rather than one card at a time. You register the BINs you issue, acquire, or sponsor, and the monitoring system tells you whenever a fresh card under one of those prefixes appears in a place it should not be. It turns an impossible task, tracking millions of individual cards, into a tractable one: tracking a short list of BIN ranges that belong to you.
The Payment Fraud Intelligence dashboard: BIN coverage, issuer exposure, and the exposed-card explorer in one view.
How compromised cards reach the dark web
Card data is stolen through several channels that feed the same underground economy:
- Infostealer malware. Malware on an infected device harvests saved cards, autofill data, and full browser sessions, then exfiltrates them to the operator. These logs are one of the largest and fastest-growing sources of fresh card data.
- E-skimming and Magecart. Malicious JavaScript injected into a checkout page copies card details as the shopper types them, invisible to the merchant.
- Point-of-sale malware and breaches. Compromised terminals, processors, and merchant databases leak cards in bulk.
- Phishing and social engineering. Fake payment pages and support scams collect card and identity data directly from the cardholder.
From there the data is sold or traded in carding shops, underground marketplaces, and Telegram channels. The window between theft and resale is short, frequently a matter of hours, which is exactly why a monitoring approach that surfaces cards quickly is worth more than a periodic report.
What an exposed-card record contains
A useful alert is more than a flag. Each compromised card Whiteintel surfaces carries the context a fraud analyst needs to act on it without pivoting to another tool. The full PAN and CVV stay masked; what you get is the descriptive and attribution data:
Sample card findings: each record carries issuer attribution, network and tier, expiry, and a validity status computed at query time.
Why validity is computed at query time
A compromised card is not compromised forever. It expires, it gets reissued, the issuer cancels it. Storing a single validity flag at index time would leave you acting on stale data. Whiteintel recomputes validity every time you query, weighing how recently the card surfaced, whether it has been re-listed, its stated expiry relative to today, and any reissue signals in the data. A card that has already been reissued stops reading as live, so your team spends its time on cards that still matter.
Three ways teams use BIN monitoring
Pre-authorization validation
Query the exposed-card index by BIN-6, BIN-8, or last-four against a card presented at checkout. Run it as a parallel signal next to your existing fraud score and combine the compromised flag with your model's decision. The endpoint is built for sub-second response so it fits inside an authorization pipeline.
BIN watchlists and alerting
Add the BIN-6 or BIN-8 prefixes you issue or sponsor to a watchlist of up to 256 entries. Any new compromised card under a watched BIN triggers an email alert, giving issuers and BIN sponsors continuous coverage without querying card by card.
Issuer exposure prioritization
The issuer view surfaces which institutions and ranges are most exposed in the current window. Fraud and risk teams use it to time reissuance, prioritize chargeback prevention, and reach out before a mass-reissue event is forced on them.
Who BIN monitoring is for
Card issuers and banks
Monitor your own BIN ranges for compromise, prioritize reissuance, and cut chargeback losses before disputes arrive.
Acquirers and PSPs
Run pre-transaction validation across the BINs you accept and add a real-time exposed-card signal to your authorization decisions.
Fraud operations
Add an exposed-card feed next to your existing scoring stack, and investigate compromise patterns by issuer, network, and tier.
Access and quotas
BIN monitoring ships inside the Payment Fraud Intelligence module. It is available as a yearly add-on for the Enterprise and Threat Intelligence licenses at 17,500 USD per year, with up to 15,000 UI searches per month, 100 API calls per day, and a 256-BIN watchlist. On the Extended Threat Intelligence license the capability is bundled at higher production volumes. The full field set is returned on both the dashboard and the API, with no downgrade between surfaces.
Frequently asked questions
What is BIN monitoring?
BIN monitoring watches for compromised cards by their Bank Identification Number, the first six or eight digits that identify the issuing bank and card program. You monitor the BIN ranges you issue, acquire, or sponsor, so any newly exposed card under those prefixes is flagged the moment it surfaces. Whiteintel continuously indexes compromised cards from carding shops, infostealer logs, and dark web channels and alerts you when a card in one of your watched BINs appears.
How do compromised cards end up on the dark web?
Cards are stolen through infostealer malware on infected devices, e-skimming and Magecart injections on checkout pages, point-of-sale malware, phishing, and breaches of merchants or processors. The data is then sold or shared in carding shops, underground marketplaces, and Telegram channels, usually within hours of the theft.
What data does Whiteintel return for each exposed card?
Every match returns BIN-6, BIN-8, and last-four (the full PAN and CVV stay masked), issuer bank, issuer country, card network (Visa, Mastercard, Amex, Discover, JCB, UnionPay), card type (credit, debit, prepaid, charge), card tier (consumer, business, premium, corporate, platinum, gold), expiry date when present, a validity status computed at query time, and source attribution with first-seen and last-seen timestamps.
How is card validity determined?
Validity is recomputed every time you query, not stored as a stale snapshot. The signal weighs how recently the card surfaced, whether it has been re-listed, the stated expiry relative to today, and any reissue signals visible in the data. A card that has already been reissued does not keep reading as live.
What is a BIN watchlist?
A BIN watchlist is a list of BIN-6 or BIN-8 prefixes (up to 256 per account) representing the cards you issue, accept, or sponsor. Once a BIN is on the watchlist, any new compromised card detected under that prefix triggers an email alert, so issuers and BIN sponsors get continuous coverage without checking card by card.
Can I use BIN monitoring at authorization time?
Yes. The card-check endpoint is built for sub-second response, so it fits inside an authorization pipeline. The common pattern is to call it as a parallel signal alongside your existing fraud-score model, then combine the Whiteintel compromised flag with your model's score in your decision logic.
Who is BIN monitoring for?
Card issuers and banks monitoring their own BIN ranges for chargeback prevention, acquirers and payment service providers running pre-transaction validation, and fraud-operations teams that want a real-time exposed-card signal next to their existing scoring stack.
How do I get access to Whiteintel BIN monitoring?
BIN monitoring ships inside the Payment Fraud Intelligence module. It is available as a yearly add-on for Enterprise and Threat Intelligence licenses at 17,500 USD per year, with up to 15,000 UI searches per month, 100 API calls per day, and a 256-BIN watchlist. It is bundled on the Extended Threat Intelligence license at higher production volumes.
Put your BINs on watch
See which of your cards are already exposed. Add your BIN ranges to a watchlist and get alerted the moment a new compromised card appears, or talk to us about putting the API inside your authorization flow.