BINSearchLookup encrypts all traffic, operates under SOC Type I & II monitoring,
implements post-quantum cryptography, and undergoes annual third-party security audits.
PCI DSS Compliant · SOC Type I & II · TLS 1.3 · Post-Quantum (ML-KEM) · GDPR · PIPEDA · CCPA
What data we handle
BINSearchLookup processes only the first 6–8 digits of payment card numbers — the BIN or IIN prefix.
Under PCI DSS, these digits are not classified as sensitive cardholder data.
We never receive, store, or transmit full card numbers, CVV codes, expiry dates, or cardholder names.
BIN lookup is 100% outside PCI DSS cardholder data scope. Integrating our API does not expand your PCI DSS scope.
Traffic encryption
All traffic between clients and BINSearchLookup infrastructure is encrypted end-to-end:
TLS 1.3 minimum for all HTTPS API connections. TLS 1.0 and 1.1 are disabled.
HSTS (HTTP Strict Transport Security) enforced with a 1-year max-age directive.
API keys transmitted exclusively via request headers — never in URL query strings or request bodies.
All internal service-to-service communication encrypted in transit.
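The two client-side points above (send only the BIN prefix, and send the API key in a header over TLS 1.3) as an added Python example; this is not BINSearchLookup's own client code, and the endpoint URL, the header name and the request body shape are assumptions, since the page does not state them:

```python
import json
import http.client
import re
import ssl
from urllib.parse import urlparse

# Assumed values: the page gives neither an endpoint nor a header name.
LOOKUP_URL = "https://api.example.invalid/v1/bin"   # placeholder, not the real endpoint
API_KEY_HEADER = "X-API-Key"                        # assumed header name

_SEPARATORS = re.compile(r"[\s-]")


def bin_prefix(pan, length=8):
    """Return only the BIN/IIN prefix (first 6 or 8 digits) of a card number.

    The full PAN is normalised and validated here and then truncated; only the
    prefix is ever handed to the network layer.
    """
    if length not in (6, 8):
        raise ValueError("BIN prefix length must be 6 or 8 digits")
    digits = _SEPARATORS.sub("", pan)
    if not digits.isdigit():
        raise ValueError("card number must contain digits only")
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number length outside 12-19 digits")
    return digits[:length]


def build_lookup_request(pan, api_key):
    """Build (url, headers, body) for a BIN lookup.

    The key goes into a header, never into the URL, so it cannot land in
    proxy or web-server access logs; the body carries only the prefix.
    """
    headers = {API_KEY_HEADER: api_key, "Content-Type": "application/json"}
    body = {"bin": bin_prefix(pan)}
    return LOOKUP_URL, headers, body


def request_leaks_secret(url, body, pan, api_key):
    """Self-check before sending: True if the key or the full PAN is in the URL or body."""
    serialised = url + json.dumps(body)
    full_pan = _SEPARATORS.sub("", pan)
    return api_key in serialised or full_pan in serialised


def tls13_client_context():
    """Client TLS context that refuses anything below TLS 1.3 and verifies the server."""
    ctx = ssl.create_default_context()          # CA verification + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def send_lookup(pan, api_key):
    """Perform the lookup over a TLS 1.3-only connection (network call, not run by tests)."""
    url, headers, body = build_lookup_request(pan, api_key)
    if request_leaks_secret(url, body, pan, api_key):
        raise RuntimeError("refusing to send: secret material in URL or body")
    parsed = urlparse(url)
    conn = http.client.HTTPSConnection(parsed.hostname, parsed.port or 443,
                                       context=tls13_client_context())
    conn.request("POST", parsed.path, body=json.dumps(body), headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    # "4111 1111 1111 1111" is a well-known test card number; the key is a placeholder.
    print(build_lookup_request("4111 1111 1111 1111", "API_KEY_PLACEHOLDER"))
```

`send_lookup` will fail against the placeholder host; replace `LOOKUP_URL` and `API_KEY_HEADER` with the values from the API documentation. The `request_leaks_secret` check is cheap and catches the common integration mistake of putting the key in a query string.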
Post-quantum cryptography (PQC)
BINSearchLookup has deployed post-quantum cryptography to protect against future quantum computing threats
on sensitive infrastructure channels:
ML-KEM (Module Lattice Key Encapsulation Mechanism, NIST FIPS 203) — the NIST-standardized
post-quantum key encapsulation algorithm, also known as CRYSTALS-Kyber. Used for key exchange on
administrative and SSH connections to protect against harvest-now-decrypt-later attacks.
SSH connections to infrastructure use PQC hybrid key exchange combining classical ECDH
with ML-KEM, matching OpenSSH's mlkem768x25519-sha256 hybrid algorithm.
This ensures forward secrecy even against adversaries with quantum-capable hardware.
Classical algorithms (X25519, AES-256-GCM) remain active in hybrid mode — if the PQC
component were broken, the classical component still provides protection.
SOC monitoring
Our infrastructure operates under continuous SOC (Security Operations Center) monitoring:
SOC Type I — design and implementation of controls verified at a point in time.
SOC Type II — operating effectiveness of controls verified over a sustained period,
covering availability, confidentiality, and security trust service criteria.
24/7 automated alerting on anomalous access patterns, failed authentication spikes, and API abuse.
Incident response procedures with defined SLAs for detection, containment, and notification.
Code-level security reviews for authentication, authorization, and API input validation.
Audit findings are remediated under a tracked schedule; critical findings are resolved within 72 hours.
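The "failed authentication spikes" alerting mentioned above, as an added Python example of a sliding-window detector; this is not BINSearchLookup's own monitoring code, and the log line format, the 60-second window and the threshold of 5 are assumptions, with the log lines constructed for the example:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real service logs). Assumed format:
# <ISO-8601 UTC timestamp> <event> key=<key id> ip=<client ip>
SAMPLE_LOG = """\
2024-05-01T10:00:00Z auth_failed key=k_abc ip=203.0.113.5
2024-05-01T10:00:05Z auth_failed key=k_abc ip=203.0.113.5
2024-05-01T10:00:09Z auth_ok     key=k_xyz ip=198.51.100.7
2024-05-01T10:00:12Z auth_failed key=k_abc ip=203.0.113.5
2024-05-01T10:00:20Z auth_failed key=k_abc ip=203.0.113.5
2024-05-01T10:00:31Z auth_failed key=k_abc ip=203.0.113.5
2024-05-01T10:03:00Z auth_failed key=k_def ip=192.0.2.9
2024-05-01T10:09:00Z auth_failed key=k_def ip=192.0.2.9
"""

WINDOW = timedelta(seconds=60)   # assumed window
THRESHOLD = 5                    # assumed number of failures that triggers an alert


def parse_line(line):
    """Split one log line into (timestamp, event, {field: value})."""
    ts_str, event, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in fields)
    return ts, event, kv


def detect_failed_auth_spikes(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (timestamp, ip, count) alerts, one per burst, for each source IP
    whose failed authentications inside the sliding window reach the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = set()               # ips already alerted for the current burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, kv = parse_line(line)
        if event != "auth_failed":
            continue
        ip = kv.get("ip", "unknown")
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            if ip not in alerted:
                alerts.append((ts, ip, len(q)))
                alerted.add(ip)
        else:
            alerted.discard(ip)   # burst subsided; a new one may alert again
    return alerts


if __name__ == "__main__":
    for ts, ip, count in detect_failed_auth_spikes(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()}Z ip={ip} failed_auth={count} in {WINDOW}")
```

Keying on source IP rather than API key is a design choice: a credential-guessing client rotates the key it tries, not its address. A production version would key on both and feed the alert into the incident-response workflow rather than printing it.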
PCI DSS scope
BINSearchLookup subscription payments are processed by Stripe, Inc. (PCI DSS Level 1 certified).
We do not store your payment card details. All billing data is held exclusively by Stripe.
Because BINSearchLookup handles only the non-sensitive BIN prefix (not cardholder data), our API
integration does not require merchants to expand their PCI DSS cardholder data environment.
Data retention
BIN query logs: retained for 90 days for abuse detection and analytics, then permanently deleted.
No personally identifiable information is associated with BIN queries.
Account data: retained for the duration of the active account, deleted within 30 days of account closure on request.
Privacy compliance
We comply with GDPR (EU), PIPEDA (Canada), and CCPA (California).
See our Privacy Policy for full details on data handling, retention, and your rights.
Responsible disclosure
If you discover a security vulnerability, please contact us privately before public disclosure:
We aim to respond within 5 business days. We do not pursue legal action against good-faith security researchers
acting within a responsible disclosure framework.