# Card Networks (Visa, Mastercard, Amex, Discover, Diners)

## Scope

Card rails are **private routing artifacts** (BIN tables, acquirer routing). There is **no public "discover Visa endpoint"** behavior. Ingestion is from internal systems only; strong encryption and access controls apply. The directory stores routing tables and returns directives to an ISO8583/API switch. Never store PAN; BIN ranges only.

Merchant ID (MID), Terminal ID (TID), and contract identifiers are **Tier 2** (confidential)—encrypt at rest and restrict access. See [data-classification](../security/data-classification.md).

## Identifier Taxonomy

- **pan.bin** — BIN/IIN range (6–8 digits only); never full PAN.
- **mid**, **tid**, **caid** — Merchant/terminal/card-acceptor IDs (tenant-scoped).
- **processorId** / **acquirerId** — Tenant/contract scoped.
- **network.brand** — Constraint: visa, mastercard, amex, discover, diners.

Do not store PAN or token values in plaintext.

## Endpoints

- **iso8583.tcp** — Host:port, mTLS/VPN.
- **api.https** — Base URL + auth.
- **file.sftp** — Clearing files.
- **mq** — Internal switch.

Profile indicates channel (e.g. visa-base1, mc-mip).

## BIN-Table Model

- Artifact type: **bin_table**. Payload: versioned entries with binPrefix, binLength, brand, region, routingTarget, optional tenantId.
- Resolver matches request BIN to longest-matching prefix and returns directive with target_address = routingTarget. Per-tenant overrides supported.

## Directive Outputs

- ISO8583: target_protocol iso8583, target_address host:port.
- API: target_protocol api/https, target_address base URL.

Capabilities: auth.request/response, clearing.presentment, chargeback, reversal, advice, tokenization, 3ds.

## Security

- Store BIN ranges only; no PAN/token. Field-level encryption for merchant/terminal IDs. Strict RBAC and audit for card-related records. See security/key-reference-model.md.
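
The resolver behaviour described under BIN-Table Model and Directive Outputs, as an added sketch that is not the project's own code. Assumptions: `binLength` equals the length of `binPrefix`, a tenant row wins only when prefix lengths tie, the channel is inferred from the form of `routingTarget`, and `resolve`, `validate_entry` and the sample table are hypothetical names and constructed data.

```python
import re

BRANDS = {"visa", "mastercard", "amex", "discover", "diners"}
BIN_RE = re.compile(r"[0-9]{6,8}")  # BIN/IIN only; longer input may be a PAN

# Constructed sample bin_table payload (prefixes, hosts and tenant are made up).
SAMPLE_TABLE = {"version": 7, "entries": [
    {"binPrefix": "400000", "binLength": 6, "brand": "visa", "region": "EU",
     "routingTarget": "switch-a.internal.example:9001"},
    {"binPrefix": "40000012", "binLength": 8, "brand": "visa", "region": "EU",
     "routingTarget": "https://api.internal.example/visa"},
    {"binPrefix": "400000", "binLength": 6, "brand": "visa", "region": "EU",
     "routingTarget": "switch-b.internal.example:9002", "tenantId": "tenant-42"},
]}


def validate_entry(entry):
    """Reject malformed rows before they can influence routing."""
    prefix = entry["binPrefix"]
    if not BIN_RE.fullmatch(prefix) or entry["binLength"] != len(prefix):
        raise ValueError("binPrefix must be 6-8 digits and match binLength")
    if entry["brand"] not in BRANDS:
        raise ValueError("unknown network.brand")


def resolve(table, bin_value, tenant_id=None):
    """Return a routing directive for a BIN, or None when nothing matches."""
    if not BIN_RE.fullmatch(bin_value):
        # Fail closed and never echo the input: it could be a full PAN.
        raise ValueError("expected a 6-8 digit BIN")
    best, best_key = None, None
    for entry in table["entries"]:
        validate_entry(entry)
        owner = entry.get("tenantId")
        if owner is not None and owner != tenant_id:
            continue  # another tenant's override must never apply
        if not bin_value.startswith(entry["binPrefix"]):
            continue
        # Assumption: longest prefix wins; a tenant row breaks ties on length.
        key = (len(entry["binPrefix"]), owner is not None)
        if best_key is None or key > best_key:
            best, best_key = entry, key
    if best is None:
        return None
    target = best["routingTarget"]
    # Assumption: an https:// target is the API channel, otherwise ISO8583 host:port.
    protocol = "api/https" if target.startswith("https://") else "iso8583"
    return {"target_protocol": protocol, "target_address": target,
            "brand": best["brand"], "table_version": table["version"]}
```

The error path deliberately omits the rejected value so that a full PAN passed by mistake never reaches logs or exception traces.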