Skip to content
Fraud

The BIN-vs-IP mismatch: the fraud signal a geo API can’t give you

A card issued in one country, presented from an IP in another, is one of the strongest cheap fraud signals — and no geolocation API surfaces it.

5 min read

Where the card was issued vs where the request came from

The first 6–8 digits of a card number — the BIN, or IIN — identify the issuing bank and therefore its country. Compare that to the country the request’s IP resolves to. A Nigerian card presented from a Pakistani IP is not proof of fraud, but it is a strong, cheap signal worth a second look.

Why geo APIs miss it

A plain geolocation API turns an IP into a place and stops there. It has no concept of a card, so it cannot compare the two. Surfacing the mismatch requires understanding payments, not just networks — which is exactly the seam a commerce-intelligence API sits on.

Use it as a signal, not a verdict

Mismatch is three-valued: true, false, or unknown when either side can’t be resolved. Feed it into a score alongside VPN and datacenter detection; keep your own threshold and your own party-level screening. Never send a full card number anywhere to compute it — the BIN is enough.

See it in the API

10,000 free requests a month. No card required.

Get your API key

Keep reading_

More from the blog