If all you need is a card type, then an algorithmic approach is probably best (e.g. a "4" prefix is Visa, "5" is Mastercard, etc.). But if you require the issuing country, institution, etc. then access to a regularly updated BIN list is a must.
If you have a merchant relationship with a bank you should be able to obtain one from them, probably under some non-disclosure arrangement. Without a relationship most banks are likely to just say "no". Access to a BIN list is not a big security risk, but the banks do love to have their secrets :-) I know RBS has one available to select customers.
At a previous company I worked with, we scheduled a monthly download from their bank's password-protected web site, and then imported it into our risk management database. The risk management team still needed manual processes for unlisted BIN ranges, since there is a delay between when a range is activated and when your bank's data is updated.
Depending on your requirements you may need to handle sub-BIN ranges (9 or 10 digit prefixes) as a major bank may assign part of a range to minor players or branding services. This is especially important when differentiating between debit cards and credit cards (risk level is usually higher for credit cards).
Some banks don't have very good data validation on these lists (one I saw was just a very long Excel spreadsheet) - encountering duplicate, split and merged ranges is very likely, so you'll need a range-based merge algorithm - a bit tricky to get all the edge conditions right.
A decent version of the BIN list will include the prefix range, card type (with separate credit and debit types), the country, card number length and institution name. You'll probably have to programatically manage a "last modified" field in the importer logic.
If you need to perform a risk assessment you may also want to look into MaxMind's online MinFraud subscription service (I'd recommend the extra results from the Premium version). It provides a good risk score for around $0.01 per query.
