
PAN or Card number

What is the PAN or Primary account number on a card?

The PAN (Primary Account Number) is the unique 12‑ to 19‑digit number printed on the front of a credit, debit, virtual, or prepaid card. It serves as the main identifier of the cardholder’s account within the global payments system and is the key data element used to authorize and settle any card transaction, both in-store and online.


Card structure showing the PAN number and its components

The PAN is not a random sequence. Every digit follows the ISO/IEC 7812 international standard, encoding information about the payment network, issuing bank, individual account, and a final check digit.

How the PAN works

The card number is divided into three functional blocks:

  • BIN/IIN (first 6–8 digits): Identify the payment network and issuing bank. The leading digits indicate the network: 4 for Visa, 51–55 or 2221–2720 for Mastercard, and 34 or 37 for American Express.
  • Individual account number (middle digits): Uniquely identifies the cardholder within the issuing institution. Its length varies depending on the network and card type.
  • Check digit (last digit): Calculated using the Luhn algorithm to detect transcription errors before the transaction is sent to the payment gateway.

Examples of Mastercard and American Express cards showing the PAN

American Express card structure showing PAN and CID

In Europe, the standard PAN length is 16 digits for Visa and Mastercard, while American Express uses 15 digits in a 4‑6‑5 format. This difference requires proper input validation in any ecommerce checkout to avoid unnecessary declines.
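The checks described above (network prefix, per-network length, Luhn check digit) can run client-side before the PAN is submitted. This is an added example, not code from the original page; the function names and result shape are hypothetical, and the prefix and length rules are limited to the ones this page states.

```javascript
// Added example. Prefixes and lengths are the ones stated on this page;
// other networks and lengths are out of scope here (assumption).
const NETWORKS = [
  { name: "visa", lengths: [16], match: (p) => p[0] === "4" },
  {
    name: "mastercard",
    lengths: [16],
    match: (p) => {
      const two = Number(p.slice(0, 2));
      const four = Number(p.slice(0, 4));
      return (two >= 51 && two <= 55) || (four >= 2221 && four <= 2720);
    },
  },
  { name: "amex", lengths: [15], match: (p) => /^3[47]/.test(p) },
];

// Luhn: walking from the rightmost digit, double every second digit,
// subtract 9 from results above 9, and require the total to end in 0.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Returns { ok, network?, reason? }. The PAN itself is never echoed back,
// so the result is safe to log or send to analytics.
function validatePan(input) {
  const pan = String(input).replace(/[ -]/g, ""); // accept "4-6-5" style grouping
  if (!/^\d{12,19}$/.test(pan)) return { ok: false, reason: "format" };
  const net = NETWORKS.find((n) => n.match(pan));
  if (!net) return { ok: false, reason: "unknown-network" };
  if (!net.lengths.includes(pan.length)) {
    return { ok: false, network: net.name, reason: "length" };
  }
  if (!luhnValid(pan)) return { ok: false, network: net.name, reason: "check-digit" };
  return { ok: true, network: net.name };
}

// Publicly documented test card number, not a real account.
console.log(validatePan("3782 822463 10005")); // { ok: true, network: 'amex' }
```

A passing result only means the number is well-formed; whether the account exists and can be charged is decided by the issuer during authorization.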

In ecommerce environments, the real PAN is replaced with a token through tokenization, ensuring that merchants never store the actual card number.

Regulatory impact and applicable security standards

According to PCI DSS v4.0, the PAN is the data element that defines the existence of a Cardholder Data Environment (CDE). Any entity that stores, processes, or transmits the PAN must comply with the full PCI DSS standard, which requires:

  • Encryption of PAN data in transit and at rest.
  • Masking on screen, showing only the BIN and last four digits.
  • Truncation or tokenization to ensure stored data is unreadable.

At the European level, PSD2 (Directive 2015/2366) mandates Strong Customer Authentication (SCA) for electronic payments. Even if a third party obtains the PAN, they cannot complete an online purchase without passing a second authentication factor (biometrics, SMS OTP, or dynamic key).

| Protection Measure | Standard / Regulation | Main Function |
|---|---|---|
| PAN Encryption | PCI DSS v4.0 | Unreadability in transit and at rest |
| Masking | PCI DSS v4.0 | Partial display (BIN + last 4 digits) |
| Tokenization | EMVCo Payment Tokenisation | Replacing the PAN with a context‑limited token |
| SCA / 3D Secure 2 | PSD2 (Directive 2015/2366) | Strong authentication of the cardholder |

Operational advantages and disadvantages

Advantages:

  • Enables payment authorization in under two seconds by acting as a logical address within the global card network.
  • Its standardized structure ensures interoperability across acquirers, schemes, and issuers worldwide.
  • Combined with tokenization, it enables one‑click payments without exposing the customer’s real card data.

Disadvantages:

  • Its exposure is the most critical fraud vector in Card‑Not‑Present transactions. If an attacker obtains the PAN, expiry date, and CVV, they may attempt unauthorized purchases.
  • Any merchant storing the PAN automatically falls under PCI DSS scope, with the associated audit and certification costs.
  • Switching payment gateways can complicate the migration of tokens linked to the original PAN, causing temporary declines in recurring payments.
