A PAN, or Primary Account Number, is the unique numerical identifier embossed or printed on a payment card that identifies the card account. It is typically 13 to 19 digits long and encodes information about the card network, the issuing institution, and the individual account. The PAN is the most sensitive piece of data associated with a payment card and is the primary target of card fraud and data theft.
The PAN is used to route transactions through the payment network, identify the cardholder’s account at the issuing bank, and link transaction records across the payment lifecycle from authorization through settlement. In card-not-present environments, the cardholder typically enters the PAN manually at checkout. In card-present environments, the PAN is read from the magnetic stripe, chip, or NFC interface.
Because the PAN is sensitive cardholder data, its storage, transmission, and processing are subject to strict PCI DSS requirements. Merchants and processors are required to protect PANs using encryption, tokenization, and access controls, and are prohibited from storing certain elements of card data after authorization is complete.
Diving Deeper into PAN
The primary account number is the central identifier in the card payment system. Every component of the payment ecosystem — gateways, processors, networks, issuers — uses the PAN to route transactions, match records, and identify accounts. Its ubiquity and sensitivity make it one of the most consequential pieces of data in financial services from both an operational and a security perspective.
The Structure of a PAN
A PAN is not a random string of digits. Its structure encodes meaningful information about the card and the institution that issued it.
Bank Identification Number
The first six to eight digits of the PAN form the Bank Identification Number, also called the BIN or IIN (Issuer Identification Number). The BIN identifies the card network and the issuing institution. When a gateway or processor receives a PAN, it uses the BIN to determine which card network to route the transaction through and which issuer will receive the authorization request. BIN databases maintained by processors and gateways map each BIN to the associated network, issuer, card type, and geographic market.
Account Number
The digits following the BIN up to the second-to-last digit identify the specific cardholder account at the issuing institution. The issuer assigns these digits and uses them to look up the account during authorization.
Check Digit
The final digit of the PAN is a check digit calculated using the Luhn algorithm, a simple checksum formula. The check digit allows systems to quickly validate that a PAN is structurally valid before submitting it for authorization, catching data entry errors and obviously invalid numbers without incurring the cost of a network round trip.
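The structure just described, as an added example that is not part of the original article: the code below splits a PAN into BIN, account identifier and check digit, validates the check digit with the Luhn algorithm, and computes the check digit for a given payload. The BIN length (6) and the card numbers used are assumptions and constructed test values, not real accounts.

```python
"""Added example (not from the article): PAN structure parsing and Luhn check.

The PANs used here are constructed test values. Note that a passing Luhn check
only proves the number is structurally well formed; it says nothing about
whether the account exists or is open."""
from dataclasses import dataclass


@dataclass
class PanStructure:
    bin: str           # Bank Identification Number (first 6 digits assumed here)
    account: str       # issuer-assigned account identifier
    check_digit: str   # final digit, validated by the Luhn algorithm


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 of a digit string whose last digit is the check digit.
    Every second digit counted from the right (excluding the check digit) is
    doubled, and doubled values above 9 have 9 subtracted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True when pan is 13-19 digits and its last digit is a correct Luhn check digit."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    return luhn_checksum(pan) == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the check digit to append to payload (BIN + account digits).
    Appending a trial '0' puts the doubling pattern on the right positions."""
    return str((10 - luhn_checksum(payload + "0")) % 10)


def parse_pan(pan: str, bin_length: int = 6) -> PanStructure:
    """Split a PAN into BIN, account identifier and check digit, rejecting
    anything that is not Luhn-valid before any further processing."""
    if not luhn_valid(pan):
        raise ValueError("PAN failed format or Luhn validation")
    return PanStructure(
        bin=pan[:bin_length],
        account=pan[bin_length:-1],
        check_digit=pan[-1],
    )


if __name__ == "__main__":
    # Constructed test PAN (a widely used test-only Visa-format number).
    parsed = parse_pan("4111111111111111")
    print(parsed)
    print("check digit for 411111111111111 ->", luhn_check_digit("411111111111111"))
```

Rejecting Luhn-invalid input early is cheap and keeps obviously mistyped numbers out of the authorization path, which is exactly the use the text describes; it is not a fraud control.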
PAN Security and PCI DSS
The PAN is classified as sensitive cardholder data under PCI DSS, the Payment Card Industry Data Security Standard. PCI DSS imposes specific requirements on any entity that stores, processes, or transmits PANs.
Storage Restrictions
PCI DSS prohibits storing the full PAN in plaintext after authorization. If PANs must be stored for legitimate business purposes such as recurring billing or dispute resolution, they must be stored in a form that renders the full number unreadable, using strong cryptographic algorithms, one-way hashing, truncation, or tokenization. The first six and last four digits of the PAN may be retained in plaintext for display and identification purposes, but the full number in plaintext form must never be stored in logs, databases, or files accessible to unauthorized parties.
Transmission Requirements
PANs transmitted over open public networks must be encrypted using strong cryptography. Payment gateways and processors use TLS encryption for all PAN transmission and point-to-point encryption at the terminal level to ensure that PANs are encrypted immediately upon capture and remain encrypted throughout the processing chain.
PAN Tokenization
Tokenization is the primary technique used to reduce PAN exposure in payment systems. A token is a surrogate value that replaces the PAN in storage and processing environments while the actual PAN is stored in a secure token vault maintained by the tokenization provider.
Merchant Tokenization
Payment gateways provide merchant tokenization services that replace the PAN with a merchant-specific token for recurring billing and stored payment credential use cases. The merchant stores the token rather than the PAN, substantially reducing PCI scope. When the merchant needs to process a subsequent transaction, they submit the token to the gateway, which retrieves the associated PAN and processes the transaction.
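The storage rules under "Storage Restrictions" and the merchant tokenization flow just described, as one added example that is not the article's or any gateway vendor's code: a minimal token vault that hands the merchant a random surrogate token, keeps the PAN only on the vault side, and lets the merchant persist nothing beyond the token and a truncated (first six, last four) display form. The vault's HMAC key, the `tok_` prefix, the in-memory dictionaries standing in for the vault's protected store, and all PANs are assumptions and constructed test values.

```python
"""Added example (not from the article): merchant tokenization with a token
vault, plus PCI DSS-style truncation and keyed hashing of the PAN.

Everything the merchant keeps is produced by merchant_record(); the full PAN
never appears in it. PANs are constructed test values."""
import hashlib
import hmac
import secrets


def mask_pan(pan: str) -> str:
    """Truncated display form permitted by PCI DSS: first six and last four digits."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed one-way hash used to recognise a re-submitted card without storing it.
    A plain SHA-256 of a PAN is brute-forceable (the BIN is public and Luhn
    prunes the space), so the key stays with the vault, never with the merchant."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Vault side of merchant tokenization (hypothetical, in-memory).
    Tokens are random, so they reveal nothing about the PAN and cannot be
    reversed without access to the vault."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._pan_by_token: dict[str, str] = {}      # token -> PAN, vault-only data
        self._token_by_fp: dict[str, str] = {}       # HMAC(PAN) -> token, for reuse

    def tokenize(self, pan: str) -> str:
        fp = pan_fingerprint(pan, self._key)
        if fp in self._token_by_fp:                   # same card seen before
            return self._token_by_fp[fp]
        token = "tok_" + secrets.token_hex(16)        # 128 bits of randomness
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Called only inside the gateway when forwarding an authorization."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """The only data the merchant persists for a stored credential."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan)}


def record_contains_pan(record: dict, pan: str) -> bool:
    """Check that would be run against logs/databases: does the full PAN leak?"""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault(hmac_key=b"constructed-vault-key")   # constructed key
    rec = merchant_record(vault, "4111111111111111")          # constructed test PAN
    print("merchant keeps:", rec)
    print("gateway resolves:", vault.detokenize(rec["token"]))
```

The fingerprint index is what lets the gateway return the same token for the same card, as real merchant tokenization does for recurring billing; because it is keyed with a vault-side secret, a copy of the merchant's database alone yields neither the PAN nor a usable lookup key.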
Network Tokenization
Card networks offer network tokenization through programs such as Visa Token Service and Mastercard Digital Enablement Service. Network tokens are issued by the card network itself and are tied to a specific device or merchant domain. They provide higher approval rates than static PANs because issuers can update the underlying account information when cards are reissued without requiring the merchant to collect new card credentials.
PAN vs. Token in Modern Payment Flows
In modern payment architectures, the actual PAN travels through fewer systems than it once did. At the point of sale, point-to-point encryption immediately encrypts the PAN. Gateways issue tokens that replace the PAN in merchant systems. Card networks issue network tokens that replace the PAN in processing flows. The result is that the actual PAN may never be visible in plaintext to the merchant, the gateway, or in many cases even the processor, with only the issuer retaining access to the underlying account number.