As a merchant, it might be easy to dismiss the primary account number (PAN) as something that isn’t relevant to your business. After all, that number – the one embossed on the front of every debit or credit card in circulation today – only concerns your customer. Right?
Well, not exactly. The PAN plays a hugely important role in any in-person or online card payment transaction your business accepts: facilitating communication between the different banks involved and ensuring your transactions proceed swiftly, smoothly, and in seconds.
Given its sensitivity, a PAN must also be protected at all costs to ensure your business is compliant with PCI DSS (Payment Card Industry Data Security Standard) regulations and to safeguard you and your customers from fraud. So understanding the PAN is vital.
Below, we’ll help you do just that. We’ll explain what a PAN is, how it works, and break it down – digit by digit. We’ll also cover the PAN’s differences between similar payment industry terms, and explore the techniques you can use to shield your customers’ PANs from the prying eyes of hackers and fraudsters.
Let’s start with the first question: what is a PAN?
What is a primary account number (PAN)?
A primary account number (PAN) is the series of digits – typically 16 digits, but which can vary from 12 to 19 numbers long – embossed on the front of a credit, debit, or prepaid card. The PAN is usually also encoded into the magnetic stripe on the card’s rear side.
It is a unique number assigned by the card issuer to the cardholder’s account.
The PAN’s role? To identify the card – and the issuing bank it belongs to – and link it to the account and its holder.
In the credit card processing world, the PAN plays an integral role in facilitating how the different financial parties and players involved in the transaction talk to each other. And, since the exposure of the PAN can lead to identity theft or payment fraud, it’s vital that any business accepting credit and debit transactions – including yours – keeps it safe.
How do primary account numbers work?
To the naked eye, a PAN may look like one long chain of digits. But in fact, it’s actually a series of segments of numbers – each corresponding to a different element.
- The first eight digits of the PAN are known as the Issuer Identification Number (IIN), or the Bank Identification Number (BIN). These digits identify the institution that issued the card. (Or, simply, the ‘issuer’.)
- The latter 12 digits of the PAN (so, in a typical 16-digit pan, numbers five to 16) are the Account Identifier/Number. This represents the unique account number the issuer assigns to the cardholder and links the card to the holder’s specific account.
- The first digit of the PAN is known as the Major Industry Identifier (MII). This identifies the scheme – be it Mastercard, Discover, Visa, or American Express – supporting the card.
- The PAN’s last number is the Validator Digit. Also known as a ‘check digit’, this is calculated using a specific algorithm – often the Luhn algorithm – and is used to validate the accuracy of the entire PAN.
Now we know how PANs are set up, let’s zoom in for a closer look at the role they play in facilitating a debit or credit card transaction.
- Your customer initiates a card payment with your business. In the case of a card-present transaction – so, one made through a payment terminal at your bricks-and-mortar store – your device will collect the customer’s PAN. This happens either through the card’s EMV chip, its magnetic stripe, or (in the case of contactless payment) through NFC (near-field communication) technology.
- The payment is tokenized. Payment tokenization is the process of replacing the PAN with ‘tokens’: unique strings of numbers that act as non-sensitive references to, or ‘stand-ins’ for, the actual credit or debit card data. Should the transaction’s security become compromised, tokenization ensures the actual PAN isn’t exposed to thieves.
- The payment is submitted. Here, the PAN – along with information such as the transaction amount and your business’s details – is encrypted and submitted to the acquiring bank. (Also known as the ‘acquirer’, this is the financial institution you’ve selected to take payments on your business’s behalf.)
- The issuing bank gets involved. After receiving the transaction information from the acquirer, the issuer utilizes the PAN to locate the cardholder’s account and run some checks. These include scanning for potential fraud, checking the validity of the card, and making sure the account has sufficient funds to complete the transaction.
- The transaction is completed. Bar any issues, the issuing bank relays its approval back, via the payment rails of a card scheme, to the acquiring bank, before funneling it all the way back to where the transaction started – your business’s point of sale (POS).
Primary account numbers vs account numbers
Sometimes, the semantics of the credit card processing space serve up more than their fair share of confusion – particularly when so many of the same words and phrases are involved.
With that in mind, let’s quickly define the primary account number vs account number distinction. Because while both serve as unique identifiers that allow financial transactions to take place, each conveys different information and apply in contrasting contexts.
As we’ve discussed, a primary account number (PAN) is the number that appears on your customer’s credit or debit card. Its role is to link their card to their account with the financial institution they bank with. The PAN is used in transactions – both of the card-present and card-not-present variety – to enable the acquiring and issuing banks to communicate.
An account number is used for different purposes: including bank-to-bank transfers and direct debits. It’s the number your customer will find not on their credit or debit card (like the PAN is) but in their bank statements and online banking apps. The account number is linked directly to your customer’s account, and (unlike the PAN) contains no information about their payment card’s type or issuing bank.
Primary account numbers vs secondary account numbers
A secondary account is when a primary account holder authorizes someone they know – such as a relative, commonly a child – to their payment card account.
This person – the secondary account holder – will receive their own credit or debit card. Depending on the issuing bank’s policy, this card may have the same PAN as the primary account holder. But if it’s different, the card will come with a secondary card number.
Secondary account numbers are important in the case of prepaid business or corporate credit cards. To make expense tracking and the attribution of spending more trackable, these cards – which employees of a business receive – will all bear secondary account numbers. The main card (that of the business itself) will have a PAN.
How do PANs work for virtual cards?
PANS for virtual cards work a little differently.
Virtual cards are similar to physical credit or debit cards but exist only in digital form – you can’t pick them up and place them in your wallet. Essentially, virtual cards are what regular debit or credit cards would be if you stripped them of their physical attributes and boiled them down to their PANs alone.
If you’ve ever added a debit or credit card to a digital wallet (such as Apple Pay or Google Pay), and then used that digital wallet to make a smartphone payment, you’ve used a virtual card.
With a virtual card, the issuing bank doesn’t generate a static PAN for that card, as it would when supplying a physical card. (Static implies that the PAN doesn’t change.) Instead, tokenized virtual card transactions generate a fresh PAN every time the card is used to make a purchase – mitigating the risk of fraudulent activity.
Virtual cards also utilize tokenization. This process – which, as you’ll remember, involves masking the actual PAN behind unique, randomly generated strings of alphanumeric identifiers – helps safeguard the virtual card from misuse.
To find out exactly how tokenization helps prevent payment fraud, explore our guide for a comprehensive take.
Issue cards with Checkout.com
Here at Checkout.com, we’re known as a leading acquirer and payment processor – meaning we help your business accept payments in a wealth of different currencies and methods, all while safeguarding your transactions and business from fraud.
However, we also offer assistance on the issuing side of things, too.
This means that, as an issuer processor, Checkout.com won’t just help you manage and process card payments. We’ll enable you to issue those cards, too.
With us, you can launch and optimize your own card program, then – via our easy-to-use online portal – handle all your reporting and compliance responsibilities, too. (We’re also a card program manager, meaning we take the administrative burden of organizing and optimizing the issuing process off your shoulders.)
You can design your payment cards to fit your brand’s unique look and feel, apply spend controls, and then fund them for immediate use – without hassle or headache.
Better still, card issuing will ensure you earn a portion of interchange revenue on every transaction those cards are used in. And, with transparent pricing, granular reconciliation, and transaction reporting that goes well beyond the basics, you’ll have all the data you need to maximize your issuing impact – at your fingertips.
Want to know more? Explore Checkout.com’s issuing solution, or get in touch today with our friendly team of payment experts to chat through your business’s card-issuing needs.