
PAN (Primary Account Number)

Definition

A PAN is the full card number on a payment card — classified as sensitive data under PCI DSS and replaced by tokens in most modern payment flows.

A Primary Account Number (PAN) is the 16–19 digit number embossed on a payment card and transmitted in every card transaction. It identifies the card network, issuing bank, and individual account. PANs are classified as sensitive cardholder data under PCI DSS — merchants must never store them unencrypted, and most payment flows replace the PAN with a token before it reaches merchant infrastructure.

The PAN is the foundational identifier in every card payment. It encodes the card network, issuing institution, and individual account in a structured format — and it is the target of most card fraud attacks, which is why the entire modern payments security stack is oriented around never exposing it.

PAN Structure

A 16-digit Visa or Mastercard PAN breaks down as follows:

  • Digit 1: Major Industry Identifier (MII). 4 = Visa; 5 = Mastercard; 3 = Amex/Diners.
  • Digits 1–6: Bank Identification Number (BIN). Identifies the issuing bank and card program. The BIN is used by acquirers and PSPs to route authorization requests.
  • Digits 7–15: Individual Account Identifier. Assigned by the issuer; identifies the specific account.
  • Digit 16: Luhn check digit. A mathematical check to catch transcription errors and simple forgeries.

Amex uses 15 digits; some cards (notably Maestro and some UnionPay) use 18 or 19 digits.

PCI DSS and PAN Storage

PCI DSS classifies the full PAN as the single most sensitive cardholder data element. The rules:

  • Never store the full PAN unencrypted after authorization. Most compliant implementations truncate stored PANs (showing only the last 4 digits) or replace them with tokens.
  • CVV, PIN, and magnetic stripe data (sensitive authentication data) must never be stored after authorization, under any circumstances.
  • Merchants in scope for PCI DSS who process PANs directly face the highest compliance burden (SAQ D, Level 1). Most reduce scope by tokenizing before the PAN touches their environment.

Tokenization and PAN Exposure Reduction

The primary architectural goal of modern payment security is to minimize PAN exposure. There are two distinct tokenization approaches:

PSP/gateway tokenization: The PSP replaces the PAN with a proprietary token on first use. The merchant stores the token, not the PAN. The PSP maps the token back to the PAN for authorization. This reduces the merchant's PCI scope, but the PAN itself still travels from the PSP to the network in cleartext.

Network tokenization: Visa Token Service (VTS) or Mastercard Digital Enablement Service (MDES) replaces the PAN with a network-level token. The token is specific to the merchant and device. Even if intercepted, it cannot be used elsewhere. Authorization happens with the token; the network maps it to the PAN internally.

Network tokenization is the stronger security model. It also improves authorization rates — tokens survive card reissues automatically, eliminating declines from outdated card details.
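As an added example (not code from this glossary or from any PSP or card network), the following Python models the token flow described above with a toy in-memory vault: the merchant keeps only an opaque token and the last four digits, the vault resolves the token to the PAN at authorization time, a token is refused for any merchant other than the one it was issued to (the domain restriction that makes an intercepted network token useless elsewhere), and a card reissue rebinds existing tokens so stored credentials keep working. The class, method names and merchant identifiers are assumptions for this example.

```python
import secrets


class TokenVault:
    """Toy vault standing in for the PSP or network side: it holds the only copy of
    the PAN and hands merchants a random token that carries no PAN information."""

    def __init__(self):
        self._by_token = {}   # token -> {"pan": ..., "merchant": ...}
        self._by_card = {}    # (pan, merchant) -> token, so a repeat card gets the same token

    def tokenize(self, pan: str, merchant_id: str) -> str:
        key = (pan, merchant_id)
        if key not in self._by_card:
            token = "tok_" + secrets.token_hex(16)  # random; not derived from the PAN
            self._by_token[token] = {"pan": pan, "merchant": merchant_id}
            self._by_card[key] = token
        return self._by_card[key]

    def detokenize(self, token: str, merchant_id: str):
        """Resolve a token to its PAN, but only for the merchant it was issued to."""
        entry = self._by_token.get(token)
        if entry is None or entry["merchant"] != merchant_id:
            return None  # domain restriction: the token is useless anywhere else
        return entry["pan"]

    def reissue(self, old_pan: str, new_pan: str) -> int:
        """Issuer replaced the card: rebind every token on the old PAN to the new one."""
        rebound = 0
        for entry in self._by_token.values():
            if entry["pan"] == old_pan:
                entry["pan"] = new_pan
                key = (old_pan, entry["merchant"])
                self._by_card[(new_pan, entry["merchant"])] = self._by_card.pop(key)
                rebound += 1
        return rebound


def merchant_store_card(vault: TokenVault, pan: str, merchant_id: str) -> dict:
    """Everything the merchant is allowed to keep: the token and a truncated PAN."""
    token = vault.tokenize(pan, merchant_id)
    return {"token": token, "pan_last4": pan[-4:]}


def authorize(vault: TokenVault, stored_card: dict, merchant_id: str, amount: float) -> dict:
    """Authorization path: the vault, not the merchant, resolves the token to a PAN."""
    pan = vault.detokenize(stored_card["token"], merchant_id)
    if pan is None:
        return {"approved": False, "reason": "token not valid for this merchant"}
    # The issuer authorization request would be built from `pan` here, inside the vault's
    # trust boundary; the merchant only ever sees the result.
    return {"approved": True, "pan_last4": pan[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    card = merchant_store_card(vault, "4111111111111111", "merchant-A")
    print("merchant record:", card)
    print("same merchant:", authorize(vault, card, "merchant-A", 10.0))
    print("other merchant:", authorize(vault, card, "merchant-B", 10.0))
    vault.reissue("4111111111111111", "4000000000000002")
    print("after reissue:", authorize(vault, card, "merchant-A", 10.0))
```

Because the token is bound to the merchant at issuance, a breach of merchant-A's database yields nothing usable at merchant-B, and because the vault rebinds on reissue, the merchant's stored record does not need updating when the issuer replaces the card.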

PAN in Fraud

The PAN is the primary target of card fraud operations:

  • Card testing: Fraudsters test stolen PANs with small transactions to verify which are live before attempting larger purchases.
  • BIN attacks: Automated generation of valid PANs within a known BIN range, exploiting the predictable structure to generate valid-looking card numbers.
  • CNP fraud: In card-not-present environments, the PAN (plus CVV and expiry) is sufficient to transact — no physical card required. This is why CNP fraud rates are structurally higher than card-present.
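As an added example (not from this glossary), the Python below runs a detection routine over constructed authorization events and flags the first two patterns above from the defender's side: card testing (one source trying many distinct cards for tiny amounts with mostly declines) and BIN attacks (the same, but every card inside a single BIN). The thresholds, field names, IP addresses (documentation ranges) and events are assumptions for this example; the events carry only BIN and last 4, which is what a log should hold once the PAN has been tokenized.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 5, 12, 0, 0)


def _ev(seconds, src, bin_, last4, amount, approved):
    # One authorization attempt as a PCI-safe log records it: BIN and last 4, never the full PAN.
    return {"ts": BASE + timedelta(seconds=seconds), "src": src, "bin": bin_,
            "last4": last4, "amount": amount, "approved": approved}


# Constructed events for the demonstration (not real traffic).
EVENTS = [
    # 203.0.113.5: six different cards across six BINs, $1.00 each, one approval
    _ev(0, "203.0.113.5", "411111", "1111", 1.00, False),
    _ev(10, "203.0.113.5", "555555", "4444", 1.00, False),
    _ev(20, "203.0.113.5", "378282", "0005", 1.00, True),
    _ev(30, "203.0.113.5", "400000", "0002", 1.00, False),
    _ev(40, "203.0.113.5", "510510", "5100", 1.00, False),
    _ev(50, "203.0.113.5", "424242", "4242", 1.00, False),
    # 198.51.100.7: six different cards, all inside one BIN, $0.50 each, no approvals
    _ev(5, "198.51.100.7", "411111", "0001", 0.50, False),
    _ev(15, "198.51.100.7", "411111", "0019", 0.50, False),
    _ev(25, "198.51.100.7", "411111", "0027", 0.50, False),
    _ev(35, "198.51.100.7", "411111", "0035", 0.50, False),
    _ev(45, "198.51.100.7", "411111", "0043", 0.50, False),
    _ev(55, "198.51.100.7", "411111", "0050", 0.50, False),
    # 192.0.2.9: an ordinary customer purchase
    _ev(60, "192.0.2.9", "411111", "1111", 49.99, True),
]


def detect_card_testing(events, window=timedelta(minutes=5), min_cards=5,
                        max_amount=2.0, max_approval_rate=0.5):
    """Per source, find the window with the most small-amount attempts; alert when it
    spans many distinct cards and mostly declines. Thresholds are illustrative."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["src"]].append(e)

    alerts = []
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        best = []
        for i, first in enumerate(evs):
            probes = [e for e in evs[i:]
                      if e["ts"] - first["ts"] <= window and e["amount"] <= max_amount]
            if len(probes) > len(best):
                best = probes
        if not best:
            continue
        cards = {(e["bin"], e["last4"]) for e in best}
        bins = {e["bin"] for e in best}
        approval_rate = sum(1 for e in best if e["approved"]) / len(best)
        if len(cards) >= min_cards and approval_rate <= max_approval_rate:
            alerts.append({
                "src": src,
                # every probe inside one BIN is the BIN-attack signature; mixed BINs is card testing
                "pattern": "bin_attack" if len(bins) == 1 else "card_testing",
                "cards": len(cards),
                "bins": len(bins),
                "approval_rate": round(approval_rate, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(EVENTS):
        print(alert)
```

In production the source key would usually combine IP, device fingerprint and session rather than IP alone, and the response to an alert is rate limiting or a step-up challenge on that source rather than blocking the cards, which belong to victims.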

For merchants, PAN exposure reduction through tokenization is the most effective single control for both PCI compliance scope and fraud risk.
