When it comes to handling credit card payments, keeping customer information safe is a priority for businesses. One key component in card payments is the primary account number (PAN), which is a string of digits shown on your card.
The PAN is a series of numbers found on credit, debit and even virtual or prepaid cards. It plays a crucial role in facilitating the flow of information during payment transactions. While the PAN itself does not inherently protect against fraud, it must be properly safeguarded, as exposure to unauthorised parties could lead to fraudulent activity.
In this blog, we will explain what PANs are, how they work, how they differ from account numbers as well as how your business can protect customers’ PANs.
What is a primary account number (PAN)?
A primary account number (PAN), also known as a payment card number or simply a card number, is essentially a unique sequence of digits. When a customer orders a new card, the issuer automatically generates a unique PAN linked to the cardholder’s bank or eWallet account.
This number is different to bank account codes like SWIFT and BIC, as it is specific to a customer’s payment card. Furthermore, the sequence of digits follows a structured format rather than being entirely random. In fact, PANs meet the ISO/IEC 7812 standard, which allows both the card and the cardholder to be identified. It is important to keep this number safe, as it can be exploited for credit card fraud.
How do primary account numbers work?
PANs typically range from 14 to 19 digits, varying depending on the associated card scheme and card issuer. While PANs vary in length, they all follow a similar structure, as outlined below:
- The first set of digits is the Bank Identification Number (BIN), also sometimes referred to as the Issuer Identification Number (IIN). This identifies the financial institution that issued the card. The first digit of the BIN also indicates the card scheme, such as Mastercard, Visa or Amex. BINs typically range from 6 to 8 digits, depending on the card issuer.
- The next set of digits serves as a unique identifier for the cardholder.
- The last digit is the checksum number or check digit. This helps validate the authenticity of the PAN and ensures the card number has been entered correctly.
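The structure listed above, as an added example that is not part of the original post: it splits a PAN into BIN, cardholder identifier and check digit, and verifies the check digit with the Luhn algorithm used for ISO/IEC 7812 card numbers. The function names and the `bin_length` parameter are assumptions made for the illustration, and the sample numbers are widely published test numbers, not live cards.

```python
def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check used for the PAN check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_digit(body: str) -> str:
    """Check digit to append to a PAN that is missing its last digit."""
    for candidate in "0123456789":
        if luhn_valid(body + candidate):
            return candidate
    raise AssertionError("unreachable: exactly one candidate always matches")


def parse_pan(raw: str, bin_length: int = 6) -> dict:
    """Split a PAN into BIN, cardholder identifier and check digit.

    bin_length is an assumption supplied by the caller (6 to 8): the BIN
    length cannot be read from the digits themselves.
    """
    pan = raw.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit()) or not 14 <= len(pan) <= 19:
        raise ValueError("expected 14 to 19 digits")
    if not 6 <= bin_length <= 8:
        raise ValueError("BIN length must be 6 to 8")
    return {
        "bin": pan[:bin_length],
        "account_id": pan[bin_length:-1],
        "check_digit": pan[-1],
        "luhn_valid": luhn_valid(pan),
    }


# Constructed sample input: a published test number, then the same number
# with its last digit mistyped.
if __name__ == "__main__":
    print(parse_pan("4111 1111 1111 1111"))
    print(parse_pan("4111 1111 1111 1112")["luhn_valid"])
```

A passing check digit only shows that the digits are internally consistent, so it catches entry mistakes; it does not show that the card exists or belongs to the person presenting it.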
Whether swiping a physical card or inputting details on an online payment page, PANs act as a vital link between all entities involved in the transaction process.
How do PANs work for virtual cards?
Virtual cards are the digital equivalent of physical payment cards, existing solely in electronic form. They function using PANs as their unique numerical identifiers. Some virtual cards generate a single-use PAN for additional security, while others function with a static PAN, similar to physical cards.
Primary account numbers vs bank account numbers
PANs and bank account numbers are unique identifiers crucial in financial transactions, but they have distinct roles in payment processing.
Primary account number
A 14 to 19 digit number on a credit, debit or prepaid card, created by the issuing bank. It is used in card-based transactions, requiring stringent security measures due to its sensitive nature. It is governed by standards like PCI DSS to ensure secure storage, processing and transmission throughout the payment process.
Bank account number
A unique identifier for accounts held at banks, unrelated to the card issuer or card type. Primarily, it is used in direct banking transactions like deposits, withdrawals and transfers. It is found on bank statements or obtained through bank portals and is not subject to the same PCI DSS standards as PANs.
While PANs are critical in card payments and require strict protection, account numbers are essential for banking transactions. It is important for businesses to understand how each number works to ensure the secure handling of sensitive financial data.
How can merchants protect their customers’ PANs?
PANs are highly sensitive and must be handled with the highest level of care. Merchants are required to adhere to PCI DSS guidelines to ensure the secure handling, storage and transmission of PANs. However, in most cases, particularly with online transactions, merchants do not handle the full PAN directly. Instead, payment gateways and processors manage PAN data, reducing the risk of fraud and data breaches.
Here are key security measures businesses can implement:
Truncation
Truncation refers to removing a portion of the PAN when displaying it, such as on a receipt or payment confirmation screen. For example, only the first six and last four digits are visible, with the rest replaced by the letter 'X' or asterisks. This helps to protect the PAN by ensuring that the full number is not displayed in places where fraudsters could see and copy it.
Masking
Similar to truncation, masking involves hiding part of the PAN, typically while a cardholder is entering the number or when it is displayed on a screen. For instance, when entering a card number on a website, each digit is replaced by an asterisk as soon as it is typed, so that malicious screen-capturing software cannot read the full PAN.
Encryption
This process converts the PAN data into a coded form, making it unreadable to anyone without the decryption key. The PAN is encrypted throughout the payment process, from the initiation of the transaction to when it is transmitted to the appropriate financial institutions for authorisation. Encryption ensures that even if fraudsters intercept the transaction data, they cannot understand or use it.
Tokenisation
Tokenisation bolsters transaction security, particularly in eCommerce environments. This process replaces the PAN with a unique token of random alphanumeric characters for each transaction. If payment data is compromised, the token is useless to fraudsters.
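How truncation and tokenisation fit together on the merchant side, as an added example that is not part of the original post and not emerchantpay's implementation. `TokenVault` is a hypothetical in-memory stand-in for the vault a payment provider would operate, and the order IDs and card number are constructed test values.

```python
import secrets


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits, replace the rest with 'X'."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical stand-in for a provider-side vault (assumption)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        # The token comes from a CSPRNG and is not derived from the PAN,
        # so it cannot be reversed without access to the vault's mapping.
        token = secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        # Only the vault holds this mapping; the merchant never calls it.
        return self._pan_by_token[token]


def merchant_record(order_id: str, pan: str, vault: TokenVault) -> dict:
    """What the merchant stores: a fresh token per transaction plus a
    truncated PAN for receipts. The full PAN is never kept."""
    return {
        "order_id": order_id,
        "token": vault.tokenise(pan),
        "display_pan": truncate_pan(pan),
    }


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # published test number, not a live card
    first = merchant_record("order-1001", test_pan, vault)
    second = merchant_record("order-1002", test_pan, vault)
    print(first)
    print(second)
```

If the merchant's order table leaks, it exposes only tokens and truncated numbers; the full PAN can be recovered only through the vault.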
Risk and fraud management
To safeguard customers' PANs, merchants can implement a multi-layered approach to risk and fraud management. This includes partnering with a trusted Payment Service Provider (PSP) to ensure PCI compliance and mitigate any instances of fraud. By combining security measures such as velocity checks, transaction counts and amount thresholds with authentication protocols such as 3DS2 and the Address Verification Service (AVS), merchants can effectively monitor and authenticate transactions. This reduces the risk of unauthorised card usage and enhances overall transaction security.
How can emerchantpay help you?
In the ever-evolving payments landscape, businesses must understand PAN security and best practices for securely accepting payments. This means merchants are not only protecting their customers against fraud but also safeguarding their profits while providing a seamless payment experience.
At emerchantpay, we are proud of our comprehensive global payment solution, which includes tokenisation, robust fraud and risk management and a range of solutions such as 3DS2 and AVS. Our experienced Risk Analysts are here to offer personalised support, guiding you on how to optimise your payment processes to improve the performance and profitability of your payments. Moreover, we go a step further by providing 1:1 support from an Account Manager to ensure that you receive tailored assistance whenever you need it, with vertical-specific expertise also available.
Ready to learn how emerchantpay can help you increase the efficiency of your payments to maximise revenue? Contact our team of payments experts today.