Glossary

February 06, 2024

PAN

The primary account number (PAN) is a unique identifier for credit cards, debit cards and other payment cards. It is often referred to colloquially as the “card number”. The PAN is typically between 14 and 19 digits long, with the first set of digits identifying the issuer of the card (the BIN or bank identification number). Together with the CVV (also known as CSC, CVC, CAV and CVD), the PAN is required for online transactions using a credit card.

This number can be up to 19 digits long and consists of several sections.

The first 6 or 8 digits identify the industry, network and financial institution that issued the card, called the issuer identification number or IIN. The IIN is also known as the BIN, or bank identification number. The first digit in the BIN or IIN indicates the card network (e.g. American Express starts with a 3, Visa cards begin with the digit 4, and Discover starts with 6). The remaining digits in the BIN/IIN identify the financial institution that issues the card.

The remaining digits, apart from the final digit, identify the cardholder. The final digit is a checksum used to validate that the card number has been typed in correctly, because its value depends on the value of all other digits.
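The sections described above can be split out and the check digit verified in a few lines. This is an added example, not code from the original page; the page does not name the checksum algorithm, and the sketch uses the Luhn formula, which is the check-digit scheme payment card numbers use. The function names, the `ParsedPan` type and the sample value (a widely published test number, not a live card) are assumptions for illustration.

```python
from dataclasses import dataclass

# Widely published test number, used here as constructed sample input.
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_check_digit(payload: str) -> int:
    """Return the digit that makes payload + digit satisfy the Luhn formula."""
    total = 0
    # Walk right to left; the digit adjacent to the check digit is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return (10 - total % 10) % 10


@dataclass(frozen=True)
class ParsedPan:
    iin: str          # issuer identification number (BIN), 6 or 8 digits
    account: str      # digits identifying the cardholder
    check_digit: str  # final digit, derived from all the others
    valid: bool       # True if the check digit matches


def parse_pan(raw: str, iin_length: int = 6) -> ParsedPan:
    """Split a PAN into IIN, account digits and check digit, and verify it."""
    digits = raw.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("PAN must contain only digits")
    if not 14 <= len(digits) <= 19:
        raise ValueError("PAN must be 14 to 19 digits long")
    if iin_length not in (6, 8):
        raise ValueError("IIN length must be 6 or 8")
    payload, check = digits[:-1], digits[-1]
    return ParsedPan(
        iin=digits[:iin_length],
        account=digits[iin_length:-1],
        check_digit=check,
        valid=luhn_check_digit(payload) == int(check),
    )


if __name__ == "__main__":
    # Print only the structure result; avoid writing full PANs to logs.
    parsed = parse_pan(SAMPLE_PAN)
    print(parsed.iin, len(parsed.account), parsed.valid)
```

A passing check digit only shows the number is well formed; it says nothing about whether the card exists or is authorised.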

Credit and debit card PANs represent sensitive financial information, and the network schemes have strict requirements for securing this information. PANs may only be stored in PCI DSS-compliant vaults that must implement strong security measures. As PCI DSS certification is expensive and must be performed annually, most merchants outsource the storage of PANs to a third-party vault. This reduces the PCI DSS scope for merchants.

When a consumer first enters a PAN that should be stored (either because the user has opted to store their payment details, or because they have entered into a subscription contract), the PAN is sent directly to the vault for storage. A token is generated and returned to the merchant. This token can be stored by the merchant and used for subsequent card-on-file transactions. Tokens do not contain any sensitive information; they are simply unique identifiers used to look up the card details.

To reference a PAN stored in the vault when submitting a card-on-file transaction, the merchant includes this token with the transaction. The PSP or payment orchestration platform then looks up the corresponding PAN and forwards the actual PAN along with the transaction data for processing. This ensures that merchants never need to handle the PAN directly.

Card details can change over time. For example, cards have an expiration date and thus need to be re-issued regularly. Whenever a card is re-issued, its details change. This means that card-on-file transactions will no longer be possible without first updating the card details.

There are two methods of ensuring that card details remain up to date and can be used to process card-on-file transactions: account updaters and network tokenization.

An account updater periodically checks whether a card has been updated by requesting updated information from the card schemes. If the card details have changed since the last request, the updated card information is returned and can be updated in the secure vault used to store the PAN.

Network tokenization uses tokens issued directly by the card schemes. Participating issuers perform lifecycle management of the token, ensuring the card details referenced by the token are up to date. Unlike tokens issued by payment service providers, the network token stored by merchants and used to process transactions is not invalidated by changes to the card’s data, such as when a card is re-issued.

IXOPAY offers an Account Updater and supports network tokenization.