February 06, 2024


The primary account number (PAN) is a unique identifier for credit cards, debit cards and other payment cards. It is often colloquially simply referred to as the “card number”. The PAN is typically between 14 and 19 digits long, with the first set of digits identifying the issuer of the card (the BIN or bank identification number). Together with the CVV (also known as SCS, CVC, CAV and CVD) the PAN is required for online transactions using a credit card.

The PAN (primary account number) is a unique identifier for credit cards, debit cards and other payment cards. This number can be up to 19 digits long, and consists of various sections.

The first 6 or 8 digits identify the industry, network and financial institution that issued the card, called the issuer identification number or IIN. The IIN is also known as the BIN, or bank identification number. The first digit in the BIN or IIN indicates the card network (e.g. American Express starts with a 3, Visa cards begin with the digit 4, and Discover starts with 6). The remaining digits in the BIN/IIN identify the financial institution that issues the card.

All other digits apart from the final digit identify the cardholder. The final digit is a checksum, and is used to validate that the card number has been typed in correctly, as this final digit depends on the value of all other digits.

Credit and debit card PANs represent sensitive financial information, and the network schemes have strict requirements for securing this information. PANs may only be stored in PCI DSS-compliant vaults that must implement strong security measures. As PCI DSS certification is expensive and must be performed annually, most merchants outsource the storage of PANs to a third party vault. This reduces the PCI DSS scope for merchants.

When a consumer first enters a PAN that should be stored - either because the user has opted to store their payment details, or because they have entered into a subscription contract - the PAN is sent directly to the vault for storage. A token is generated and returned to the merchant. This token can be stored by the merchant and used for subsequent card on file transactions. Tokens do not contain any sensitive information, but are simply a unique identifier used to look up the card details.

In order to reference a PAN stored in the vault when submitting a card on file transaction, the merchant needs to include this token with the transaction. The PSP or payment orchestration platform then looks up the corresponding PAN and forwards the actual PAN along with the transaction data for processing. This ensures that merchants never need to handle the PAN directly.

Card details can change over time. For example, cards have an expiration date and thus need to be re-issued regularly. Whenever a card is re-issued, its details change. This means that card on file transactions will no longer be possible without first updating the card details.

There are two methods of ensuring that card details remain up-to-date and can be used to process card on file transactions: account updaters and network tokenization.

An account updater periodically checks whether a card has been updated by requesting updated information from the card schemes. If the card details have changed since the last request, the updated card information is returned and can be updated in the secure vault used to store the PAN.

Network tokenization uses tokens issued directly by the card schemes. Participating issuers perform lifecycle management of the token, ensuring the card details referenced by the token are up-to-date. Changes to the card’s data, such as when a card is re-issued, do not invalidate the token stored by merchants and used to process transactions, as opposed to tokens issued by payment service providers.

IXOPAY offers an Account Updater and supports network tokenization.