What Is a PAN (Primary Account Number)?

The PAN (Primary Account Number) is the long number embossed or printed on the front or back of a payment card — typically 16 digits for Visa and Mastercard. It uniquely identifies the cardholder's account and is the most sensitive piece of data involved in a card payment.

PAN Explained

Every debit card, credit card and prepaid card has a Primary Account Number — the long number you read out or type in when making a payment. For most Visa and Mastercard cards, this is 16 digits long, though American Express uses 15 digits and some other card types vary.

The PAN is not just a random number. Its structure contains specific information:

  • The first 6-8 digits (BIN/IIN) — the Bank Identification Number (also called the Issuer Identification Number) identifies the card issuer and the card type. For example, Visa cards start with 4, Mastercard with 51-55 or 2221-2720.
  • The middle digits — these identify the individual cardholder's account with the issuing bank.
  • The last digit — this is a check digit calculated using the Luhn algorithm, which helps detect accidental errors when the number is typed or read out.

Why the PAN Is So Important

The PAN is the single most valuable piece of card data for a fraudster. With the PAN, expiry date and CVV, someone can make card-not-present purchases. This is why PCI DSS (the Payment Card Industry Data Security Standard) places the strictest controls on how the PAN is handled.

PCI DSS Requirements for PAN Data

Under PCI DSS, any organisation that stores, processes or transmits the PAN must comply with the full set of security requirements. Key rules include:

  • The PAN must be rendered unreadable when stored — using encryption, tokenization, truncation or hashing.
  • Access to the full PAN must be restricted — only personnel with a legitimate business need should see the complete number.
  • The PAN must never be stored in plain text — in databases, log files, spreadsheets or anywhere else.
  • Displaying the PAN — when shown on screen or printed, only the first six and last four digits may be visible (masking the middle digits).

PAN Masking and Truncation

You will often see a card number displayed as something like 4532 **** **** 1234. This is PAN masking — the middle digits are hidden to protect the full number while still allowing the cardholder or agent to confirm which card was used. Truncation goes a step further by permanently removing digits so they can never be recovered.
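The Luhn check digit, the issuer prefixes and the first-six/last-four display rule described above can be combined into a scrubber that finds unmasked PANs in log lines and masks them. The Python below is an added example, not Paytia's code: the function names and sample log lines are constructed for illustration, and the card numbers are widely published test numbers.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the final digit is the correct Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand(digits: str) -> str:
    """Issuer brand from the leading digits, using only the ranges given above."""
    if digits[0] == "4":
        return "Visa"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "Mastercard"
    return "other"

def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub(line: str):
    """Return (scrubbed_line, [brands found]) for one line of text."""
    found = []
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()    # e.g. an order number: leave untouched
        found.append(brand(digits))
        return mask_pan(digits)
    return CANDIDATE.sub(repl, line), found

# Constructed sample log lines; the card numbers are public test numbers.
SAMPLE_LOG = [
    "10:02:11 payment ok card=4111 1111 1111 1111 amount=20.00",
    "10:02:15 payment ok card=5555-5555-5555-4444 amount=9.99",
    "10:02:19 refund order=1234567890123456 status=done",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub(entry))
```

Because the Luhn check only detects accidental errors, roughly one in ten random digit runs of the right length will also pass it, so matches should be treated as candidates for review rather than confirmed card numbers.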

Protecting the PAN in Telephone Payments

Telephone payments present a unique challenge because the customer must communicate their PAN to complete the transaction. If an agent hears or sees the full number, or if the call is recorded, the PAN is exposed and your PCI DSS scope expands significantly. This is why technologies like DTMF masking are critical — they allow the customer to enter their PAN via the phone keypad without the digits being heard, seen or recorded.

How Paytia Uses This

Paytia's entire platform is built around the principle that the PAN should never be exposed to your business. When a customer enters their card number during a telephone payment using Paytia, the digits are captured securely using DTMF masking technology. This means the PAN is never heard by the agent, never displayed on screen and never included in call recordings.

The PAN is transmitted directly to the payment gateway in an encrypted form, bypassing your systems entirely. Your business only ever sees a masked or tokenized version of the card number — enough to identify the transaction, but useless to a fraudster.

By keeping the PAN out of your environment, Paytia dramatically reduces your PCI DSS scope, making compliance simpler and more affordable. This is the core of how Paytia's descoping approach works.

Frequently Asked Questions

How many digits is a PAN?

Most Visa and Mastercard PANs are 16 digits long. American Express cards have 15 digits. Some other card types may have between 13 and 19 digits, though 16 is by far the most common.

Can I store the full PAN in my database?

Only if it is rendered unreadable using strong encryption, tokenization or another approved method. PCI DSS strictly prohibits storing the PAN in plain text. For most businesses, the simplest and safest approach is to use tokenization so you never store the real card number at all.

What is PAN masking?

PAN masking is the practice of hiding the middle digits of a card number when it is displayed, for example showing 4532 **** **** 1234. This allows the card to be identified without exposing the full number. PCI DSS requires that no more than the first six and last four digits are shown.
