What Is a PAN (Primary Account Number)?
The PAN (Primary Account Number) is the long number embossed or printed on the front or back of a payment card — typically 16 digits for Visa and Mastercard. It uniquely identifies the cardholder's account and is the most sensitive piece of data involved in a card payment.
What the PAN Is
The Primary Account Number, or PAN, is the long number embossed or printed on the front (or sometimes back) of a payment card. For most cards, this is a 16-digit number, though some card brands use different lengths -- American Express cards have 15 digits, for example. It is the number that identifies a specific cardholder account with the card-issuing bank.
When people talk about a "card number" in everyday conversation, they are referring to the PAN. It is the single most important piece of data in any card payment transaction and, consequently, the piece of data that criminals most want to steal.
How the PAN Is Structured
A PAN is not just a random string of digits. Each section carries specific meaning.
- The first digit identifies the card industry and, in practice, the card brand. Cards starting with 4 are Visa, cards starting with 5 (or whose first four digits fall in the 2221-2720 range) are Mastercard, and 3 indicates American Express or other brands.
- The first six to eight digits form the Bank Identification Number (BIN), which identifies the issuing bank and the type of card (credit, debit, prepaid, corporate, etc.).
- The middle digits are the individual account number assigned by the issuing bank to the specific cardholder.
- The last digit is a check digit calculated using the Luhn algorithm, a simple mathematical formula that catches accidental errors in the card number. If you mistype a single digit, the check digit will not match, and the system will reject the number before it even reaches the payment network.
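The Luhn check described above, as an added example that is not part of the original page: it validates a PAN, computes the check digit an issuer would append, and demonstrates that any single mistyped digit is caught. The numbers used in the comments and tests are publicly documented test card numbers, not real accounts.

```python
import re

def luhn_sum(digits: str) -> int:
    """Sum used by the Luhn algorithm: from the right, double every second digit,
    subtracting 9 when the doubled value has two digits, then add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2   # 2d-9 is the digit sum of 2d when 2d > 9
        total += d
    return total

def luhn_valid(pan: str) -> bool:
    """True when a PAN (spaces or dashes allowed) has a correct check digit."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    return luhn_sum(digits) % 10 == 0

def luhn_check_digit(payload: str) -> str:
    """Check digit the issuer appends so that payload + digit passes the check.
    A placeholder '0' keeps every payload digit in the position it will occupy."""
    return str((10 - luhn_sum(payload + "0") % 10) % 10)

def undetected_single_digit_errors(pan: str) -> list:
    """Every way to mistype exactly one digit of `pan` that would still pass the check.
    Luhn catches all such errors, so this is empty for any valid PAN."""
    digits = re.sub(r"[ -]", "", pan)
    missed = []
    for pos, ch in enumerate(digits):
        for wrong in "0123456789":
            if wrong != ch and luhn_valid(digits[:pos] + wrong + digits[pos + 1:]):
                missed.append((pos, wrong))
    return missed

if __name__ == "__main__":
    # 4111 1111 1111 1111 is the widely published Visa test number
    print(luhn_valid("4111 1111 1111 1111"), luhn_check_digit("411111111111111"))
    print(undetected_single_digit_errors("4111111111111111"))
```

Luhn is an error-detection code, not a security control: a well-formed number says nothing about whether the account exists or belongs to the person presenting it.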
Why the PAN Is Sensitive
The PAN is classified as cardholder data under PCI DSS, and for good reason. Combined with the expiry date and the card security code, the PAN is everything a criminal needs to make fraudulent card-not-present purchases -- online, over the phone, or by mail.
Unlike a PIN, which the cardholder memorises and never shares, the PAN is visible on the physical card and gets transmitted during every transaction. This makes it inherently more vulnerable. Every system that sees, stores, or transmits the PAN becomes a potential target for data thieves.
This is why PCI DSS exists -- to create a set of security rules that protect the PAN at every stage of its journey, from the moment a customer hands over their card details to the point where the transaction is settled and the data is either securely stored or destroyed.
How the PAN Is Used in Transactions
Every card payment, whether in-person or remote, starts with the PAN. Here is a simplified version of how it flows through a typical transaction.
- The customer provides their PAN, either by inserting their card into a terminal, tapping it on a contactless reader, typing it into a website, or entering it on a phone keypad during a call.
- The merchant's payment system captures the PAN and sends it (encrypted) to the payment gateway.
- The payment gateway forwards the PAN to the acquiring bank, which routes it through the card network (Visa, Mastercard, etc.) to the card-issuing bank.
- The issuing bank checks the PAN against its records, verifies the account is valid and has sufficient funds, and returns an authorisation decision.
- The merchant receives an approval or decline and completes (or cancels) the transaction.
Protecting the PAN
PCI DSS contains specific requirements for how the PAN must be handled at every stage.
In Storage
If a business needs to store the PAN (for recurring billing, for example), it must be rendered unreadable using encryption, tokenization, truncation, or hashing. Simply saving a card number in a spreadsheet or database in plain text is a serious PCI DSS violation and a data breach waiting to happen.
In Transit
Whenever the PAN is transmitted across a network -- particularly a public network like the internet -- it must be encrypted using strong cryptographic protocols such as TLS 1.2 or higher.
In Use
Access to the full PAN should be restricted to those with a legitimate business need. For most staff, a truncated version showing only the last four digits is sufficient for identification purposes.
The PAN and Telephone Payments
Telephone payments create particular challenges for PAN security. When a customer reads their card number to an agent, the PAN travels through the voice channel in the clear. The agent hears it, the call recording captures it, and the agent may see it on their screen as they type it into a virtual terminal. Each of these exposure points brings systems into PCI DSS scope.
DTMF masking technology addresses this by allowing customers to enter their PAN on their phone keypad instead of speaking it aloud. The keypad tones are masked or suppressed before reaching the agent, and the digits are routed directly to the payment processor. The agent never hears, sees, or handles the PAN, and call recordings contain no trace of it.
This approach is one of the most effective ways to protect the PAN in telephone payment environments while keeping the customer experience smooth and the call flowing naturally.
PAN Masking and Truncation
You will often see card numbers displayed as something like "XXXX XXXX XXXX 1234" on receipts, statements, and merchant dashboards. This is called masking or truncation -- showing only the last four digits and hiding the rest. PCI DSS allows the first six and last four digits to be displayed, but most organisations show even less to minimise risk.
Masking is not the same as encryption or tokenization. It simply means hiding part of the PAN from view. The full number may still exist in the underlying system, so masking alone does not remove PCI DSS obligations -- it just reduces visual exposure.
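Masking and truncation as described above, in an added example that is not part of the original page or Paytia's product. It enforces the display rule the page states (at most the first six and last four digits), formats the result the way a receipt would, and contrasts masking with truncation for storage. The test numbers are publicly documented test cards, not real accounts.

```python
import re

# Display limit as stated on this page: at most the first six and last four digits
MAX_FIRST_DIGITS = 6
MAX_LAST_DIGITS = 4

def normalise_pan(pan: str) -> str:
    """Strip spaces/dashes a caller may pass; accept only 13-19 digit strings."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("value is not PAN-shaped")
    return digits

def display_allowed(first: int, last: int, length: int = 16) -> bool:
    """True if keeping `first` leading and `last` trailing digits stays within
    the limit and still hides at least one digit."""
    return (0 <= first <= MAX_FIRST_DIGITS and 0 <= last <= MAX_LAST_DIGITS
            and first + last < length)

def mask_pan(pan: str, first: int = 0, last: int = 4, fill: str = "*") -> str:
    """Masked form for screens, receipts and logs. The default shows only the
    last four, which the page notes is enough for most staff."""
    digits = normalise_pan(pan)
    if not display_allowed(first, last, len(digits)):
        raise ValueError("requested display would expose more than the policy permits")
    hidden = fill * (len(digits) - first - last)
    return digits[:first] + hidden + digits[len(digits) - last:]

def group_for_display(masked: str) -> str:
    """Group like an embossed card: 4-6-5 for 15-digit (Amex) values, blocks of 4 otherwise."""
    if len(masked) == 15:
        return f"{masked[:4]} {masked[4:10]} {masked[10:]}"
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))

def truncate_for_storage(pan: str) -> str:
    """Truncation: keep only BIN + last four and discard the rest. Unlike masking,
    the middle digits no longer exist anywhere, so the PAN cannot be rebuilt."""
    digits = normalise_pan(pan)
    return digits[:MAX_FIRST_DIGITS] + digits[-MAX_LAST_DIGITS:]

if __name__ == "__main__":
    print(group_for_display(mask_pan("4111 1111 1111 1111")))   # **** **** **** 1111
    print(truncate_for_storage("4111 1111 1111 1111"))         # 4111111111
```

The masking functions only change what is rendered; the full PAN passed in still exists in the caller's memory, which is the point the text makes about masking not removing PCI DSS obligations.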
Paytia's entire platform is built around the principle that the PAN should never be exposed to your business. When a customer enters their card number during a telephone payment using Paytia, the digits are captured securely using DTMF masking technology. This means the PAN is never heard by the agent, never displayed on screen and never included in call recordings.
The PAN is transmitted directly to the payment gateway in an encrypted form, bypassing your systems entirely. Your business only ever sees a masked or tokenized version of the card number — enough to identify the transaction, but useless to a fraudster.
By keeping the PAN out of your environment, Paytia dramatically reduces your PCI DSS scope, making compliance simpler and more affordable. This is the core of how Paytia's descoping approach works.
Frequently Asked Questions
How many digits is a PAN?
Most Visa and Mastercard PANs are 16 digits long. American Express cards have 15 digits. Some other card types may have between 13 and 19 digits, though 16 is by far the most common.
Can I store the full PAN in my database?
Only if it is rendered unreadable using strong encryption, tokenization or another approved method. PCI DSS strictly prohibits storing the PAN in plain text. For most businesses, the simplest and safest approach is to use tokenization so you never store the real card number at all.
What is PAN masking?
PAN masking is the practice of hiding the middle digits of a card number when it is displayed, for example showing 4532 **** **** 1234. This allows the card to be identified without exposing the full number. PCI DSS requires that no more than the first six and last four digits are shown.