Few aspects of financial life have changed more than the way we conduct payment transactions. Businesses, particularly those that handle card payments, stand at the forefront of this transformation and must deal with the data at the heart of payment processing, including primary account numbers (PANs).
For businesses, using PANs securely and efficiently is not a trivial task – it's a core aspect of their operations, one that can have direct implications on a business's reputation and customer trust. To maintain robust and compliant payment systems, businesses must understand the regulatory environment, security measures and practical considerations surrounding PANs. This knowledge might seem too granular to be meaningful for businesses, but as payment systems and fraud-prevention efforts become more complex and expansive, understanding payment fundamentals will become a baseline requirement for any business that conducts card transactions.
Below, we'll look at how PANs function, the important differences between PANs and other account numbers, the standards that govern PANs, and the best practices that businesses can implement to safeguard and improve their use.
What's in this article?
- What is a primary account number (PAN)?
- How primary account numbers work
- Primary account numbers vs account numbers
What is a primary account number (PAN)?
A primary account number (PAN) is the technical term for a payment card number – the series of (usually 12 to 19) digits that is embossed or encoded on a credit, debit or prepaid card, which identifies the issuer and the specific account. Assigned by a financial institution to a cardholder account, the PAN is a key piece of data that facilitates communication between the entities involved in processing a payment. Keeping the PAN secure is important, as misuse or unauthorised access can lead to fraudulent transactions or identity theft.
How primary account numbers work
Understanding the role of the primary account number is important for anyone in the payment processing industry. This unique identifier lives at the core of payment transactions, linking cardholders to their account information stored in the issuer's database.
These steps show the PAN's role in a card payment transaction:
1. Transaction initiation
When a cardholder initiates a transaction, the payment terminal reads the PAN from the card via the magnetic stripe, the EMV chip or, for contactless payments, near-field communication (NFC).
2. Tokenisation
Tokenisation bolsters transaction security, particularly in digital or card-not-present (CNP) environments. This process replaces the PAN with a unique token for each transaction, thereby protecting the real account details in the event that transaction data is compromised.
3. Data transmission
The transaction information, including the PAN, transaction amount and business information, is encrypted and sent to the business's bank, also called the acquiring bank or acquirer.
4. Forwarding information
The acquiring bank then sends this information through a card network to the cardholder's bank, known as the issuing bank or issuer.
5. Validation checks
The issuing bank uses the PAN to look up the cardholder's account and checks the account balance, card validity and any potential indicators of fraud before approving the transaction.
6. Transaction approval
Once the issuing bank has approved the transaction, the response travels through the card network to the acquiring bank and ultimately to the business's terminal, usually within seconds.
The PAN plays a fundamental role in payment processing and businesses must take PAN-related security seriously. Security standards, such as the Payment Card Industry Data Security Standard (PCI DSS), help to protect PANs during storage, processing and transmission. These measures include:
Encryption
This process converts the PAN data into a coded form, making it unreadable to anyone without the decryption key. The PAN is encrypted during transmission, from the point of transaction (e.g. a payment terminal) to the appropriate financial institutions. Encryption ensures that even if fraudulent actors intercept the transaction data, they cannot understand or use it.
Truncation
Truncation refers to removing a portion of the PAN when displaying it. For instance, on a receipt or a payment confirmation screen, you might only see the last four digits of the PAN, with the rest replaced by the letter "X" or asterisks. Truncation helps to protect the PAN by ensuring that the full number isn't displayed in places where fraudulent actors could see and copy it.
Masking
Similar to truncation, masking involves hiding part of the PAN, typically while a cardholder is entering the number or when it is displayed on a screen. For instance, when you enter your card number on a website, it's common to see each digit replaced by an asterisk as soon as you type it. This ensures that neither someone looking over your shoulder nor malicious screen capture software can read the full PAN.
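The truncation rule described above can also be applied to application logs, where full card numbers often end up by accident. The following is an added example, not code from the original article: it finds 12- to 19-digit sequences, confirms them with the Luhn checksum (an assumption of this example; the article does not mention it) and keeps only the last four digits. The function names and the log lines are constructed for illustration, and the card numbers are publicly documented test numbers.

```python
import re

# Candidate PANs: 12 to 19 digits, optionally split by single spaces or hyphens.
_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){11,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_last: int = 4, fill: str = "X") -> str:
    """Replace all but the last `keep_last` digits of a PAN with `fill`."""
    digits = re.sub(r"\D", "", pan)
    return fill * (len(digits) - keep_last) + digits[-keep_last:]


def redact_pans(text: str) -> str:
    """Truncate every Luhn-valid PAN found in `text`; leave other numbers alone."""
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else match.group(0)
    return _CANDIDATE.sub(_sub, text)


# Constructed sample log lines (test card numbers, not real accounts).
SAMPLE_LINES = [
    "charge ok card=4242 4242 4242 4242 amount=1999",
    "refund requested pan=4111-1111-1111-1111",
    "order_ref=1234567890123456 shipped",  # 16 digits, fails Luhn: not a PAN
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(redact_pans(line))
```

The Luhn check keeps 16-digit order references and similar identifiers intact, but an unrelated number can pass it by chance, so an occasional over-redaction is expected.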
These measures help to build trust with customers because they demonstrate that the business is serious about the security of their payment information. Businesses that process card payments are required to comply with these standards and failure to do so can result in penalties.
Primary account numbers vs account numbers
Primary account numbers and account numbers both serve as unique identifiers for financial accounts, but they have different uses and applications, especially in the context of payment processing. Here's a rundown of the key distinctions between them:
Primary account number
A PAN is a 12- to 19-digit number that appears on a credit, debit or prepaid card. It is an identifier issued by the card-issuing bank or financial institution. The PAN identifies the cardholder's account and also contains information about the card issuer and the card type.
The PAN is used in card-based transactions, both at point-of-sale (POS) terminals and for online payments. Because of the sensitive nature of the PAN, which enables communication between the entities involved in processing a payment, businesses must handle this key piece of data with a high level of security. Standards such as the PCI DSS provide rules on how businesses should protect PANs during storage, processing and transmission.
Account number
An account number is a unique identifier for an account held at a bank or other financial institution. Unlike the PAN, the account number doesn't contain information about the card issuer or card type. Instead, it's linked directly to an individual's or a business's account and is used primarily for direct transactions with the bank, such as deposits, withdrawals or transfers.
Typically, account numbers are used for direct debits, bank transfers and other forms of direct bank payment. You can find account numbers on bank statements or obtain them through your bank's online portal or customer service channels. Although it's also important to handle account numbers securely, they aren't subject to the same stringent PCI DSS standards as PANs because they are not used in card transactions.
Though PANs and account numbers both serve as unique identifiers, their applications differ. Businesses that handle card payments need to be aware of the regulatory requirements surrounding PANs and protect this data. Though account numbers are more common in direct banking transactions, businesses involved in this kind of activity should also ensure that they handle these numbers securely.
The granular details of card payments, such as PANs, might seem like minor concerns that shouldn't matter much to businesses. But as technology changes the ways in which card payments are processed, understanding the detailed components of card transactions can give businesses an edge in adopting and improving their use of payment technology.
The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.