What is a Primary Account Number (PAN)?

The Primary Account Number (PAN) is the unique number embossed or printed on a payment card (credit or debit card) that identifies the card issuer and the cardholder's account. The PAN is the defining data element in PCI DSS — if your systems store, process, or transmit PAN data, PCI DSS requirements apply.

Structure of a PAN

A PAN typically consists of 13 to 19 digits:

  • Issuer Identification Number (IIN), also called the Bank Identification Number (BIN) — the first 6-8 digits identify the card issuer and payment network (e.g., Visa cards start with 4, Mastercard with 51-55 or 2221-2720)
  • Account number — the middle digits identify the individual cardholder account
  • Check digit — the last digit is computed from the other digits with the Luhn algorithm. It catches keying errors (every single-digit error and most adjacent transpositions), but it is a checksum, not a security control: any digit string can be made Luhn-valid by appending the right check digit, so a Luhn match alone does not prove a number is a PAN

PAN and PCI DSS scope

The presence of PAN is the primary factor that brings systems into PCI DSS scope. PCI DSS defines cardholder data as:

  • PAN — always triggers PCI DSS scope
  • Cardholder name — protected when stored with PAN
  • Expiration date — protected when stored with PAN
  • Service code — protected when stored with PAN

If PAN is not stored, processed, or transmitted, the other data elements alone do not trigger PCI DSS requirements. This is why many organizations focus on eliminating PAN from their environment wherever possible.

Protecting PAN

PCI DSS specifies several requirements for protecting PAN:

Rendering PAN unreadable when stored — PAN must be rendered unreadable anywhere it is stored using one of these methods:

  • One-way hashing with strong cryptography of the entire PAN. PCI DSS v4.0 (Requirement 3.5.1.1) requires these to be keyed cryptographic hashes with associated key management: because the IIN and the Luhn check digit are predictable, an unkeyed hash of a PAN can be brute-forced from a small candidate space
  • Truncation (retaining no more than the first 6 and last 4 digits)
  • Index tokens and pads (tokenization)
  • Strong cryptography with associated key management

If hashed and truncated versions of the same PAN are present in the same environment, PCI DSS requires additional controls so that the two cannot be correlated to reconstruct the original PAN.

Masking PAN when displayed — PAN must be masked when displayed, showing no more than the first 6 and last 4 digits (the BIN and last four). Only personnel with a documented, legitimate business need should see more than the masked PAN. Masking governs what appears on screens, receipts and reports; it is not a storage method and does not replace rendering the stored PAN unreadable.

Encrypting PAN in transit — PAN must be encrypted when transmitted across open, public networks using strong cryptography (in practice, a current TLS version with strong cipher suites), and PAN sent via end-user messaging technologies such as email or chat must likewise be protected with strong cryptography.
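
The following Python script is an added example (not episki's code) that shows these rules in practice and why the hashing caveat matters: it masks a PAN to the first 6 and last 4 digits, then demonstrates that an unkeyed SHA-256 of a 16-digit PAN can be recovered from its truncated form by enumerating the roughly 10^5 Luhn-valid candidates, whereas an HMAC under a secret key cannot be checked without that key. The PAN 4111111111111111 is a well-known test number and the HMAC key is a constructed placeholder; both are assumptions for the demo.

```python
"""Masking, truncation and hashing of a PAN, and why an unkeyed hash is not enough.

Added example, not episki's code. 4111111111111111 is a standard test number,
not a real account; the HMAC key below is a constructed placeholder.
"""
import hashlib
import hmac
import itertools


def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, double every second digit and fold >9 to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """PCI DSS display masking / truncation: at most first 6 and last 4 visible."""
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: brute-forceable once a truncated copy is known."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256): candidate PANs cannot be tested without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(first6: str, last4: str, target: str, hasher=unkeyed_hash, length: int = 16):
    """Given a truncated PAN and a hash, enumerate every Luhn-valid PAN with those
    visible digits and return the one whose hash matches, or None.

    For a 16-digit PAN only 6 digits are hidden and the Luhn check fixes one of
    them, so there are just 10**5 candidates to hash."""
    free = length - len(first6) - len(last4) - 1       # hidden digits chosen freely
    solved_index = len(first6) + free                   # left-based index of the Luhn-solved digit
    doubled = (length - 1 - solved_index) % 2 == 1      # does Luhn double that position?
    for combo in itertools.product("0123456789", repeat=free):
        partial = first6 + "".join(combo)
        base = luhn_sum(partial + "0" + last4)          # sum with the solved digit set to 0
        candidate = None
        for d in range(10):
            contrib = (d * 2 - 9 if d * 2 > 9 else d * 2) if doubled else d
            if (base + contrib) % 10 == 0:              # exactly one digit satisfies this
                candidate = partial + str(d) + last4
                break
        if hasher(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"
    print(mask_pan(pan))                                                   # 411111******1111
    print(recover_pan("411111", "1111", unkeyed_hash(pan)))                # 4111111111111111
    print(recover_pan("411111", "1111", keyed_hash(pan, b"constructed-demo-key")))  # None
```

The attacker in the second call still only has the unkeyed hasher, so none of the 10^5 candidate hashes match the HMAC output; that is the property PCI DSS v4.0's keyed-hash requirement relies on, and the key must be managed like any other cryptographic key.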

PAN vs sensitive authentication data

PCI DSS distinguishes between cardholder data (which includes PAN) and sensitive authentication data:

  • Full track data — magnetic stripe or chip data
  • CAV2/CVC2/CVV2/CID — the card verification code
  • PIN/PIN block — personal identification number

Sensitive authentication data must never be stored after authorization, even if encrypted (the only exception is issuers and issuer processors with a documented, legitimate business need, who must still protect it). This is stricter than the PAN storage rules, which permit storage if the PAN is rendered unreadable. Data discovery scans should therefore look for track data and card verification codes as well as PAN.

Minimizing PAN exposure

Organizations should minimize PAN exposure through:

  • Tokenization — replace PAN with non-sensitive tokens for downstream processing
  • Point-to-point encryption — encrypt PAN from the point of capture to the payment processor
  • Data minimization — avoid storing PAN when not necessary for business purposes
  • Scope reduction — isolate systems that must handle PAN from the rest of the network

Data discovery

Organizations should regularly scan their environments for unintended PAN storage. PAN can end up in unexpected locations such as:

  • Log files
  • Email systems
  • Backup tapes
  • Test and development environments
  • Spreadsheets and reports
  • Helpdesk ticket systems

Data discovery tools recognize PAN by pattern: a run of 13 to 19 digits, possibly separated by spaces or dashes, that passes the Luhn check and starts with a known IIN range. The Luhn check alone is not enough, since many non-card numbers happen to be Luhn-valid, so the IIN match and surrounding context (field names such as "card" or "pan") are what keep the false-positive rate manageable. Format-preserving tokens that keep a Luhn-valid shape will be flagged too, so the tool needs to know which ranges belong to the tokenization service.
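
As an added example (not episki's scanner), the Python script below implements that pattern over a few constructed log lines: a regex pulls 13-19 digit runs (allowing spaces or dashes), the Luhn check drops most noise, and an issuer-prefix table decides whether to report a hit. The table is limited to the ranges named in the Structure of a PAN section above (Visa 4, Mastercard 51-55 and 2221-2720); a real scanner needs the full published IIN tables. It also includes the Luhn check-digit computation from that section. The log lines, the PANs (well-known test numbers) and the issuer table are all constructed for the demo.

```python
"""PAN discovery over log text: regex candidates, Luhn filter, issuer-prefix filter, masked report.

Added example, not episki's product code. The log lines and the issuer table
are constructed for the demo; the table only covers the prefixes named on this
page and real scanners need the full published IIN ranges.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not adjacent to other digits
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample log. Lines 2 and 3 carry test PANs; line 4 has a 13-digit
# reference that fails Luhn; line 5 carries a Luhn-valid parcel number that is
# NOT a PAN (false-positive check for the issuer filter).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z INFO  checkout order=ORD-20240301 amount=49.90
2024-03-01T10:00:02Z DEBUG gateway request card=4111111111111111 exp=12/26
2024-03-01T10:00:03Z DEBUG gateway retry card="5500 0000 0000 0004" exp=01/27
2024-03-01T10:00:04Z INFO  support ticket phone=+1 415 555 0100 ref=1234567890123
2024-03-01T10:00:05Z INFO  shipping parcel=1234567812345670 carrier=demo
"""


def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, double every second digit and fold >9 to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid (the last position is never doubled)."""
    return str((10 - luhn_sum(partial + "0") % 10) % 10)


def issuer_for(pan: str):
    """Issuer by IIN prefix, limited to the ranges named on this page (constructed table)."""
    if pan.startswith("4"):
        return "Visa"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    return None


def mask_pan(pan: str) -> str:
    """Report hits masked to first 6 / last 4 so the scan output is not itself a PAN store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_pans(text: str, require_known_issuer: bool = True):
    """Return [{line, issuer, masked}] for every Luhn-valid 13-19 digit run in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", match.group())   # normalise "5500 0000 ..." to digits
            if not luhn_valid(pan):
                continue                               # Luhn drops most non-card digit runs
            issuer = issuer_for(pan)
            if issuer is None and require_known_issuer:
                continue                               # Luhn-valid but no known IIN: likely noise
            findings.append({"line": lineno, "issuer": issuer or "unknown", "masked": mask_pan(pan)})
    return findings


if __name__ == "__main__":
    print(luhn_check_digit("411111111111111"))          # 1
    for hit in scan_for_pans(SAMPLE_LOG):
        print(hit)                                       # lines 2 and 3 only
    print(len(scan_for_pans(SAMPLE_LOG, require_known_issuer=False)))  # 3, the parcel number too
```

Run with `require_known_issuer=False` to see how much the IIN filter removes: the parcel number on line 5 passes Luhn and would be reported by a Luhn-only scanner. In production, replace the three-entry table with the card brands' published ranges and add the context check described above.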

How episki helps

episki tracks where PAN exists in your environment, documents protection measures, and monitors compliance with PAN handling requirements. The platform helps you maintain a current inventory of PAN storage locations and flags any gaps in protection. Learn more on our PCI DSS compliance page.

See how episki handles this

Start a free trial and explore controls, evidence, and automation firsthand.