What Is PAN Data?
PAN stands for Primary Account Number, the 13 to 19 digit number that identifies a payment card account. It is the most sensitive piece of cardholder data under PCI DSS. Any system that stores, processes, or transmits a PAN is in scope for PCI compliance.
Primary Account Number (PAN): Definition
The Primary Account Number (PAN) is the unique numerical identifier assigned to a payment card account by the issuing financial institution. It is typically 13 to 19 digits long and is structured to encode the card network, issuer, account number, and a check digit using the Luhn algorithm. Under PCI DSS, the PAN is the defining element of cardholder data. Its presence in any environment creates a compliance obligation.
PAN Structure
The first 6 digits are the Bank Identification Number (BIN) or Issuer Identification Number (IIN), identifying the card scheme and issuing bank. The middle digits are the account number. The final digit is a Luhn check digit for validation.
PCI DSS Scope Trigger
Any system that stores, processes, or transmits the full PAN is automatically in PCI DSS scope. This includes databases, logs, backups, and even screenshots. Scope can only be reduced by removing or tokenizing the PAN.
What Must Never Be Stored
PCI DSS prohibits storing the CVV/CVC after authorization and the full magnetic stripe data. The PAN may be stored only in a protected form, such as encrypted or tokenized. Truncated PANs (first 6 and last 4 digits) are permitted.
PAN Data Questions Answered
01 What is a PAN in payments?
PAN stands for Primary Account Number. It is the 13 to 19 digit number on a payment card that uniquely identifies the cardholder's account with the issuing bank. The PAN is required to process any payment transaction.
02 Why is PAN data considered sensitive under PCI DSS?
The PAN is the primary piece of cardholder data under PCI DSS. Its presence in any system triggers compliance obligations for that system. If a PAN is stolen, it can be used to make fraudulent card-not-present transactions. Any system that stores, processes, or transmits the PAN must comply with all 12 PCI DSS requirements.
03 What is the difference between PAN, CVV, and expiry date?
The PAN is the main card number. The CVV is the 3 or 4 digit security code on the card. The expiry date is the card's validity period. The PAN is the most critical element: its storage is the main trigger for PCI scope. CVV must never be stored after authorization.
04 How does tokenization protect PAN data?
Tokenization replaces the PAN with a random token that has no mathematical link to the original number. The real PAN is stored only inside a PCI DSS Level 1 certified vault. Every other system only ever sees the token, so a breach exposes no usable card data.
05 Can I store a truncated PAN?
Yes. PCI DSS allows storing a truncated PAN (first six and last four digits). A truncated PAN does not trigger PCI DSS scope on its own. However, you must not store the full PAN alongside any element that could reconstruct it. The safest approach is to store a token rather than even a truncated PAN.
Remove PAN Data From Your Systems Entirely
PCI Proxy replaces raw PANs with secure tokens from our EU-based PCI DSS Level 1 vault, so your cardholder data environment shrinks to near zero.