Payment card number

(Redirected from Primary account number)

A payment card number, primary account number (PAN), or simply a card number, is the card identifier found on payment cards, such as credit cards and debit cards, as well as stored-value cards, gift cards and other similar cards. In some situations the card number is referred to as a bank card number. The card number is primarily a card identifier and may not directly identify the bank account number(s) to which the card is/are linked by the issuing entity. The card number prefix identifies the issuer of the card, and the digits that follow are used by the issuing entity to identify the cardholder as a customer and which is then associated by the issuing entity with the customer's designated bank accounts. In the case of stored-value type cards, the association with a particular customer is only made if the prepaid card is reloadable. Card numbers are allocated in accordance with ISO/IEC 7812. The card number is typically embossed on the front of a payment card, and is encoded on the magnetic stripe and chip, but may also be imprinted on the back of the card.

The payment card number differs from the Business Identifier Code (BIC/ISO 9362, a normalized code—also known as Business Identifier Code, Bank International Code or SWIFT code). It also differs from Universal Payment Identification Code, another identifier for a bank account in the United States.

Structure

edit

Payment card numbers are composed of 8 to 19 digits,[1] The leading six or eight digits are the issuer identification number (IIN) sometimes referred to as the bank identification number (BIN).[2]: 33 [3] The remaining numbers, except the last digit, are the individual account identification number. The last digit is the Luhn check digit. IINs and PANs have a certain level of internal structure and share a common numbering scheme set by ISO/IEC 7812. The parts of the number are as follows:

  1. ^ IIN length has been extended to 8-digits in fifth edition of ISO/IEC 7812 published in 2017[4] and PAN will continue to remain variable length, ranging from 10 to 19 digits.

Issuer identification number (IIN)

edit
 
Partial IIN on a credit card (both printed and embossed)

The first six or eight digits of a card number (including the initial MII digit) are known as the issuer identification number (IIN). These identify the card issuing institution that issued the card to the card holder. The rest of the number is allocated by the card issuer. The card number's length is its number of digits. Many card issuers print the entire IIN and account number on their card.

In some circumstances, the issuer identification number (IIN) or bank identification number (BIN) may not be licensed directly from the issuing network (such as Mastercard or Visa). Obtaining an IIN/BIN number can be costly, time consuming and demand intensive operational burdens on in-house regulatory and compliance teams. For this reason, some new card programmes may use a 'BIN sponsor', in which case the IIN/BIN number is effectively sub-licensed from a scheme regulated entity. This is known as BIN sponsorship, and is a popular way for financial institutions to fast-track access to market.[6]

In the United States, IINs are also used in NCPDP pharmacy claims to identify processors, and are printed on all pharmacy insurance cards. IINs are the primary routing mechanism for real-time claims.

The ISO Register of Issuer Identification Numbers database is managed by the American Bankers Association. ABA is the Registration Authority for this standard and is responsible for allocating IINs to issuers.

Online merchants may use IIN lookups to help validate transactions. For example, if a card's IIN indicates a bank in one country, while the customer's billing address is in another, the transaction may call for extra scrutiny.

Issuing network IIN ranges Active Length Validation
American Express 34, 37[7] Yes 15[8] Luhn algorithm
Bankcard[9] 5610, 560221–560225 No 16
China T-Union 31 Yes 19
China UnionPay 62 Yes 16–19[10]
Diners Club enRoute Yes 15 No Validation
Diners Club International[11] 30, 36, 38, 39 Yes 14–19[10] Luhn algorithm
Diners Club United States & Canada[12] 55 Yes 16
Discover Card 6011, 644-649, 65 Yes 16–19[10]
622126–622925 (China UnionPay co-branded) Yes 16–19[10]
UkrCard 60400100–60420099 Yes 16–19
RuPay 60, 65, 81, 82, 508 Yes 16
353, 356 (RuPay-JCB co-branded) Yes 16
InterPayment 636 Yes 16–19
InstaPayment 637–639 Yes 16
JCB 3528–3589 Yes 16–19[10]
Laser 6304, 6706, 6771, 6709 No 16–19
Maestro UK 6759, 676770, 676774[13] Yes 12–19
Maestro 5018, 5020, 5038, 5893, 6304, 6759, 6761, 6762, 6763 Yes 12–19
Dankort 5019 Yes 16
4571 (Visa co-branded)[14] Yes 16
Mir 2200–2204 Yes 16–19
BORICA (Bulgarian national payment system) 2205 Yes 16
NPS Pridnestrovie 6054740–6054744 No[15] 16
Mastercard 2221–2720[16] Yes (since 2017)[17] 16
51–55[16] Yes 16
Solo 6334, 6767 No 16, 18, 19
Switch 4903, 4905, 4911, 4936, 564182, 633110, 6333, 6759 No 16, 18, 19
Troy 65 (Discover co-branded[18]) Yes 16
9792[19] Yes 16
Visa 4 Yes 13, 16, 19
Visa Electron 4026, 417500, 4508, 4844, 4913, 4917 Yes 16
UATP 1 Yes 15
Verve 506099–506198, 650002–650027, 507865–507964 Yes 16, 18, 19
LankaPay 357111 Yes 16
UzCard 8600, 5614 Yes 16 Unknown
Humo 9860 Yes 16
GPN 1946 (BNI cards) Yes 16, 18, 19 Luhn algorithm
50, 56, 58, 60–63 Yes 16, 18, 19
Napas 9704 Yes 16, 19 Unknown

On 8 November 2004, Mastercard and Diners Club formed an alliance. Diners Club cards issued in Canada and the United States start with 54 or 55 and are treated as Mastercards worldwide. International cards use the 36 prefix and are treated as Mastercards in Canada and the United States, but are treated as Diners Club cards elsewhere. Diners Club International's website makes no reference to old 38 prefix numbers, and they can be presumed reissued under the 55 or 36 IIN prefix. Effective 16 October 2009, Diners Club cards beginning with 30, 36, 38 or 39 have been processed by Discover Card.[20]

On 3 November 2014, Mastercard announced that they were introducing a new series of BIN ranges that begin with a "2" (222100–272099). The "2" series BINs will be processed the same as the "51–55" series BINs are today. They became active 14 October 2016.

On 23 July 2014 JSC NSPK was established in the Russian Federation. The joint stock company National System of Payment Cards (NSPK) is the operator of the Mir National Payment System. The main initiatives of NSPK are to create the national payment system infrastructure and to issue a national payment card, Mir.

Effective 1 October 2006, Discover began using the entire 65 prefix, not just 650. Also, similar to the Mastercard/Diners agreement, China UnionPay cards are now treated as Discover cards and accepted on the Discover network.

While the vast majority of Visa's account ranges describe 16 digit card numbers there are still a few account ranges (forty as of 11 December 2013) dedicated to 13 digit PANs and several (439 as of 11 December2013) account ranges where the issuer can mix 13 and 16 digit card numbers. Visa's VPay brand can specify PAN lengths from 13 to 19 digits and so card numbers of more than 16 digits are now being seen.

Switch was re-branded as Maestro in mid-2007.[21] In 2011, UK domestic Maestro (formerly Switch) was aligned with the standard international Maestro proposition with the retention of a few residual country specific rules.

EMV Certification requires acceptance of a 19-digit Visa card (ADVT 6.1.1 Test Case 2) and Discover Card (E2E Test Plan v1.3, Test Case 06).

Canadian bank card numbering

edit

Bank card numbers issued by Canadian banks also follow a pattern for their systems:

Issuing network Ranges Length
Canadian Imperial Bank of Commerce Advantage Debit Card 4506 (Interac and Visa Debit) 16 digits
Royal Bank of Canada Client Card 4519 16 digits
TD Canada Trust Access Card 4724 (Interac and Visa Debit) 16 digits
Scotiabank Scotia Card 4536 16 digits
BMO ABM Card 500, 5510 16 digits
HSBC Bank Canada Card 56 16 digits
Conexus Credit Union Member Card 629449 16 digits

Security measures

edit

To reduce the risk of credit card fraud, various techniques are used to prevent the dissemination of bank card numbers. These include:

  • Format-preserving encryption: in which the account number is replaced with a strongly encrypted version which retains the format of the card data including non sensitive parts of the field such as first six and last four digits. This permits data field protection without changing payment IT systems and applications. A common use is for protecting card data from the point of capture in a secure reader to the payment processing host end-to-end to mitigate risk of data compromise in systems such as the Point of Sale (POS). AES-FF1 Format-Preserving Encryption is defined in NIST Specification SP800-38G.
  • PAN truncation: in which only some of the digits on a card are displayed or printed on receipts. The PCI DSS standard dictates that only the first six and last four digits of the PAN may be printed on a receipt or displayed in cases other than where a business need requires the full PAN. US federal law (FACTA) allows only the display of the last 5 digits. In order to comply with both PCI DSS requirements and US federal law, generally only the last four digits are provided elsewhere to allow an individual to identify the card used.
  • Tokenization: in which an artificial account number (token) is printed, stored or transmitted in place of the true account number.

References

edit
  1. ^ "Announcing Major Changes to the Issuer Identification Number (IIN) Standard". www.ansi.org.
  2. ^ R. Shirey (August 2007). Internet Security Glossary, Version 2. Network Working Group. doi:10.17487/RFC4949. RFC 4949. Informational.
  3. ^ "ISO/IEC 7812-1:2017 Identification cards – Identification of issuers – Part 1: Numbering system". ISO.org. January 2017. Retrieved 12 June 2017.
  4. ^ "ISO/IEC 7812-1:2017".
  5. ^ "ISO/IEC 7812-1:2006". ISO.
  6. ^ "What is issuing BIN sponsorship?". Monavate.com. 29 March 2021. Retrieved 2 July 2021.
  7. ^ "Card Security Features" (PDF). American Express. January 2001. Archived from the original (PDF) on 5 March 2006. Retrieved 5 April 2006.
  8. ^ "American Express Card security features" (PDF). Archived from the original (PDF) on 4 May 2021. Retrieved 25 October 2021.
  9. ^ "Bankcard Association of Australia". Archived from the original on 6 April 2006. Retrieved 3 February 2017.
  10. ^ a b c d e "February 2017 Compliance Update" (PDF). Archived from the original (PDF) on 22 August 2017. Retrieved 22 August 2017.
  11. ^ "Mastercard Diners Club Alliance". Archived from the original on 4 December 2008. Retrieved 11 August 2022.{{cite web}}: CS1 maint: unfit URL (link)
  12. ^ "Diners Club - Fraud Management". Archived from the original on 29 December 2007. Retrieved 11 August 2022.{{cite web}}: CS1 maint: unfit URL (link)
  13. ^ "Barclaycard BIN Ranges and Rules - UK" (PDF). Archived from the original on 17 February 2019. Retrieved 11 August 2022.{{cite web}}: CS1 maint: unfit URL (link)
  14. ^ "Nets Technical Reference Guide" (PDF). 1-14.3.2 Building the MSC Selection Table.
  15. ^ "Об отмене Указа Президента Приднестровской Молдавской Республики от 22 мая 2015 года № 202 «Об общих условиях организации и функционирования в Приднестровской Молдавской Республике Национальной платежной системы»" [On the cancellation of the Decree of the President of the Pridnestrovian Moldavian Republic dated 22 May 2015 No. 202 "On the general conditions for the organization and functioning of the National Payment System in the Pridnestrovian Moldavian Republic"].
  16. ^ a b "Mastercard Rules" (PDF). Mastercard. 21 December 2017. Archived from the original (PDF) on 14 May 2018.
  17. ^ "Mastercard 2-Series BIN Implementation for Merchants" (PDF). www.mastercard.us.
  18. ^ "Turkey's Troy moves overseas with Discover deal". No. 9 November 2017. 9 November 2017. Retrieved 19 February 2022.
  19. ^ Elçiboğa, Ibrahim Kudret. "TROY Bin Listesi". Fraud and Chargeback (in Turkish). Retrieved 31 August 2020.
  20. ^ "Diners Club International Ranges Available for Development Purposes Only" (PDF). October 2008. Archived from the original on 6 October 2011. Retrieved 27 August 2023.{{cite web}}: CS1 maint: unfit URL (link)
  21. ^ "Switch to Maestro". Archived from the original on 8 August 2010. Retrieved 20 August 2010.