    Credit Card Numbers: What Every Digit Means

    Read this, and you’ll never tap, swipe, or type your credit card information again without knowing what any of it means.

    That 16-digit string isn’t random; each section is doing a job.

    A credit card number encodes the card network, issuing bank, and account identifier. Together, these digits, along with the expiration date, security code, and chip, make up the data that routes, validates, and verifies a credit card transaction.

    Each component of a credit card serves an important function for different stakeholders in the lifecycle of a card transaction. Understanding this credit card information, its purpose, and the Payment Card Industry Data Security Standard (PCI DSS) requirements that apply to it can help organizations of all sizes refine their payment stack, strategy, and compliance posture.

    PCI DSS was created to abstract the differences between card brands, such as format, placement, and terminology, and to standardize a security framework. Despite this, many inconsistencies remain that can be frustrating. For example, American Express places its 4-digit security code on the front of the card, while Visa's 3-digit security code is on the back.

    What’s important to know is the security code, and the role each credit card number plays in the payment lifecycle.

    What Each Credit Card Number Means 

    Credit Card Information

    “Account data” is the credit card information presented or embedded in a physical card. Together, this data provides the necessary information to route and verify payment information with various parties throughout the transaction lifecycle.

    For the purposes of PCI compliance, it’s important to know that account data breaks down into two subsets that we’ll explain in the following sections:

    1. Cardholder Data (CHD)
    2. Sensitive Authentication Data (SAD)

    Cardholder Data (CHD)

    Cardholder data (CHD) consists of the full Primary Account Number, or the 16-digit card number (15 digits for American Express), Expiration Date, Cardholder Name, and Service Code. With the proper controls in place, this card information can be stored on file. When combined with the necessary authorization request, doing so allows merchants to reinitiate transactions.

    Primary Account Number (PAN)

    You can think of a Primary Account Number (PAN) as a mailing address. Each digit in the 15-to-16-digit string helps processors, networks, and issuing banks find your account among the hundreds of millions of cardholders.

    The PAN comprises three main parts, one of which has a sub-part. Here’s a good outline demonstrating the hierarchy:

    • Primary Account Number
      • Bank Identification Number
        • Major Industry Identifier (MII)
      • Account Identifier
      • Validator Digit

    Bank Identification Number (BIN)

    The Bank Identification Number (BIN), or Issuer Identification Number (IIN), is the first six to eight digits in the PAN. It routes payment instructions to the correct network and its member bank or credit union.

    Major Industry Identifier (MII)

    The Major Industry Identifier (MII) is the first digit of the BIN and PAN. It indicates to processors which card brand (e.g., Visa, Mastercard, American Express, or Discover) to send the payment for further processing.

    While there are 10 MII values, as listed below, you likely only need to know four.

    • 0: ISO/TC 68 and other industry assignments
    • 1: Airlines
    • 2: Airlines and other industry assignments
    • 3: Travel and entertainment (American Express)
    • 4: Banking and financial (Visa)
    • 5: Banking and financial (Mastercard)
    • 6: Merchandising and banking, financial or national assignments (Discover)
    • 7: Petroleum
    • 8: Healthcare, telecommunications, and other industry assignments
    • 9: National assignment

    The card networks use the remaining BIN digits to determine which financial institutions to route the transaction for further processing.

    Account Identifiers

    An Account Identifier is a unique account number used by an issuing bank to identify a cardholder’s account. Going back to our mail service analogy, you can think of your Account Identifier as your home’s unit number and street. It ultimately tells the bank which ledger account it should debit or credit.

    What’s the validator digit?

    A Validator Digit, also known as a check digit, is a popular method for validating the accuracy of a long string of preceding numbers.

    In the context of payment card processing, the Validator Digit is used to ensure the accuracy of the PAN. For example, if a customer mistakenly enters a ‘2’ instead of a ‘3’ at checkout, the validator digit would be incorrect, indicating that the number is invalid. This is a great way to catch small inconsistencies up front before they reach the networks (and reduce the strain on the systems that support them).
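    The PAN breakdown and check-digit test described above, as an added example that is not code from the original page. The page does not name the algorithm; payment card check digits use the Luhn (mod 10) formula. The function names are illustrative, and the numbers used are publicly documented test PANs, not real accounts.

```python
import re

# Categories for the first digit, copied from the MII list above (subset).
MII = {"3": "Travel and entertainment", "4": "Banking and financial",
       "5": "Banking and financial", "6": "Merchandising and banking"}

def luhn_sum(digits: str) -> int:
    """Sum the digits right to left, doubling every second one (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def luhn_valid(pan: str) -> bool:
    return luhn_sum(pan) % 10 == 0

def expected_check_digit(body: str) -> str:
    """Validator digit that makes body + digit pass the Luhn test."""
    return str((10 - luhn_sum(body + "0") % 10) % 10)

def parse_pan(raw: str, bin_len: int = 6) -> dict:
    """Split a PAN into MII, BIN, account identifier and validator digit.
    bin_len is an assumption supplied by the caller (6 or 8 digits)."""
    pan = re.sub(r"[ -]", "", raw)  # accept the number as typed, with spaces or dashes
    if not pan.isdigit() or not 15 <= len(pan) <= 16:
        raise ValueError("PAN must be 15 or 16 digits")
    return {
        "mii": pan[0],
        "category": MII.get(pan[0], "other"),
        "bin": pan[:bin_len],
        "account_identifier": pan[bin_len:-1],
        "check_digit": pan[-1],
        "luhn_ok": luhn_valid(pan),
    }

if __name__ == "__main__":
    print(parse_pan("4111 1111 1111 1111"))   # 16-digit test PAN
    print(parse_pan("3782 822463 10005"))     # 15-digit test PAN
    # One mistyped digit ('2' entered instead of '3') fails the check:
    print(luhn_valid("378282246210005"))
```

    A passing check only means the digits are internally consistent; it says nothing about whether the account exists or is in good standing.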

    What is a Service Code?

    PCI DSS defines the Service Code as a:

    “Three-digit or four-digit value in the magnetic stripe that follows the expiration date of the payment card on the track data. It is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.”

    For example, a service code tells a merchant and processor whether to process the card as a debit or credit card.

    Sensitive Authentication Data (SAD)

    The Sensitive Authentication Data (SAD) contains information used to verify transactions and prevent abuse. Unlike CHD, SAD cannot be stored and must be immediately deleted after authorization (unless you’re an issuer).

    As it pertains to the information on your card, SAD consists of the security code (or Card Verification Code or Value), EMV chip, and a subset of information found in the magnetic stripe. Let’s dig in briefly on each.

    3-Digit or 4-Digit Security Codes

    A Card Verification Code (CVC) or Value (CVV) is the 3-digit code printed on the back of a payment card or the 4-digit code printed on the front (i.e., American Express). As noted, this security code cannot be stored on the magnetic stripe or EMV chip of the card, but why?

    While it doesn’t seem like much, requiring the CVC or CVV for card-not-present transactions helps verify that your card is in your possession. Were your card ever compromised with your CVV, attackers would have free rein to use your card anywhere.

    What does EMV stand for, and what data is on the EMV chip?

    EMV stands for Europay, Mastercard, and Visa—the original developers of the technology. The technology has since been adopted by other payment card networks and is now a global standard for payment card security.

    The EMV chip is a small, microprocessor-based integrated circuit that is embedded into a payment card. This differs from the traditional magnetic stripe, which stores cardholder data and some verification logic as static data. Whereas the information embedded in the magnetic stripe will never change during its lifetime, the EMV chip generates a unique code for each transaction. This makes it much more difficult for fraudsters to capture and use cardholder data in a fraudulent transaction.

    The magnetic stripe has been around for ages and contains both CHD and SAD (for card-present purchases). Per our previous comment, the SAD found inside the mag stripe cannot be stored by merchants.
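    How the stripe mixes CHD and SAD, shown on a Track 2 record, as an added example that is not code from the original page. It assumes the ISO/IEC 7813 Track 2 layout (PAN, separator, expiration, service code, discretionary data) and a first-six/last-four PAN truncation; the function names and the sample record are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# First service-code digit: interchange scope and whether the card has a chip.
INTERCHANGE = {
    "1": "international",
    "2": "international, chip card",
    "5": "national only",
    "6": "national only, chip card",
}

def split_track2(track2: str) -> tuple[dict, dict]:
    """Return (chd, sad): fields that may be stored vs. fields that must not be."""
    record = track2.strip()
    m = TRACK2.match(record)
    if m is None:
        raise ValueError("not a Track 2 record")
    yy, mm = m["exp"][:2], m["exp"][2:]
    chd = {
        "pan": m["pan"],
        "expiration": f"{mm}/{yy}",
        "service_code": m["svc"],
        "interchange": INTERCHANGE.get(m["svc"][0], "other"),
    }
    # The discretionary data carries the stripe's verification values,
    # and the full track itself also counts as SAD.
    sad = {"discretionary_data": m["disc"], "full_track": record}
    return chd, sad

def record_for_storage(track2: str) -> dict:
    """Keep CHD only and truncate the PAN (first 6 / last 4 is an assumption)."""
    chd, _sad = split_track2(track2)  # SAD is discarded, never persisted
    pan = chd["pan"]
    chd["pan"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return chd

# Constructed Track 2 record built on a public test PAN; discretionary digits are made up.
SAMPLE = ";4111111111111111=30122010000012345678?"

if __name__ == "__main__":
    print(record_for_storage(SAMPLE))
```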

    Common Questions About Credit Card Numbers 

    What do the numbers on a credit card mean?

    A credit card number is a structured 15-to-16-digit string with every section doing a specific job. The first digit identifies the card network, and the next five to seven digits identify the issuing bank. The middle digits are your unique account identifier, and the final digit is a validator used to catch entry errors. Together, these numbers give processors everything they need to find the right account and route a transaction to the right place.

    What is the difference between a credit card number and an account number?

    The credit card number (the full PAN, or Primary Account Number) is the complete 15-to-16-digit string on the front of your card. The account identifier is the middle segment assigned by your issuing bank to uniquely identify your account. Think of the full PAN as a mailing address: the BIN is the zip code and city, the account identifier is the street address, and the validator digit is the error-check at the end.

    What's the difference between a CVC and CVV?

    Card Verification Code (CVC) and Card Verification Value (CVV) are different terms used by Visa and Mastercard to refer to the same 3-digit or 4-digit security code on a plastic card. Both are considered sensitive authentication data and cannot be stored by merchants. This security code adds another layer of protection for card-not-present transactions, ensuring those without your physical card can’t easily use it for other online purchases.

    Can someone use my credit card number without the CVV?

    For card-not-present transactions (online purchases, phone orders), most merchants require both the PAN and the CVV to process a payment. Without the CVV, completing a transaction is significantly harder. That said, some merchants don't require CVV verification. The PAN alone can sometimes be sufficient, which is why protecting the full card number matters even when the CVV isn't involved.

    What’s the difference between a service code and a security code?

    A service code is a set of three digits embedded into the magnetic stripe that provides information about the card and how it can be used. A security code (aka CVC or CVV), on the other hand, is a unique string used to verify the authenticity of a transaction. This code is typically located on the back of a payment card and is not embossed on the card itself, making it a bit more difficult for attackers to obtain.

    What do the first 4 digits of a credit card mean?

    The first four digits are part of the Bank Identification Number (BIN), also called the Issuer Identification Number (IIN). The first digit, the Major Industry Identifier (MII), tells the network which card brand to route the payment to. For example, cards starting with 4 are Visa, and cards starting with 5 are Mastercard. The remaining digits of the BIN (typically six to eight digits total) identify the specific issuing bank or financial institution.

    What is a BIN number on a credit card?

    The Bank Identification Number (BIN), sometimes called the Issuer Identification Number (IIN), is the first six to eight digits of a credit card number. It tells payment processors which network and issuing bank to contact when routing a transaction. For merchants and payment platforms, BIN data is also a useful source of intelligence: it can reveal the card type (credit vs. debit), the issuing country, and even the card product tier (standard, premium, corporate, etc.).

    Why do American Express cards have 15 digits instead of 16?

    American Express uses a 15-digit format rather than the 16-digit format used by Visa and Mastercard. This is a network-level convention that goes back to the early days of card issuance. Amex also structures its BIN and account identifier fields differently, which is why Amex card numbers don't follow the same pattern as Visa or Mastercard. The 15-digit format is one of several Amex-specific quirks. The 4-digit security code on the front of the card (versus 3 digits on the back for most other networks) is another.

    What information is stored on the magnetic stripe vs the EMV chip?

    The magnetic stripe stores static data like the cardholder's name, PAN, expiration date, service code, and some verification data. Because this data never changes, it's vulnerable to skimming.

    The EMV chip generates a unique cryptographic code for each transaction. This makes captured chip data useless for subsequent fraudulent transactions. The chip has become the global standard for in-person payment security precisely because it eliminates the replayability problem that plagued magnetic stripes.

    What credit card data can merchants store, and what's off-limits?

    Under PCI DSS, this comes down to the distinction between Cardholder Data (CHD) and Sensitive Authentication Data (SAD). Merchants can store CHD like the PAN (in truncated or tokenized form), cardholder name, expiration date, and service code with the right security controls in place. What they cannot store under any circumstances is SAD: the CVV/CVC, the full magnetic stripe data, and EMV chip data. SAD must be purged immediately after authorization.

    What to Do With This Information 

    Understanding what's on a credit card is straightforward. What's harder is deciding how your organization handles that data once it enters your systems.

    Every field covered in this post, from the PAN and expiration date to the CVV and magnetic stripe, carries compliance obligations the moment it touches your infrastructure. Storing any of it puts you in scope for PCI DSS. Storing the wrong parts (SAD, specifically) isn't just a compliance risk; it's prohibited outright.

    Most companies face one of two paths: build and maintain their own cardholder data environment, which means ongoing audit burden, security infrastructure, and operational overhead, or find a way to handle payment data without owning it directly.

    Tokenization is how the second path works. Instead of storing raw card data, you store a token — a surrogate value that's useless to anyone who intercepts it, but can still be used to route transactions, update card credentials, or switch processors without re-collecting payment details from your customers.

    See how to implement tokenization and reduce PCI scope.
