Do more with PAN: Push provisioning & account updater
The single most powerful piece of data a merchant can earn access to is their customer’s personal account number, or PAN. This vital information represents the key to smoothing purchase processes, automatically debiting accounts for subscriptions, and delivering a customer experience that encourages consumer trust and enthusiasm. Due to the high value placed upon PAN, merchants are required to treat its security extremely seriously, with a host of PCI-DSS requirements dedicated to protecting against hacks and data breaches.
What is the personal account number?
The PAN is printed on the front (or, increasingly, the back) of a credit or debit card. While it may seem like a random string of numbers, it comprises a set of distinct groupings:
- The Major Industry Identifier (MII) is the first digit of the PAN. 3 stands for American Express, 4 for Visa, 5 for Mastercard, and 6 for Discover. While there are a few others, they are rarely used or seen in the wild.
- The Bank Identification Number (BIN) is the first 6 to 8 digits (including the MII) and identifies the financial institution that issued and manages the account.
- The Account Identifier is the remaining digits other than the final one, and represents the customer account that the card accesses.
- The Validator Digit is the final number, and as its name suggests, it is used to ensure that a full PAN string is accurate. This is a way for payment gateways and providers to ensure that consumers haven’t mistyped a digit somewhere along the way.
Unlike a simple account number (such as the one found on the bottom of a check, for those who still use such things), the PAN delivers a powerful punch because it includes so much information about the consumer, the issuing bank, and the associated card network.
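The groupings above can be checked in code. The following is an added example, not code from the original article: it splits a PAN into MII, BIN, Account Identifier and Validator Digit and verifies the final digit with the Luhn algorithm, the check-digit scheme used for card numbers. The function names, the masking format and the sample number (a widely published test number) are assumptions of this example.

```python
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Verify the final (validator) digit with the Luhn algorithm."""
    if not (pan.isascii() and pan.isdigit()):
        return False
    total = 0
    # Walk right to left and double every second digit, starting with the
    # digit immediately left of the validator digit.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class PanParts:
    mii: str                 # first digit
    bin_number: str          # first 6 or 8 digits, MII included
    account_identifier: str  # everything between the BIN and the last digit
    validator_digit: str     # final digit

    def masked(self) -> str:
        """BIN plus last four digits, the rest hidden (for logs and receipts)."""
        hidden = len(self.account_identifier) - 3
        return (self.bin_number + "*" * hidden
                + self.account_identifier[-3:] + self.validator_digit)


def parse_pan(raw: str, bin_length: int = 6) -> PanParts:
    """Split a PAN into its groupings; reject mistyped or malformed input."""
    pan = raw.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit()) or not 12 <= len(pan) <= 19:
        raise ValueError("PAN must be 12 to 19 digits")
    if bin_length not in (6, 8):
        raise ValueError("BIN length must be 6 or 8")
    if not luhn_valid(pan):
        raise ValueError("validator digit does not match")
    return PanParts(pan[0], pan[:bin_length], pan[bin_length:-1], pan[-1])
```

A Luhn pass only shows that the digits are internally consistent; it says nothing about whether the account exists or is in good standing.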
What role does the PAN play in payments?
When accepting a card payment, whether in-person or at an e-commerce business, one of the key elements of initiating a transaction is the PAN. That’s because the transaction process relies upon it:
- PAN Collected: This may involve the consumer typing the numbers from their card into a purchase page, swiping their card in a machine, or simply tapping their phone against a payment terminal.
- PAN Converted: The merchant can’t send the PAN across the web in plain form, so it is tokenized; anyone trying to snag the information in transit ends up with something unusable.
- PAN Transmitted: The tokenized version of the PAN is sent to the next participant in the process, generally a payment provider or gateway, which has the necessary wherewithal to ensure that the PAN is valid (using an algorithm that relies upon the validator digit).
- PAN Passed to Card Network: Assuming it is valid, the transaction can continue to the appropriate card network (using the MII).
- PAN Passed to Issuing Bank: The card network can now pass it to the customer’s bank (based on the BIN) for approval.
The unique makeup of the PAN makes it the key to smoothly transacting business between merchant and customer across a complex and multi-participant environment. Naturally, merchants who expect to do business regularly with a customer look to hang onto the PAN for easy future reuse. Because of its importance, a merchant must conform to PCI-DSS regulations to protect the PAN, which is why so many are turning to third-party tokenization vault providers to avoid potential hacks or data breaches.
Push Provisioning Simplifies PAN Acquisition
One of the places that consumers increasingly want to store their PAN for easy future re-use is digital wallets, such as Google Pay and Apple Pay. When this started, adding a card to a wallet could be finicky and annoying: the customer would need to type the details into a physical device—often their smartphone—and maneuver their way through a series of security screens and Terms & Conditions forms.
The emergence of push provisioning has cut through the red tape and made it easier for approved wallets and even websites to acquire access to a PAN. With push provisioning:
- The account holder elects to push their details from the issuer’s site to one of the approved listed wallets.
- The card issuer makes sure the card hasn’t already been added.
- If the account hasn’t already been added, the card issuer pushes the PAN details directly to the wallet.
- The consumer can now see the card in their wallet.
- The consumer will likely go through a simple activation process, which typically consists of providing the CVV code, and potentially entering a texted code on screen.
Card Account Updaters Keep PAN Fresh
Of course, the challenge with the PAN is that it can go out of date: perhaps the card expires, or the customer loses their card and requests a new one.
For a merchant relying upon a saved PAN to transact future business, this is a big deal. Fortunately, all the large card networks offer what they call a Card Account Updater (CAU) service that allows approved merchants to receive updated PAN information without customer involvement. While setting up these services can take work (and, if purchased through a PSP, incur cost), the mechanism is fairly straightforward:
- The merchant identifies a stale PAN from its expiration date or from a specific Decline code.
- The merchant reaches out, either through a preferred payment provider or by way of their acquiring bank, requesting an updated PAN.
- Assuming the merchant’s credentials are in order, and the account holder has not opted out of the program, the issuing bank will pass the new details to the acquiring bank.
- The acquiring bank then passes the update back to the merchant, either directly or by way of the intermediary payment provider.
By keeping track of, and updating, PAN and related information, the merchant can avoid poor customer service when a consumer is unable to complete their transactions.
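The tokenization step in the payment flow and the updater flow above fit together in a vault. The following is an added example, not code from the original article or from any vendor: a minimal in-memory vault in which the merchant holds only a random token and an updated PAN is swapped in behind that token. The class, its method names, the `tok_` prefix and the design choice that the token survives an update are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """In-memory stand-in for a third-party tokenization vault (hypothetical)."""

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key
        self._pan_by_token = {}   # token -> current PAN (vault side only)
        self._token_by_fp = {}    # keyed PAN fingerprint -> token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash: duplicates are detectable without indexing by the PAN itself.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the existing token if this PAN is already stored, else a new one."""
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def last_four(self, token: str) -> str:
        """Safe display value for the merchant's checkout page."""
        return self._pan_by_token[token][-4:]

    def detokenize(self, token: str) -> str:
        """Vault-side only: used when forwarding to the payment provider."""
        return self._pan_by_token[token]

    def apply_account_update(self, token: str, new_pan: str) -> None:
        """Store the PAN returned by the updater; the merchant's token is unchanged."""
        old_fp = self._fingerprint(self._pan_by_token[token])
        del self._token_by_fp[old_fp]
        self._pan_by_token[token] = new_pan
        self._token_by_fp[self._fingerprint(new_pan)] = token
```

Because the merchant's records reference only the token, an account update in this design touches the vault and nothing in the merchant's own database.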
Let the PAN Be More Than Stored Data
With stored PAN, merchants can smooth the path for customers to check out quickly and easily. Ensuring the easiest route for consumers to register their card, then maintaining the data over time, is critical to long-term success.
It is also vital to protect that PAN data: just one hack or data breach can torpedo customer satisfaction and brand trust. This is why merchants today are looking at programmable payment vaults, which allow them to have PANs and other PII collected and stored by a third party. In turn, that third party will provide them with secure tokens and programming interfaces so they can use the information over time without bringing their own systems into PCI-DSS scope.
For more information on how to implement a programmable payments vault, visit basistheory.com.