Card issuing is a core component of modern fintech. To operate a card program, virtual or physical, you must understand the key elements that define how cards work, how they are identified, and how they stay secure. This guide explains BIN, PAN, CVV, and tokenization in a simple, accurate, and practical way with a real-life example.
1. BIN (Bank Identification Number)
The BIN is the first 6 to 8 digits of a card number. It identifies the issuing bank or fintech, the card type (debit, credit, prepaid), the card network (Visa, Mastercard), and the country of issuance.
Example: For a Visa debit card issued in Germany, the BIN might start with 416739. This tells payment processors that the card belongs to a specific German issuer.
Why it matters
Routing transactions, fraud detection, defining where the card can be used, authorization logic, and card program rules.
2. PAN (Primary Account Number)
This is the full 16-digit (or 15 or 19-digit) card number printed on the card. The PAN contains the BIN (first 6 to 8 digits), unique customer identifier digits, and a checksum digit for validation.
Purpose: The PAN identifies the user’s card within the issuer’s system.
Important: PAN must be encrypted or tokenized and never stored in plain form.
3. CVV (Card Verification Value)
The CVV is a 3 or 4-digit security code used for card-not-present transactions.
CVV types
- CVV1: used during card swipe or chip
- CVV2: used for online payments
- iCVV: used for contactless and mobile tokenized transactions
Why CVV exists: to ensure the user physically has the card during an online purchase.
4. Tokenization
Tokenization replaces sensitive card data (PAN, CVV) with a secure, non-sensitive token.
Used in Apple Pay, Google Pay, Samsung Pay, stored cards in apps, and recurring billing systems.
How it works
- User adds card to a mobile wallet
- PAN is sent to card network
- Network generates a token (Device PAN or DPAN)
- Merchant never sees the real card number
- Transactions use the token instead of the PAN
Benefits
Protects card data, eliminates risk of card number theft, and enables safer online and in-app purchases.
5. Additional Key Terms
Expiration date: defines card validity period (MM/YY), needed for online transactions.
Issuer processor: the technology provider that authorizes card transactions for the fintech (examples: Marqeta, Paymentology, FIS, Galileo).
3D Secure (3DS): extra authentication step for online transactions, required in the EU under PSD2.
Real-Life Example (Germany to Sweden Online Purchase)
Scenario: A customer in Germany uses their BinaxPay-issued Visa virtual card to buy software from a Swedish online store.
- Card details used
- PAN: 16-digit number
- CVV2: 3-digit code
- Expiry date
- BIN identifies it as a German-issued Visa card
- Authorization flow
- Swedish merchant sends the payment request
- Visa checks the BIN to route the request to BinaxPay’s issuer processor
- Issuer processor validates PAN structure, CVV2, token status (if mobile wallet used), user balance, and fraud rules
- If all checks pass, transaction approved
- Merchant receives confirmation instantly
- If user pays via Apple Pay (tokenized)
- No PAN is shared
- A secure DPAN token is used
- CVV is replaced with a dynamic cryptogram
- Even if leaked, the token is useless outside that exact device
Outcome: The German user pays safely, the Swedish merchant receives funds, and real card data never leaves secure systems.
Summary
BIN identifies the issuer and card type. PAN is the full card number used to route transactions. CVV secures card-not-present transactions. Tokenization protects sensitive card data and powers mobile wallets. These elements form the foundation of every card issuing program in modern fintech.