ISO 9564-1:2011 standard


DOCUMENT INFORMATION

Basic information

Title: Basic Principles And Requirements For Pins In Card-Based Systems
Institution: International Organization for Standardization
Field: Financial Services
Document type: standard
Year of publication: 2011
City: Geneva
Format
Pages: 36
Size: 369.26 KB


Structure

  • 4.1 General
  • 4.2 Principles
  • 5.1 PIN handling device security requirements
  • 5.2 Physical security for IC readers
  • 5.3 PIN entry device characteristics
  • 6.1 PIN control requirements
  • 6.2 PIN encipherment
  • 7.1 General
  • 7.2 Online PIN verification
  • 7.3 Offline PIN verification
  • 8.1 PIN length
  • 8.2 PIN establishment
  • 8.3 PIN issuance and delivery to the cardholder
  • 8.4 PIN selection
  • 8.5 PIN change
  • 8.6 PIN replacement
  • 8.7 Disposal of waste material and returned PIN mailers
  • 8.8 PIN activation
  • 8.9 PIN storage
  • 8.10 PIN deactivation
  • 8.11 PIN mailers
  • 9.1 PIN entry
  • 9.2 Protection of PIN during transmission
  • 9.3 Compact PIN block formats
  • 9.4 Extended PIN blocks
  • 9.5 Journalizing of transactions containing PIN data

Contents

INTERNATIONAL STANDARD ISO 9564-1, Third edition, 2011-02-15. Reference number ISO 9564-1:2011(E). Prepared by ISO TC 68/SC 2. © ISO 2011. Financial services — Personal Identification Number (PIN) management and securi[.]

General

A PIN, or Personal Identification Number, is a secret numeric code shared between the cardholder and the issuer to verify that card transactions are authorized. The term PIN can refer to different types, including the "cardholder PIN", the "reference PIN" and the "transaction PIN". These PINs are issued to ensure secure and verified use of payment cards, and they play a central role in cardholder authentication and fraud prevention during transactions.

1) the PIN i) is generated by the issuer and delivered to the cardholder (as the cardholder PIN), or ii) is selected by the cardholder and conveyed to the issuer;

The issuer securely stores the PIN, either as a reference PIN or in a form that allows it to be recalculated. This reference PIN may be stored within the issuer's system or embedded in an IC card, where it supports the authentication process. Proper storage and handling of the PIN are essential for maintaining transaction security and complying with industry standards.

1) the cardholder enters their PIN into a PED. The PIN, once entered into a PED, is the transaction PIN;

2) the transaction PIN is transmitted to the issuer or sent to the IC card for comparison with the reference PIN.

Certain PIN requirements apply to all PIN types, while others are specific to the cardholder, reference or transaction PIN. When a requirement applies to all PINs, it is referred to simply as "PIN" without further qualification. This distinction clarifies which security measures are necessary for each PIN category and supports effective PIN management and compliance.

Principles

PIN management must adhere to fundamental principles that ensure security and integrity. Fraudulent modification of, or unauthorized access to, the hardware and software responsible for PIN management shall be prevented or detected (see 6.1.1). To protect against prediction, enciphering the same PIN for different accounts under the same key shall not produce identical ciphertexts (see 6.2). The security of an enciphered PIN depends on the secrecy of the cryptographic key, not on the secrecy of the encipherment algorithm (see 6.2). Additionally, a PIN shall only exist within a secure cryptographic device as specified in 5.1, except in the following securely controlled cases:

1) delivery of the PIN to the cardholder using an approved method as defined in 8.3;

2) encipherment of the PIN using an approved algorithm, as specified in 6.2, in a way that ensures identical PINs on different accounts do not produce the same enciphered value; PIN block formats 0 or 3 may be used for this purpose;

3) conveyance of the reference PIN to the IC card to enable offline PIN verification, as defined in 8.9;

4) storage of a reference PIN within an IC card in accordance with 7.3;

5) submission of a transaction PIN to an IC card in accordance with 9.2.2.

e) PIN issuance shall be performed only by personnel authorized by the issuer, as defined in 8.3.

PIN selection and change must be performed solely by the cardholder, as outlined in 8.2.4 and 8.5. Management of devices used for PIN establishment or modification is restricted to authorized personnel operating under strict procedures, safeguarding against unauthorized access. The PIN shall never be known to or accessible by bank employees or agents, except in specific cases such as PIN mailing, which are subject to strict security measures. Stored reference PINs must be protected from unauthorized substitution, and any compromise or suspected compromise ends the PIN's lifecycle. The issuer is responsible for PIN verification and uses different encipherment keys for PIN storage and PIN transmission. Customers should be informed in writing about the importance of PIN secrecy. Transaction PINs are temporary and shall never be stored, in cleartext or enciphered form, beyond the single transaction. Additionally, under ISO 9564 an IC card is considered part of the issuer's domain.

PIN handling device security requirements

A PIN handling device, such as a PIN entry device, IC reader or host security module, processes clear text PINs and must therefore meet strict security requirements. Any additional features integrated into the device or system must not compromise the security of the PIN entry process. Non-IC card PIN handling devices are required to be secure cryptographic devices that adhere to ISO 13491-1:2007, ensuring physical security. The security requirements for IC cards are detailed in 7.3 of the standard.

A PIN entry device shall not rely on tamper evidence as its sole physical security characteristic.

The PIN entry device must incorporate tamper-detection and response mechanisms. If tampering is detected, the device becomes immediately inoperable and automatically erases all secret information stored within it, so that sensitive data cannot be recovered. These features are essential to maintain the integrity and confidentiality of the device against attack.

The PIN entry device must be able to authenticate itself to the acquirer in a secure manner, such that once compromised it can no longer authenticate itself. One method is to calculate a Message Authentication Code (MAC) over online transaction messages; erasing the MAC key after any attack then prevents further authentication by the compromised device.

Note: In systems supporting online PIN verification, the acquirer authenticates the validity of the PIN entry device each time a PIN is processed. This authentication is implicitly provided by the use of the PIN encipherment key.

The PIN prompt display must be securely controlled to prevent modification or misuse, ensuring the integrity of the cardholder verification process in compliance with ISO 13491-2:2005 standards (sections B.2.1 and B.2.2).

The card reader shall be protected to prevent unauthorized access, substitution or alteration of the card data read from the card (see ISO 13491-2:2005, B.2.1, number B3, and B.2.2, number B22).

Physical security for IC readers

The IC reader slot must be designed so that it cannot hold, or be modified to conceal, a PIN-disclosing "bug". Specifically, the slot should not have enough space to accommodate a "bug" that reveals the PIN when a card is inserted, and it should not be easy to enlarge the slot to hide a "bug" without detection. Moreover, the slot should be positioned so that any wiring connecting an external "bug" cannot be hidden from users.

PIN entry device characteristics

All PIN entry devices shall provide for the entry of the decimal numeric characters zero to nine.

Alphabetic characters, although not specifically addressed in this part of ISO 9564, can serve as synonyms for decimal numeric characters. For guidance on designing PIN entry devices, including the mapping from alphabetic to numeric characters, refer to Annex B of the standard.

The relationship between the numeric value of a PIN character and the internal coding of that value prior to any encipherment shall be as specified in Table 1.

Table 1 — Character representation (columns: PIN character, internal binary)

PIN control requirements

PIN processing systems are involved throughout the entire PIN lifecycle; they include merchant terminal systems, host application software managing host security modules, and card and PIN personalization systems. These systems must handle, manage and personalize PINs securely at every stage.

Systems used in PIN processing must ensure that hardware and software perform only their intended functions, with unauthorized modification or access prevented or detected. They must prevent fraudulent access to or tampering with information, and resist exhaustive trial-and-error methods of determining a PIN. PIN management devices handling clear text PINs should comply with ISO 13491-2:2005, Annex C, for secure cryptographic and PIN management functionality. Additionally, sensitive information related to PIN selection and encipherment must be securely controlled during all stages of handling, including use, transmission, storage and disposal. A PIN must be enciphered immediately upon entry into the PED, except when the PIN is conveyed to an IC card in clear text.

Any recording media containing data from which a plain text PIN might be determined shall be rendered unreadable or physically destroyed immediately after use (see Annex A).

No procedure shall require or permit oral communication of the plain text PIN, either in person or by a person over the telephone.

An institution shall never permit its employees to ask a customer to disclose the PIN or to recommend specific values.

Institutions must ensure that their procedures prevent the entry of plain text PINs via telephone keypads at all times during the PIN lifecycle, unless the telephone device is explicitly designed to meet security standards outlined in sections 5.1 for PIN entry devices and 9.2 for PIN transmission.

PIN encipherment

If it is necessary to encipher a PIN (see 9.2), this shall be accomplished using one of the approved algorithms specified in ISO 9564-2.

Different encipherment keys shall be used to protect the reference PIN and the transaction PIN.

Symmetric PIN encipherment keys may be used in online and offline PIN verification systems. Symmetric PIN encipherment keys shall not be used for any other cryptographic purpose.

Asymmetric PIN encipherment is only permitted in offline PIN verification systems. Asymmetric PIN encipherment keys should not be used for any other cryptographic purpose.

The encipherment procedure must ensure that enciphering a plain text PIN under a given cryptographic key does not produce the same enciphered output for identical PINs on different accounts. This prevents predictability in enciphered PIN values, so that one account's enciphered PIN reveals nothing about another's.

NOTE A format 2 PIN block does not meet this requirement without additional protection mechanisms.

Key management practices associated with PIN encipherment shall comply with the requirements of ISO 11568 (all parts).

General

PIN verification is the process of comparing a transaction PIN with a reference PIN to confirm that they match. During verification, derivatives of the PINs may be used instead of the plain text PINs. This process is essential for safeguarding financial transactions and preventing unauthorized access.

Online PIN verification

Transaction PINs are verified online after secure transmission to the issuer according to 9.2.1. Responsibility for online PIN verification shall rest with the issuer.

Offline PIN verification

Transaction PINs are verified offline after submission to the IC card, as specified in 9.2.2. The issuer holds the responsibility for offline PIN verification by programming and configuring the IC card, which remains under the issuer's control.

An ICC holding a reference PIN for offline PIN verification must offer robust protection against known attacks on the secrets it stores. This level of security prevents recovery of the plain text reference PIN, the transaction PIN or any other sensitive information stored within the ICC.

8 Techniques for management/protection of account-related PIN functions

PIN length

A PIN shall be not less than four and not more than 12 digits in length.

While there is a security advantage to having a longer PIN, usability may be hindered. For usability reasons, an assigned numeric PIN should not exceed six digits in length.

PIN establishment

A PIN shall be established using one of the following techniques: a) assigned derived PIN; b) assigned random PIN; c) customer-selected PIN.

It is recommended that, regardless of the method used to establish a PIN, PIN values be checked against known weaknesses as described in Annex C.

When the reference PIN is an "assigned derived PIN", the issuer shall derive it cryptographically from a) the primary account number, and/or b) some other value associated with the customer.

The PIN derivation process should not contain a bias towards specific sets or values.

When the reference PIN is an "assigned random PIN", the issuer shall obtain a value by means of either a) a true random number generator, or b) a pseudo-random number generator.

Either may be achieved using a random number generator compliant with ISO/IEC 18031 and tested using NIST SP 800-22.

When the reference PIN is a "customer-selected PIN", the customer is responsible for choosing the value. The issuer must provide clear instructions and warnings to assist the customer in making an informed selection, as outlined in Annex C.

PIN issuance and delivery to the cardholder

The issuance and delivery of PINs must follow strict security procedures. The plain text PIN must never exist outside a secure environment unless absolutely necessary, and then only in a manner that prevents association with the cardholder or account, following ISO 13491-2:2005. No employee or agent of the financial institution may gain knowledge of or access to the PIN at any stage of the process. PIN issuance functions involving staff must be under dual control to prevent misuse. During delivery, the PIN shall never appear in plain text in a way that links it directly to a customer's account or PAN. The PIN may only be retrieved, deciphered or regenerated for presentation to the cardholder, using secure methods such as PIN mailers or cryptographic devices with display capabilities. When it is necessary to handle the PIN in plain text outside a secure cryptographic device, this must be limited to the minimum required duration and take place within a secure environment complying with ISO 13491-2:2005.

PIN selection

PIN selection is a process performed by the cardholder, either as part of the card issuance process or during a PIN change.

A PIN selected by the customer shall be conveyed to the issuer using one of the following techniques: a) PIN selection at an issuer's location (see 8.4.3); b) PIN selection by mail (see 8.4.4).

8.4.3 PIN selection at an issuer's location

PIN selection at the issuer's location must use a compliant PIN entry device, so that the customer does not disclose the PIN to employees or third parties. An authorized employee must verify the customer's identity, and must be identified and authorized before enabling the PIN selection process. The process is completed once the PIN has been successfully entered, with the employee's identification and the date and time recorded as part of the transaction record. For validation, the PIN must be entered twice and both entries verified to be identical, with the comparison performed in a way that does not expose the PIN.

8.4.4 PIN selection by mail

PIN selection by mail must use a form that includes a control number and a designated space for the selected PIN; the control number must not reveal the account number. Cryptographic keys used to generate control numbers must be managed in accordance with ISO 11568 and not reused for other purposes. The form must not include any information linking the PIN to the customer's personal details. The PIN selection form and instructions are mailed to the customer under the established mailing procedures, treating the control number as the PIN. Customers are instructed to write their PIN on the form, to avoid including additional information or correspondence, and to return the form in a pre-addressed envelope. Only authorized issuer employees shall process the returned forms. The control number may be a reversible cipher of the account number.

PIN change

A PIN change is a request initiated by the cardholder to select a new PIN and update related data on the card and in host systems as needed. The change must be performed in accordance with the requirements of 8.4.

8.5.2 PIN change in an interchange environment

PIN changes in an interchange environment should be limited to IC cards, and should be performed only when the PIN update takes place through a secure, cryptographically controlled relationship between the issuer and the IC card. This ensures the integrity and security of the PIN update process.

8.5.3 PIN change at an attended terminal

The procedure for PIN change at an attended terminal shall be the same as specified for PIN selection in 8.4.3.

8.5.4 PIN change at an unattended terminal

The procedure for PIN change at an unattended terminal shall require the current PIN to be entered and verified before selection and activation of the replacement customer-selected PIN.

The new PIN must be entered twice for validation, with both entries verified to be identical. The comparison must be performed in a way that does not expose any PIN information.

8.5.5 PIN change by mail

The card issuer must authenticate the cardholder before sending out the PIN change form. The issuer should notify the cardholder of the dispatch of the form, using the communications method of record.

The PIN change process by mail follows the procedures of 8.4.4 for PIN selection. Note that this method is not suitable for applications requiring updates to PIN-related data on the card itself.

PIN replacement

Replacement of a forgotten PIN must be carried out exclusively through the issuer's own system, not within the interchange environment. The issuer is responsible for authenticating the cardholder before issuing a new PIN. All procedures for PIN replacement shall follow 8.3.

8.6.2 Re-advice of forgotten PIN

Re-advising a forgotten PIN must be conducted exclusively through the issuer's secure system, not within an interchange environment. Before re-advising the PIN, the issuer is required to authenticate the cardholder. The procedures for re-advising a customer of a forgotten PIN shall follow 8.3.

8.6.3 Replacement of a compromised PIN

When a PIN is known or suspected to be compromised, it must be deactivated immediately (see 8.10), and the customer must be advised of the replacement PIN or given the option to select a new one. The replacement PIN shall never be intentionally identical to the compromised PIN. Activation of the replacement PIN may be implicit or explicit, in accordance with 8.8.

When a derived PIN is suspected of exposure, at least one data element used in the PIN derivation must be changed, a new PIN generated, and a new card issued. This may involve re-issuing or re-encoding the card and blocking the old card from use.

Disposal of waste material and returned PIN mailers

Issuers must implement robust security measures to safeguard the internal handling and disposal of returned PIN mailers, as well as any waste generated from the printing of these mailers, to protect sensitive information and ensure compliance with data security standards.

Return addresses for card and PIN mailers should be different.

PIN activation

A PIN may be activated either implicitly or explicitly. Under a system of implicit PIN activation, the issuer assumes successful PIN delivery unless advised to the contrary.

Under explicit PIN activation, the issuer must wait until the customer has returned a signed and verified receipt, or has responded by another method that

⎯ confirms that this response is from the legitimate cardholder.

The receipt or response shall not contain the PIN.

PIN storage

PIN storage shall be implemented in accordance with the requirements of 4.2 d).

PIN encipherment (reversible or irreversible) shall incorporate the account number (or other data) such that the verification process would detect substitution of one stored value for another.

A plain text PIN shall never be stored on the magnetic stripe of a card.

Values associated with the PIN, such as the PIN offset, must be stored so that the PIN cannot be reconstructed from them. It shall be impossible to recover the actual PIN without access to the cryptographic keys used to generate these values.

Unauthorized substitution of the reference PIN shall be prevented. For example, the reference PIN may be cryptographically bound to the associated account/card number.

When the reference PIN is stored in the IC card for subsequent offline PIN verification, it shall be protected in accordance with 7.3.

The conveyance of a clear text reference PIN to the IC card shall be performed solely within a secure environment conforming to the requirements of ISO 13491-2:2005, H.5.

PIN deactivation

PIN deactivation is the invalidation, within the issuer's system, of a cardholder's PIN and the associated card, so that they can no longer be used for transactions. For IC cards, PIN deactivation involves blocking the PIN, the account or the card, as appropriate. PIN deactivation is distinct from PIN suspension, which temporarily disables the PIN after the maximum number of failed PIN attempts has been exceeded.

Responsibility for PIN deactivation lies with the issuer, who must deactivate a PIN as soon as possible when the PIN is compromised or suspected to be compromised, when all accounts linked to the PIN are closed, when the customer requests deactivation of the associated card, or when the issuer determines that deactivation is necessary for any other reason.

In the case of PIN compromise or a deactivation request by the customer, the customer shall be advised of the action taken.

The issuer shall take appropriate measures to ensure that the deactivated PIN cannot be used with its associated account number.

NOTE Examples of such measures are erasure of the deactivated PIN from the issuer's records and blocking access to the account.

PIN mailers

A PIN mailer typically comprises an outer envelope and an inner tamper-evident component that protects the PIN. These components can also be combined into a single tamper-evident PIN mailer. The design ensures that the PIN remains secret in transit and that any tampering is evident.

When a PIN mailer is used to deliver an assigned PIN to a cardholder, the mailer must be tamper-evident, so that the plain text PIN cannot be read without evidence of tampering. The externally visible parts of the mailer should carry only the minimum information needed to reach the correct recipient. Cardholders must be warned not to use a PIN from an opened or tampered mailer and to report such incidents to the issuer. Additionally, the PIN mailer shall not contain information that would allow anyone other than the cardholder to determine the associated account number; only limited details, such as the last four digits of the account number, may be included in the private portion.

Where multiple cards issued on the same account each have a different PIN, the PIN mailer must display cardholder identification details so that it reaches the right cardholder. The PIN and card shall never be mailed together or at the same time, reducing the risk that both are intercepted together. Additionally, the PIN mailer should be sent without any other material that could cause it to be overlooked or discarded.

Additionally, the issuer should notify the cardholder of the despatch of the PIN mailer using the communications method of record.

The envelope or its contents may retain residual PIN information, for example on carbon paper. Issuers must warn customers to destroy the mailer after memorizing the PIN, or to keep it in a secure location.

9 Techniques for management/protection of transaction-related PIN functions

PIN entry

Responsibility for protecting the PIN during the entry process rests with the customer, the card acceptor and the acquirer or its agent.

The first digit entered into the PIN entry device shall be the high-order digit (leftmost). The last digit entered shall be the low-order digit (rightmost).

Equipment used for interchange shall support entry of a 4- to 12-digit PIN.

Protection of PIN during transmission

9.2.1 PIN protection during transmission to the issuer for online PIN verification

A PIN in transit over a network, including within network nodes, must be protected either physically or by encipherment: physical protection as specified in 5.1, or encipherment as specified in 6.2.

Whenever it is necessary to decipher and re-encipher a PIN in transit, for example to translate between PIN block formats or to change the encipherment key, the operation must take place within a physically secure device. This protects the PIN from exposure during the translation and keeps PIN handling within approved secure hardware.

9.2.2 PIN protection during conveyance to the ICC for offline PIN verification

The IC reader and the PIN entry device may be integrated in a single device or implemented as two separate units. When they are integrated in a single device, that device must meet the requirements of 5.1.

a) Where the PIN entry device and IC reader are integrated:

1) if the PIN is to be submitted to the IC card in plain text, the device need not encipher the PIN and may submit the plain text PIN directly to the IC card;

2) if the PIN is to be submitted in enciphered form, the device must encipher the PIN using the IC card's authenticated encipherment key before submission.

b) Where the PIN is entered in an unprotected environment, that is, where the PIN entry device and IC reader are not integrated within a compliant device, the PIN entry device shall encipher the PIN in accordance with 6.2 before submission. The enciphered PIN is then transmitted to the IC reader, which shall either:

1) decipher the PIN for submission in plain text to the IC card,

2) decipher the PIN and then re-encipher it using the authenticated encipherment key of the IC card and submit the enciphered PIN to the IC card, or

3) submit the enciphered PIN to the IC card (if the PIN is already enciphered using the authenticated encipherment key of the IC card).

All PIN encipherment operations shall occur within a device meeting the requirements of 5.1.

Where the PIN is submitted to the IC card in enciphered form, the integrity and authenticity of the IC card's PIN encipherment key must be ensured, and the key must be safeguarded against substitution while it is handled.

Measures against substitution of the encipherment key during handling within the IC reader and PED include

⎯ using an integrity-ensured channel between the IC reader and the PED, and

⎯ verifying that the encipherment key is chained to a trusted public key installed in the device performing the authentication.

Table 2 summarizes the PIN protection requirements for the terminal configurations and PIN submission methods described above in this subclause.

Table 2 — ICC PIN protection summary

Plain text PIN submitted to the IC card:

⎯ PIN entry device and IC reader integrated: no encipherment is required; the plain text PIN is submitted to the IC card [see 9.2.2.1 a) 1)].

⎯ PIN entry device and IC reader not integrated: the PIN is enciphered from the PIN entry device to the IC reader in accordance with 6.2; the IC reader deciphers the PIN and submits the plain text PIN to the IC card [see 9.2.2.1 b) 1)].

Enciphered PIN submitted to the IC card:

⎯ PIN entry device and IC reader integrated: the PIN is submitted to the IC card enciphered using an authenticated encipherment key of the IC card [see 9.2.2.1 a) 2)].

⎯ PIN entry device and IC reader not integrated, either of the following:

  the PIN is enciphered (using a symmetric key) by the PIN entry device in accordance with 6.2; the IC reader receives the enciphered PIN, deciphers it, re-enciphers it using the authenticated encipherment key of the IC card and submits the re-enciphered PIN to the IC card; or

  the PIN is enciphered by the PIN entry device using the authenticated encipherment key of the IC card, in accordance with 6.2; the IC reader receives the enciphered PIN and submits it to the IC card [see 9.2.2.1 b) 3)].

The PIN submitted by the IC reader to the IC shall be carried in a PIN block that complies with the format 2 PIN block requirements of 9.3.4. This applies whether the PIN is submitted in plain text or enciphered using an encipherment key of the IC.

A PIN enciphered solely for transmission between the PIN entry device and the IC reader shall use a PIN block format specified in 9.3 or 9.4. Where a format 2 PIN block is used, a unique-key-per-transaction method in accordance with ISO 11568 should be used, so that each transaction is enciphered under its own key.

Where an enciphered PIN is presented to the IC, the PIN shall be formatted as a format 2 PIN block within an encryption block, as illustrated in Figure 1, and the encryption block shall be enciphered with the authenticated encipherment key of the IC. The detailed procedure is specified in EMV Book 2.

Field                       Length (bytes)   Content
PIN block (format 2)        8                PIN in PIN block (see 9.3.4)
ICC unpredictable number    8                Unpredictable number obtained from the ICC
Random pad                  N_IC − 17        Random pad generated by the terminal

NOTE N_IC is the length in bytes of the authenticated encipherment key of the IC.

Figure 1 — ICC encryption block format

The random pad shall be unpredictable: its value shall not be determinable even with knowledge of previous values. Before encipherment these values shall be held only in secure hardware dedicated to protecting the plain text PIN. Each encipherment shall use a fresh random value, with all possible values equally likely and no internal patterns or repetitions.

This may be achieved using a random number generator compliant with ISO/IEC 18031 and tested using NIST SP 800-22.
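As an added example (not text from the standard), the following Python assembles the Figure 1 encryption block that the terminal enciphers under the IC's authenticated key. The leading one-byte 0x7F data header is taken from EMV Book 2, which the passage cites, and accounts for the byte missing from 8 + 8 + (N_IC − 17); the PIN, unpredictable number, key length and the optional `random_pad` argument (for deterministic testing only) are constructed values and names of this example.

```python
from typing import Optional
import secrets

def format2_pin_block(pin: str) -> bytes:
    """Format 2 PIN block (9.3.4): control nibble 2, PIN length nibble,
    the PIN digits, then fill nibbles of 0xF up to 64 bits."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 decimal digits")
    nibbles = f"2{len(pin):X}{pin}"
    return bytes.fromhex(nibbles + "F" * (16 - len(nibbles)))

def icc_encryption_block(pin: str, icc_unpredictable_number: bytes, n_ic: int,
                         random_pad: Optional[bytes] = None) -> bytes:
    """Plaintext block of Figure 1, to be enciphered under the IC's
    authenticated encipherment key of N_IC bytes. The leading 0x7F data
    header is the one EMV Book 2 specifies; it is the byte that makes
    1 + 8 + 8 + (N_IC - 17) equal N_IC."""
    if len(icc_unpredictable_number) != 8:
        raise ValueError("ICC unpredictable number must be 8 bytes")
    pad_len = n_ic - 17
    if pad_len < 0:
        raise ValueError("key too short for a PIN block plus unpredictable number")
    if random_pad is None:
        # fresh, uniformly distributed bytes for every encipherment, never
        # reused; the standard requires the pad to be generated and held only
        # in the secure hardware that protects the plain text PIN
        random_pad = secrets.token_bytes(pad_len)
    elif len(random_pad) != pad_len:
        raise ValueError(f"random pad must be N_IC - 17 = {pad_len} bytes")
    return b"\x7f" + format2_pin_block(pin) + icc_unpredictable_number + random_pad
```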

9.3 Compact PIN block formats

9.3.1 PIN block construction and format value assignment

This subclause specifies the construction of a 64-bit block of PIN data and includes the number, position and function of the bits.

The most significant 4 bits of the block form the control field The following values are assigned:

0100 through 0111 : For allocation by Technical Committee ISO/TC 68

1000 through 1011 : Reserved for allocation by national standards organizations

1100 through 1111 : Allocated for private use

In international interchange, a format 0 or format 3 PIN block should be used when the Primary Account Number (PAN) is available. Format 3 is recommended when the same PIN encipherment key is used for multiple PIN encipherments, e.g. under fixed or session key management.

The format 0 PIN block is constructed by modulo-2 addition of two 64-bit fields: the plain text PIN field and the account number field, whose formats are specified in 9.3.2.2 and 9.3.2.3 respectively.

The format 0 PIN block shall be reversibly enciphered when transmitted.

The plain text PIN field shall be formatted in the following way:

C = Control field: 4-bit field value 0000 (zero);

N = PIN length: 4-bit binary number with permissible values of 0100 (4) to 1100 (12);

P = PIN digit: 4-bit field with permissible values of 0000 (zero) to 1001 (9);

P/F = PIN/Fill digit: designation of these fields is determined by the PIN length field;

F = Fill digit: 4-bit field value 1111 (15).

The account number field shall be formatted in the following way:

0 = Pad digit: a 4-bit field with the only permissible value of 0000 (zero);

A1 to A12 = Account number: the 12 rightmost digits of the primary account number (PAN), excluding the check digit; A12 is the digit immediately preceding the check digit of the PAN. If the PAN (excluding the check digit) has fewer than 12 digits, the digits are right justified and padded to the left with zeros. Permissible values are 0000 (zero) to 1001 (9).

The format 1 PIN block is used when the PAN is not available. It is constructed by concatenating the plain text PIN field with the transaction field.

The format 1 PIN block shall be reversibly enciphered when transmitted.

The format 1 PIN block shall be formatted in the following way:

C = Control field: 4-bit field value 0001 (1);

N = PIN length: 4-bit binary number with permissible values 0100 (4) to 1100 (12);

P = PIN digit: 4-bit field with permissible values 0000 (zero) to 1001 (9);

P/T = PIN/Transaction digit: designation of these fields is determined by the PIN length field;

T = Transaction digit: 4-bit binary number with permissible values of 0000 (zero) to 1111 (15).

The transaction field is a binary number of [56 − (N × 4)] bits that is unique to each PIN block occurrence, so that duplication occurs only by chance. It may be generated, for example, from a transaction sequence number, a time stamp or a random number.

The transaction field should not be transmitted and is not required in order to translate the PIN block to another format, since the PIN length is known.

The format 2 PIN block is intended for use with IC cards in offline environments only and is never to be used for online PIN verification. It is constructed by concatenating two fields: the plain text PIN field and a filler field.

The format 2 PIN block shall be formatted in the following way:

C = Control field: 4-bit field value 0010 (2);

N = PIN length: 4-bit binary number with permissible values 0100 (4) to 1100 (12);

P = PIN digit: 4-bit field with permissible values 0000 (zero) to 1001 (9);

P/F = PIN/Fill digit: designation of these fields is determined by the PIN length field;

F = Fill digit: 4-bit field value 1111 (15).

A format 2 PIN block shall be formatted within an encryption block when enciphered by the authenticated encipherment key of the IC (see 9.2.2.3).

The format 3 PIN block is the same as the format 0 PIN block except for the fill digits.

The format 3 PIN block is constructed by modulo-2 addition (bitwise XOR) of two 64-bit fields: the plain text PIN field and the account number field, whose formats are specified in 9.3.5.2 and 9.3.5.3 respectively.

The format 3 PIN block shall be reversibly enciphered when transmitted.

The plain text PIN field shall be formatted in the following way:

C = Control field: 4-bit field value 0011 (3);

N = PIN length: 4-bit binary number with permissible values of 0100 (4) to 1100 (12);

P = PIN digit: 4-bit field with permissible values of 0000 (zero) to 1001 (9);

P/F = PIN/Fill digit: designation of these fields is determined by the PIN length field;

F = Fill digit: 4-bit field with permissible values of 1010 (10) to 1111 (15). The fill digits are selected randomly or sequentially from this set of six values, so that it is unlikely that the same fill-digit pattern recurs with the same account number field in the same PIN encipherment device.

The account number field shall be formatted in the following way:

0 = Pad digit: a 4-bit field with the only permissible value of 0000 (zero);

A1 to A12 = Account number: the 12 rightmost digits of the primary account number (PAN), excluding the check digit; A12 is the digit immediately preceding the check digit of the PAN. If the PAN (excluding the check digit) has fewer than 12 digits, the digits are right justified and padded to the left with zeros. Permissible values are 0000 (zero) to 1001 (9).

9.3.6 Compact PIN block usage restrictions

The following restrictions apply to the use of compact PIN blocks:

⎯ controls shall be in place to prevent misuse of card issuance functions, including PIN change;

⎯ ISO PIN block formats 0, 1, 2 and 3 shall not be translated into non-ISO formats;

⎯ format 2 PIN blocks should be used only for offline PIN verification and PIN change within ICC environments;

⎯ translation from a PIN block format that includes the PAN to one that does not is prohibited; in particular, ISO formats 0 and 3 shall not be translated into format 1;

⎯ when translating between PIN block formats that contain the PAN, a change of PAN is supported only under secured conditions, i.e. with the host security module in a sensitive state under dual control; it is not supported in interchange processing systems;

⎯ only ISO formats 0 and 3 are supported for the calculation of PIN verification values (e.g. PIN offset, PVV) based on the PIN and PAN;

⎯ if, during such a calculation, the deciphered account number portion of the PIN block does not match the input PAN, no result shall be returned, unless a new PAN is being introduced for an account number change, which shall take place only under the secured conditions above;

⎯ all integrity checks on deciphered PIN blocks should rely solely on the control and PIN length fields in the first byte and on validation of the permissible digit values.

Table 3 sets out the requirements for translations from formats 0, 1 and 3.

Table 3 — Permitted translations between compact PIN block formats

Translation from ISO format 0:

⎯ to ISO format 0: permitted anywhere without change of PAN; change of PAN only permitted in sensitive state for card issuance;

⎯ to ISO format 1: not permitted;

⎯ to ISO format 2: permitted for submission to an IC card;

⎯ to ISO format 3: permitted anywhere without change of PAN; change of PAN only permitted in sensitive state for card issuance.

Translation from ISO format 1:

⎯ to ISO format 0: permitted;

⎯ to ISO format 1: permitted;

⎯ to ISO format 2: permitted for submission to an IC card;

⎯ to ISO format 3: permitted.

Translation from ISO format 2:

⎯ to ISO format 0: not permitted;

⎯ to ISO format 1: not permitted;

⎯ to ISO format 2: permitted for submission to an IC card;

⎯ to ISO format 3: not permitted.

Translation from ISO format 3:

⎯ to ISO format 0: permitted anywhere without change of PAN; change of PAN only permitted in sensitive state for card issuance;

⎯ to ISO format 1: not permitted;

⎯ to ISO format 2: permitted for submission to an IC card;

⎯ to ISO format 3: permitted anywhere without change of PAN; change of PAN only permitted in sensitive state for card issuance.
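As an added example, not text from the standard, the following Python builds format 0, 1, 2 and 3 PIN blocks as defined in 9.3.2 to 9.3.5, applies the first-byte integrity check of 9.3.6 when decoding (a block deciphered against the wrong PAN yields no result), and enforces the translation rules of Table 3. Function names, the PIN and the PAN used in the tests are this example's own constructed values; taking a single PAN argument means a change of PAN cannot happen here, since that is reserved for a host security module in a sensitive state.

```python
from typing import Optional
import secrets

def account_number_field(pan: str) -> bytes:
    # 9.3.2.3 / 9.3.5.3: four zero pad nibbles, then the 12 rightmost PAN digits
    # excluding the check digit; a shorter PAN is right justified, zero padded
    if not pan.isdigit() or len(pan) < 2:
        raise ValueError("PAN must be decimal digits and include the check digit")
    return bytes.fromhex("0000" + pan[:-1][-12:].rjust(12, "0"))

def encode_pin_block(fmt: int, pin: str, pan: Optional[str] = None) -> bytes:
    """Build a compact PIN block of format 0, 1, 2 or 3 (9.3.2 to 9.3.5)."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 decimal digits")
    n_tail = 14 - len(pin)                    # nibbles following the PIN digits
    if fmt in (0, 2):                         # fill digits are all 0xF
        tail = "F" * n_tail
    elif fmt == 3:                            # random fill digits from 0xA..0xF
        tail = "".join("ABCDEF"[secrets.randbelow(6)] for _ in range(n_tail))
    elif fmt == 1:                            # 56 - 4N bit transaction field
        tail = "".join(f"{secrets.randbelow(16):X}" for _ in range(n_tail))
    else:
        raise ValueError("unknown compact PIN block format")
    field = bytes.fromhex(f"{fmt:X}{len(pin):X}{pin}{tail}")
    if fmt in (1, 2):                         # these formats carry no PAN
        return field
    if pan is None:
        raise ValueError("formats 0 and 3 need the PAN")
    # modulo-2 addition (bitwise XOR) of the two 64-bit fields
    return bytes(p ^ a for p, a in zip(field, account_number_field(pan)))

def decode_pin_block(block: bytes, pan: Optional[str] = None) -> str:
    """Recover the PIN from a deciphered block. Per 9.3.6 the integrity check
    uses only the first byte (control, length) and the permissible digit values."""
    if len(block) != 8:
        raise ValueError("compact PIN block is 64 bits")
    fmt, n = block[0] >> 4, block[0] & 0x0F
    if fmt not in (0, 1, 2, 3) or not 4 <= n <= 12:
        raise ValueError("bad control field or PIN length")
    if fmt in (0, 3):
        if pan is None:
            raise ValueError("formats 0 and 3 need the PAN")
        block = bytes(p ^ a for p, a in zip(block, account_number_field(pan)))
    nibbles = block.hex().upper()
    pin, tail = nibbles[2:2 + n], nibbles[2 + n:]
    allowed = {0: "F", 2: "F", 3: "ABCDEF", 1: "0123456789ABCDEF"}[fmt]
    if not pin.isdigit() or any(c not in allowed for c in tail):
        raise ValueError("digit outside its permitted set")   # no result returned
    return pin

def translate_pin_block(block: bytes, to_fmt: int, pan: Optional[str] = None) -> bytes:
    """Re-format a deciphered block under Table 3: format 2 only to format 2,
    formats 0 and 3 never to format 1 (the PAN binding would be dropped).
    The same PAN is used on both sides, so no change of PAN is possible here."""
    from_fmt = block[0] >> 4
    if from_fmt == 2 and to_fmt != 2:
        raise PermissionError("format 2 blocks may only be re-submitted to an IC card")
    if from_fmt in (0, 3) and to_fmt == 1:
        raise PermissionError("translation to a format without the PAN is prohibited")
    return encode_pin_block(to_fmt, decode_pin_block(block, pan), pan)
```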

9.4 Extended PIN blocks

Where the PIN is enciphered with a block cipher whose block length is 128 bits or more (e.g. AES), it shall be formatted in an extended PIN block approved by ISO/TC 68/SC 2.

NOTE 1 It is intended to develop an extended PIN block (see Introduction).

NOTE 2 Support for block ciphers with longer block and key lengths does not imply phasing out of block ciphers currently in use, such as TDEA.

9.5 Journalizing of transactions containing PIN data

Messages journalized (post-authorization storage) shall not contain plain text or enciphered PINs in any form.

10 Approval procedure for encipherment algorithms

Before an encipherment algorithm is included in ISO 9564-2, it shall meet the following criteria: it serves a purpose not covered by an algorithm already in the standard, e.g. it targets a different market, is more cost-effective to implement or offers greater security; it is sufficiently secure, reliable and stable for its intended role; and it has been approved in accordance with ISO 11568-1:2005, Annex A.

This annex specifies minimum requirements for the erasure (e.g. degaussing, overwriting) and destruction of storage media that hold sensitive data, so that the data cannot be accessed or compromised. Alternative procedures are given for media that are to be re-used after erasure and for media being permanently decommissioned at end of life.

All sensitive data shall be destroyed securely, such that it is infeasible to restore, read or otherwise obtain the destroyed data.

Sensitive data stored on media and devices such as disks and microelectronic circuits require special precautions against compromise of residual data. This annex gives recommended procedures for secure erasure and destruction; NIST SP 800-88 provides further guidance on destroying sensitive data securely.

Magnetic media shall be erased using a degaussing machine or an equivalent method, such as overwriting at least seven times. After erasure, the media should be safeguarded, controlled and marked according to the sensitivity of the information originally recorded on them.

Before erased magnetic media are decommissioned, they shall undergo two degaussing cycles. The media shall then be destroyed, either by disintegration into pieces no larger than 5 mm by 5 mm or by incineration, so that the data cannot be recovered.

A.4 Internal memory, buffers and registers

Internal memory, buffers and registers shall be erased by overwriting every data bit with continuously changing random data for at least 1 000 cycles. The erasure process should be tested regularly to verify that it is operating correctly.

Where the equipment is to be permanently removed from service, the internal memory, buffers and registers should be destroyed by disintegration.

Semiconductor memory shall be erased according to its type:

⎯ RAM, internal memory, buffers and registers: overwrite every data bit with continuously changing random data for 1 000 cycles, with periodic verification that the process is operating correctly;

⎯ EPROM: erase the entire array with ultraviolet light and verify, then overwrite all locations with non-sensitive random data and verify;

⎯ EEPROM: erase using the built-in electrical erasure mechanism and verify, then overwrite all storage locations with non-sensitive random data and verify.

Where the equipment is to be permanently removed from service, the semiconductor memory should be destroyed by disintegration.

Paper shall be destroyed by burning, pulverizing or cross-cut shredding. Shredded paper shall be reduced to pieces no larger than 5 mm by 5 mm. Burned paper shall be reduced to unreadable white ash.

Before a printer is released, the platen and the ribbon shall be removed. The rubber surface of the platen shall be physically destroyed, e.g. by incineration, and the ribbon shall likewise be destroyed, e.g. by incineration.

Optical media should be destroyed by burning, pulverizing or shredding.

Annex B Additional guidelines for the design of a PIN entry device

This annex describes features such as function keys and the design of a PIN entry device installation and, as such, it supplements the requirements given in Clause 5.

A standard overall layout for PIN entry devices, including the function keys, is desirable. While it is essential that the numeric key layout remain fixed, a uniform design across devices makes PIN entry more familiar to customers and reduces the likelihood of entry errors.

Function keys should have a consistent layout and clear, unambiguous functions. The three basic functions are: a) "Enter" (complete entry); b) "Clear" the current entry; c) "Cancel" the transaction.

In addition to an engraved legend, colour coding of the function keys is recommended: green for the "Enter" key, yellow for the "Clear" key and red for the "Cancel" key.

Function keys are usually arranged in a vertical column to the right of the numeric keys, with the "Cancel" key at the top, the "Clear" key in the middle and the "Enter" key at the bottom. Where the function keys are arranged horizontally, the same order applies: "Cancel" on the left, "Enter" on the right and "Clear" in the middle. To assist blind or partially sighted customers, it is recommended that the "5" key have a raised dot or other tactile identifier on it.

EXAMPLE 1 The numeric PIN entry device with two horizontally placed function keys:

EXAMPLE 2 US alpha-numeric PIN entry device with vertically placed function keys:

EXAMPLE 3 ITU-T Recommendation E.161/EN 1332-3 alpha-numeric PIN entry device with vertically placed function keys:

EXAMPLE 4 The numeric PIN entry device with three horizontally placed function keys (not used in automated teller machines):

Visual observation of the PIN is the most common way in which a PIN is compromised. Privacy during PIN entry may be achieved by providing a cowl over the keys or by positioning the PIN entry device so that the keys are shielded by the customer's body during PIN entry, for example when a hand-held PIN entry device is used. Special consideration should be given to preventing the recording of PIN entry by video cameras.

This subclause describes the relationship between the customer-known character set (which may be alphabetic, numeric or both) and the internal binary codes. Alphabetic characters are only synonyms for decimal digits and are not distinguishable by the terminal or network. Tables B.1 and B.2 show the ANSI and ITU-T Recommendation E.161 alphanumeric mappings.

Posted: 05/04/2023, 14:38