ISO 9564 explained

ISO 9564 is an international standard for personal identification number (PIN) management and security in financial services.

The PIN is used to verify the identity of a customer (the user of a bank card) within an electronic funds transfer system, and (typically) to authorize the transfer or withdrawal of funds. Therefore, it is important to protect PINs against unauthorized disclosure or misuse. Modern banking systems require interoperability between a variety of PIN entry devices, smart cards, card readers, card issuers, acquiring banks and retailers  - including transmission of PINs between those entities  - so a common set of rules for handling and securing PINs is required, to ensure both technical compatibility and a mutually agreed level of security. ISO 9564 provides principles and techniques to meet these requirements.

ISO 9564 comprises three parts,[1] under the general title of Financial services - Personal Identification Number (PIN) management and security.

Part 1: Basic principles and requirements for PINs in card-based systems

ISO 9564-1:2011[2] specifies the basic principles and techniques of secure PIN management. It includes both general principles and specific requirements.

Basic principles

The basic principles of PIN management include:

PIN entry devices

The standard specifies some characteristics required or recommended of PIN entry devices (also known as PIN pads), i.e. the device into which the customer enters the PIN, including:

Smart card readers

A PIN may be stored in a secure smart card, and verified offline by that card. The PIN entry device and the reader used for the card that will verify the PIN may be integrated into a single physically secure unit, but they do not need to be.

Additional requirements that apply to smart card readers include:

Other specific PIN control requirements

Other specific requirements include:

PIN length

The standard specifies that PINs shall be from four to twelve digits long, noting that longer PINs are more secure but harder to use. It also suggests that the issuer should not assign PINs longer than six digits.

PIN selection

There are three accepted methods of selecting or generating a PIN:

assigned derived PIN: The card issuer generates the PIN by applying some cryptographic function to the account number or other value associated with the customer.
assigned random PIN: The card issuer generates a PIN value using a random number generator.
customer selected PIN: The customer selects the PIN value.

PIN issuance and delivery

The standard includes requirements for keeping the PIN secret while transmitting it, after generation, from the issuer to the customer. These include:

PIN encryption

To protect the PIN during transmission from the PIN entry device to the verifier, the standard requires that the PIN be encrypted, and specifies several formats that may be used. In each case, the PIN is encoded into a PIN block, which is then encrypted by an "approved algorithm", according to part 2 of the standard).

The PIN block formats are:

Format 0

The PIN block is constructed by XOR-ing two 64-bit fields: the plain text PIN field and the account number field, both of which comprise 16 four-bit nibbles.

The plain text PIN field is:

The account number field is:

Format 1

This format should be used where no PAN is available. The PIN block is constructed by concatenating the PIN with a transaction number thus:

Format 2

Format 2 is for local use with off-line systems only, e.g. smart cards. The PIN block is constructed by concatenating the PIN with a filler value thus:

(Except for the format value in the first nibble, this is identical to the plain text PIN field of format 0.)

Format 3

Format 3 is the same as format 0, except that the "fill" digits are random values from 10 to 15, and the first nibble (which identifies the block format) has the value 3.

Extended PIN blocks

Formats 0 to 3 are all suitable for use with the Triple Data Encryption Algorithm, as they correspond to its 64-bit block size. However the standard allows for other encryption algorithms with larger block sizes, e.g. the Advanced Encryption Standard has a block size of 128 bits. In such cases the PIN must be encoding into an extended PIN block, the format of which is defined in a 2015 amendment to ISO 9564-1.[3]

Part 2: Approved algorithms for PIN encipherment

ISO 9564-2:2014[4] specifies which encryption algorithms may be used for encrypting PINs. The approved algorithms are:

Part 3 (withdrawn)

ISO 9564-3 Part 3: Requirements for offline PIN handling in ATM and POS systems,[5] most recently published in 2003, was withdrawn in 2011 and its contents merged into part 1.

Part 4: Requirements for PIN handling in eCommerce for Payment Transactions

ISO 9564-4:2016[6] defines minimum security requirements and practices for the use of PINs and PIN entry devices in electronic commerce.

External links

Notes and References

  1. Parts 1, 2 and 4. Part 3 was withdrawn in 2011.
  2. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54083 ISO 9564-1:2011 Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems
  3. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=61447 ISO 9564-1:2011/Amd 1:2015 Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems AMENDMENT 1
  4. http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=61448 ISO 9564-2:2014 Financial services - Personal Identification Number (PIN) management and security - Part 2: Approved algorithms for PIN encipherment
  5. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=35124 ISO 9564-3:2003 Banking - Personal Identification Number management and security - Part 3: Requirements for offline PIN handling in ATM and POS systems
  6. http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=61246 ISO 9564-4:2016 Financial services - Personal Identification Number (PIN) management and security - Part 4: Requirements for PIN handling in eCommerce for Payment Transactions