AS 2805.3.2-2008

1 - AS 2805.3.2-2008 ELECTRONIC FUNDS TRANSFER-REQUIREMENTS FOR INTERFACES - PIN MANAGEMENT AND SECURITY-OFFLINE
4 - PREFACE
6 - CONTENTS
7 - FOREWORD
8 - 1 SCOPE
8 - 2 APPLICATION
9 - 3 REFERENCED DOCUMENTS
9 - 4 DEFINITIONS
9 - 4.1 Acquirer
9 - 4.2 Cipher text
9 - 4.3 Encipherment
9 - 4.4 Encryption algorithm
9 - 4.5 Integrated Circuit Card (ICC)
9 - 4.6 Personal identification number (PIN)
9 - 4.7 PIN block
9 - 4.8 Plain text
10 - 5 BASIC PRINCIPLES OF PIN MANAGEMENT
10 - 6 PIN PROTECTION DURING TRANSMISSION BETWEEN PED AND ICC READER
11 - 7 SECURITY REQUIREMENTS
12 - 8 PIN BLOCK FORMAT
12 - 8.1 General
12 - 8.2 Format 2 PIN block
12 - 9 PHYSICAL SECURITY
12 - 9.1 Physical security for PIN entry devices
12 - 9.2 Physically secure device
13 - 9.3 Physically secure environment
13 - 9.4 PIN entry device requirements

Specifies requirements for addressing offline PIN management using IC cards.

This Standard specifies the minimum security measures required for PIN management in an off-line environment. It is applicable to financial transaction card originated transactions requiring offline PIN verification by an IC card and to those institutions responsible for implementing techniques for the management and protection of the PIN at Automated Teller Machines (ATM) and Point-of-Sale (POS) terminals. The provisions of this part of AS 2805.3 are not intended to cover:(a) PIN management and security in the online PIN environment, which is covered in AS 2805.3.1.(b) The protection of the PIN against loss or intentional misuse by the customer or authorized employees of the issuer or their agents.(c) Privacy of non-PIN transaction data.(d) Protection of transaction messages against alteration or substitution, e.g. an online authorisation response.(e) Protection against replay of the PIN or transaction.(f) Specific key management techniques.(g) The decision as to whether the IC card is to receive the PIN enciphered.(h) Contactless IC cards. Requirements associated with multi-application IC cards are considered to be the responsibility of the issuer and are not included in this Standard. This Standard is described in terms applicable to IC card technology, however this language is not meant to restrict the applicability of this part to IC card technology.

Originated as part of AS 2805.3-1985.
Previous edition part of AS 2085.3-2000.
Revised in part and redesignated AS 2805.3.2-2008.