
AS 2805.3-2000

Superseded

A superseded Standard is one that has been fully replaced by another Standard that is a new edition of the same Standard.

Electronic funds transfer - Requirements for interfaces - PIN management and security

Available format(s)

Hardcopy, PDF 1 User, PDF 3 Users, PDF 5 Users, PDF 9 Users

Superseded date

25-07-2024

Language(s)

English

Published date

01-01-2000

€65.33
Excluding VAT

1 - AS 2805.3-2000 ELECTRONIC FUNDS TRANSFER - REQUIREMENTS FOR INTERFACES - PIN MANAGEMENT AND SECURITY
4 - PREFACE
5 - CONTENTS
6 - FOREWORD
7 - 1 SCOPE
7 - 2 APPLICATION
7 - 3 REFERENCED DOCUMENTS
8 - 4 DEFINITIONS
8 - 4.1 Acquirer
8 - 4.2 Algorithm
8 - 4.3 Authentication
8 - 4.4 Block encipherment
8 - 4.5 Card acceptor
8 - 4.6 Card issuer
8 - 4.7 Cardholder
8 - 4.8 Cipher text
8 - 4.9 Compromise
8 - 4.10 Cryptographic key
8 - 4.11 Data encipherment algorithm 3 (DEA 3)
8 - 4.12 Decipherment
8 - 4.13 Dual control
8 - 4.14 Encipherment
9 - 4.15 Financial institution
9 - 4.16 Identification
9 - 4.17 Interchange
9 - 4.18 Irreversible encipherment
9 - 4.19 Irreversible transformation of a key
9 - 4.20 Modulo 2 addition
9 - 4.21 Node
9 - 4.22 Notarization
9 - 4.23 Offset
9 - 4.24 Parity
9 - 4.25 Parity bit
9 - 4.26 Personal identification number (PIN)
9 - 4.27 PIN assignment
9 - 4.28 PIN issuance
9 - 4.29 PIN offset
10 - 4.30 PIN verification
10 - 4.31 Plain text
10 - 4.32 Point of service (POS)
10 - 4.33 Primary account information
10 - 4.34 Primary account number (PAN)
10 - 4.35 Pseudo-random
10 - 4.36 Reversible encipherment
10 - 4.37 Secure cryptographic device (SCD)
10 - 4.38 Transaction PIN
10 - 4.39 True random
10 - 4.40 Variant of a key
10 - 5 SECURITY
10 - 5.1 General
10 - 5.2 Transmission and storage
11 - 5.3 PIN accessibility
11 - 5.4 Verbal communications
11 - 5.5 Insecure devices
11 - 5.6 Record of transactions containing PIN data
11 - 6 PIN GENERATION AND ASSIGNMENT
11 - 6.1 General
11 - 6.2 Assigned derived PIN
11 - 6.3 Assigned random PIN
12 - 6.4 Customer selected PIN
12 - 7 PIN DELIVERY AND ISSUANCE
12 - 7.1 PIN mailing to customer
12 - 7.2 Delivery of customer selected PIN
13 - 7.3 PIN change
14 - 8 PIN ACTIVATION
14 - 9 PIN STORAGE
14 - 10 PIN ENTRY TECHNIQUES
14 - 10.1 General
15 - 10.2 PIN entry device considerations
17 - 11 PIN VERIFICATION
17 - 12 PIN TRANSMISSION
17 - 12.1 General
17 - 12.2 Network nodes or subsystems
17 - 12.3 Cryptographic PIN security
18 - 13 PIN BLOCK FORMATS AND CONSTRUCTION
18 - 13.1 Standard PIN block formats
18 - 13.2 PIN block construction
20 - 13.3 Cipher text PIN format
20 - 13.4 Other PIN block formats
20 - 14 PIN DEACTIVATION
21 - APPENDIX A - OVERVIEW
21 - A1 PIN MANAGEMENT FOR SECURITY
21 - A1.1 General
21 - A1.2 Obligations
21 - A1.3 Example
22 - A1.4 Problems
22 - A2 RISK ASSESSMENT
23 - A3 POSSIBLE FRAUD THREATS IN THE EVENT OF PIN DISCLOSURES
23 - A3.1 General
23 - A3.2 Lost or stolen cards
23 - A3.3 Counterfeit cards (‘mass fraud’)
24 - A4 DETERMINATION OF PIN FOR FRAUDULENT USE
24 - A4.1 General
24 - A4.2 Card-issuing institution
24 - A4.3 PIN delivery system
25 - A4.4 Customer
25 - A4.5 EFT system
26 - A5 RELATIVE RISKS
27 - APPENDIX B - EXAMPLE OF PIN DERIVATION METHOD
28 - APPENDIX C - INFORMATION FOR CUSTOMERS

Specifies minimum requirements for protecting the personal identification number (PIN), used as a means of verifying the identity of a customer within an electronic funds transfer (EFT) network, against unauthorized disclosure, compromise, and misuse throughout its life cycle, and in so doing, to minimize the risk of fraud occurring within EFT systems.

Committee: IT-005
Document type: Standard
ISBN: 0 7337 3357 3
Pages: 22
Publisher: Standards Australia
Status: Superseded

This Standard specifies the minimum security measures required for effective PIN management. Standard means of interchanging PIN data are provided. This Standard does not cover the following:

(a) The protection of the PIN against loss or intentional misuse by the customer or authorized employees of the issuer.
(b) Privacy of non-PIN transaction data (see AS 2805.9).
(c) Protection of transaction messages against alteration or substitution, e.g. an authorization response to a PIN verification (see AS 2805.4).
(d) Protection against replay of the PIN or transaction.
(e) Specific key management techniques (see AS 2805.6 series).
(f) PIN management and security for transactions conducted using integrated circuit cards (ICC).
(g) The use of asymmetric encipherment algorithms for PIN management.
NOTE: For a detailed discussion on the need for personal identification number (PIN) protection, see Appendix A.
(h) Physical and logical security (see AS 2805.14.1).

NOTE: Further information on PIN management for security is given in Appendices A and C.

First published as AS 2805.3-1985.
Second edition 2000.

AS 2805.5.4-2000 Electronic funds transfer - Requirements for interfaces - Ciphers - Data encipherment algorithm 3 (DEA 3) and related techniques
AS 3523-1988 Identification cards - Numbering system and registration procedure for issuer identifiers
AS 2805.5.2-1992 Electronic funds transfer - Requirements for interfaces - Ciphers - Modes of operation for an n-bit block cipher algorithm
AS 2805.9-1991 Electronic funds transfer - Requirements for interfaces - Privacy of communications
AS 2805.9-2000 Electronic funds transfer - Requirements for interfaces - Privacy of communications (Reconfirmed 2013)
AS 2805.14.1-2000 Electronic funds transfer - Requirements for interfaces - Secure cryptographic devices (retail) - Concepts, requirements and evaluation methods
AS 2805.4-1985 Electronic funds transfer - Requirements for interfaces - Message authentication

AS 2805.6.3-2000 Electronic funds transfer - Requirements for interfaces - Key management - Session keys - Node to node (Reconfirmed 2013)
AS 2805.6.6-2006 Electronic funds transfer - Requirements for interfaces - Key management - Session keys - Node to node with KEK replacement
AS 2805.6.2-2002 Electronic funds transfer - Requirements for interfaces - Key management - Transaction keys (Reconfirmed 2013)
AS 3769-1990 Automatic teller machines - User access
AS 2805.8-1986 Electronic funds transfer - Requirements for interfaces - Financial institution message content
AS 2805.6.1-2002 Electronic funds transfer - Requirements for interfaces - Key management - Principles
AS 2805.7-1986 Electronic funds transfer - Requirements for interfaces - POS message content
AS 2805.6.4-2001 Electronic funds transfer - Requirements for interfaces - Key management - Session keys - Terminal to acquirer
AS 2805.6.4-2006 Electronic funds transfer - Requirements for interfaces - Key management - Session keys - Terminal to acquirer
