BS ISO 9564-1:2017
Current
The latest, up-to-date edition.
Financial services. Personal Identification Number (PIN) management and security Basic principles and requirements for PINs in card-based systems
Hardcopy , PDF
English
24-11-2017
Important note : Users cannot be edited or removed once added to your Multi user PDF.
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of PIN management
5 PIN handling devices
6 PIN security issues
7 PIN verification
8 Techniques for management/protection of account-related
PIN functions
9 Techniques for management/protection of
transaction-related PIN functions
Annex A (normative) - Destruction of sensitive data
Annex B (informative) - Additional guidelines for the design
of a PIN entry device
Annex C (informative) - Information for customers
Bibliography
Describes the basic principles and techniques which provide the minimum security measures required for effective international PIN management.
| Committee |
IST/12
|
| DevelopmentNote |
Supersedes 09/30201974 DC. (03/2011) Supersedes 13/30275456 DC. (05/2015) Supersedes 15/30323818 DC. (11/2017)
|
| DocumentType |
Standard
|
| Pages |
42
|
| PublisherName |
British Standards Institution
|
| Status |
Current
|
| Supersedes |
This document specifies the basic principles and techniques which provide the minimum security measures required for effective international PIN management. These measures are applicable to those institutions responsible for implementing techniques for the management and protection of PINs during their creation, issuance, usage and deactivation. This document is applicable to the management of cardholder PINs for use as a means of cardholder verification in retail banking systems in, notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems. It is applicable to issuer and interchange environments. The provisions of this document are not intended to cover: PIN management and security in environments where no persistent cryptographic relationship exists between the transaction-origination device and the acquirer, e.g. use of a browser for online shopping (for these environments, see ISO9564‑4 ); protection of the PIN against loss or intentional misuse by the customer; privacy of non-PIN transaction data; protection of transaction messages against alteration or substitution; protection against replay of the PIN or transaction; specific key management techniques; offline PIN verification used in contactless devices; requirements specifically associated with PIN management as it relates to multi-application functionality in an ICC.
| Standards | Relationship |
| ISO 9564-1:2017 | Identical |
| ISO/IEC 18031:2011 | Information technology Security techniques Random bit generation |
| ISO 13491-2:2017 | Financial services — Secure cryptographic devices (retail) — Part 2: Security compliance checklists for devices used in financial transactions |
| ISO/IEC 7813:2006 | Information technology Identification cards Financial transaction cards |
| ISO 13491-1:2016 | Financial services — Secure cryptographic devices (retail) — Part 1: Concepts, requirements and evaluation methods |
| EN 1332-3:2008 | Identification card systems - Man-machine interface - Part 3: Keypads |
| ISO 16609:2012 | Financial services — Requirements for message authentication using symmetric techniques |
| ISO/IEC 7812-1:2017 | Identification cards — Identification of issuers — Part 1: Numbering system |
| ISO 9564-2:2014 | Financial services — Personal Identification Number (PIN) management and security — Part 2: Approved algorithms for PIN encipherment |
| ISO 9564-4:2016 | Financial services — Personal Identification Number (PIN) management and security — Part 4: Requirements for PIN handling in eCommerce for Payment Transactions |
Access your standards online with a subscription
Features
-
Simple online access to standards, technical information and regulations.
-
Critical updates of standards and customisable alerts and notifications.
-
Multi-user online standards collection: secure, flexible and cost effective.