Issuer PIN Security Guidelines - Visa

More documents

Recommendations

Info

• Reduce PIN management as a target for fraudsters by maintaining separation of the PIN from associated account data used for payment transaction processing throughout the PIN management processes . • Ensure that PINs are protected during processing, transmission and storage by one or more of the following: – Provision of physical protection – Encryption of the PIN – Use of separate HSMs for Issuer vs . Acquirer functionality – Use of an encrypted reference or control number to indirectly link the PIN to the PAN when the two items of data must be transmitted separately . – Issuers should ensure that their PIN management system prevents the PIN from being stored wherever it is received while under issuer responsibility . PIN mailers, SMS messages and emails are vulnerable and their content should be constructed to meet the PIN Generation, General Guidelines section . • Conduct employee monitoring with respect to accessing cardholder data . Routine monitoring can help determine if employees are accessing cardholder records when there is no need to do so, for example accessing an unusual amount of cardholder records, or asking for cardholders’ PINs . • Provide guidance on safe PIN management to cardholders when the account is first opened, and at least annually, for example: – Never share your PIN with anyone . – Select a PIN that cannot be easily guessed (i .e ., do not use birth date, partial account numbers, sequential numbers like 1234, or repeated values such as 1111) . – Memorize your PIN . Do not write it down on your card or keep it on a piece of paper in your wallet . – Do not use your PIN as a password for other bank and non-bank services . – Be aware of others nearby when entering your PIN at an ATM or point of sale . – Check your monthly statements for unauthorized charges • Regularly insert a PIN security reminder into cardholder statements and promote cardholder awareness of ‘phishing’ and other social engineering attacks . • Issuers, member/client service providers and vendors providing any PIN management service should refer to brands for any mandates that apply to the service . 6 Issuer PIN Security Guidelines Visa Public © 2010 Visa. All Rights Reserved.
PIN Fraud Mitigations Abbreviations • Apply risk factors to ATM withdrawal limit assignments: – Establish an expanded range of higher POS spending and ATM withdrawal limit tiers in combination with an ongoing limit upgrade program that is aligned with customer risk, as well as deposit classification/value . This strategy can promote higher penetration, spending, and usage for more credit-worthy customers, while minimizing risk exposure . – Review requests for higher ATM withdrawal limits at an individual cardholder level . Customer demand for higher ATM withdrawal limits is relatively small and should be satisfied by permitting individually-raised ATM withdrawal limits on a case-by-case basis . • Apply cashback amounts to the ATM withdrawal limit . The cashback portion of a POS PIN transaction should always be applied toward the cardholder ATM withdrawal limit . • Ensure that quasi-cash is categorized as cash and applied to the ATM withdrawal limit . The total amount of a quasi-cash transaction should also be applied to the ATM withdrawal limit . Abbreviation Description ANSI American National Standards Institute ATM Automated Teller Machine AVR Automated Voice Response AVS Address Verification System BIN Bank Identification Number CAM Card Authentication Method CAP Chip Authentication Program CAST Compliance Assessment Security Testing CNP Card Not Present CVC Card Validation Code CVM Cardholder Verification Method CVV Card Verification Value DES Data Encryption Standard DNS Domain Name Server DSS Data Security Standard Issuer PIN Security Guidelines 7 Visa Public © 2010 Visa. All Rights Reserved.
Page 1: Issuer PIN Security Guidelines Nove
Page 5 and 6: Table of Contents Using This Docume
Page 7 and 8: Using This Document Purpose This ma
Page 9 and 10: Issuer Approved PIN Entry • Offli
Page 11: General PIN Management Guidelines T
Page 15 and 16: Abbreviation Description PSTN Publi
Page 17 and 18: Term Definition Issuer Approved dev
Page 19 and 20: Term Definition POS Device Any devi
Page 21 and 22: 10 . ISO/IEC 13491: Banking—Secur
Page 23 and 24: Guidelines for Issuer Approved Devi
Page 25 and 26: Personal PIN Entry Devices Provided
Page 27 and 28: Offline PIN Generation Issuer Assig
Page 29 and 30: • The PIN selection system should
Page 31 and 32: PIN Verification Values General Gui
Page 33 and 34: • Any cryptographic algorithm use
Page 35 and 36: issuers PIN storage processes, incl
Page 37 and 38: See the PIN handling device managem
Page 39 and 40: • Transported clear text key comp
Page 41 and 42: PIN Handling Device Management Obje
Page 43 and 44: Cardholder Authentication to PIN Ma
Page 45 and 46: PIN Advice Objective Plaintext PINs
Page 47 and 48: PIN Advice by SMS • The issuer sh
Page 49 and 50: • The control number should be ge
Page 51 and 52: Call Center Use Generation of the C
Page 53 and 54: - The keyboard is controlled by sec
Page 55 and 56: • Cardholders should be informed

Issuer PIN Security Guidelines - Visa

Create successful ePaper yourself

Delete template?

Save as template?