Issuer PIN Security Guidelines - Visa

More documents

Recommendations

Info

PIN Transmission Objective PINs and associated account data transmitted from one system to another should be protected against disclosure and protect PIN integrity against any party eavesdropping on, or manipulating, the communications link . PIN integrity refers to the integrity of the relationship between the PIN value and any associated information such as user account data or transaction information . Threats • Phone tap/wire tap . (GSM, VoIP, DTMF tones may be in the clear) • Reliance on network encryption (which is not under the application’s control and which may not be present or may use a compromised cryptographic technique) . • Attacks against the cryptographic algorithms used to encipher PIN codes and provide PIN integrity . Guidelines • PINs should be protected during transmission by one or more of the following: – Provision of physical protection – Encryption of the PIN value – Dissociation of the PIN from account data, with the use of an encrypted reference or control number to maintain PIN integrity . • The PIN transmission protocols should be designed such that the introduction of fraudulent messages, or modification of valid messages, does not yield any useful information regarding a PIN . • Enciphered transmission of PINs and associated data should provide PIN integrity • If the PAN is available, PINs should be enciphered using “PIN blocks” according to one of the methods specified in ISO 9564 . Use of ISO PIN block format 3 is recommended • If the PAN is not available, – the encrypted reference or control number uniquely linked to the PAN by the issuer (for example to avoid transmission of the PAN) should be used to construct a PIN block . The construction should provide the same security properties as provided by ISO PIN blocks . – the method used for formatting a PIN block prior to encryption should not enable the PIN to be recovered from the resulting ciphertext (e .g . by using rainbow tables) 2 6 Issuer PIN Security Guidelines Visa Public © 2010 Visa. All Rights Reserved.
• Any cryptographic algorithm used for protecting transmitted PINs, either for purposes of secrecy or integrity, should have a level of security appropriate to the task . This should be assessed according to the relevant international and industry standards (See ISO 11568) and to the current industry best practice . • Unenciphered PIN transmissions should not contain any information that can be directly connected with the cardholder or the account . For example the transmitted PIN should be linked to the PAN of the cardholder account by use of an encrypted reference or control number . . The control number should only be generated by the issuer . • Unenciphered PIN transmission should provide PIN integrity, for example use of a secure PIN mailer for PIN advice by post . Issuer PIN Security Guidelines 2 7 Visa Public © 2010 Visa. All Rights Reserved.
Page 1: Issuer PIN Security Guidelines Nove
Page 5 and 6: Table of Contents Using This Docume
Page 7 and 8: Using This Document Purpose This ma
Page 9 and 10: Issuer Approved PIN Entry • Offli
Page 11 and 12: General PIN Management Guidelines T
Page 13 and 14: PIN Fraud Mitigations Abbreviations
Page 15 and 16: Abbreviation Description PSTN Publi
Page 17 and 18: Term Definition Issuer Approved dev
Page 19 and 20: Term Definition POS Device Any devi
Page 21 and 22: 10 . ISO/IEC 13491: Banking—Secur
Page 23 and 24: Guidelines for Issuer Approved Devi
Page 25 and 26: Personal PIN Entry Devices Provided
Page 27 and 28: Offline PIN Generation Issuer Assig
Page 29 and 30: • The PIN selection system should
Page 31: PIN Verification Values General Gui
Page 35 and 36: issuers PIN storage processes, incl
Page 37 and 38: See the PIN handling device managem
Page 39 and 40: • Transported clear text key comp
Page 41 and 42: PIN Handling Device Management Obje
Page 43 and 44: Cardholder Authentication to PIN Ma
Page 45 and 46: PIN Advice Objective Plaintext PINs
Page 47 and 48: PIN Advice by SMS • The issuer sh
Page 49 and 50: • The control number should be ge
Page 51 and 52: Call Center Use Generation of the C
Page 53 and 54: - The keyboard is controlled by sec
Page 55 and 56: • Cardholders should be informed

Issuer PIN Security Guidelines - Visa

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?