Issuer PIN Security Guidelines - Visa
Issuer PIN Security Guidelines - Visa
Issuer PIN Security Guidelines - Visa
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Cardholder Authentication to <strong>PIN</strong> Management Systems<br />
<strong>Issuer</strong>s that allow cardholders to remotely manage their <strong>PIN</strong>s via the internet or<br />
IVR may authenticate cardholders by providing credentials to a <strong>PIN</strong> management<br />
system . Vulnerabilities in these systems could lead to <strong>PIN</strong> compromise .<br />
Objective Cardholder access to <strong>PIN</strong> management functionality that enables a <strong>PIN</strong> to be<br />
revealed or changed should use a high assurance authentication mechanism .<br />
The implementation should ensure that this can be done in a way that<br />
minimizes the risk of exposure of the <strong>PIN</strong> and associated account data .<br />
Threats • If the credentials for accessing the <strong>PIN</strong> management system are the same as<br />
those displayed on the cardholder payment device, an attacker with access to<br />
the device could impersonate a cardholder to access the system .<br />
• The channel used to access the <strong>PIN</strong> management systems may be<br />
compromised .<br />
– For example malware installed on a PC or installed to a mobile (root kits,<br />
sniffers and keystroke loggers, MITB, MITM) may retrieve cardholder<br />
data . Credentials can be recorded and transmitted to fraudsters .<br />
– DNS poisoning may lead to pharming attacks where the cardholder<br />
browser is redirected to a fraudulent website .<br />
• Displayed cardholder data may be surfed or screen scraped .<br />
• Vishing or SMSishing may be used to socially engineer the cardholder into<br />
entering credentials into a malicious application .<br />
• Calling line identification can be spoofed .<br />
• Calls to a nominated mobile number can be maliciously forwarded to another<br />
number without the cardholder’s knowledge .<br />
• A fraudster may impersonate the customer at an issuer branch and present<br />
forged documents to inexperienced issuer personnel .<br />
• If unsolicited <strong>PIN</strong> management requests from the issuer to cardholders are<br />
possible, for example via call-center, email or SMS, a cardholder may be<br />
socially engineered into revealing login credentials .<br />
<strong>Guidelines</strong> • Cardholders should be provided with a means to determine that a dialogue<br />
with the issuer is genuine .<br />
• Cardholder authentication credentials should not be based on information<br />
that is publicly available .<br />
• Cardholder authentication credentials should not enable a specific cardholder<br />
account to be determined from them .<br />
<strong>Issuer</strong> <strong>PIN</strong> <strong>Security</strong> <strong>Guidelines</strong> 3 7<br />
<strong>Visa</strong> Public © 2010 <strong>Visa</strong>. All Rights Reserved.