Issuer PIN Security Guidelines - Visa
Call Center Use
Generation of the Control/Reference Number Linked to the PAN
• Any involvement of a Customer Service Representative (CSR) should respect the principles of PIN advice by IVR and should not request the cardholder’s name or account number.
• The IVR system taking part in the PIN advice call should have no way of associating a PIN advice call to the calling telephone number.
• Cardholder PIN advice may be treated as equivalent to card activation.
• The security of PIN advice by IVR is based on the premise that no individual can associate a control number with a specific account.
• Payment-system brand requirements may apply to third parties outsourced to perform the service.
• An issuer should ensure that the association of cardholder authentication credential with the control number does not weaken the principle that the control number cannot be used to determine a specific account.
• Cardholder authentication should not be performed by the IVR system. It should be performed by a separate back end issuer host system and only after the control number is re-associated with the specific account.
• Issuers should ensure that call-center services are unable to divert PIN or sensitive cardholder information to an unauthorized destination for later retrieval.
• Where possible, call center personnel activity should be analyzed against compromised cardholder accounts processed by the personnel.
• Call center personnel should not request a cardholder to divulge their PIN in an oral or written manner.
• Any cryptographic key used to generate the control number should not be used for any other purpose.
• Any cryptographic keys to generate the control number should be managed in accordance with the PIN related Key management section.
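The separation these bullets describe, as an added Python example that is not part of the Visa document: the host alone generates control numbers under a dedicated key and re-associates them with the account before authenticating, while the IVR leg keeps no PAN, name or caller number. The class and method names, the HMAC-SHA256 construction, the 10-digit length and the rule that a failed attempt invalidates the number are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DIGITS = 10  # assumed control-number length


class IssuerHost:
    """Back-end host: the only component able to map a control number to a PAN."""

    def __init__(self):
        self._control_key = secrets.token_bytes(32)  # dedicated to control numbers only
        self._pending = {}           # control number -> (PAN, credential)
        self.advised_accounts = []   # PANs for which PIN advice was released

    def issue_control_number(self, pan, credential):
        while True:
            nonce = secrets.token_bytes(16)  # fresh per issuance: no fixed PAN-to-number mapping
            mac = hmac.new(self._control_key, nonce + pan.encode(), hashlib.sha256).digest()
            number = f"{int.from_bytes(mac[:8], 'big') % 10**DIGITS:0{DIGITS}d}"
            if number not in self._pending:
                self._pending[number] = (pan, credential)
                return number

    def pin_advice(self, control_number, credential):
        # Re-associate first; the number is single use, so a failed attempt burns it.
        entry = self._pending.pop(control_number, None)
        if entry is None:
            return False
        pan, expected = entry
        # Authenticate only after re-association (stand-in for the host's real check).
        if not hmac.compare_digest(credential.encode(), expected.encode()):
            return False
        self.advised_accounts.append(pan)
        return True


class IvrFrontEnd:
    """IVR leg: relays keypad input; holds no PAN, name or caller number."""

    def __init__(self, host):
        self._host = host
        self.call_log = []

    def handle_call(self, caller_number, control_number, credential):
        # caller_number is dropped here, so no record links the call to a phone line.
        self.call_log.append({"event": "pin_advice_call"})
        return self._host.pin_advice(control_number, credential)
```

Because the nonce is discarded after issuance, the control number cannot be recomputed from the PAN even by someone holding the key; the host's pending table is the only link back to the account.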
Visa Public © 2010 Visa. All Rights Reserved.