Issuer PIN Security Guidelines - Visa
Issuer PIN Security Guidelines - Visa
Issuer PIN Security Guidelines - Visa
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
– The keyboard is controlled by secure logic .<br />
• The terminal should be designed to ensure that <strong>PIN</strong> management<br />
data, cannot be accessed by an application that has been loaded in an<br />
unauthorised way .<br />
• The terminal should provide a “clear” key to correct single digit errors during<br />
<strong>PIN</strong> entry .<br />
• The terminal should be equipped with a privacy shield .<br />
• If CCTV is used within the issuer location it should not be able to observe<br />
<strong>PIN</strong> entry .<br />
• The terminal and the operational environment should provide protection<br />
against exhaustive <strong>PIN</strong> searches, e .g . by the terminal blocking itself or being<br />
blocked after a suspiciously high proportion of incorrect <strong>PIN</strong>s attempts .<br />
<strong>PIN</strong> change by mail<br />
• Cardholder <strong>PIN</strong> change by mail should use the same process as cardholder<br />
selected <strong>PIN</strong> by mail .<br />
IVR <strong>PIN</strong> change<br />
• See section on IVR <strong>PIN</strong> advice .<br />
<strong>PIN</strong> change using the internet<br />
• See section on <strong>PIN</strong> advice using the internet<br />
Offline <strong>PIN</strong> change<br />
• The <strong>PIN</strong> change protocol should support synchronisation of the off-line and<br />
on-line <strong>PIN</strong> (when an on-line <strong>PIN</strong> exists) by recognizing exception conditions<br />
such as time-outs .<br />
• Unless the protocol demonstrates that both the on-line and the off-line<br />
<strong>PIN</strong>s have been changed successfully, the offline <strong>PIN</strong> value should roll back<br />
(where possible) to the original <strong>PIN</strong> value .<br />
• Transaction protocols at ATMs should ensure that the on-line and off-line<br />
<strong>PIN</strong>s are always aligned . Thus, any failures, such as “time-outs” will result in<br />
a “roll-back” to the original <strong>PIN</strong> .<br />
• If an on-line <strong>PIN</strong> update has been completed, but the off-line <strong>PIN</strong> update has<br />
not been completed for any reason there is the risk that the on-line and offline<br />
<strong>PIN</strong> values are not synchronised . <strong>Issuer</strong>s should implement procedures<br />
to identify such a condition when it occurs and to display appropriate<br />
instructions to the cardholder .<br />
<strong>Issuer</strong> <strong>PIN</strong> <strong>Security</strong> <strong>Guidelines</strong> 4 7<br />
<strong>Visa</strong> Public © 2010 <strong>Visa</strong>. All Rights Reserved.