ISO 9564-1:2011 pdf free download – Financial services – Personal Identification Number (PIN) management and security – Part 1: Basic principles and requirements for PINs in card-based systems

02-10-2022

Systems used in PIN processing shall be implemented in such a way that the following are assured.
a) The hardware and software are correctly performing their designed function and only their designed function.
b) The hardware and software cannot be modified or accessed without detection and/or disabling.
c) Information cannot be fraudulently accessed or modified without detection and rejection of the attempt.
d) The system is not capable of being used or misused to determine a PIN by exhaustive trial and error.
e) Any PIN management device (e.g. host security modules) handling clear text PINs conforms to the requirements of Secure Cryptographic Devices with PIN management functionality, as specified in ISO 13491-2:2005, Annex C.
f) Output of any sensitive information used in the selection, calculation or encipherment of the PIN is controlled during use, delivery, conveyance, submission, transmission, storage and disposal.
g) Except when the PIN is to be sent to the IC card in clear text, the PIN is enciphered immediately upon entry into the PED (PIN entry device).
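Requirement d) above is usually met by bounding the number of verification attempts per account. The following is an added example, not text or code from ISO 9564-1, of a minimal PIN verifier that enforces such a bound; the class name, the limit of three tries, the use of PBKDF2 as a stand-in for an issuer's PIN verification method, and the sample account data are all assumptions made for this illustration.

```python
"""Added example (not from ISO 9564-1): a PIN verifier that bounds the number of
attempts per account so the service cannot be driven to find a PIN by exhaustive
trial and error. All names, limits and sample data are constructed."""
import hashlib
import hmac
import secrets

MAX_TRIES = 3  # assumption: a small fixed bound, as an issuer might configure


class PinVerifier:
    def __init__(self) -> None:
        # account -> [salt, derived reference value, remaining tries]
        self._accounts: dict[str, list] = {}

    @staticmethod
    def _derive(salt: bytes, pin: str) -> bytes:
        # PBKDF2 stands in for the issuer's reference-PIN protection; the clear
        # reference PIN itself is never kept, only a salted derived value.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol(self, account: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[account] = [salt, self._derive(salt, pin), MAX_TRIES]

    def remaining_tries(self, account: str) -> int:
        rec = self._accounts.get(account)
        return rec[2] if rec else 0

    def verify(self, account: str, pin: str) -> bool:
        rec = self._accounts.get(account)
        if rec is None:
            return False
        salt, reference, tries = rec
        if tries <= 0:
            return False  # locked: no further guesses are evaluated at all
        # Decrement before comparing, so an interrupted attempt still counts.
        rec[2] = tries - 1
        if hmac.compare_digest(self._derive(salt, pin), reference):
            rec[2] = MAX_TRIES  # a correct PIN resets the counter
            return True
        return False


def demo() -> dict:
    """Constructed scenario: three wrong guesses lock the account, after which
    even the correct PIN is refused until the issuer unlocks it."""
    v = PinVerifier()
    v.enrol("acct-constructed-1", "1234")
    wrong = [v.verify("acct-constructed-1", p) for p in ("0000", "1111", "2222")]
    locked_out = v.verify("acct-constructed-1", "1234")
    v.enrol("acct-constructed-2", "5678")
    fresh_ok = v.verify("acct-constructed-2", "5678")
    return {
        "wrong_results": wrong,
        "locked_out_correct_pin": locked_out,
        "tries_left_locked": v.remaining_tries("acct-constructed-1"),
        "fresh_ok": fresh_ok,
        "tries_left_fresh": v.remaining_tries("acct-constructed-2"),
    }


if __name__ == "__main__":
    print(demo())
```

The counter is decremented before the comparison and only reset on success, so that aborting a transaction part-way cannot be used to retry without consuming an attempt; a production system would hold this state inside the secure cryptographic device rather than in host memory.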
6.1.2 Recording media
Any recording media containing data from which a plain text PIN might be determined shall be rendered unreadable or physically destroyed immediately after use (see Annex A).
6.1.3 Oral communications
No procedure shall require or permit oral communication of the plain text PIN, either in person or by a person over the telephone.
An institution shall never permit its employees to ask a customer to disclose the PIN or to recommend specific values.
6.1.4 Telephone keypads
Procedures of an institution shall not permit entry of the plain text PIN through a keypad of a telephone at any time in the PIN life cycle, unless the telephone device is designed and constructed to meet the requirements specified in 5.1 for PIN entry devices and 9.2 for PIN transmission.
6.2 PIN encipherment
If it is necessary to encipher a PIN (see 9.2), this shall be accomplished using one of the approved algorithms specified in ISO 9564-2.
Different encipherment keys shall be used to protect the reference PIN and the transaction PIN.
Symmetric PIN encipherment keys may be used in online and offline PIN verification systems. Symmetric PIN encipherment keys shall not be used for any other cryptographic purpose.
Asymmetric PIN encipherment is only permitted in offline PIN verification systems. Asymmetric PIN encipherment keys should not be used for any other cryptographic purpose.
The adopted encipherment procedure shall ensure that the encipherment of a plain text PIN value using a particular cryptographic key does not predictably produce the same enciphered value when the same PIN value is associated with different accounts.
NOTE A format 2 PIN block does not meet this requirement without additional protection mechanisms.
Key management practices associated with PIN encipherment shall comply with the requirements of ISO 11568 (all parts).
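The requirement that the same PIN on different accounts must not encipher to the same value, and the NOTE that a format 2 PIN block fails it, can be seen by building the blocks. The following is an added example, not from the standard: it forms ISO 9564 format 0 blocks (PIN field XORed with a field derived from the PAN) and format 2 blocks (PIN field only, no account binding) and enciphers both under one key. The keyed hash used as the "cipher" is only a deterministic stand-in for the approved algorithms of ISO 9564-2, and the key and PANs are constructed sample values.

```python
"""Added example (not from ISO 9564): format 0 versus format 2 PIN blocks and
why only the account-bound format 0 block satisfies the per-account requirement.
The encipher() function is a stand-in for an ISO 9564-2 approved cipher."""
import hashlib
import hmac


def pin_field(fmt: int, pin: str) -> bytes:
    """Control nibble (format), PIN length nibble, PIN digits, F padding to 16 hex digits."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"{fmt:X}{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    """0000 followed by the 12 rightmost PAN digits, excluding the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def format0_block(pin: str, pan: str) -> bytes:
    # Format 0: PIN field XOR PAN field, so the block depends on the account.
    return bytes(a ^ b for a, b in zip(pin_field(0, pin), pan_field(pan)))


def format2_block(pin: str) -> bytes:
    # Format 2: PIN field only; intended for the offline path to the IC card.
    return pin_field(2, pin)


def encipher(key: bytes, block: bytes) -> bytes:
    # Stand-in for TDEA/AES from ISO 9564-2: deterministic, 8-byte output.
    return hmac.new(key, block, hashlib.sha256).digest()[:8]


def same_pin_two_accounts(key: bytes, pin: str, pan_a: str, pan_b: str) -> dict:
    """Does enciphering the same PIN for two accounts give identical values?"""
    f0_same = encipher(key, format0_block(pin, pan_a)) == encipher(key, format0_block(pin, pan_b))
    f2_same = encipher(key, format2_block(pin)) == encipher(key, format2_block(pin))
    return {"format0_identical": f0_same, "format2_identical": f2_same}


if __name__ == "__main__":
    # Constructed sample key and PANs (not real cards).
    KEY = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
    print(format0_block("1234", "4000001234567899").hex())  # 041234fedcba9876
    print(format2_block("1234").hex())                      # 241234ffffffffff
    print(same_pin_two_accounts(KEY, "1234", "4000001234567899", "4000009876543215"))
```

Because the format 2 block carries no account information, every account with PIN 1234 produces the same block and therefore the same enciphered value under a given key, which is exactly what the NOTE warns about; format 0 (and format 3) bind the block to the PAN, so the enciphered value differs per account even though the PIN and key are the same.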
