ISO 9564-3:2003
Banking — Personal Identification Number management and security — Part 3: Requirements for offline PIN handling in ATM and POS systems
ISO 9564-3:2003 specifies the minimum security measures required for offline PIN handling and a standard means of interchanging PIN data in an offline environment. It is applicable to financial transaction card-originated transactions requiring offline PIN verification and to those institutions responsible for implementing techniques for the management and protection of the PIN at Automated Teller Machines (ATMs) and acquirer sponsored Point-of-Sale (POS) terminals.
Banking — Management and security of the personal identification number — Part 3: Requirements for PIN protection in offline PIN processing in ATM and POS systems
Standards Content (Sample)
INTERNATIONAL STANDARD ISO 9564-3
First edition 2003-11-15
Banking — Personal Identification Number management and security — Part 3: Requirements for offline PIN handling in ATM and POS systems
Banking — Management and security of the personal identification number — Part 3: Requirements for PIN protection in offline PIN processing in ATM and POS systems
Reference number ISO 9564-3:2003(E)
© ISO 2003
ISO 9564-3:2003(E)
© ISO 2003
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents (page)
Foreword iv
Introduction v
1 Scope 1
2 Normative references 2
3 Terms and definitions 2
4 PIN protection during transmission between PED and IC reader 2
5 Physical security 3
6 PIN block format 4
Bibliography 5
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 9564-3 was prepared by Technical Committee ISO/TC 68, Banking, securities and other financial
services, Subcommittee SC 6, Retail financial services.
ISO 9564 consists of the following parts, under the general title Banking — Personal Identification Number
management and security:
Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
Part 2: Approved algorithms for PIN encipherment
Part 3: Requirements for offline PIN handling in ATM and POS systems
Part 4, Best practices for PIN handling in open networks, is under preparation.
Introduction
Financial transaction cards with embedded integrated circuits (IC) have made it technically feasible to perform
PIN verification offline using the IC card. Issuers can now choose whether to have PIN verification performed
online or offline. This part of ISO 9564 provides specific requirements for addressing offline PIN handling.
Offline PIN verification does not require that a cardholder's PIN be sent to the issuer host for verification, and
because of this many security requirements relating to PIN protection over networks are not applicable.
However, many general PIN protection principles and techniques remain applicable even though a PIN may
be verified offline. This part of ISO 9564 restricts itself to requirements relating specifically to the offline nature
of PIN handling and, unless explicitly excluded, the basic principles of PIN management given in ISO 9564-1
are applicable.
ISO 10202 [1] and, in particular, Part 6 of that International Standard, defines security requirements for
cardholder verification using IC cards. It should be noted that ISO 10202 defines requirements for the IC card
itself, rather than for the acquirer IC card acceptance systems, and so can be considered as complementary
to ISO 9564.
INTERNATIONAL STANDARD ISO 9564-3:2003(E)
Banking — Personal Identification Number management and security — Part 3: Requirements for offline PIN handling in ATM and POS systems
1 Scope
This part of ISO 9564 specifies the minimum security measures required for offline Personal Identification
Number (PIN) handling and a standard means of interchanging PIN data in an offline environment.
It is applicable to financial transaction card-originated transactions requiring offline PIN verification, and to
those institutions responsible for implementing techniques for the management and protection of the PIN at
Automated Teller Machines (ATMs) and acquirer sponsored Point-of-Sale (POS) terminals.
This part of ISO 9564 is not applicable to
a) PIN management and security in the online PIN environment, which is covered in ISO 9564-1,
b) approved algorithms for PIN encipherment, which are covered in ISO 9564-2,
c) the use of PINs in an open network environment, which is
...