iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO 9564-1:2017

(Main)

Financial services — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for PINs in card-based systems

Financial services — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for PINs in card-based systems

ISO 9564-1:2017 specifies the basic principles and techniques which provide the minimum security measures required for effective international PIN management. These measures are applicable to those institutions responsible for implementing techniques for the management and protection of PINs during their creation, issuance, usage and deactivation. ISO 9564-1:2017 is applicable to the management of cardholder PINs for use as a means of cardholder verification in retail banking systems in, notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems. It is applicable to issuer and interchange environments. The provisions of ISO 9564-1:2017 are not intended to cover: a) PIN management and security in environments where no persistent cryptographic relationship exists between the transaction-origination device and the acquirer, e.g. use of a browser for online shopping (for these environments, see ISO 9564-4); b) protection of the PIN against loss or intentional misuse by the customer; c) privacy of non-PIN transaction data; d) protection of transaction messages against alteration or substitution; e) protection against replay of the PIN or transaction; f) specific key management techniques; g) offline PIN verification used in contactless devices; h) requirements specifically associated with PIN management as it relates to multi-application functionality in an ICC.

Services financiers — Gestion et sécurité du numéro personnel d'identification (PIN) — Partie 1: Principes de base et exigences relatifs aux PINs dans les systèmes à carte

General Information

Status
Published
Publication Date
01-Nov-2017
ICS
35.240.40 - IT applications in banking
Technical Committee
ISO/TC 68/SC 2 - Financial Services, security
Drafting Committee
ISO/TC 68/SC 2/WG 13 - Security in retail banking
Current Stage
9092 - International Standard to be revised
Due Date
05-Nov-2024
Completion Date
05-Nov-2024
Ref Project

Relations

Revises
ISO 9564-1:2011/Amd 1:2015 - Financial services — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for PINs in card-based systems — Amendment 1
Effective Date
05-Nov-2015
Revises
ISO 9564-1:2011 - Financial services — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for PINs in card-based systems
Effective Date
05-Nov-2015

Buy Standard

ISO 9564-1:2017 - Financial services -- Personal Identification Number (PIN) management and securityISO 9564-1:2017 - Financial services -- Personal Identification Number (PIN) management and security
PreviousNext
Standard
ISO 9564-1:2017 - Financial services -- Personal Identification Number (PIN) management and security
English language
32 pages
sale 15% off
Preview
sale 15% off
Preview

Related Packages

ISO 9564 - Banking Personal Identification Number Package
ISO 9564 - Banking Personal Identification Number Package
3 documents

Standards Content (Sample)


INTERNATIONAL ISO
STANDARD 9564-1
Fourth edition
2017-11
Financial services — Personal
Identification Number (PIN)
management and security —
Part 1:
Basic principles and requirements for
PINs in card-based systems
Services financiers — Gestion et sécurité du numéro personnel
d'identification (PIN) —
Partie 1: Principes de base et exigences relatifs aux PINs dans les
systèmes à carte
Reference number
©
ISO 2017
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2017 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Basic principles of PIN management . 5
4.1 General . 5
4.2 Principles . 5
5 PIN handling devices . 6
5.1 PIN handling device security requirements . 6
5.2 Physical security for IC readers . 7
5.3 PIN entry device characteristics . 7
5.3.1 Character set . 7
5.3.2 Character representation . 7
6 PIN security issues . 7
6.1 PIN control requirements . 7
6.1.1 PIN processing systems . 7
6.1.2 Recording media . 8
6.1.3 Oral communications . 8
6.1.4 Telephone keypads . 8
6.2 PIN encipherment . 8
7 PIN verification . 9
7.1 General . 9
7.2 Online PIN verification . 9
7.3 Offline PIN verification . 9
8 Techniques for management/protection of account-related PIN functions.9
8.1 PIN length . 9
8.2 PIN establishment . 9
8.2.1 PIN establishment techniques . 9
8.2.2 Assigned derived PIN . 9
8.2.3 Assigned random PIN .10
8.2.4 Customer-selected PIN .10
8.3 PIN issuance and delivery to the cardholder .10
8.4 PIN selection .10
8.4.1 General.10
8.4.2 PIN conveyance .10
8.4.3 PIN selection at an issuer’s location.11
8.4.4 PIN selection by mail .11
8.5 PIN change .11
8.5.1 General.11
8.5.2 PIN change in an interchange environment .11
8.5.3 PIN change at an attended terminal .11
8.5.4 PIN change at an unattended terminal .12
8.5.5 PIN change by mail . . .12
8.6 PIN replacement .12
8.6.1 Replacement of forgotten PIN .12
8.6.2 Re-advice of forgotten PIN.12
8.6.3 Replacement of compromised PIN .12
8.7 Disposal of waste material and returned PIN mailers .12
8.8 PIN activation .12
8.9 PIN storage .13
8.10 PIN deactivation .13
8.11 PIN mailers .13
9 Techniques for management/protection of transaction-related PIN functions .14
9.1 PIN entry .14
9.2 Protection of PIN during transmission .14
9.2.1 PIN protection during transmission to the issuer for online PIN verification.14
9.2.2 PIN protection during conveyance to the ICC for offline PIN verification .15
9.3 Compact PIN block formats .17
9.3.1 PIN block construction and format value assignment .17
9.3.2 Format 0 PIN block .17
9.3.3 Format 1 PIN block .18
9.3.4 Format 2 PIN block .18
9.3.5 Format 3 PIN block .19
9.3.6 Compact PIN block usage restrictions .20
9.4 Extended PIN blocks .21
9.4.1 General.21
9.4.2 Format 4 PIN block .21
9.5 PIN block format translation restrictions .25
9.6 Journalizing of transactions containing PIN data .25
Annex A (normative) Destruction of sensitive data .26
Annex B (informative) Additional guidelines for the design of a PIN entry device .28
Annex C (informative) Information for customers .31
Bibliography .32
iv © ISO 2017 – All rights reserved

Foreword
ISO (the International Organization for Standardization) is a world
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/TS 9546:2024(Main)
Guidelines for security framework of information systems of third-party payment services

This document provides guidelines for a security framework to address the implementation of security mechanisms in technical infrastructures designed for the provision of third-party payment (TPP) services in order to achieve the security objectives defined in ISO 23195. The security framework is intended to protect critical systems and objects within the TPP system environment, either under the direct control of the third-party payment service provider (TPPSP) or by another entity (e.g. a bank). This document is applicable to the provision of any TPP service, including: — the TPP logical structural model; — the definition of the security framework; — the design principles, responsibilities and functional recommendations to support the security mechanism; — guidelines for applying the security framework defined in this document.

  • Technical specification
    24 pages
    English language
    sale 15% off
ISO
ISO 13491-1:2024(Main)
Financial services — Secure cryptographic devices (retail) — Part 1: Concepts and requirements

This document specifies the security characteristics for secure cryptographic devices (SCDs) based on the cryptographic processes defined in the ISO 9564 series, ISO 16609 and ISO 11568. This document states the security characteristics concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle. This document does not address issues arising from the denial of service of an SCD. This document does not address software services that use multi-party computation (MPC) to achieve some security objectives and, relying on these, offer cryptographic services. NOTE These are sometimes called “soft” or software hardware security modules (HSMs) in common language, which is misleading and does not correspond to the definition of HSM in this document.

  • Standard
    27 pages
    English language
    sale 15% off
ISO
ISO 5201:2024(Main)
Financial services — Code-scanning payment security

This document provides an overview, risk assessment, minimum security requirements and extended security guidelines for code-scanning payment in which the payer uses a mobile device to operate the payment transaction. This document is applicable to cases where the payment code is used to initiate a mobile payment and presented by either the payer or the payee. The following is excluded from the scope of this document: — details of payer and payee onboarding; — details of the supporting payment infrastructure, as described in 5.1.

  • Standard
    30 pages
    English language
    sale 15% off
ISO
ISO/TS 23526:2023(Main)
Security aspects for digital currencies

This document specifies an acceptable security framework for the issuance and management of digital currencies using cryptographic mechanisms standardized by ISO/TC 68/SC 2 and other references. This document proposes a framework approach based on standards for mitigating vulnerabilities for digital currency systems. The objective is that security aspects are integrated by design and not added afterwards as an extra processing layer that needs to accommodate legacy infrastructures.

  • Technical specification
    14 pages
    English language
    sale 15% off
ISO
ISO/TR 24374:2023(Main)
Financial services — Security information for PKI in blockchain and DLT implementations

This document describes the management of cryptographic keys in a blockchain, or distributed system used in the financial sector The objective of this document is to consider the impact of different types of key management processes that are required for PKI implementations in Blockchain and DLT projects

  • Technical report
    18 pages
    English language
    sale 15% off
ISO
ISO 19092:2023(Main)
Financial services — Biometrics — Security framework

This document specifies the security framework for using biometrics for authentication of customers in financial services, focusing exclusively on retail payments. It introduces the most common types of biometric technologies and addresses issues concerning their application. This document also describes representative architectures for the implementation of biometric authentication and associated minimum control objectives. The following are within the scope of this document: — use of biometrics for the purpose of: — verification of a claimed identity; — identification of an individual; — biometric authentication threats, vulnerabilities and controls; — validation of credentials presented at enrolment to support authentication; — management of biometric information across its life cycle, comprising enrolment, transmission and storage, verification, identification and termination processes; — security requirements for hardware used in conjunction with biometric capture and biometric data processing; — biometric authentication architectures and associated security requirements. The following are not within the scope of this document: — detailed specifications for data collection, feature extraction and comparison of biometric data and the biometric decision-making process; — use of biometric technology for non-financial transaction applications, such as physical or logical system access control.

  • Standard
    65 pages
    English language
    sale 15% off
ISO
ISO 11568:2023(Main)
Financial services — Key management (retail)

This document describes the management of symmetric and asymmetric cryptographic keys that can be used to protect sensitive information in financial services related to retail payments. The document covers all aspects of retail financial services, including connections between a card-accepting device and an Acquirer, between an Acquirer and a card Issuer, and between an ICC and a card-accepting device. It covers all phases of the key life cycle, including the generation, distribution, utilization, archiving, replacement and destruction of the keying material. This document covers manual and automated management of keying material, and any combination thereof, used for retail financial services. It includes guidance and requirements related to key separation, substitution prevention, identification, synchronization, integrity, confidentiality and compromise, as well as logging and auditing of key management events. Requirements associated with hardware used to manage keys have also been included in this document.

  • Standard
    115 pages
    English language
    sale 15% off
ISO
ISO 13491-2:2023(Main)
Financial services — Secure cryptographic devices (retail) — Part 2: Security compliance checklists for devices used in financial transactions

This document specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564‑1, ISO 9564‑2, ISO 16609, and ISO 11568 in the financial services environment. Integrated circuit (IC) payment cards are subject to the requirements identified in this document up until the time of issue, after which they are to be regarded as a “personal” device and outside of the scope of this document.

  • Standard
    39 pages
    English language
    sale 15% off
ISO
ISO 16609:2022(Main)
Financial services — Requirements for message authentication using symmetric techniques

This document specifies procedures, independent of the transmission process, for protecting the integrity of transmitted financial-service-related messages and for verifying that a message has originated from an authorized source, or that stored data has retained integrity. A list of block ciphers approved for the calculation of a message authentication code (MAC) is also provided. The authentication methods defined in this document are applicable to stored data and to messages formatted and transmitted both as coded character sets or as binary data. This document is designed for use with symmetric algorithms where both sender and receiver use the same key. It does not specify methods for establishing the shared key. Its application will not protect the user against internal fraud perpetrated by the sender or the receiver, nor against forgery of a MAC by the receiver.

  • Standard
    13 pages
    English language
    sale 15% off
ISO
ISO 23195:2021(Main)
Security objectives of information systems of third-party payment services

This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP). This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document. NOTE This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.

  • Standard
    40 pages
    English language
    sale 15% off
  • Standard
    40 pages
    English language
    sale 15% off