ISO 9564-1:2017

INTERNATIONAL ISO
STANDARD 9564-1
Fourth edition
2017-11
Financial services — Personal
Identification Number (PIN)
management and security —
Part 1:
Basic principles and requirements for
PINs in card-based systems
Services financiers — Gestion et sécurité du numéro personnel
d'identification (PIN) —
Partie 1: Principes de base et exigences relatifs aux PINs dans les
systèmes à carte
Reference number
ISO 9564-1:2017(E)
©
ISO 2017

---------------------- Page: 1 ----------------------
ISO 9564-1:2017(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2017 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 9564-1:2017(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Basic principles of PIN management . 5
4.1 General . 5
4.2 Principles . 5
5 PIN handling devices . 6
5.1 PIN handling device security requirements . 6
5.2 Physical security for IC readers . 7
5.3 PIN entry device characteristics . 7
5.3.1 Character set . 7
5.3.2 Character representation . 7
6 PIN security issues . 7
6.1 PIN control requirements . 7
6.1.1 PIN processing systems . 7
6.1.2 Recording media . 8
6.1.3 Oral communications . 8
6.1.4 Telephone keypads . 8
6.2 PIN encipherment . 8
7 PIN verification . 9
7.1 General . 9
7.2 Online PIN verification . 9
7.3 Offline PIN verification . 9
8 Techniques for management/protection of account-related PIN functions.9
8.1 PIN length . 9
8.2 PIN establishment . 9
8.2.1 PIN establishment techniques . 9
8.2.2 Assigned derived PIN . 9
8.2.3 Assigned random PIN .10
8.2.4 Customer-selected PIN .10
8.3 PIN issuance and delivery to the cardholder .10
8.4 PIN selection .10
8.4.1 General.10
8.4.2 PIN conveyance .10
8.4.3 PIN selection at an issuer’s location.11
8.4.4 PIN selection by mail .11
8.5 PIN change .11
8.5.1 General.11
8.5.2 PIN change in an interchange environment .11
8.5.3 PIN change at an attended terminal .11
8.5.4 PIN change at an unattended terminal .12
8.5.5 PIN change by mail . . .12
8.6 PIN replacement .12
8.6.1 Replacement of forgotten PIN .12
8.6.2 Re-advice of forgotten PIN.12
8.6.3 Replacement of compromised PIN .12
8.7 Disposal of waste material and returned PIN mailers .12
8.8 PIN activation .12
8.9 PIN storage .13
© ISO 2017 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 9564-1:2017(E)

8.10 PIN deactivation .13
8.11 PIN mailers .13
9 Techniques for management/protection of transaction-related PIN functions .14
9.1 PIN entry .14
9.2 Protection of PIN during transmission .14
9.2.1 PIN protection during transmission to the issuer for online PIN verification.14
9.2.2 PIN protection during conveyance to the ICC for offline PIN verification .15
9.3 Compact PIN block formats .17
9.3.1 PIN block construction and format value assignment .17
9.3.2 Format 0 PIN block .17
9.3.3 Format 1 PIN block .18
9.3.4 Format 2 PIN block .18
9.3.5 Format 3 PIN block .19
9.3.6 Compact PIN block usage restrictions .20
9.4 Extended PIN blocks .21
9.4.1 General.21
9.4.2 Format 4 PIN block .21
9.5 PIN block format translation restrictions .25
9.6 Journalizing of transactions containing PIN data .25
Annex A (normative) Destruction of sensitive data .26
Annex B (informative) Additional guidelines for the design of a PIN entry device .28
Annex C (informative) Information for customers .31
Bibliography .32
iv © ISO 2017 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 9564-1:2017(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Financial Services, security.
This fourth edition cancels and replaces the third edition (ISO 9564-1:2011), which has been technically
revised.
It also incorporates the Amendment ISO 9564-1:2011/Amd 1:2015.
A list of all parts in the ISO 9564 series can be found on the ISO website.
© ISO 2017 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO 9564-1:2017(E)

Introduction
A Personal Identification Number (PIN) is used in financial services as one method of cardholder
verification.
The objective of PIN management is to protect the PIN against unauthorized disclosure, compromise
and misuse throughout its life cycle and, in so doing, to minimize the risk of fraud occurring within
electronic funds transfer (EFT) systems. The secrecy of the PIN needs to be ensured at all times during
its life cycle, which consists of its establishment, issuance, activation, storage, entry, transmission,
validation, deactivation and any other use made of it.
In this document, the following terms are used for the types of communication of the PIN.
a) Conveyance: reference PIN to the integrated circuit (IC) card or cardholder selected PIN to the issuer.
b) Delivery: PIN to the cardholder.
c) Transmission: transaction PIN to the issuer or IC reader for subsequent PIN verification.
d) Submission: transaction PIN to the ICC.
PIN security in part depends upon sound key management. Maintaining the secrecy of cryptographic
keys is of the utmost importance because the compromise of any key allows the compromise of any PIN
ever enciphered under it.
PINs can be verified online or offline. Since online PIN verification can be performed independent of the
card itself, any type of payment card or device can be used to initiate such a transaction. However, there
are special card requirements for those cards that perform offline PIN verification on the card itself.
Financial transaction cards with embedded IC can support offline PIN verification using the IC of
the card. Issuers can choose whether to have PIN verification performed online or offline. Offline
PIN verification does not require that a cardholder's PIN be sent to the issuer host for verification
and so security requirements relating to PIN protection differ from online PIN verification security
requirements. However, many general PIN protection principles and techniques are still applicable
even though a PIN can be verified offline.
This document is designed so that issuers can achieve reasonable assurance that a PIN, while under the
control of other institutions, is properly managed. Techniques are given for protecting the PIN-based
customer authentication process by safeguarding the PIN against unauthorized disclosure during the
PIN’s life cycle.
In ISO 9564-2, approved encipherment algorithms for use in the protection of the PIN are specified.
ISO 9564 is one of several series of International Standards which describe requirements for security in
the retail banking environment; these include ISO 11568 (all parts), ISO 13491 (all parts) and ISO 16609.
vi © ISO 2017 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO 9564-1:2017(E)
Financial services — Personal Identification Number (PIN)
management and security —
Part 1:
Basic principles and requirements for PINs in card-
based systems
1 Scope
This document specifies the basic principles and techniques which provide the minimum security
measures required for effective international PIN management. These measures are applicable to
those institutions responsible for implementing techniques for the management and protection of PINs
during their creation, issuance, usage and deactivation.
This document is applicable to the management of cardholder PINs for use as a means of cardholder
verification in retail banking systems in, notably, automated teller machine (ATM) systems, point-
of-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN
selection/change systems. It is applicable to issuer and interchange environments.
The provisions of this document are not intended to cover:
a) PIN management and security in environments where no persistent cryptographic relationship
exists between the transaction-origination device and the acquirer, e.g. use of a browser for online
shopping (for these environments, see ISO 9564-4);
b) protection of the PIN against loss or intentional misuse by the customer;
c) privacy of non-PIN transaction data;
d) protection of transaction messages against alteration or substitution;
e) protection against replay of the PIN or transaction;
f) specific key management techniques;
g) offline PIN verification used in contactless devices;
h) requirements specifically associated with PIN management as it relates to multi-application
functionality in an ICC.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 7816 (all parts), Identification cards — Integrated circuit cards
ISO 9564-2, Financial services — Personal Identification Number (PIN) management and security —
Part 2: Approved algorithms for PIN encipherment
ISO 11568 (all parts), Banking — Key management (retail)
© ISO 2017 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO 9564-1:2017(E)

ISO 13491-1, Financial services — Secure cryptographic devices (retail) — Part 1: Concepts, requirements
and evaluation methods
ISO 13491-2:2017, Financial services — Secure cryptographic devices (retail) — Part 2: Security compliance
checklists for devices used in financial transactions
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
acquirer
institution (or its agent) that acquires from the card acceptor (3.3) the financial data relating to the
transaction and initiates such data into an interchange system
3.2
algorithm
clearly specified mathematical process for computation
3.3
card acceptor
party accepting the card and presenting transaction data to an acquirer (3.1)
3.4
cardholder PIN
PIN (3.19) known by the cardholder (3.8)
3.5
cipher text
data in their enciphered form
3.6
compromise
breaching of confidentiality and/or integrity
3.7
cryptographic key
mathematical value that is used in an algorithm (3.2) to transform plain text (3.21) into cipher text (3.5)
or vice versa
3.8
customer
cardholder
individual associated with the primary account number (PAN) (3.22) specified in the transaction
3.9
decipherment
reversal of a previous reversible encipherment (3.26) rendering cipher text (3.5) into plain text (3.21)
3.10
dual control
process of utilizing two or more separate entities (usually persons) operating in concert to protect
sensitive functions or information whereby no single entity is able to access or utilize the materials
EXAMPLE A cryptographic key (3.7) is an example of the type of material protected by dual control.
2 © ISO 2017 – All rights reserved

---------------------- Page: 8 ----------------------
ISO 9564-1:2017(E)

3.11
encipherment
rendering of text unintelligible by means of an encoding mechanism
3.12
integrated circuit
IC
microprocessor (typically) embedded in an ICC (3.13)as specified in ISO/IEC 7816 (all parts)
3.13
integrated circuit card
ICC
card with integrated circuits as specified in ISO/IEC 7816 (all parts)
Note 1 to entry: All references to an ICC are understood to be references to the IC (3.12) of the card and not to any
other storage on the card (e.g. magnetic stripe).
3.14
irreversible encipherment
transformation of plain text (3.21) to cipher text (3.5) in such a way that the original plain text cannot be
recovered other than by exhaustive procedures, even if the cryptographic key (3.7) is known
3.15
issuer
institution holding the account identified by the primary account number (PAN) (3.22)
3.16
key component
one of at least two parameters having the format of a cryptographic key (3.7) that is added modulo-2
with one or more like parameters to form a cryptographic key
3.17
modulo-2 addition
exclusive OR-ing
binary addition with no carry
3.18
node
message processing entity through which a transaction passes
3.19
Personal Identification Number
PIN
string of numeric digits established as a shared secret between the cardholder (3.8) and the issuer
(3.15), for subsequent use to validate authorized card usage
3.20
PIN entry device
PED
device providing for the secure entry of PINs (3.19)
Note 1 to entry: Security requirements for PIN entry devices are specified in 5.1.
3.21
plain text
data in its original unenciphered form
© ISO 2017 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO 9564-1:2017(E)

3.22
primary account number
PAN
assigned number, composed of an issuer identification number, an individual account identification
and an accompanying check digit as specified in ISO/IEC 7812-1, which identifies the card issuer and
cardholder (3.8)
3.23
primary account number token
PAN Token
surrogate value used in place of the original PAN (3.22) in certain, well-defined situations, but that is
not used in place of the original PAN in every way that the original PAN is used
3.24
pseudo-random number
number that is statistically random and essentially unpredictable although generated by an
algorithmic process
3.25
reference PIN
value of the PIN (3.19) used to verify the transaction PIN (3.30)
3.26
reversible encipherment
transformation of plain text (3.21) to cipher text (3.5) in such a way that the original plain text can be
recovered
3.27
sensitive state
device condition that provides access to the secure operator interface such that it can only be entered
when the device is under dual or multiple control
3.28
split knowledge
condition under which two or more parties separately and confidentially have custody of components
of a single key that individually convey no knowledge of the resultant cryptographic key (3.7)
3.29
terminal
acquirer-sponsored device that accepts ISO/IEC 7813 and ISO/IEC 7816 compliant cards and initiates
transactions into a payments system
Note 1 to entry: It can also include other components and interfaces, such as host communications.
3.30
transaction PIN
PIN (3.19) as entered by the customer (3.8) at the time of the transaction and subsequently transmitted
to an issuer system or submitted to the ICC (3.13) for verification
Note 1 to entry: Verification means comparison to the reference PIN (3.25).
3.31
true random number generator
device that utilizes an unpredictable and non-deterministic physical phenomenon to produce a stream
of bits, where the ability to predict any bit is no greater than 0,5 given knowledge of all preceding and
following bits
4 © ISO 2017 – All rights reserved

---------------------- Page: 10 ----------------------
ISO 9564-1:2017(E)

4 Basic principles of PIN management
4.1 General
The term “PIN” is used to describe any string of numeric digits established as a shared secret between
the cardholder and the issuer, for subsequent use to validate authorized card usage. The term PIN may
be qualified as “cardholder PIN”, “reference PIN” and “transaction PIN” in the following ways.
a) Issuance:
1) the PIN
i) is generated by the issuer and delivered to the cardholder (as the cardholder PIN), or
ii) is selected by the cardholder and conveyed to the issuer;
2) the issuer stores the PIN as the reference PIN or stores data such that the reference PIN can be
recalculated; the reference PIN may be stored in the issuer system and/or an ICC.
b) Usage:
1) the cardholder enters their PIN into a PED. The PIN, once entered into a PED, is the
transaction PIN;
2) the transaction PIN is transmitted to the issuer or sent to the ICC for comparison with the
reference PIN.
Some requirements pertain to all PINs while other requirements are specific to cardholder PINs,
reference PINs, and/or transaction PINs. Where requirements apply to all PINs, the term PIN is used
without qualification.
4.2 Principles
PIN management shall be governed by the following basic principles.
a) Fraudulent modification or access to the hardware and software used for all PIN management
functions shall be prevented or detected (see 6.1.1).
b) For different accounts, encipherment of the same PIN value under a given encipherment key shall
not produce the same cipher text (see 6.2) except by chance.
c) Security of an enciphered PIN shall not rely on the secrecy of the encipherment design or algorithm,
but on the security of the cryptographic key (se
...