ISO 9564-2:2025
Financial services — Personal Identification Number (PIN) management and security — Part 2: Approved algorithms for PIN encipherment
This document specifies approved algorithms for the encipherment of personal identification numbers (PINs).
Services financiers — Gestion et sécurité du numéro personnel d'identification (PIN) — Partie 2: Algorithmes approuvés pour le chiffrement du PIN
Standards Content (Sample)
International Standard ISO 9564-2, Fourth edition, 2025-08
Financial services — Personal Identification Number (PIN) management and security — Part 2: Approved algorithms for PIN encipherment
Services financiers — Gestion et sécurité du numéro personnel d'identification (PIN) — Partie 2: Algorithmes approuvés pour le chiffrement du PIN
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword . iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 General . 1
5 Triple data encryption algorithm (TDEA) . 2
5.1 Definition of the TDEA algorithm . 2
5.2 Use of the TDEA algorithm . 2
6 RSA encryption algorithm . 2
6.1 Definition of the RSA algorithm . 2
6.2 Use of the RSA algorithm . 2
7 AES encryption algorithm . 2
7.1 Definition of the AES algorithm . 2
7.2 Use of the AES algorithm . 2
8 SM4 encryption algorithm . 2
8.1 Definition of the SM4 algorithm . 2
8.2 Use of the SM4 algorithm . 3
9 ECIES algorithm . 3
9.1 Definition of the ECIES algorithm . 3
9.2 Use of the ECIES algorithm . 3
Annex A (informative) Using key encapsulation mechanisms for establishment of ephemeral PIN encryption keys . 4
Bibliography . 13
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 68 Financial services, Subcommittee SC 2,
Financial services, security.
This fourth edition cancels and replaces the third edition (ISO 9564-2:2014), which has been technically
revised.
The main changes are as follows:
— in this revision, the Rivest-Shamir-Adleman algorithm (RSA) can also be used for PIN encryption during
PIN issuance and change over open networks;
— SM4 has been added as an additional 16-byte block cipher;
— ECIES has been added as an option for offline PIN encryption to an IC card;
— a new appendix has been added to provide guidance on using asymmetric techniques to transport an
ephemeral symmetric PIN encryption key.
A list of all parts in the ISO 9564 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
This part of the ISO 9564 series specifies algorithms approved for the encipherment of personal identification
numbers (PINs). The algorithms approved for the encipherment of PINs are:
— triple data encryption algorithm (TDEA);
— Rivest–Shamir–Adleman algorithm (RSA);
— advanced encryption standard (AES);
— ShāngMì 4 (SM4);
— elliptic curve integrated encryption scheme (ECIES).
International Standard ISO 9564-2:2025(en)
Financial services — Personal Identification Number (PIN) management and security — Part 2: Approved algorithms for PIN encipherment
1 Scope
This document specifies approved algorithms for the encipherment of personal identification numbers (PINs).
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 9564-1, Financial services — Personal Identification Number (PIN) management and security — Part 1:
Basic principles and requirements for PINs in card-based systems
ISO/IEC 10116, Information technology — Security techniques — Modes of operation for an n-bit block cipher
ISO/IEC 18033-2, Information technology — Security techniques — Encryption algorithms — Part 2:
Asymmetric ciphers
ISO/IEC 18033-3, Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers
ISO/IEC 11770-6, Information technology — Security techniques — Key management — Part 6: Key derivation
ISO 11568, Financial services — Key management (retail)
ISO/IEC 18031, Information technology — Security techniques — Random bit generation
ISO/IEC 19772, Information security — Authenticated encryption
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 9564-1 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
4 General
This document includes the approved algorithms for PIN encipherment. Key management practices
associated with PIN encipherment shall meet the requirements of ISO 11568.
5 Triple data encryption algorithm (TDEA)
5.1 Definition of the TDEA algorithm
The definition of TDEA shall be as described in ISO/IEC 18033-3.
5.2 Use of the TDEA algorithm
Encipherment, using the TDEA as described in ISO/IEC 18033-3 with TDEA keying option 1 or 2, of the PIN
blocks described in ISO 9564-1, shall be achieved using the algorithm operating in the electronic code book
(ECB) mode (with n equal to 64), as described in ISO/IEC 10116.
This algorithm is approved for use with PIN block formats 0, 1 and 3 only.
TDEA is increasingly considered unsafe and should not be used in new implementations.
TDEA should not be used where a single key is used for more than 2 encryptions.
6 RSA encryption algorithm
6.1 Definition of the RSA algorithm
The definition of RSA shall be as described in ISO/IEC 18033-2.
6.2 Use of the RSA algorithm
This algorithm is approved only for encipherment of:
— offline PINs for submission to integrated circuit cards (ICCs) as defined in ISO 9564-1. The format 2 PIN
block and its encipherment, using RSA, shall be as described in ISO 9564-1.
— PINs used in issuance and change over open networks, as defined in ISO 9564-1.
7 AES encryption algorithm
7.1 Definition of the AES algorithm
The definition of AES shall be as described in ISO/IEC 18033-3.
7.2 Use of the AES algorithm
Encipherment, using AES as described in ISO/IEC 18033-3, of the PIN block described in ISO 9564-1 shall
be achieved using the algorithm operating in ECB mode (with block size n equal to 128), as described in
ISO/IEC 10116.
This algorithm is approved for use with PIN block format 4 only.
8 SM4 encryption algorithm
8.1 Definition of the SM4 algorithm
The definition of SM4 shall be as described in ISO/IEC 18033-3.
8.2 Use of the SM4 algorithm
Encipherment, using SM4, of the PIN block described in ISO 9564-1 shall be achieved using the algorithm
operating in ECB mode (with block size n equal to 128), as described in ISO/IEC 10116.
This algorithm is approved for use with PIN block format 4 only.
9 ECIES algorithm
9.1 Definition of the ECIES algorithm
ECIES is a hybrid cipher defined in ISO/IEC 18033-2 as ECIES-HC. When used for PIN encryption, the
following internal mechanisms shall be used:
— An ECIES-KEM key encapsulation mechanism as described in ISO/IEC 18033-2.
— A key derivation function listed in ISO/IEC 11770-6 or the KDF1 or KDF2 functions defined in
ISO/IEC 18033-2.
— A data encapsulation mechanism (DEM) based on AES or SM4. AES or SM4 shall be used in an authenticated
encryption mechanism as defined in ISO/IEC 19772.
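As an added illustration (not text from the standard), the two KDFs named above differ only in where their 4-byte counter starts: KDF1 of ISO/IEC 18033-2 counts from 0 and KDF2 from 1. The Python below implements both over a caller-chosen hash and uses KDF2 to derive the single 128-bit key that an AES or SM4 authenticated-encryption DEM would consume; the KEM shared secret is a constructed sample rather than an ECIES-KEM output, and the SHA-256 default and 16-byte key length are assumptions, not requirements of this document.

```python
import hashlib


def _i2osp(n: int, length: int) -> bytes:
    """Integer-to-octet-string primitive: fixed-length big-endian encoding."""
    return n.to_bytes(length, "big")


def _counter_kdf(x: bytes, out_len: int, hash_name: str, start: int) -> bytes:
    """Concatenate Hash(x || I2OSP(counter, 4)) blocks and truncate to out_len.

    KDF1 and KDF2 of ISO/IEC 18033-2 are this construction with the counter
    starting at 0 and at 1 respectively.
    """
    if out_len < 0:
        raise ValueError("output length must be non-negative")
    out = bytearray()
    counter = start
    while len(out) < out_len:
        out += hashlib.new(hash_name, x + _i2osp(counter, 4)).digest()
        counter += 1
    return bytes(out[:out_len])


def kdf1(x: bytes, out_len: int, hash_name: str = "sha256") -> bytes:
    """KDF1: counter runs 0, 1, 2, ..."""
    return _counter_kdf(x, out_len, hash_name, start=0)


def kdf2(x: bytes, out_len: int, hash_name: str = "sha256") -> bytes:
    """KDF2: counter runs 1, 2, 3, ..."""
    return _counter_kdf(x, out_len, hash_name, start=1)


def derive_dem_key(kem_secret: bytes, kdf=kdf2, key_len: int = 16,
                   hash_name: str = "sha256") -> bytes:
    """Derive the DEM key for the ECIES-HC composition described in 9.1.

    The DEM is AES or SM4 in an ISO/IEC 19772 authenticated-encryption mode,
    so one 16-byte key is derived. key_len and hash_name are assumptions
    made for this example; the standard leaves them to the chosen mechanisms.
    """
    if not kem_secret:
        raise ValueError("empty KEM output")
    return kdf(kem_secret, key_len, hash_name)


if __name__ == "__main__":
    # Constructed sample KEM output. A real ECIES-KEM would produce this value
    # from the elliptic-curve key agreement defined in ISO/IEC 18033-2.
    sample_secret = bytes(range(32))
    print("KDF1:", kdf1(sample_secret, 32).hex())
    print("KDF2:", kdf2(sample_secret, 32).hex())
    print("DEM key:", derive_dem_key(sample_secret).hex())
```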
9.2 Use of the ECIES algorithm
This algorithm is approved only for encipherment of offline PINs for submission to ICCs as defined in
ISO 9564-1. It is approve
...
ISO/TC 68/SC 2
Secretariat: BSI
Date: 2025-06-10
Financial services — Personal identification number (PIN) management and security — Part 2:
Approved algorithms for PIN encipherment
Contents
Foreword . iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 General . 1
5 Triple Data Encryption Algorithm (TDEA) . 1
5.1 Definition of the TDEA algorithm . 1
5.2 Use of the TDEA algorithm . 2
6 RSA encryption algorithm . 2
6.1 Definition of the RSA algorithm . 2
6.2 Use of the RSA algorithm . 2
7 AES encryption algorithm . 2
7.1 Definition of the AES algorithm . 2
7.2 Use of the AES algorithm . 2
8 SM4 encryption algorithm . 2
8.1 Definition of the SM4 algorithm . 2
8.2 Use of the SM4 algorithm . 2
9 ECIES algorithm . 3
9.1 Definition of the ECIES algorithm . 3
9.2 Use of the ECIES algorithm . 3
Annex A (informative) Using key encapsulation mechanisms for establishment of PIN
encryption keys . 4
A.1 Overview . 4
A.2 Acceptable key encapsulation mechanisms . 4
A.3 Acceptable PIN block formats . 4
A.4 Replay protection . 5
A.5 Origin authentication . 5
A.6 Public key authenticity and integrity . 5
A.7 Key Usage . 5
A.8 Example PIN change mechanism using RSA . 6
A.9 Example mechanism using Elliptic Curve Cryptography . 10
9.2 Use of the ECIES algorithm
This algorithm is approved only for encipherment of offline PINs for submission to ICCs as defined in ISO
9564-1. It is approved for use only with PIN block format 2, as described in ISO 9564-1.
ECIES shall not be used for direct encryption of online PINs or PINs transported in issuance or change
over open networks. Components of ECIES, including ECIES-KEM and KDFs, can be used as part of a
mechanism to establish a symmetric online PIN encryption key. For further information, see Annex A.
...