Banking — Personal Identification Number (PIN) management and security — Part 4: Guidelines for PIN handling in open networks

ISO/TR 9564-4:2004 provides guidelines for personal identification number PIN handling in open networks, presenting finance industry best-practice security measures for PIN management and the handling of financial card originated transactions in environments where issuers and acquirers have no direct control over management, or where no relationship exists between the PIN entry device and the acquirer prior to the transaction.

Banque — Gestion et sécurité du numéro personnel d'identification (PIN) — Partie 4: Directives sur la manipulation du PIN dans les dispositifs à réseau ouvert

General Information

Status
Withdrawn
Publication Date
14-Mar-2004
Withdrawal Date
14-Mar-2004
Current Stage
9599 - Withdrawal of International Standard
Completion Date
09-Mar-2016
Ref Project

Relations

Buy Standard

Technical report
ISO/TR 9564-4:2004 - Banking -- Personal Identification Number (PIN) management and security
English language
6 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

TECHNICAL ISO/TR
REPORT 9564-4
First edition
2004-03-15

Banking — Personal Identification
Number (PIN) management and
security —
Part 4:
Guidelines for PIN handling in open
networks
Banque — Gestion et sécurité du numéro personnel d'identification
(PIN) —
Partie 4: Directives sur la manipulation du PIN dans les dispositifs à
réseau ouvert




Reference number
ISO/TR 9564-4:2004(E)
©
ISO 2004

---------------------- Page: 1 ----------------------
ISO/TR 9564-4:2004(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2004 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/TR 9564-4:2004(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from that
which is normally published as an International Standard (“state of the art”, for example), it may decide by a
simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely
informative in nature and does not have to be reviewed until the data it provides are considered to be no
longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TR 9564-4 was prepared by Technical Committee ISO/TC 68, Banking, securities and other financial
services, Subcommittee SC 6, Retail financial services.
ISO 9564 consists of the following parts, under the general title Banking — Personal Identification Number
(PIN) management and security:
 Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
 Part 2: Approved algorithms for PIN encipherment
 Part 3: Requirements for offline PIN handling in ATM and POS systems
 Part 4: Guidelines for PIN handling in open networks [Technical Report]
© ISO 2004 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/TR 9564-4:2004(E)
Introduction
The open network environment is a high-risk environment. This is especially true for PIN-based transactions,
since the management of the PIN entry device is beyond the control of either the issuer or acquirer. In many
circumstances, it is the cardholder who decides on the network access device (NAD).
This part of ISO 9564 provides guidelines to assist the payment system participants in reducing the exposure
of PIN compromise in open networks and the likelihood of subsequent fraud in those payment systems
covered by ISO 9564-1 and ISO 9564-3. Its purpose is to define minimal PIN security practices in the open
network environment. If PIN security in this environment is deficient, there is a high probability, if card data are
also disclosed, that both (card data and PIN) may be fraudulently used in the ATM, POS or open network
environments.
The integrity of the authentication mechanism is contingent on the confidentiality of the PIN and the
cardholder data. In this environment, the lack of control makes protection of the PIN difficult; therefore,
protection of the cardholder data is necessary to minimise the risk of fraud resulting from card data capture
and PIN compromise in the open network environment.
Noting the fluidity of the technology and the market, it was decided that the development of an International
Standard was not advised at the time of publication. This part of ISO 9564 will be reviewed on a regular basis
to ensure consistency with current market requirements and technological developments.

iv © ISO 2004 – All rights reserved

---------------------- Page: 4 ----------------------
TECHNICAL REPORT ISO/TR 9564-4:2004(E)

Banking — Personal Identification Number (PIN) management
and security —
Part 4:
Guidelines for PIN handling in open networks
1 Scope
This part of ISO 9564 provides guidelines for personal identification number (PIN) handling in open networks,
presenting finance industry best-practice security measures for PIN management and the handling of financial
card originated transactions in environments where issuers and acquirers have no direct control over
management, or where no relationship exists between the PIN entry device and the acquirer prior to the
transaction.
It is applicable to financial card-originated transactions requiring verification of the PIN and to those
organizations responsible for implementing techniques for the management of the PIN in terminals and PIN
entry devices when used in open networks.
It is not applicable to
 PIN management and security in the online and offline ATM and POS PIN environments, which are
covered in ISO 9564-1 and ISO 9564-3,
 approved algorithms for PIN encipherment, which are covered in ISO 9564-2,
 the protection of the PIN against loss or intentional misuse by the customer or authorised employees of
the issuer or their agents,
 privacy of non-PIN transaction data,
 protection of transaction messages against alteration or substitution, e.g. an online authorisation
response,
 protection against replay of the PIN or transaction,
 specific key management techniques,
 access to, and storage of, card data by server-based applications such as wallets, or
 financial institution sponsored, cardholder activated, secure PIN entry devices.
© ISO 2004 – All rights reserved 1

---------------------- Page: 5 ----------------------
ISO/TR 9564-4:2004(E)
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
acquirer
institution, or its agent, that acquires from the card acceptor the financial data relating to the transaction and
initiates such data into an interchange system
2.2
compromise
〈cryptography〉 breaching of secrecy and/or security
2.3
encipherment
rendering of text unintelligible by means of an encoding mechanism
2.4
integrated circuit card
ICC
ID-1 card type, as specified in ISO 7810, ISO 7811, ISO 7812 and ISO 7813, into which one or more
integrated circuits have been inserted
NOTE See ISO 7816-1.
2.5
issuer
institution holding the account identified by the primary account number (PAN)
2.6
network access device
NAD
personal computer, set top box, mobile phone, PDA or other devic
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.