ISO standard PINs down fraud

A new international ISO standard aims to reduce the opportunity for a breach in security and provide a high probability of detection of any unauthorised disclosure of personal identification numbers, or PINs.

ISO 9564-1, Banking – Personal Identification Number (PIN) management and security, Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems, gives financial institutions guidance on developing, implementing and operating the systems and procedures that protect the PIN throughout its lifecycle.

ISO 9564-1 costs 110 Swiss francs and is available from ISO national member institutes and from ISO Central Secretariat. The new standard is the work of ISO technical committee ISO/TC 68, Banking, securities and other financial services, subcommittee SC 6, Retail financial services, working group WG 6, Security in retail banking.

Automated Teller Machine (ATM) and Point-of-Sale (POS) technologies are becoming increasingly popular world-wide. These payment options offer convenience for shoppers, guaranteed payment for merchants (in the case of a POS system) and incremental revenue for banks and networks. At the same time, the easy access they give to funds in checking and savings accounts also attracts thieves, and the PIN is the main barrier between a stolen or copied card and the cardholder's money.

According to Richard Hite, convenor of working group WG 6, the primary benefit of ISO 9564-1 is the establishment of a baseline security framework for the management of cardholder PINs in interchange systems.

‘The standard is designed so that issuers of PIN authenticated payment cards can have confidence that their personal information numbers are being uniformly protected while under the control of other institutions and participants in the payment system.’

‘The role of the PIN has been expanded from being just an online customer verification method for the magnetic stripe card, to being used in offline environments and in open networks. Consequently, many of the original assumptions regarding the protection of cardholder PINs in the traditional closed networks of the online world required updating, making the standard relevant to the current environment.’

ISO 9564-1 specifies the basic principles and techniques that provide the minimum security measures required for effective international PIN management. It specifies PIN protection techniques applicable to financial transactions in an online environment and a standard means of interchanging PIN data between the parties to a transaction. It applies to every stage of the PIN's lifecycle: selection, issuance, activation, storage, entry, transmission, validation, deactivation and any other use made of it.

During an electronic fund transfer (EFT), the PIN serves as the cardholder verification value: evidence that the person presenting the card is its legitimate holder. To reduce the risk of fraud, every institution and every piece of equipment that accepts or processes the PIN – the issuing bank, the acquiring bank and the network operator between them – must implement sufficient security to prevent disclosure of the PIN, or any part of it, to anyone outside the transaction.
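The "standard means of interchanging PIN data" referred to above is the PIN block. The example below, added here and not taken from the standard's text or from any vendor's code, encodes and decodes the ISO 9564-1 format 0 block: the PIN is placed in a 16-hex-digit field with a length nibble and F padding, the rightmost twelve PAN digits (excluding the check digit) go in a second field, and the two are XORed. Binding the PAN into the block is what stops the same PIN from producing the same cleartext block on every card; the cleartext block is then enciphered under a zone PIN key before it crosses the network (the approved algorithms are the subject of ISO 9564-2, so no cipher is shown here). The PIN and PAN values are constructed for illustration, and the function names are this example's own.

```python
"""ISO 9564-1 format 0 PIN block: encode, decode and sanity-check.

Added example (not the standard's own text or any vendor's code).

  PIN field:  '0' | PIN length (one hex digit, 4..12) | PIN digits | 'F' padding
  PAN field:  '0000' | rightmost 12 digits of the PAN, excluding the check digit
  PIN block:  PIN field XOR PAN field            (16 hex digits, 8 bytes)

The cleartext block built here must never leave the PIN entry device or
hardware security module in the clear; it is enciphered under a PIN key
before interchange.  All PIN/PAN values below are constructed test data.
"""

HEX = "0123456789ABCDEF"


def _xor_hex(a: str, b: str) -> str:
    """Nibble-wise XOR of two equal-length upper-case hex strings."""
    return "".join(f"{int(x, 16) ^ int(y, 16):X}" for x, y in zip(a, b))


def _pan_field(pan: str) -> str:
    """Build the PAN field: drop the check digit, keep the rightmost 12 digits."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return "0000" + pan[:-1][-12:]


def encode_format0(pin: str, pan: str) -> str:
    """Return the format 0 cleartext PIN block for this PIN on this card."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    # Control nibble '0' (format 0), length nibble in hex (4..C), digits, F padding.
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return _xor_hex(pin_field, _pan_field(pan))


def decode_format0(block: str, pan: str) -> str:
    """Recover the PIN from a format 0 block, rejecting malformed results.

    The format checks (control nibble, length nibble, digit set, F padding)
    catch most, though not every, PAN mismatch or corrupted block.
    """
    block = block.upper()
    if len(block) != 16 or any(c not in HEX for c in block):
        raise ValueError("PIN block must be 16 hex digits")
    pin_field = _xor_hex(block, _pan_field(pan))
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(pin_field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, pad = pin_field[2:2 + length], pin_field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("format check failed: wrong PAN or corrupted block")
    return pin


def pan_mismatch_detected(block: str, pan: str) -> bool:
    """True if decoding under this PAN fails the format check."""
    try:
        decode_format0(block, pan)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pin, pan_a, pan_b = "1234", "4321987654321098", "4111111111111111"  # constructed
    block_a = encode_format0(pin, pan_a)
    block_b = encode_format0(pin, pan_b)
    print("same PIN, card A:", block_a)   # 04122D789ABCDEF6
    print("same PIN, card B:", block_b)   # 041225EEEEEEEEEE
    print("decoded under card A PAN:", decode_format0(block_a, pan_a))
    print("card A block under card B PAN rejected:", pan_mismatch_detected(block_a, pan_b))
```

The two printed blocks differ even though the PIN is identical, which is the point of the PAN binding: an attacker who captures enciphered blocks on the wire cannot build a dictionary of "block for PIN 1234" that works across cards. Decoding the card A block with card B's PAN fails the format check because the PAN-derived nibbles land in the PIN digit positions.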

The new ISO standard gives financial institutions a sound starting point for securing PIN material against unauthorised disclosure, compromise and misuse throughout its lifecycle and, in so doing, helps minimise the risk of fraud within an EFT system. Whatever the level of security required, the type of online transaction or the type of system used, users will benefit from reviewing their PIN management procedures against the standard's best practice.

Two further parts of ISO 9564 are in preparation. ISO 9564-2, Banking – Personal Identification Number management and security – Part 2: Approved algorithm(s) for PIN encipherment, specifies the algorithms approved for enciphering PINs, and ISO 9564-3, Banking – Personal Identification Number management and security – Part 3: Requirements for offline PIN handling in ATM and POS systems, covers PIN protection principles and techniques for the offline case. In addition, a Technical Report is being prepared, ISO/PDTR 9564-4, Banking – Personal Identification Number management and security – Part 4: Best practices for PIN handling in open network devices, which the working group will monitor and update as open network technologies mature.

‘With the introduction of smart cards and the increasing role of the Internet and other open networks, the PIN is increasingly becoming the customer verification method of choice. Consequently, the additional sections [of ISO 9564] are intended to augment PIN protection requirements, making its security relevant to these new communication channels,’ further noted Mr. Hite.

The new ISO standard is intended to be used by national standards bodies, financial institutions, regulators, payment schemes, ATM vendors, PIN entry device vendors, and system developers.