How many times and in how many places have you entered your bank card’s PIN (Personal Identification Number) today? To make sure that the integrity of this data is protected throughout all transactions, ISO has technically revised and updated the standard providing requirements for the management and security of PINs (ISO 9564-1).

Why an International Standard for PIN management? Take the example of just one financial institution, Visa. In 2007, Visa had 20 000 member banks with 1.59 billion cards in circulation generating 59 billion transactions per year, with peaks of more than 6 800 transactions per second. The ISO standard for PIN management helps protect the identification numbers used for cardholder verification against unauthorized disclosure, compromise and misuse everywhere in the world. It thus helps minimize the risk of fraud through electronic funds transfer systems.

Mark Sutton, Chair of the ISO subcommittee that developed the standard, explains, “A PIN’s life span may be long and involve its use in many different countries, bank machines, shops, and even online. Its secrecy needs to be assured at all times, both for online and offline transactions, from the moment it is established to its deactivation (including any issuances, storage, entries, transmissions, validations, etc.).”

ISO 9564-1:2011, Financial services – Personal Identification Number (PIN) management and security – Part 1: Basic principles and requirements for PINs in card-based systems, specifies principles and techniques that provide the minimum security measures required for effective international PIN management. These measures are applicable to institutions responsible for the management and protection of PINs during their creation, issuance, usage and deactivation.

Online and offline PIN verification may have very different security requirements. Since online PINs can be verified independently of the card itself, any type of payment card or device can be used to initiate a transaction. However, there are special requirements for cards used in offline verification, in particular because the latter type does not require that a cardholder’s PIN be sent to the issuer host for verification.

This part of ISO 9564 is designed so that issuers can uniformly make certain that a PIN, while under the control of other institutions, is properly managed. Techniques are given for protecting the PIN-based customer authentication process throughout its life cycle.

“The updated standard, ISO 9564-1, will help banks and their counterparts to maintain the secrecy of cryptographic keys. This is of the utmost importance as any compromised key can endanger PIN security,” explains Mr. Sutton.

ISO 9564-1 is applicable to the management of PINs for cardholder verification in retail banking systems in, notably, automated teller machines (ATMs), point-of-sale terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems.

This third edition of the standard cancels and replaces the previous two, which have been technically revised.  

ISO 9564-1 was developed by ISO technical committee ISO/TC 68, Financial services, subcommittee SC 2, Security management and general banking operations.

ISO 9564-1, Financial services – Personal Identification Number (PIN) management and security – Part 1: Basic principles and requirements for PINs in card-based systems, is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat, price 118 Swiss francs, through the ISO Store or by contacting the Marketing, Communication & Information department.