Banking -- Personal Identification Number (PIN) management and security -- Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
This part of ISO 9564 specifies the basic principles and techniques which provide the minimum security measures required for effective international PIN management. These measures are applicable to those institutions responsible for implementing techniques for the management and protection of PINs.
This part of ISO 9564 also specifies PIN protection techniques applicable to financial transaction-card-originated transactions in an online environment and a standard means of interchanging PIN data. These techniques are applicable to those institutions responsible for implementing techniques for the management and protection of the PIN at Automated Teller Machines (ATM) and acquirer sponsored Point-of-Sale (POS) terminals.
The provisions of this part of ISO 9564 are not intended to cover:
- PIN management and security in the offline PIN environment, which is covered in ISO 9564-3;
- PIN management and security in the electronic commerce environments, which is to be covered in a subsequent part of ISO 9564;
- the protection of the PIN against loss or intentional misuse by the customer or authorized employees of the issuer;
- privacy of non-PIN transaction data;
- protection of transaction messages against alteration or substitution, e.g. an authorization response to a PIN verification;
- protection against replay of the PIN or transaction;
- specific key management techniques.