ISO 9564-1:2017
Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems

Standard No.
ISO 9564-1:2017
Release Date
2017
Published By
International Organization for Standardization (ISO)
Latest
ISO 9564-1:2017
Scope
This document specifies the basic principles and techniques which provide the minimum security measures required for effective international PIN management. These measures are applicable to those institutions responsible for implementing techniques for the management and protection of PINs during their creation, issuance, usage and deactivation. This document is applicable to the management of cardholder PINs for use as a means of cardholder verification in retail banking systems in, notably, automated teller machine (ATM) systems, pointof-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems. It is applicable to issuer and interchange environments. The provisions of this document are not intended to cover: a) PIN management and security in environments where no persistent cryptographic relationship exists between the transaction-origination device and the acquirer, e.g. use of a browser for online shopping (for these environments, see ISO 9564-4); b) protection of the PIN against loss or intentional misuse by the customer; c) privacy of non-PIN transaction data; e) protection against replay of the PIN or transaction; d) protection of transaction messages against alteration or substitution; f) specific key management techniques; g) offline PIN verification used in contactless devices; h) requirements specifically associated with PIN management as it relates to multi-application functionality in an ICC.

ISO 9564-1:2017 Referenced Document

  • EN 1332-3:2008 Identification card systems - Man-machine interface - Part 3: Keypads
  • ISO 11568-1:2005 Banking - Key management (retail) - Part 1: Principles
  • ISO 11568-2:2012 Financial services - Key management (retail) - Part 2: Symmetric ciphers, their key management and life cycle
  • ISO 11568-4:2007 Banking - Key management (retail) - Part 4: Asymmetric cryptosystems - Key management and life cycle
  • ISO 134 Withdrawal of ISO 134-1973
  • ISO 13491-1:2016 Financial services - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods
  • ISO 9564-2:2014 Financial services - Personal Identification Number (PIN) management and security - Part 2: Approved algorithms for PIN encipherment
  • ISO 9564-4:2016 Financial services - Personal Identification Number (PIN) management and security - Part 4: Requirements for PIN handling in eCommerce for Payment Transactions
  • ISO/IEC 7812-1:2017 Identification cards - Identification of issuers - Part 1: Numbering system
  • ISO/IEC 7813:2006 Information technology - Identification cards - Financial transaction cards
  • ISO/IEC 7816-10:1999 Identification cards - Integrated circuit(s) cards with contacts - Part 10: Electronic signals and answer to reset for synchronous cards
  • ISO/IEC 7816-11:2004 Identification cards - Integrated circuit cards - Part 11: Personal verification through biometric methods
  • ISO/IEC 7816-12:2005 Identification cards - Integrated circuit cards - Part 12: Cards with contacts - USB electrical interface and operating procedures
  • ISO/IEC 7816-13:2007 Identification cards - Integrated circuit cards - Part 13: Commands for application management in a multi-application environment
  • ISO/IEC 7816-15:2016 Identification cards - Integrated circuit cards - Part 15: Cryptographic information application
  • ISO/IEC 7816-1:2011 Identification cards - Integrated circuit cards - Part 1: Cards with contacts - Physical characteristics
  • ISO/IEC 7816-2:2007 Identification cards - Integrated circuit cards - Part 2: Cards with contacts - Dimensions and location of the contacts
  • ISO/IEC 7816-3:2006 Identification cards - Integrated circuit cards - Part 3: Cards with contacts - Electrical interface and transmission protocols
  • ISO/IEC 7816-4:2013 Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange
  • ISO/IEC 7816-5:2004 Identification cards - Integrated circuit cards - Part 5: Registration of application providers
  • ISO/IEC 7816-6:2016 Identification cards - Integrated circuit cards - Part 6: Interindustry data elements for interchange
  • ISO/IEC 7816-7:1999 Identification cards - Integrated circuit(s) cards with contacts - Part 7: Interindustry commands for Structured Card Query Language (SCQL)
  • ISO/IEC 7816-8:2016 Identification cards - Integrated circuit cards - Part 8: Commands and mechanisms for security operations
  • ISO/IEC 7816-9:2004 Identification cards - Integrated circuit cards - Part 9: Commands for card management

ISO 9564-1:2017 history

  • 2017 ISO 9564-1:2017 Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems
  • 2015 ISO 9564-1:2011/Amd 1:2015 Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems; Amendment 1
  • 2011 ISO 9564-1:2011 Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems
  • 2002 ISO 9564-1:2002 Banking - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for online handling in ATM and POS systems
  • 1991 ISO 9564-1:1991 Banking; Personal Identification Number management and security; part 1: PIN protection principles and techniques
Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems


Copyright ©2024 All Rights Reserved