T34 C A R D M A N U F A C T U R I N G | S P E C I A L E V E N T S O N E 2 0 1 5
David Tushie – Consultant, Prime Factors, Inc.
The U.S. electronic payments industry sits on the edge of
a tidal change in technology. Issuers and merchants are
incented to migrate from magnetic stripe cards to integrated
chip smart cards compliant with the international EMV
standard. EMV, an acronym for Europay, MasterCard, and
Visa, established the requirements for managing electronic
payment transactions, authorizations, and cardholder
verification in new ways to reduce point-of-sale (POS)
counterfeit fraud. The standard has been in wide use
outside the U.S. for several years, demonstrating dramatic
reductions in issuers’ costs resulting from this type of
fraud. Starting in October 2015, point-of-sale counterfeit
card losses will shift from issuers to merchants for those
transactions where the card presented is EMV-compliant
and the merchant POS terminal is not.
One of the EMV keys to implementation, among others,
deals with verifying that the person presenting the card at
the point-of-sale is, indeed, the rightful cardholder. This
verification can, in some situations, occur entirely within the
scope of an EMV-compliant card reader, the EMV-compliant
card presented, and the personal identification number (PIN)
entered by the cardholder. This increases the importance of
PIN processing for payment card transactions since it is one
of the cardholder verification methods available to Issuers.
As part of the EMV Keys to Implementation series, Prime
Factors presents three papers that provide insight into the
mechanics of PIN processing for EMV. This paper, “PINs: PIN
Block Formats,” provides an introduction to the way PINs
are transferred and transported between various locations.
The white papers directly related to PIN processing are
available at:
• PIN Technology and Management: http://tinyurl.com/PrimeFactors-PINs1
• PIN Block Formats: http://tinyurl.com/PrimeFactors-PINs2
• PIN Transaction Security in Payment Networks: http://tinyurl.com/PrimeFactors-PINs3
PIN Block Formats
Separate from any discussion about PIN or PVV generation
and verification is the way PINs are transferred and
transported between locations and processes.
Obviously, transferring secrets (PINs are examples of shared
secrets) requires encryption. But simply using a block cipher
has its challenges. What padding should be used for PINs
less than the smallest block size? How do you know how
many digits belong to the PIN? These are just a couple
of the challenges that the different standardized PIN block
formats address.
The two most common PIN Block formats come from the
International Standards Organization (ISO) but it should be
noted that industry players have also developed standards
for transporting encrypted PINs.
All the PIN blocks share the trait that they are eight bytes in
length, that is, 16 characters in hex format at four bits
(one nibble) per character. In the case of the ISO PIN Blocks,
they also share a similar layout. One of the advantages of
the ISO formats is that there is some inherent check data
along with the actual PIN that can be used as a sanity check
on the receiving end of the encrypted PIN block.
ISO 9564 – Format 0
The ISO-0 PIN Block format is probably the most used PIN
block in the world. Its significant characteristic is that it ties
the PIN to a specific PAN as part of the block data. In order
to extract the correct PIN from the block, the PAN must be
known (transferred with the PIN block).
The data in an ISO PIN Block 0 is the XOR of two data items,
the PIN and the PAN.
The meanings of the PIN digits are as follows:
Format: indicates block format (ISO-0 = 0)
Cnt: number of PIN digits (4-12 (hex ‘C’))
P: PIN
P/X: PIN or FILL (hex ‘F’) as needed
The meanings of the PAN digits are as follows:
N: Null (0)
P: Right most 12 PAN digits excluding the check digit
Example:
A receiver of an ISO-0 PIN block, once it has been decrypted,
should make sure that the format is “0” and the count is
between 4 and 12 (“C”). If not, there is a good chance that
the transmission has been corrupted. If the XOR of the PAN
doesn’t produce the correct padding, again the transmission
has been corrupted.
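The ISO-0 construction and the receiver checks described above, as an added example that is not code from the original paper. The function names are hypothetical and the sample PIN and PAN are constructed; the code handles the clear block only, before encryption and after decryption.

```python
# Added example: clear ISO 9564 format 0 PIN block, build and validate.
SAMPLE_PIN = "1234"                 # constructed sample value
SAMPLE_PAN = "4000001234567899"     # constructed sample value

def pan_field(pan: str) -> bytes:
    """0000 followed by the rightmost 12 PAN digits, excluding the check digit."""
    digits = pan[:-1][-12:]         # drop the check digit, keep the last 12
    if len(digits) != 12 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("PAN must be numeric with at least 13 digits")
    return bytes.fromhex("0000" + digits)

def encode_iso0(pin: str, pan: str) -> bytes:
    """Build the 8-byte block: (Format | Cnt | PIN | F fill) XOR PAN field."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, pan_field(pan)))

def decode_iso0(block: bytes, pan: str) -> str:
    """Recover the PIN from a decrypted block, applying the receiver checks."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    nibbles = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if nibbles[0] != "0":
        raise ValueError("format nibble is not 0")
    count = int(nibbles[1], 16)
    if not 4 <= count <= 12:
        raise ValueError("PIN digit count outside 4..12")
    pin, fill = nibbles[2:2 + count], nibbles[2 + count:]
    if not pin.isdigit():
        raise ValueError("non-decimal value in a PIN position")
    if fill != "F" * len(fill):
        # Wrong PAN or a corrupted block: the XOR did not restore the F fill.
        raise ValueError("fill is not all F after XOR with the PAN")
    return pin

if __name__ == "__main__":
    clear_block = encode_iso0(SAMPLE_PIN, SAMPLE_PAN)
    print(clear_block.hex().upper(), decode_iso0(clear_block, SAMPLE_PAN))
```
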
ISO 9564 – Format 1
When the ISO-1 PIN Block format is used there is no PAN to
associate with the PIN. This could be the case in a VISA
PVV implementation, where the PINs are generated in one
location ahead of the PVV calculation (association to a PAN)
and need to be transmitted to the PVV calculator.
The meanings of the PIN digits are as follows:
Format: indicates block format (ISO-1 = 1)
Cnt: number of PIN digits (4-12 (hex ‘C’))
P: PIN
P/X: PIN or FILL (random digits as needed)
The addition of random fill, as opposed to contiguous
repeated fill, produces a unique encrypted PIN block even
for identical PINs.
ISO 9564 – Format 2
The ISO-2 PIN Block format is used for smart card offline
authentication. It is similar to an ISO-1 PIN Block in that
there is no PAN to associate with the PIN. It differs in that
the fill is 0xF instead of random digits.
The meanings of the PIN digits are as follows:
Format: indicates block format (ISO-2 = 2)
Cnt: number of PIN digits (4-12 (hex ‘C’))
P: PIN
P/X: PIN or FILL (0xF digits as needed)
ISO 9564 – Format 3
The ISO-3 PIN Block format is an ISO-0 PIN Block with
random fill instead of 0xF. It ties the PIN to a specific PAN as
part of the block data and hides those PAN digits that would
show up as inverted digits in the ISO-0 PIN Block. In order
to extract the correct PIN from the block, the PAN must be
known. Some of the card brands recommend the ISO-3
format for PIN transmissions.
The data in an ISO PIN Block 3 is the XOR of two data items,
the PIN and the PAN.
The meanings of the PIN digits are as follows:
Format: indicates block format (ISO-3 = 3)
Cnt: number of PIN digits (4-12 (hex ‘C’))
P: PIN
P/X: PIN or FILL (random hex digits (0x0-0xF) as needed)
The meanings of the PAN digits are as follows:
N: Null (0)
P: Right most 12 PAN digits excluding the check digit
Example:
A receiver of an ISO-3 PIN block, once it has been decrypted,
should make sure that the format is “3” and the count is
between 4 and 12 (“C”). If not, there is a good chance that
the transmission has been corrupted.
Docutel / Diebold
A Docutel / Diebold PIN Block consists of PIN digits and fill
only. The requirement is that the fill is not a digit found in
the PIN digits.
The meanings of the PIN digits are as follows:
P: PIN
P/X: PIN or FILL (not PIN digits, as needed)
The difference between the two formats is the typical fill character.
For Docutel, the fill value is 0xF and for Diebold, the value
is 0.
Plus
The PLUS PIN Block is the ISO-0 format with the left most
digits in the PAN being used in the XOR operation.
The data in a PLUS PIN Block is the XOR of two data items,
the PIN and the PAN.
The meanings of the PIN digits are as follows:
Format: indicates block format (PLUS = 0)
Cnt: number of PIN digits (4-12 (hex ‘C’))
P: PIN
P/X: PIN or FILL (hex ‘F’) as needed
The meanings of the PAN digits are as follows:
N: Null (0)
P: Left most 12 PAN digits
Example:
Conclusion
Card issuers have strong financial incentives to provide their
cardholders EMV-compliant credit cards prior to the liability
shift date in October, 2015. Many things change with the
adoption of EMV, perhaps most significantly in the option
to use PINs to verify cardholders at the point-of-sale. This
is something that the U.S. credit card payment network has
not fully supported in the past. Understanding PIN technology
and processing will assist in implementing this form of
cardholder verification.