PIN Block Formats David Tushie – Consultant, Prime Factors, Inc....



Post on 23-Mar-2021


Page 1: Pin Block Formats David Tushie – Consultant, Prime Factors, Inc. Ticma.com/wp-content/uploads/2015/07/PinBlockFormats_SE1... · 2017. 12. 8. · ISO 9564 – Format 3 The ISO-3

CARD MANUFACTURING | SPECIAL EVENTS ONE 2015

David Tushie – Consultant, Prime Factors, Inc.

The U.S. electronic payments industry sits on the edge of a tidal change in technology. Issuers and merchants are incented to migrate from magnetic stripe cards to integrated chip smart cards compliant with the international EMV standard. EMV, an acronym for Europay, MasterCard, and Visa, established the requirements for managing electronic payment transactions, authorizations, and cardholder verification in new ways to reduce point-of-sale (POS) counterfeit fraud. The standard has been in wide use outside the U.S. for several years, demonstrating dramatic reductions in issuers’ costs resulting from this type of fraud. Starting in October 2015, point-of-sale counterfeit card losses will shift from issuers to merchants for those transactions where the card presented is EMV-compliant and the merchant POS terminal is not.

One of the EMV keys to implementation, among others, deals with verifying that the person presenting the card at the point-of-sale is, indeed, the rightful cardholder. This verification can, in some situations, occur entirely within the scope of an EMV-compliant card reader, the EMV-compliant card presented, and the personal identification number (PIN) entered by the cardholder. This increases the importance of PIN processing for payment card transactions since it is one of the cardholder verification methods available to Issuers.

As part of the EMV Keys to Implementation series, Prime Factors presents three papers that provide insight into the mechanics of PIN processing for EMV. This paper, “PINs: PIN Block Formats,” provides an introduction to the way PINs are transferred and transported between various locations.

The white papers directly related to PIN processing are available at:

• PIN Technology and Management: http://tinyurl.com/PrimeFactors-PINs1

• PIN Block Formats: http://tinyurl.com/PrimeFactors-PINs2

• PIN Transaction Security in Payment Networks: http://tinyurl.com/PrimeFactors-PINs3

PIN Block Formats

Separate from any discussion about PIN or PVV generation and verification is the way PINs are transferred and transported between locations and processes.

Obviously, transferring secrets (PINs are examples of shared secrets) requires encryption. But simply using a block cipher has its challenges. What padding should be used for PINs shorter than the smallest block size? How do you know how many digits belong to the PIN? These are just a couple of the challenges that the different standardized PIN block formats address.

The two most common PIN Block formats come from the International Standards Organization (ISO), but it should be noted that industry players have also developed standards for transporting encrypted PINs.

All the PIN blocks share the trait that they are eight bytes in length (represented as 16 characters in hex format, four bits (one nibble) per character). In the case of the ISO PIN Blocks, they also share a similar layout. One of the advantages of the ISO formats is that there is some inherent check data along with the actual PIN that can be used as a sanity check on the receiving end of the encrypted PIN block.


ISO 9564 – Format 0

The ISO-0 PIN Block format is probably the most used PIN block in the world. Its significant characteristic is that it ties the PIN to a specific PAN as part of the block data. In order to extract the correct PIN from the block, the PAN must be known (transferred with the PIN block).

The data in an ISO PIN Block 0 is the XOR of two data items, the PIN and the PAN.

The meanings of the PIN digits are as follows:

Format: indicates block format (ISO-0 = 0)

Cnt: number of PIN digits (4-12 (hex ‘C’))

P: PIN

P/X: PIN or FILL (hex ‘F’) as needed

The meanings of the PAN digits are as follows:

N: Null (0)

P: Right most 12 PAN digits excluding the check digit

Example:

A receiver of an ISO-0 PIN block, once it has been decrypted, should make sure that the format is “0” and the count is between 4 and 12 (“C”). If not, there is a good chance that the transmission has been corrupted. If the XOR with the PAN doesn’t produce the correct padding, again the transmission has been corrupted.

ISO 9564 – Format 1

When the ISO-1 PIN Block format is used there is no PAN to associate with the PIN. This could be the case in a VISA PVV implementation, where the PINs are generated in one location ahead of the PVV calculation (association to a PAN) and need to be transmitted to the PVV calculator.

The meanings of the PIN digits are as follows:

Format: indicates block format (ISO-1 = 1)

Cnt: number of PIN digits (4-12 (hex ‘C’))

P: PIN

P/X: PIN or FILL (random digits as needed)

The addition of random fill, as opposed to contiguous repeated fill, produces a unique encrypted PIN block even for identical PINs.

ISO 9564 – Format 2

The ISO-2 PIN Block format is used for smart card offline authentication. It is similar to an ISO-1 PIN Block in that there is no PAN to associate with the PIN. It differs in that the fill is 0xF instead of random digits.

The meanings of the PIN digits are as follows:

Format: indicates block format (ISO-2 = 2)

Cnt: number of PIN digits (4-12 (hex ‘C’))

P: PIN

P/X: PIN or FILL (0xF digits as needed)

ISO 9564 – Format 3

The ISO-3 PIN Block format is an ISO-0 PIN Block with random fill instead of 0xF. It ties the PIN to a specific PAN as part of the block data and hides those PAN digits that would show up as inverted digits in the ISO-0 PIN Block. In order to extract the correct PIN from the block, the PAN must be known. Some of the card brands recommend the ISO-3 format for PIN transmissions.

The data in an ISO PIN Block 3 is the XOR of two data items, the PIN and the PAN.

The meanings of the PIN digits are as follows:

Format: indicates block format (ISO-3 = 3)

Cnt: number of PIN digits (4-12 (hex ‘C’))

P: PIN

P/X: PIN or FILL (random hex digits (0x0-0xF) as needed)

The meanings of the PAN digits are as follows:

N: Null (0)

P: Right most 12 PAN digits excluding the check digit


Example:

A receiver of an ISO-3 PIN block, once it has been decrypted, should make sure that the format is “3” and the count is between 4 and 12 (“C”). If not, there is a good chance that the transmission has been corrupted.
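The ISO-0 and ISO-3 construction and the receiver checks described above, as an added example (not code from the article or from Prime Factors). It works on the clear block before encryption; the function names and the sample PAN and PINs are constructed for illustration.

```python
import secrets

def pan_field(pan: str) -> str:
    """0000 + rightmost 12 PAN digits, excluding the check digit."""
    digits = pan[:-1][-12:]          # drop check digit, keep last 12
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError("PAN too short or not numeric")
    return "0000" + digits

def xor_hex(a: str, b: str) -> str:
    """XOR two 16-character hex strings, keeping leading zeros."""
    return f"{int(a, 16) ^ int(b, 16):016X}"

def build_block(fmt: int, pin: str, pan: str) -> str:
    """Clear (not yet encrypted) ISO-0 or ISO-3 PIN block as 16 hex chars."""
    if fmt not in (0, 3) or not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("unsupported format or PIN length")
    n_fill = 14 - len(pin)
    # ISO-0 fills with 'F'; ISO-3 uses random fill (A-F here, which lies
    # inside the 0x0-0xF range the article gives).
    fill = "F" * n_fill if fmt == 0 else "".join(
        secrets.choice("ABCDEF") for _ in range(n_fill))
    pin_field = f"{fmt:X}{len(pin):X}{pin}{fill}"
    return xor_hex(pin_field, pan_field(pan))

def extract_pin(expected_fmt: int, block: str, pan: str) -> str:
    """Receiver-side sanity checks, applied after decryption."""
    pin_field = xor_hex(block, pan_field(pan))
    fmt, cnt = int(pin_field[0], 16), int(pin_field[1], 16)
    if fmt != expected_fmt:
        raise ValueError("format nibble mismatch: block corrupted")
    if not 4 <= cnt <= 12:
        raise ValueError("PIN count out of range: block corrupted")
    pin, fill = pin_field[2:2 + cnt], pin_field[2 + cnt:]
    if not pin.isdigit():
        raise ValueError("non-decimal PIN digit: wrong PAN or corrupted")
    if expected_fmt == 0 and fill != "F" * len(fill):
        raise ValueError("fill is not all F: wrong PAN or corrupted")
    return pin

# Constructed sample data (test PAN, not a real account).
PAN = "4000001234567899"
# 041234FFFFFFFFFF xor 0000000123456789
BLOCK0 = build_block(0, "1234", PAN)
```

In the ISO-0 result 041234FEDCBA9876, the trailing FEDCBA9876 is the bitwise inverse of PAN digits 0123456789, which is the exposure that the random fill of ISO-3 hides.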

Docutel / Diebold

A Docutel / Diebold PIN Block consists of PIN digits and fill only. The requirement is that the fill is not a digit found in the PIN digits.

The meanings of the PIN digits are as follows:

P: PIN

P/X: PIN or FILL (not PIN digits, as needed)

The difference between the two formats is the typical fill character. For Docutel, the fill value is 0xF and for Diebold, the value is 0.

Plus

The PLUS PIN Block is the ISO-0 format with the left most digits in the PAN being used in the XOR operation.

The data in a PLUS PIN Block is the XOR of two data items, the PIN and the PAN.

The meanings of the PIN digits are as follows:

Format: indicates block format (PLUS = 0)

Cnt: number of PIN digits (4-12 (hex ‘C’))

P: PIN

P/X: PIN or FILL (hex ‘F’) as needed

The meanings of the PAN digits are as follows:

N: Null (0)

P: Left most 12 PAN digits

Example:

Conclusion

Card issuers have strong financial incentives to provide their cardholders EMV-compliant credit cards prior to the liability shift date in October, 2015. Many things change with the adoption of EMV, perhaps most significantly in the option to use PINs to verify cardholders at the point-of-sale. This is something that the U.S. credit card payment network has not fully supported in the past. Understanding PIN technology and processing will assist in implementing this form of cardholder verification.
