BS ISO 9564-5. Financial services. Personal Identification Number (PIN) management and security Part 5. Methods for the generation, change, and verification of PINs and card security data using the advanced encryption standard
|Standard number:||21/30383510 DC|
|Status:||Draft for Comment|
This standard 21/30383510 DC BS ISO 9564-5. Financial services. Personal Identification Number (PIN) management and security is classified in these ICS categories:
- 35.240.40 IT applications in banking
This document provides requirements and guidance for methods of Issuer PIN Management using AES. It additionally defines a method for generating and verifying Card Security Codes using AES.
The processes defined in this Standard (in order as presented) are:
Generation and Verification of Card Security Code
All AES key lengths (128 bits, 192 bits and 256 bits) are acceptable for this Standard
Within this document, references to CMAC refer to algorithm 5 in ISO/IEC 9797-1 used with AES.
Assigned derived PINS, where PINs are derived from PANs and customer selection is supported by means of offsets, are not prohibited but are not recommended and so an AES-based method for this approach is not specified in this standard. One reason for not recommending this approach is that with this approach if a user PIN is discovered by a fraudster (along with non-secret PIN verification data) then to recover PIN security the card must be reissued with a new PAN.