BS ISO 9564-4:2016 – Financial services — Personal Identification Number (PIN) management and security — Part 4: Requirements for PIN handling in eCommerce for Payment Transactions

5 PIN handling requirements

5.1 General

A PIN shall not be entered into a network access device (NAD), including, but not limited to, personal computers, mobile phones, etc. Personal devices used for PIN entry in eCommerce shall be for the exclusive use of the cardholder. The use of public (shared) PIN entry devices is restricted to PEDs defined in 5.4 and 5.5.

5.2 Functionally secure PIN entry devices (FSPED)

Functionally secure PIN entry devices (FSPED) are limited-functionality PIN entry devices that shall be approved by the issuer for use in conjunction with any of that issuer’s IC cards for offline OTT generation. FSPEDs that support software updates shall have a cryptographic relationship with the card issuer, but the associated cryptographic keys shall not be used for PIN encipherment. The device shall only apply software updates that it has cryptographically authenticated and shall ensure that the software updates are applied in the correct order (an older update cannot be applied after a newer one has already been applied).

An FSPED shall contain a contact IC reader for communication with an IC card. The device shall also contain a keypad for PIN entry and a display screen. Following entry of a PIN (which may be verified by the IC card), the FSPED interacts with the IC card to produce an OTT for subsequent verification by the issuer. The IC card generates a cryptographic value. This value may be used directly as the OTT, or the FSPED may format this value into an OTT (e.g. by decimalization and/or truncation) that is convenient for a user to enter manually. The OTT is then either entered into or transferred to the NAD as part of the eCommerce transaction and sent to the issuer for verification.
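The software-update rule in 5.2 has two parts that are easy to get in the wrong order: the device must authenticate an update before trusting anything in it, and it must refuse an update whose version is not newer than what is already installed. The following is an added illustration, not text or code from the standard: it assumes a package layout of version || firmware || MAC and uses HMAC-SHA256 under a constructed issuer/device update key as a stand-in for whatever authentication mechanism an issuer actually deploys. The key is used only for update authentication, never for PIN encipherment, as 5.2 requires.

```python
import hmac
import hashlib
import struct

# Constructed demo key shared between issuer and FSPED for update
# authentication only. It is never used for PIN encipherment (ISO 9564-4, 5.2).
# Assumption: a real deployment would more likely use an issuer signature so the
# device holds only a verification key; HMAC is used here so the demo runs on
# the standard library alone.
UPDATE_AUTH_KEY = bytes.fromhex("5f3a9c1d7e2b4a6c8d0e1f2a3b4c5d6e")
VERSION_LEN = 4   # big-endian uint32 version prefix
TAG_LEN = 32      # HMAC-SHA256 tag length


def issuer_build_update(key: bytes, version: int, firmware: bytes) -> bytes:
    """Issuer side: package = version || firmware || MAC(version || firmware).

    The version field is covered by the MAC, so it cannot be rewritten to
    defeat the device's ordering check."""
    header = struct.pack(">I", version)
    tag = hmac.new(key, header + firmware, hashlib.sha256).digest()
    return header + firmware + tag


class Fsped:
    """Device side: applies only authenticated updates with a strictly
    increasing version, so an older update cannot be applied after a newer
    one has already been installed."""

    def __init__(self, key: bytes, installed_version: int, firmware: bytes = b""):
        self._key = key
        self.installed_version = installed_version
        self.firmware = firmware

    def apply_update(self, package: bytes) -> bool:
        if len(package) < VERSION_LEN + TAG_LEN:
            return False
        header = package[:VERSION_LEN]
        firmware = package[VERSION_LEN:-TAG_LEN]
        tag = package[-TAG_LEN:]
        # Authenticate first: the version is only trusted once the MAC that
        # covers it has been checked, with a constant-time comparison.
        expected = hmac.new(self._key, header + firmware, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        version = struct.unpack(">I", header)[0]
        # Ordering rule: reject a replay (same version) and any rollback.
        if version <= self.installed_version:
            return False
        self.installed_version = version
        self.firmware = firmware
        return True


if __name__ == "__main__":
    device = Fsped(UPDATE_AUTH_KEY, installed_version=1)
    v2 = issuer_build_update(UPDATE_AUTH_KEY, 2, b"firmware-v2")
    v3 = issuer_build_update(UPDATE_AUTH_KEY, 3, b"firmware-v3")
    print("apply v3:", device.apply_update(v3))   # accepted
    print("apply v2:", device.apply_update(v2))   # rejected: older than installed
    print("installed version:", device.installed_version)
```

The check order matters for the reason the standard separates the two sentences: if the version were compared before the MAC was verified, an unauthenticated package could still influence device state (for example by advancing a stored "highest seen" version). Verifying first means every byte the device acts on has already been authenticated.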
In addition to the PIN, solutions may require the entry of other transaction related data into the FSPED before an OTT can be generated. Such transaction related data may be manually entered or transmitted from the NAD to the FSPED. Such transaction details (e.g. amount) should be displayed on the FSPED for the cardholder to verify. The FSPED shall make no cryptographic contribution to the value of the OTT. However, for example, the FSPED may encipher the PIN with an IC card...
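The two paragraphs above describe a three-party flow: the IC card produces a cryptographic value over the transaction, the FSPED only reformats it into something a person can type, and the issuer regenerates and compares. The example below is an added illustration, not code from the standard: the standard does not prescribe the card's algorithm, so an HMAC-SHA256 over a constructed card identifier, a transaction counter and the amount under a constructed card-unique key stands in for the card's cryptographic value; the decimalisation table and the issuer's counter window are likewise assumptions. The point it makes concrete is that the FSPED step holds no key, so it contributes nothing cryptographic to the OTT, and that the amount shown to the cardholder on the FSPED is bound into the value the issuer checks.

```python
import hmac
import hashlib

# Constructed demo values. The card-unique key is personalised into the IC card
# and held (or derived from a master key) by the issuer; it never leaves either.
CARD_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
CARD_ID = "CARD-0001"   # constructed card identifier, not a real PAN
OTT_DIGITS = 8

# Decimalisation table (constructed): each hex nibble of the cryptogram maps to
# one decimal digit so the result can be typed on a numeric keypad.
DECIMALISATION_TABLE = str.maketrans("0123456789abcdef", "0123456789012345")


def card_generate_cryptogram(card_key: bytes, card_id: str,
                             counter: int, amount_cents: int) -> bytes:
    """Stand-in for the IC card's cryptographic value (assumption: HMAC-SHA256
    over card id, a card-held transaction counter and the amount the cardholder
    confirmed on the FSPED display)."""
    msg = f"{card_id}|{counter:08d}|{amount_cents:012d}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()


def fsped_format_ott(cryptogram: bytes, digits: int = OTT_DIGITS) -> str:
    """FSPED step: decimalise, then truncate. No key is involved, so the device
    makes no cryptographic contribution to the OTT value."""
    return cryptogram.hex().translate(DECIMALISATION_TABLE)[:digits]


class IssuerCardRecord:
    """Issuer side: regenerates the expected OTT for the claimed transaction and
    enforces a counter window so a captured OTT cannot be replayed."""

    def __init__(self, card_key: bytes, card_id: str,
                 last_counter: int = 0, window: int = 10):
        self.card_key = card_key
        self.card_id = card_id
        self.last_counter = last_counter
        self.window = window

    def verify(self, counter: int, amount_cents: int, presented_ott: str) -> bool:
        # Cheap checks first: replayed or out-of-window counters are rejected
        # before any cryptography is done.
        if counter <= self.last_counter or counter > self.last_counter + self.window:
            return False
        expected = fsped_format_ott(
            card_generate_cryptogram(self.card_key, self.card_id, counter, amount_cents))
        # Constant-time comparison on bytes; a wrong length simply fails.
        if not hmac.compare_digest(expected.encode(), presented_ott.encode()):
            return False
        self.last_counter = counter   # advance only after a successful check
        return True


if __name__ == "__main__":
    # Cardholder confirms amount 25.99 on the FSPED; card counter is 17.
    cryptogram = card_generate_cryptogram(CARD_KEY, CARD_ID, 17, 2599)
    ott = fsped_format_ott(cryptogram)
    issuer = IssuerCardRecord(CARD_KEY, CARD_ID, last_counter=16)
    print("OTT entered into the NAD:", ott)
    print("issuer accepts:", issuer.verify(17, 2599, ott))   # True
    print("replay accepted:", issuer.verify(17, 2599, ott))  # False
```

Because the amount is part of the MAC input, a merchant or NAD that alters the amount after the cardholder confirmed it on the FSPED display produces a request whose OTT no longer verifies; that is the practical reason the standard wants transaction details shown on the FSPED rather than only on the NAD.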
