feature story

PIN Block Formats

David Tushie – Consultant, Prime Factors, Inc.

The U.S. electronic payments industry sits on the edge of a tidal change in technology. Issuers and merchants are incented to migrate from magnetic stripe cards to integrated chip smart cards compliant with the international EMV standard. EMV, an acronym for Europay, MasterCard, and Visa, established the requirements for managing electronic payment transactions, authorizations, and cardholder verification in new ways to reduce point-of-sale (POS) counterfeit fraud. The standard has been in wide use outside the U.S. for several years, demonstrating dramatic reductions in issuers’ costs resulting from this type of fraud. Starting in October 2015, point-of-sale counterfeit card losses will shift from issuers to merchants for those transactions where the card presented is EMV-compliant and the merchant POS terminal is not.

One of the EMV keys to implementation, among others, deals with verifying that the person presenting the card at the point-of-sale is, indeed, the rightful cardholder. This verification can, in some situations, occur entirely within the scope of an EMV-compliant terminal, the EMV-compliant card presented, and the personal identification number (PIN) entered by the cardholder. This increases the importance of PIN processing for payment card transactions since it is one of the cardholder verification methods available to Issuers.

As part of the EMV Keys to Implementation series, Prime Factors presents three papers that provide insight into the mechanics of PIN processing for EMV. This paper, “PINs: PIN Block Formats”, provides an introduction to the way PINs are transferred and transported between various locations.

The white papers directly related to PIN processing are available at:

• PIN Technology and Management: http://tinyurl.com/PrimeFactors-PINs1
• PIN Block Formats: http://tinyurl.com/PrimeFactors-PINs2
• PIN Transaction Security in Payment Networks: http://tinyurl.com/PrimeFactors-PINs3

PIN Block Formats

Separate from any discussion about PIN or PVV generation and verification is the way PINs are transferred and transported between locations and processes. Obviously, transferring secrets (PINs are examples of shared secrets) requires encryption. But simply using a block cipher has its challenges. What should be used for PINs less than the smallest block size? How do you know how many digits belong to the PIN? These are just a couple of the challenges that the different standardized PIN block formats address.

The two most common PIN Block formats come from the International Standards Organization (ISO), but it should be noted that industry players have also developed standards for transporting encrypted PINs.

All the PIN blocks share the trait that they are eight bytes in length (represented as 16 hex characters, one four-bit nibble per character). In the case of the ISO PIN Blocks, they also share a similar layout. One of the advantages of the ISO formats is that there is some inherent check data along with the actual PIN that can be used as a sanity check on the receiving end of the encrypted PIN block.

34 CARD MANUFACTURING | SPECIAL EVENTS ONE 2015

ISO 9564 – Format 0

The ISO-0 PIN Block format is probably the most used PIN block in the world. Its significant characteristic is that it ties the PIN to a specific PAN as part of the block data. In order to extract the correct PIN from the block, the PAN must be known (transferred with the PIN block).

The data in an ISO PIN Block 0 is the XOR of two data items, the PIN and the PAN.

The meanings of the PIN digits are as follows:

Format: indicates block format (ISO-0 = 0)
Cnt: number of PIN digits (4-12 (hex ‘C’))
P: PIN
P/X: PIN or FILL (hex ‘F’) as needed

The meanings of the PAN digits are as follows:

N: Null (0)
P: Right most 12 PAN digits excluding the check digit

Example:

A receiver of an ISO-0 PIN block, once it has been decrypted, should make sure that the format is “0” and the count is between 4 and 12 (“C”). If not, there is a good chance that the transmission has been corrupted. If the XOR of the PAN doesn’t produce the correct padding, again the transmission has been corrupted.

ISO 9564 – Format 1

When the ISO-1 PIN Block format is used there is no PAN to associate with the PIN. This could be the case in a VISA PVV implementation, where the PINs are generated in one location ahead of the PVV calculation (association to a PAN) and need to be transmitted to the PVV calculator.

The meanings of the PIN digits are as follows:

Format: indicates block format (ISO-1 = 1)
Cnt: number of PIN digits (4-12 (hex ‘C’))
P: PIN
P/X: PIN or FILL (random digits as needed)

The addition of random fill, as opposed to contiguous repeated fill, produces a unique encrypted PIN block even for identical PINs.

ISO 9564 – Format 2

The ISO-2 PIN Block format is used for offline authentication. It is similar to an ISO-1 PIN Block in that there is no PAN to associate with the PIN. It differs in that the fill is 0xF instead of random digits.

The meanings of the PIN digits are as follows:

Format: indicates block format (ISO-2 = 2)
Cnt: number of PIN digits (4-12 (hex ‘C’))
P: PIN
P/X: PIN or FILL (0xF digits as needed)

ISO 9564 – Format 3

The ISO-3 PIN Block format is an ISO-0 PIN Block with random fill instead of 0xF. It ties the PIN to a specific PAN as part of the block data and hides those PAN digits that would show up as inverted digits in the ISO-0 PIN Block. In order to extract the correct PIN from the block, the PAN must be known. Some of the card brands recommend the ISO-3 format for PIN transmissions.

The data in an ISO PIN Block 3 is the XOR of two data items, the PIN and the PAN.

The meanings of the PIN digits are as follows:

Format: indicates block format (ISO-3 = 3)
Cnt: number of PIN digits (4-12 (hex ‘C’))
P: PIN
P/X: PIN or FILL (random hex digits (0x0-0xF) as needed)

The meanings of the PAN digits are as follows:

N: Null (0)
P: Right most 12 PAN digits excluding the check digit


Example:

A receiver of an ISO-3 PIN block, once it has been decrypted, should make sure that the format is “3” and the count is between 4 and 12 (“C”). If not, there is a good chance that the transmission has been corrupted.

Docutel / Diebold

A Docutel / Diebold PIN Block consists of PIN digits and fill only. The requirement is that the fill is not a digit found in the PIN digits.

The meanings of the PIN digits are as follows:

P: PIN
P/X: PIN or FILL (not PIN digits, as needed)

The difference in the two formats is the typical fill character. For Docutel, the fill value is 0xF and for Diebold, the value is 0.

Plus

The PLUS PIN Block is the ISO-0 format with the left most digits in the PAN being used in the XOR operation.

The data in a PLUS PIN Block is the XOR of two data items, the PIN and the PAN.

The meanings of the PIN digits are as follows:

Format: indicates block format (PLUS = 0)
Cnt: number of PIN digits (4-12 (hex ‘C’))
P: PIN
P/X: PIN or FILL (hex ‘F’) as needed

The meanings of the PAN digits are as follows:

N: Null (0)
P: Left most 12 PAN digits

Example:

Conclusion

Card issuers have strong financial incentives to provide their cardholders EMV-compliant credit cards prior to the liability shift date in October, 2015. Many things change with the adoption of EMV, perhaps most significantly in the option to use PINs to verify cardholders at the point-of-sale. This is something that the U.S. credit card payment network has not fully supported in the past. Understanding PIN technology and processing will assist in implementing this form of cardholder verification.
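
The ISO 9564 Format 0 layout and the receiver checks described in the article, worked through as an added example (this is not code from the article or from Prime Factors). It operates on the clear, already decrypted 8-byte block; the function names and the sample PIN and PAN are constructed for illustration.

```python
# Added example: build and parse a clear ISO 9564 Format 0 PIN block.
# Encrypting/decrypting the block is out of scope here (assumption).

def _pan_field(pan: str) -> bytes:
    """0000 followed by the rightmost 12 PAN digits, excluding the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])

def build_iso0(pin: str, pan: str) -> bytes:
    """Return the 8-byte clear ISO-0 block: PIN field XOR PAN field."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    # Format nibble 0, count nibble, PIN digits, then 0xF fill to 16 nibbles.
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))

def parse_iso0(block: bytes, pan: str) -> str:
    """Recover the PIN, applying the receiver checks from the text."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("format nibble is not 0")
    count = int(field[1], 16)
    if not 4 <= count <= 12:
        raise ValueError("PIN length outside 4-12")
    pin, fill = field[2:2 + count], field[2 + count:]
    # After removing the PAN, only decimal PIN digits and 0xF fill may remain.
    if not pin.isdigit() or set(fill) - {"F"}:
        raise ValueError("PIN digits or fill corrupted (wrong PAN?)")
    return pin

# Constructed sample values (not real card data).
SAMPLE_PIN = "1234"
SAMPLE_PAN = "4000001234567899"
SAMPLE_BLOCK = build_iso0(SAMPLE_PIN, SAMPLE_PAN)  # hex 041234FEDCBA9876
```

The fill check only catches a PAN mismatch in the PAN digits that sit under the fill nibbles. A difference confined to the PAN digits that overlap the PIN digits yields a different PIN without failing the check.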
