ANSI X9.8 Part 1-2003 Banking - Personal Identification Number Management and Security - Part 1 PIN protection principles and techniques for online PIN verification in ATM & POS sy.pdf

1、 American National Standard for Financial Services X9.82003 BANKING - PERSONAL IDENTIFICATION NUMBER MANAGEMENT AND SECURITY Part 1: PIN protection principles and techniques for online PIN verification in ATM their existence does not in any respect preclude anyone, whether he has approved the standa

2、rds or not from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards. The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no

3、person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard. CAUTION

4、 NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken to reaffirm, revise, or withdraw this standard no later than five years from the date of approval. Published by Accredited Standa

5、rds Committee X9, Incorporated Financial Industry Standards P. O. Box 4035 Annapolis, MD 21403 X9 Online http:/www.x9.org Copyright 2003 by Accredited Standards Committee X9, Incorporated All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval syste

6、m or otherwise, without prior written permission of the publisher. Printed in the United States of America Copyright American National Standards Institute Provided by IHS under license with ANSINot for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANS X9.82003 2003 All r

7、ights reserved iiiThis ANSI Standard is based on ISO 9564-1:2002(E) Banking Personal Identification Number (PIN) management and security Part 1: PIN protection principles and techniques for online PIN verification in ATM and POS systems. The ISO 9564-1:2002(E) has been reproduced in its entirety wit

8、h the addition of “ANSI NOTE“s where required to adapt the text for use as an ANSI Standard. Where applicable, references to ANSI standards have been added. Specific references to “ISO 9564“ in the original ISO 9564 have been replaced with “ISO 9564 this standard“, for the purpose of clarity. “ANSI

9、NOTE“s have been added to the following sections of ISO 9564-1:2001(E): 5.1 6.2 (two Notes) 6.3.3 7.2.2 7.3.3.3 8.3.1 Annex A Annex E Annex A, General Principles of Key Management, has been superseded by ANS X9.24-2002, Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techn

10、iques Annexes A, B, C, D, E, F and G are informative annexes, presented for information only. ANS X9.8 consists of the following parts, under the general title Banking - Personal Identification Number (PIN) Management and Security: - Part 1: PIN protection principles and techniques for online PIN ve

11、rification in ATM therefore, PIN management procedures should implement preventive measures to reduce the opportunity for a breach in security and aim for a “high“ probability of detection of any illicit access or change to PIN material should these preventive measures fail. This applies at all stag

12、es of the generation, exchange and use of a PIN, including those processes that occur in cryptographic equipment and those related to communication of PINs. This part of ISO 9564 this standard is designed so that Issuers can uniformly make certain, to whatever degree is practical, that a PIN, while

13、under the control of other institutions, is properly managed. Techniques are given for protecting the PIN-based customer authentication process by safeguarding the PIN against unauthorised disclosure during the PINs life cycle. This standard includes the following annexes: a) annex A covers general

14、principles of key management; b) annex B covers techniques for PIN verification; c) annex C deals with implementation concepts for a PIN entry device for online PIN encipherment; d) annex D identifies an example of pseudo-random PIN generation; e) annex E indicates additional guidelines for the desi

15、gn of a PIN entry device; f) annex F specifies guidance on clearing and destruction procedures for sensitive data; g) annex G gives information for customers. Copyright American National Standards Institute Provided by IHS under license with ANSINot for ResaleNo reproduction or networking permitted

16、without license from IHS-,-,-ANS X9.82003 viii 2003 All rights reservedIn ISO 9564-2, this standard - part 2 approved encipherment algorithms to be used in the protection of the PIN are specified. Application of the requirements of this part of ISO 9564 this standard requires bilateral agreements to

17、 be made, including the choice of algorithms specified in ISO 9564-2 this standard - part 2. This part of ISO 9564 this standard is one of a series that describes requirements for security in the retail banking environment, as follows: ISO 9564-2:1991, Banking - Personal Identification Number manage

18、ment and security - Part 2., Approved algorithm(s) for PIN encipherment. ISO DIS 9564-3,Banking - Personal Identification Number management and security - Part 3, PIN protection principles for offline PIN handling in ATM and POS systems1ISO 10202, Financial transaction cards - Security architecture

19、of financial transaction systems using integrated circuit cards (all parts) ISO 11568, Key management (retail) - (all parts) ISO 13491, Secure cryptographic devices - (all parts) ISO 15668, Banking - Financial transaction cards - Secure file transfer (retail) ISO DIS 16609, Banking - requirements fo

20、r message authentication1Suggestions for the improvement of this standard will be welcome. They should be sent to the ASC X9 Secretariat, Accredited Standards Committee X9, Incorporated, P. O. Box 4035, Annapolis, MD 21403. This Standard was processed and approved for submittal to ANSI by the Accred

21、ited Standards Committee on Financial Services, X9. Committee approval of the Standard does not necessarily imply that all the committee members voted for its approval. The X9 committee had the following members: Harold Deal, X9 Chairman Vincent DeSantis, X9 Vice-Chairman Cynthia Fuller, Executive D

22、irector Isabel Bailey, Managing Director Organization Represented Representative ACI Worldwide Cindy Rink ACI Worldwide Jim Shafer American Bankers Association Doug Johnson American Bankers Association Don Rhodes American Bankers Association Stephen Schutze American Bankers Association Michael Scull

23、y American Express Company Mike Jones American Express Company Gerry Smith American Express Company Barbara Wakefield American Financial Services Association John Freeman American Financial Services Association Mark Zalewski 1To be published Copyright American National Standards Institute Provided b

24、y IHS under license with ANSINot for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANS X9.82003 2003 All rights reserved ixOrganization Represented Representative BancTec, Inc. Rosemary Buterfield BancTec, Inc. Christopher Dowdell BancTec, Inc. David Hunt Bank of America

25、 Mack Hicks Bank of America Richard Phillips Bank of America Daniel Welch Bank One Corporation Jacqueline Pagan BB and T Michael Saviak BB and T Woody Tyner Caradas John Gould Caradas Tom Johnston Caradas Rick (Richard P.) Kastner Careker Jery Bowman Careker Hary Hankla Careker Don Harman Careker Ro

26、n Schultz Citigroup, Inc. Daniel Schutzer Citigroup, Inc. Mark Scott Citgroup, Inc. Skip Zehnder Deluxe Corporation Maury Jansen Diebold, Inc. Bruce Chapa Diebold, Inc. Anne Doland Diebold, Inc. Judy Edwards Discover Financial Services Pamela Ellington Discover Financial Services Masood Mirza Discov

27、er Financial Services Patsie Rinchiuso eFunds Corporation Chuck Bram eFunds Corporation Richard Fird eFunds Corporation Daniel Rick eFunds Corporation Joseph Stein eFunds Corporation Cory Surges Electronic Data Systems Bud Beattie Electronic Data Systems Kevin Finn Electronic Data Systems Linda Low

28、Electronic Data Systems Dan Otten Federal Reserve Bank Jeannine M. DeLano Federal Reserve Bank Dexter Holt Federal Reserve Bank Laura Walker First Data Corporation Gene Kathol Griffin Consulting Harriette Griffin Griffin Consulting Phil Griffin Hewlet Packard Lary Hines Hewlet Packard Gary Lefkowitz

29、 IBM Corporation Todd Arnold IBM Corporation Michael Kely Inovant Dick Sweney KPMG LLP Mark Lundin KPMG LP Al Van Ranst KPMG LLP Jeff Stapleton Mag-Tek, Inc. Tery Benson Mag-Tek, Inc. Jef Duncan Mag-Tek, Inc. Mimi Hart Mag-Tek, Inc. Carlos Morales MasterCard International Caroline Dionisio Copyright

30、 American National Standards Institute Provided by IHS under license with ANSINot for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANS X9.82003 x 2003 All rights reservedMasterCard International Naiyre Foster MasterCard International Ron Karlin Mellon Bank, N.A. Richard

31、 H. Adams Melon Bank, N.A. David Tadeo National Association of Convenience Stores John Hervey National Association of Convenience Stores Teri Richman National Association of Convenience Stores Robert Swanson National Security Agency Sheila Brand NCR Corporation David Noris NCR Corporation Steve Stev

32、ens New York Clearing House Vincent DeSantis New York Clearing House John Dunn Niteo Partners Charles Friedman Niteo Partners Michael Versace Silas Technologies Andrew Garner Silas Technologies Ray Gatland Star Systems, Inc. Elizabeth Lynn Star Systems, Inc. Michael Wade Symetricom John Bernardi Sym

33、metricom Sandra Lambert Symmetricom Jerry Willett Unisys Corporation David J. Concannon Unisys Corporation Navnit Shah VeriFone, Inc. David Ezel VeriFone, Inc. Dave Faoro VeriFone, Inc. Brad McGuines VeriFone, Inc. Brenda Watlington VISA International Patricia Greenhalgh Wells Fargo Bank Terry Leahy

34、 Wells Fargo Bank Gordon Martin Copyright American National Standards Institute Provided by IHS under license with ANSINot for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANS X9.82003 2003 All rights reserved xiAt the time it approved this standard, the X9F Subcommitte

35、e on Data and Information Security had the following members: Dick Sweeney, Chairman Organization Representative 3PEA Technologies, Inc. Mark Newcomer 3PEA Technologies, Inc. Daniel Spence ACI Worldwide Cindy Rink ACI Worldwide Jim Shafer American Bankers Association Doug Johnson American Bankers As

36、sociation Don Rhodes American Express Company William J. Gray American Express Company Mike Jones American Express Company Mark Merkow American Express Company Gerry Smith American Financial Services Association John Freeman American Financial Services Association Mark Zalewski BancTec, Inc. Christo

37、pher Dowdell Bank of America Andi Coleman Bank of America Mack Hicks Bank of America Richard Phillips Bank of America Daniel Welch Bank of America Craig Worstell Bank One Corporation Jacqueline Pagan BB and T Michael Saviak BB and T Woody Tyner Caradas John Gould Caradas Tom Johnston Caradas Rick (R

38、ichard P.) Kastner Careker Jery Bowman Careker Hary Hankla Careker Ron Schultz Certicom Corporation Daniel Brown Chrysalis-ITS Tery Fletcher Communications Security Establishment Mike Chawrun Communications Security Establishment Alan Poplove Deluxe Corporation Maury Jansen Diebold, Inc. Bruce Chapa

39、 Diebold, Inc. Anne Doland Diebold, Inc. Judy Edwards Discover Financial Services Pamela Ellington Discover Financial Services Masood Mirza Diversinet Corporation Michael Crerar eFunds Corporation Chuck Bram Electronic Industries Alliance Edward Mikoski Electronic Industries Alliance Kevin M. Nixon

40、CISSP Electronic Industries Alliance Donald L. Skillman Entrust, Inc. Miles Smid Federal Reserve Bank Neil Hersch Ferris and Associates, Inc. J. Martin Ferris First Data Corporation Gene Kathol Griffin Consulting Harriette Griffin Griffin Consulting Phil Griffin Copyright American National Standards

41、 Institute Provided by IHS under license with ANSINot for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANS X9.82003 xii 2003 All rights reservedHewlet Packard Lary Hines Hewlet Packard Gary Lefkowitz IBM Corporation Todd Arnold IBM Corporation Michael Kely IBM Corporati

42、on Allen Roginsky Identrus Brandon Brown Identrus Trent Henry Ingenico Canada Ltd. John Sheets Ingenico Canada Ltd. John Spence Inovant Dick Sweney International Biometric Group Mcken Mak, CISSP International Biometric Group Mike Thieme Jones Futurex, Inc. Ray Bryan Jones Futurex, Inc. Scot Davis Jo

43、nes Futurex, Inc. Bary Golden Jones Futurex, Inc. Steve Junod KPMG LP Azita Amini KPMG LP Mark Lundin KPMG LP Al Van Ranst KPMG LP Jef Stapleton Mag-Tek, Inc. Tery Benson Mag-Tek, Inc. Mimi Hart MasterCard International Ron Karlin MasterCard International William Poletti Melon Bank, N.A. David Tadeo

44、 National Association of Convenience Stores John Hervey National Association of Convenience Stores Robert Swanson National Security Agency Sheila Brand NCR Corporation Wayne Doran NCR Corporation Charlie Harow NCR Corporation David Noris NCR Corporation Steve Stevens Niteo Partners Charles Friedman

45、Niteo Partners Michael Versace NIST Elaine Barker NIST Lawrence Bassham III NIST Moris Dworkin NIST Annabelle Lee NTRU Cryptosystems, Inc. Ari Singer NTRU Cryptosystems, Inc. William Whyte Pitney Bowes, Inc. Matthew Campagna Pitney Bowes, Inc. Andrei Obrea Pitney Bowes, Inc. Leon Pintsov R Squared A

46、cademy Ltd. Richard E. Overfield Jr. R Squared Academy Ltd. Ralph Spencer Poore RSA Security Burt Kaliski Star Systems, Inc. Elizabeth Lynn Star Systems, Inc. Michael Wade Surety, Inc. Dimitrios Andivahis Symmetricom Sandra Lambert TECSEC Incorporated Pud Reaver TECSEC Incorporated Ed Scheidt TECSEC Incorporated Dr. Wai Tsang TECSEC Incorporated Jay Wack Thales e-Security, Inc. Ron Carter Thales e-Security, Inc. Paul Meadowcroft Copyright American National Standards Institute Provided by IHS under license with ANSINot