1、BSI Standards Publication BS ISO 9564-4:2016 Financial services Personal Identification Number (PIN) management and security Part 4: Requirements for PIN handling in eCommerce for Payment TransactionsBS ISO 9564-4:2016 BRITISH STANDARD National foreword This British Standard is the UK implementation
2、 of ISO 9564-4:2016. The UK committee supports this International Standard in principle, but notes that PINs are not commonly used in “e-commerce“ card payments in the UK and therefore does not envisage it being widely used. The UK participation in its preparation was entrusted to Technical Committe
3、e IST/12, Financial services. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Instituti
4、on 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 79381 3 ICS 35.240.40 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 March 2016. Amendments/
5、corrigenda issued since publication Date T e x t a f f e c t e dBS ISO 9564-4:2016 ISO 2016 Financial services Personal Identification Number (PIN) management and security Part 4: Requirements for PIN handling in eCommerce for Payment Transactions Sercices financiers Gestion et scurit du numro perso
6、nnel didentification (PIN) Partie 4: Exigences pour la manipulation PIN dans le commerce lectronique pour les transactions de paiement INTERNATIONAL STANDARD ISO 9564-4 First edition 2016-03-01 Reference number ISO 9564-4:2016(E)BS ISO 9564-4:2016ISO 9564-4:2016(E)ii ISO 2016 All rights reserved COP
7、YRIGHT PROTECTED DOCUMENT ISO 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet,
8、without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www
9、.iso.orgBS ISO 9564-4:2016ISO 9564-4:2016(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 Terms and definitions . 2 4 eCommerce model 3 5 PIN handling requirements . 4 5.1 General . 4 5.2 Functionally secure PIN entry devices (FSPED) 4 5.3 Integrated circuit card PIN entry device
10、s (ICCPED) . 5 5.4 PIN entry devices with a keying relationship to an acquirer 5 5.5 PIN entry device with a keying relationship to an issuer . 6 5.6 PED class summary . 6 Annex A (informative) Example flows for PIN verification in eCommerce .7 Bibliography .14 ISO 2016 All rights reserved iii Conte
11、nts PageBS ISO 9564-4:2016ISO 9564-4:2016(E) Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each memb
12、er body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Ele
13、ctrotechnical Commission (IEC) on all matters of electrotechnical standardization. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types
14、 of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be h
15、eld responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is informat
16、ion given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the
17、following URL: Foreword - Supplementary information The committee responsible for this document is ISO/TC 68, Financial services, Subcommittee SC 2, Financial Services, security. ISO 9564 consists of the following parts, under the general title Financial services Personal Identification Number (PIN)
18、 management and security: Part 1: Basic principles and requirements for PINs in card-based systems Part 2: Approved algorithms for PIN encipherment Part 4: Requirements for PIN handling in eCommerce for Payment Transactionsiv ISO 2016 All rights reservedBS ISO 9564-4:2016ISO 9564-4:2016(E) Introduct
19、ion The eCommerce environment is inherently high-risk. This is especially true for PIN-based transactions because if PIN security in this environment is deficient, there is a high probability, in some cases, that card and PIN data might be fraudulently captured and reused in the ATM, POS or eCommerc
20、e environments. For conducting eCommerce transactions, cardholders use network access devices (NAD) of their choice. ISO 9564-1 prohibits PINs from being entered on NADs. This part of ISO 9564 defines minimum security requirements and practices for acceptable devices used for the entry of the PINs i
21、n the eCommerce environment: devices that are compliant with ISO 9564-1 (i.e. PEDs); devices that are not compliant with ISO 9564-1 but are functionally secure devices for PIN entry (FSPED) for exclusive use with IC cards; devices that are not compliant with ISO 9564-1 b u t a r e I C c a r d s w i
22、t h i n t e g r a t e d k e y p a d a n d display (ICCPED). ISO 2016 All rights reserved vBS ISO 9564-4:2016BS ISO 9564-4:2016Financial services Personal Identification Number (PIN) management and security Part 4: Requirements for PIN handling in eCommerce for Payment Transactions 1 Scope This part
23、of ISO 9564 provides requirements for the use of personal identification numbers (PIN) in eCommerce. The PINs in scope are the same cardholder PINs used as a means of cardholder verification in card-based financial transactions; notably, automated teller machine (ATM) systems, point-of-sale (POS) te
24、rminals, automated fuel dispensers, and vending machines. It is applicable to financial card-originated transactions requiring verification of the PIN and to those organizations responsible for implementing techniques for the management of the PIN in eCommerce. The provisions of this part of ISO 956
25、4 are not intended to cover passwords, passcodes, pass phrases and other shared secrets used for customer authentication in online banking, telephone banking, digital wallets, mobile payment, etc., management of cardholder PINs for use as a means of cardholder verification in retail banking systems
26、in, notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems, which are covered in ISO 9564-1, card proxies such as mobile phones or key fobs, approved algorithms for PIN encipherment,
27、 which are covered in ISO 9564-2, the protection of the PIN against loss or intentional misuse by the customer or authorized employees of the issuer, privacy of non-PIN transaction data, protection of transaction messages against alteration or substitution, e.g. an online authorization response, pro
28、tection against replay of the transaction, functionality of devices used for PIN entry which is related to issuer functions other than PIN entry, specific key management techniques, and access to, and storage of, card data other than the PIN by applications such as wallets. 2 Normative references Th
29、e following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. INTERNATI
30、ONAL ST ANDARD ISO 9564-4:2016(E) ISO 2016 All rights reserved 1BS ISO 9564-4:2016ISO 9564-4:2016(E) ISO 9564-1, Financial services Personal Identification Number (PIN) management and security Part 1: Basic principles and requirements for PINs in card-based systems 3 Terms and definitions For the pu
31、rposes of this document, the following terms and definitions apply. 3.1 acquirer institution, or its agent, that acquires from the card acceptor the financial data relating to the transaction and initiates such data into an interchange system 3.2 compromise cryptography breaching of confidentiality
32、and/or integrity 3.3 contact IC reader reader of an IC card that requires the insertion of the card into the contact IC reader to establish communication between the contact IC reader and the IC card through a physical connection 3.4 eCommerce buying and selling of products or services over open net
33、works 3.5 encipherment transformation of intelligible data (plaintext) into an unintelligible form (ciphertext) 3.6 functionally secure PIN entry device FSPED device that communicates with a contact IC card for the purpose of using the PIN to generate an OTT offline, containing a contact IC reader,
34、an integrated numeric keypad, and an alpha-numeric display Note 1 to entry: An FSPED is not a PED in the sense of ISO 9564-1. 3.7 integrated circuit card ICC IC card ID-1 card type, as specified in ISO/IEC 7816 (all parts) into which one or more integrated circuits have been inserted 3.8 integrated
35、circuit card PIN entry device ICCPED ID-1 card type, as specified in ISO/IEC 7816 (all parts) into which one or more integrated circuits have been inserted, but which additionally is self-powered, has integrated keypad and display capabilities, for the purpose of using a PIN to generate an OTT offli
36、ne Note 1 to entry: Standards that describe these kinds of devices are under development (see Reference 8). Note 2 to entry: An ICCPED is not a PED in the sense of ISO 9564-12 ISO 2016 All rights reservedBS ISO 9564-4:2016ISO 9564-4:2016(E) 3.9 issuer institution holding the account identified by th
37、e primary account number (PAN) Note 1 to entry: For this standard, references to an issuer may extend to an agent acting on the issuers behalf, e.g. performing issuer functions such as card and PIN issuance, PIN verification and transaction authorization. 3.10 network access device NAD device capabl
38、e of allowing access to public endpoints via an open network, e.g. personal computer, TV, mobile phone or even household appliances Note 1 to entry: POS devices as defined in ISO 9564-1 with IP connectivity with access restricted to a limited number of acquirers are not NADs. 3.11 open network commu
39、nications network for public use EXAMPLE Internet, mobile phone networks. 3.12 personal identification number PIN string of numeric digits established as a shared secret between the cardholder and the issuer, for subsequent use to validate authorized card usage 3.13 PIN entry device PED device, as s
40、pecified in 9564-1, providing for the secure entry of PINs 3.14 primary account number PAN assigned number that identifies the card issuer and cardholder, composed of an issuer identification number, individual account identification and accompanying check digit, as defined in ISO/IEC 7812-1 3.15 on
41、e-time token OTT authentication data cryptographically generated by the IC card in response to PIN entry and optionally formatted (e.g. decimalized and/or truncated) by the FSPED 4 eCommerce model In eCommerce, the cardholder and the merchant are not typically in the same location at the time of pay
42、ment. eCommerce occurs in an open network environment and the cardholder uses a network access device (NAD) to perform an eCommerce transaction. In the open network environment, the NAD may initiate a transaction with any open-network-connected merchant. In eCommerce, the device into which the PIN i
43、s entered might not be under the control of the merchant or the merchants acquirer. For card payment transactions based on PIN, the eCommerce model introduces some fundamental changes with respect to the POS environment: the NAD may be a general purpose computing device connected to an open network
44、and therefore cannot be considered secure; the NAD, which may include a numeric keypad, has not been manufactured in order to be compliant to the requirements of the payments industry; ISO 2016 All rights reserved 3BS ISO 9564-4:2016ISO 9564-4:2016(E) the NAD is not under the control of the merchant
45、, issuer or the merchants acquirer. As a consequence, the NAD is not acceptable for PIN entry. Clause 5 specifies the requirements for the secure handling of PINs in the eCommerce environment. 5 PIN handling requirements 5.1 General A PIN shall not be entered into a network access device (NAD), incl
46、uding, but not limited to, personal computers, mobile phones, etc. Personal devices used for PIN entry in eCommerce shall be for the exclusive use of the cardholder. The use of public (shared) PIN entry devices is restricted to PEDs defined in 5.4 and 5.5. 5.2 Functionally secure PIN entry devices (
47、FSPED) Functionally secure PIN entry devices (FSPED) are limited functionality PIN entry devices that shall be approved by the issuer for use in conjunction with any of that issuers IC cards for offline OTT generation. FSPEDs that support software updates shall have a cryptographic relationship with
48、 the card issuer but the associated cryptographic keys shall not be used for PIN encipherment. The device shall only apply software updates that it has cryptographically authenticated and shall ensure that the software updates are applied in the correct order (an older update cannot be applied after
49、 a newer one has already been applied). An FSPED shall contain a contact IC reader for communication with an IC card. The device shall also contain a keypad for PIN entry and a display screen. Following entry of a PIN (which may be verified by the IC card), the FSPED interacts with the IC card to produce an OTT for subsequent verification by the issuer. The IC card generates a cryptographic value. This value may be used directly as the OTT or the FSPED may format this value to an
