1、BSI Standards PublicationBS ISO 9564-4:2016Financial services PersonalIdentification Number (PIN)management and securityPart 4: Requirements for PIN handling ineCommerce for Payment TransactionsBS ISO 9564-4:2016 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of ISO
2、9564-4:2016. The UK committee supports this International Standard in principle, but notes that PINs are not commonly used in “e-commerce“ card payments in the UK and therefore does not envisage it being widely used.The UK participation in its preparation was entrusted to Technical Committee IST/12,
3、 Financial services.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016.Pub
4、lished by BSI Standards Limited 2016ISBN 978 0 580 79381 3 ICS 35.240.40 Compliance with a British Standard cannot confer immunity from legal obligations.This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 March 2016.Amendments/corrigenda issu
5、ed since publicationDate T e x t a f f e c t e dBS ISO 9564-4:2016 ISO 2016Financial services Personal Identification Number (PIN) management and security Part 4: Requirements for PIN handling in eCommerce for Payment TransactionsSercices financiers Gestion et scurit du numro personnel didentificati
6、on (PIN) Partie 4: Exigences pour la manipulation PIN dans le commerce lectronique pour les transactions de paiementINTERNATIONAL STANDARDISO9564-4First edition2016-03-01Reference numberISO 9564-4:2016(E)BS ISO 9564-4:2016ISO 9564-4:2016(E)ii ISO 2016 All rights reservedCOPYRIGHT PROTECTED DOCUMENT
7、ISO 2016, Published in SwitzerlandAll rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permi
8、ssion. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCh. de Blandonnet 8 CP 401CH-1214 Vernier, Geneva, SwitzerlandTel. +41 22 749 01 11Fax +41 22 749 09 47copyrightiso.orgwww.iso.orgBS ISO 9564-4:2016ISO 9564
9、-4:2016(E)Foreword ivIntroduction v1 Scope . 12 Normative references 13 Terms and definitions . 24 eCommerce model 35 PIN handling requirements . 45.1 General . 45.2 Functionally secure PIN entry devices (FSPED) 45.3 Integrated circuit card PIN entry devices (ICCPED) . 55.4 PIN entry devices with a
10、keying relationship to an acquirer 55.5 PIN entry device with a keying relationship to an issuer . 65.6 PED class summary . 6Annex A (informative) Example flows for PIN verification in eCommerce . 7Bibliography .14 ISO 2016 All rights reserved iiiContents PageBS ISO 9564-4:2016ISO 9564-4:2016(E)Fore
11、wordISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a techni
12、cal committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of e
13、lectrotechnical standardization.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document wa
14、s drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such pat
15、ent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not
16、 constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary informationT
17、he committee responsible for this document is ISO/TC 68, Financial services, Subcommittee SC 2, Financial Services, security.ISO 9564 consists of the following parts, under the general title Financial services Personal Identification Number (PIN) management and security: Part 1: Basic principles and
18、 requirements for PINs in card-based systems Part 2: Approved algorithms for PIN encipherment Part 4: Requirements for PIN handling in eCommerce for Payment Transactionsiv ISO 2016 All rights reservedBS ISO 9564-4:2016ISO 9564-4:2016(E)IntroductionThe eCommerce environment is inherently high-risk. T
19、his is especially true for PIN-based transactions because if PIN security in this environment is deficient, there is a high probability, in some cases, that card and PIN data might be fraudulently captured and reused in the ATM, POS or eCommerce environments.For conducting eCommerce transactions, ca
20、rdholders use network access devices (NAD) of their choice. ISO 9564-1 prohibits PINs from being entered on NADs.This part of ISO 9564 defines minimum security requirements and practices for acceptable devices used for the entry of the PINs in the eCommerce environment: devices that are compliant wi
21、th ISO 9564-1 (i.e. PEDs); devices that are not compliant with ISO 9564-1 but are functionally secure devices for PIN entry (FSPED) for exclusive use with IC cards; devices that are not compliant with ISO 9564-1 but are IC cards with integrated keypad and display (ICCPED). ISO 2016 All rights reserv
22、ed vBS ISO 9564-4:2016BS ISO 9564-4:2016Financial services Personal Identification Number (PIN) management and security Part 4: Requirements for PIN handling in eCommerce for Payment Transactions1 ScopeThis part of ISO 9564 provides requirements for the use of personal identification numbers (PIN) i
23、n eCommerce. The PINs in scope are the same cardholder PINs used as a means of cardholder verification in card-based financial transactions; notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, and vending machines.It is applicable to financial c
24、ard-originated transactions requiring verification of the PIN and to those organizations responsible for implementing techniques for the management of the PIN in eCommerce.The provisions of this part of ISO 9564 are not intended to cover passwords, passcodes, pass phrases and other shared secrets us
25、ed for customer authentication in online banking, telephone banking, digital wallets, mobile payment, etc., management of cardholder PINs for use as a means of cardholder verification in retail banking systems in, notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automa
26、ted fuel dispensers, vending machines, banking kiosks and PIN selection/change systems, which are covered in ISO 9564-1, card proxies such as mobile phones or key fobs, approved algorithms for PIN encipherment, which are covered in ISO 9564-2, the protection of the PIN against loss or intentional mi
27、suse by the customer or authorized employees of the issuer, privacy of non-PIN transaction data, protection of transaction messages against alteration or substitution, e.g. an online authorization response, protection against replay of the transaction, functionality of devices used for PIN entry whi
28、ch is related to issuer functions other than PIN entry, specific key management techniques, and access to, and storage of, card data other than the PIN by applications such as wallets.2 Normative referencesThe following documents, in whole or in part, are normatively referenced in this document and
29、are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.INTERNATIONAL STANDARD ISO 9564-4:2016(E) ISO 2016 All rights reserved 1BS ISO 9564-4:2016ISO 9564-4:2
30、016(E)ISO 9564-1, Financial services Personal Identification Number (PIN) management and security Part 1: Basic principles and requirements for PINs in card-based systems3 Terms and definitionsFor the purposes of this document, the following terms and definitions apply.3.1acquirerinstitution, or its
31、 agent, that acquires from the card acceptor the financial data relating to the transaction and initiates such data into an interchange system3.2compromisecryptography breaching of confidentiality and/or integrity3.3contact IC readerreader of an IC card that requires the insertion of the card into t
32、he contact IC reader to establish communication between the contact IC reader and the IC card through a physical connection3.4eCommercebuying and selling of products or services over open networks3.5enciphermenttransformation of intelligible data (plaintext) into an unintelligible form (ciphertext)3
33、.6functionally secure PIN entry deviceFSPEDdevice that communicates with a contact IC card for the purpose of using the PIN to generate an OTT offline, containing a contact IC reader, an integrated numeric keypad, and an alpha-numeric displayNote 1 to entry: An FSPED is not a PED in the sense of ISO
34、 9564-1.3.7integrated circuit cardICCIC cardID-1 card type, as specified in ISO/IEC 7816 (all parts) into which one or more integrated circuits have been inserted3.8integrated circuit card PIN entry deviceICCPEDID-1 card type, as specified in ISO/IEC 7816 (all parts) into which one or more integrate
35、d circuits have been inserted, but which additionally is self-powered, has integrated keypad and display capabilities, for the purpose of using a PIN to generate an OTT offlineNote 1 to entry: Standards that describe these kinds of devices are under development (see Reference 8).Note 2 to entry: An
36、ICCPED is not a PED in the sense of ISO 9564-12 ISO 2016 All rights reservedBS ISO 9564-4:2016ISO 9564-4:2016(E)3.9issuerinstitution holding the account identified by the primary account number (PAN)Note 1 to entry: For this standard, references to an issuer may extend to an agent acting on the issu
37、ers behalf, e.g. performing issuer functions such as card and PIN issuance, PIN verification and transaction authorization.3.10network access deviceNADdevice capable of allowing access to public endpoints via an open network, e.g. personal computer, TV, mobile phone or even household appliancesNote
38、1 to entry: POS devices as defined in ISO 9564-1 with IP connectivity with access restricted to a limited number of acquirers are not NADs.3.11open networkcommunications network for public useEXAMPLE Internet, mobile phone networks.3.12personal identification numberPINstring of numeric digits establ
39、ished as a shared secret between the cardholder and the issuer, for subsequent use to validate authorized card usage3.13PIN entry devicePEDdevice, as specified in 9564-1, providing for the secure entry of PINs3.14primary account numberPANassigned number that identifies the card issuer and cardholder
40、, composed of an issuer identification number, individual account identification and accompanying check digit, as defined in ISO/IEC 7812-13.15one-time tokenOTTauthentication data cryptographically generated by the IC card in response to PIN entry and optionally formatted (e.g. decimalized and/or tr
41、uncated) by the FSPED4 eCommerce modelIn eCommerce, the cardholder and the merchant are not typically in the same location at the time of payment. eCommerce occurs in an open network environment and the cardholder uses a network access device (NAD) to perform an eCommerce transaction. In the open ne
42、twork environment, the NAD may initiate a transaction with any open-network-connected merchant. In eCommerce, the device into which the PIN is entered might not be under the control of the merchant or the merchants acquirer.For card payment transactions based on PIN, the eCommerce model introduces s
43、ome fundamental changes with respect to the POS environment: the NAD may be a general purpose computing device connected to an open network and therefore cannot be considered secure; the NAD, which may include a numeric keypad, has not been manufactured in order to be compliant to the requirements o
44、f the payments industry; ISO 2016 All rights reserved 3BS ISO 9564-4:2016ISO 9564-4:2016(E) the NAD is not under the control of the merchant, issuer or the merchants acquirer.As a consequence, the NAD is not acceptable for PIN entry. Clause 5 specifies the requirements for the secure handling of PIN
45、s in the eCommerce environment.5 PIN handling requirements5.1 GeneralA PIN shall not be entered into a network access device (NAD), including, but not limited to, personal computers, mobile phones, etc.Personal devices used for PIN entry in eCommerce shall be for the exclusive use of the cardholder.
46、 The use of public (shared) PIN entry devices is restricted to PEDs defined in 5.4 and 5.5.5.2 Functionally secure PIN entry devices (FSPED)Functionally secure PIN entry devices (FSPED) are limited functionality PIN entry devices that shall be approved by the issuer for use in conjunction with any o
47、f that issuers IC cards for offline OTT generation.FSPEDs that support software updates shall have a cryptographic relationship with the card issuer but the associated cryptographic keys shall not be used for PIN encipherment. The device shall only apply software updates that it has cryptographicall
48、y authenticated and shall ensure that the software updates are applied in the correct order (an older update cannot be applied after a newer one has already been applied).An FSPED shall contain a contact IC reader for communication with an IC card. The device shall also contain a keypad for PIN entr
49、y and a display screen.Following entry of a PIN (which may be verified by the IC card), the FSPED interacts with the IC card to produce an OTT for subsequent verification by the issuer. The IC card generates a cryptographic value. This value may be used directly as the OTT or the FSPED may format this value to an OTT (e.g. by decimalization and/or truncation) that is convenient for a user to enter manually. The OTT is then either entered into or transferred to the NAD as part of the eCommerce transaction and s
