British Standards Institution

Source:: ISO
Committee:: IST/12 - Financial services
Categories:: IT applications. Banking
Number of comments:: 0

Scope

This document provides requirements and guidance for methods of Issuer PIN Management using AES. It additionally defines a method for generating and verifying Card Security Codes using AES.

The processes defined in this Standard (in order as presented) are:

— PIN Generation

— PIN Change

— PIN Verification

— Generation and Verification of Card Security Code

All AES key lengths (128 bits, 192 bits and 256 bits) are acceptable for this Standard

Within this document, references to CMAC refer to algorithm 5 in ISO/IEC 9797‑1 used with AES.

Assigned derived PINS, where PINs are derived from PANs and customer selection is supported by means of offsets, are not prohibited but are not recommended and so an AES-based method for this approach is not specified in this standard. One reason for not recommending this approach is that with this approach if a user PIN is discovered by a fraudster (along with non-secret PIN verification data) then to recover PIN security the card must be reissued with a new PAN.

Comment on proposal

Required form fields are indicated by an asterisk (*) character.

How important do you think standardization is in this area? *

Do you agree that a standard on this subject is feasible?: *

Please give reasons for your selections above: *

Would you or your organization use the standard? *

Would you or your organization be prepared to participate in the development of the standard or to comment on the draft when it is available? *

Are you aware of any regulation, existing standards and other good practice information in this area in the UK (e.g. Industry codes of practice; company specifications, international or European Standards)? *

Would the development of a standard(s) in this area have a particular impact/relevance to SME, consumer, environmental or societal interests? *

Are you aware of any other organizations to which this proposal may be relevant? If so please provide details below. *

Additional comments on the scope or proposal:

Although BSI will not usually enter into correspondence regarding individual comments or suggestions we may wish to contact you to seek further clarification. Please indicate whether this will be acceptable: *

Discard

Please email further comments to: debbie.stead@bsigroup.com

Standard timeline

1. Proposal (Complete)

Proposal start date:

2. Draft (Complete)

Draft start date:

10/02/2021

3. Public Comments

Public Comments start date:

14/04/2021

Public Comments end date:

07/06/2021

Learn more about the standards development process

Standards Development

BS ISO 9564-5 Financial services - Personal Identification Number (PIN) management and security. - Part 5: Methods for the generation, change, and verification of PINs and card security data using the advanced encryption standard

Scope

Comment on proposal

Discard changes?

Submit comment

Submit comment

Follow standard

Unfollow standard

Error