PIN Block Format and Encryption

When a cardholder enters their PIN, the PIN is first encoded into a plain-text PIN block derived from the PIN length, the PIN digits, a portion of the PAN (primary account number) and padding. The plain-text PIN block is then encrypted using a standard algorithm.

Security

PINs are entered on a PIN entry device, which provides a trusted and secure environment. Such devices are tamper resistant and tamper responsive, which means that they can detect attempts to retrieve sensitive data and respond to them.

Security measures include encapsulating membranes, potting, physical sensors, secure microcontrollers and software countermeasures. The tamper response is erasure of protected data and the disabling of the device.

ISO-0 PIN block format

The ISO-0 PIN block format consists of a leading 0 (the format identifier), the PIN length, the PIN digits and 'F' padding to 16 hexadecimal digits, exclusive-ORed with the rightmost 12 PAN digits, excluding the check digit.

For example, for PIN 1234 and PAN 4987654321098765 (check digit 5, so the 12 PAN digits used are 765432109876), we need to work out 04 1234 FFFFFFFFFF XOR 0000 765432109876, which gives us 0412 42AB CDEF 6789.
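The following is an added example (not code from the original page) that builds and parses an ISO-0 plain-text PIN block exactly as described above, using the page's PIN and PAN as constructed sample values. Function names and the 4-12 digit PIN length check are this example's own assumptions; the block it produces is the plain-text block that a PED or HSM would then encrypt under DES or triple DES, and that encryption step is not shown here.

```python
import re

# Constructed sample values taken from the worked example on the page.
PIN_EXAMPLE = "1234"
PAN_EXAMPLE = "4987654321098765"


def pan_12_digits(pan: str) -> str:
    """Return the 12 rightmost PAN digits, excluding the trailing check digit."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13-19 decimal digits")
    return pan[:-1][-12:]


def pan_block(pan: str) -> bytes:
    """Account block: four zero nibbles followed by the 12 PAN digits."""
    return bytes.fromhex("0000" + pan_12_digits(pan))


def plain_pin_block(pin: str) -> bytes:
    """Format-0 block: 0, PIN length nibble, PIN digits, 'F' padding to 16 nibbles."""
    if not re.fullmatch(r"\d{4,12}", pin):          # assumed length policy for this example
        raise ValueError("PIN must be 4-12 decimal digits")
    field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return bytes.fromhex(field)


def encode_iso0(pin: str, pan: str) -> str:
    """XOR the PIN block with the account block; returns 16 upper-case hex digits."""
    mixed = bytes(p ^ a for p, a in zip(plain_pin_block(pin), pan_block(pan)))
    return mixed.hex().upper()


def decode_iso0(block_hex: str, pan: str) -> str:
    """Reverse the XOR and validate the control nibble, length and padding."""
    block = bytes.fromhex(block_hex)
    if len(block) != 8:
        raise ValueError("ISO-0 block must be 8 bytes")
    clear = bytes(b ^ a for b, a in zip(block, pan_block(pan))).hex().upper()
    if clear[0] != "0":
        raise ValueError("not a format-0 block")
    n = int(clear[1], 16)
    if not 4 <= n <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, pad = clear[2:2 + n], clear[2 + n:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("malformed PIN block (wrong PAN or corrupted data)")
    return pin


if __name__ == "__main__":
    block = encode_iso0(PIN_EXAMPLE, PAN_EXAMPLE)
    print(block)                                   # 041242ABCDEF6789
    print(decode_iso0(block, PAN_EXAMPLE))         # 1234
```

Because the PAN is folded into the block, the same PIN produces a different block for every account, and a block decoded against the wrong PAN fails the padding check rather than yielding a plausible-looking PIN; `decode_iso0` treats that as an error, which is the behaviour an HSM-side translation or verification routine should have.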

Some PIN block encryption standards

Standard           Mechanism   PIN block format   Encryption
ANS X9.8 (1995)    MK/SK       ISO-0              DES
ANS X9.8 (2003)    MK/SK       ISO-0              triple DES
ANS X9.24 (1998)   DUKPT       ISO-0              DES
ANS X9.24 (2004)   DUKPT       ISO-0              triple DES

Abbreviations

DES     Data encryption standard
DUKPT   Derived unique key per transaction
HSM     Hardware security module
MK/SK   Master key / session key
PAN     Primary account number
PED     PIN entry device
PIN     Personal identification number
TRSM    Tamper resistant/responsive security module