Regarding PIN-Blocks
The most common PIN-block formats are based on ISO 9564, but many more are implemented worldwide. Another
common problem is that the same PIN-block calculation methods are referred to by different aliases, which sometimes
makes it difficult to identify the right one. This article brings a list of PIN-blocks applied in payments, their calculation
methods and examples, and a bit of related background.
Wikipedia's well-worded definition of PIN-block formats: The PIN is used to verify the identity of a customer (the user of a
bank card) within an electronic funds transfer system, and (typically) to authorize the transfer of funds, so it is important to
protect it against unauthorized disclosure or misuse. Modern banking systems require interoperability between different card
issuers, acquiring banks and retailers, including transmission of PINs between those entities, so a common set of rules for
handling and securing PINs is required, both to ensure technical compatibility and a mutually agreed level of security.
The most common PIN block format is ISO-0:
PIN Block Format: ISO-0
Alias: Format 0, ANSI X9.8, VISA-1, and ECI-0
Description: ISO 9564-1 Format 0. An ISO-0 PIN block format is equivalent to the ANSI X9.8, VISA-1, and ECI-1
PIN block formats and is similar to a VISA-4 PIN block format. The ISO-0 PIN block format supports a
PIN from 4 to 12 digits in length. A PIN that is longer than 12 digits is truncated on the right. The first
nibble (which identifies the block format) has the value 0.
ISO-0 (Format 0)
ISO-0 is the first and most common PIN block encoding format based on ISO 9564, an international standard for personal
identification number (PIN) management and security in retail banking.
Calculation steps:

1. Prepare the PIN field. L is the length of the PIN, P is a PIN digit, F is the padding value "F" (hex). Positions 3 to 6
   always hold PIN digits, positions 7 to 14 hold a PIN digit or padding depending on the PIN length (4 to 12 digits), and
   positions 15 and 16 are always padding:

   Pos:   1  2  3  4  5  6  7    8    9    10   11   12   13   14   15  16
   Value: 0  L  P  P  P  P  P/F  P/F  P/F  P/F  P/F  P/F  P/F  P/F  F   F

2. Prepare the PAN field. Take the 12 rightmost digits of the primary account number (excluding the check digit) and
   left-pad them with four zero nibbles:

   Pos:   1  2  3  4  5    6    7    8    9    10   11   12   13   14   15   16
   Value: 0  0  0  0  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN

3. XOR both fields nibble by nibble to obtain the clear PIN block:

   PIN field: 0  L  P  P  P    P    P/F  P/F  P/F  P/F  P/F  P/F  P/F  P/F  F    F
              XOR
   PAN field: 0  0  0  0  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN
Example:

PIN blocks: PIN block encrypt operation finished
****************************************
PAN: 43219876543210987
PIN: 1234
PAD: N/A
Format: Format 0 (ISO-0)
---------------------------------------
Clear PIN block: 0412AC89ABCDEF67

PIN blocks: PIN block decode operation finished
****************************************
PIN block: 0412AC89ABCDEF67
PAN: 43219876543210987
PAD: N/A
Format: Format 0 (ISO-0)
---------------------------------------
Decoded PIN: 1234
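The three calculation steps and the worked example above, carried through in code. This is an added example and not code from the original article or from the tool whose output is shown; the function names are my own. It produces and parses the clear PIN block only; in a real system that block is formed inside an HSM and encrypted under a PIN encryption key before it leaves the device.

```python
# Added example: ISO 9564-1 Format 0 (ISO-0) PIN block encode/decode.
# Function names (pan_field, encode_iso0, decode_iso0) are this example's own.

def pan_field(pan: str) -> bytes:
    """16-nibble PAN field: 0000 + the 12 rightmost PAN digits, check digit excluded."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def encode_iso0(pin: str, pan: str) -> str:
    """Return the clear ISO-0 PIN block as 16 uppercase hex characters."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    # Nibble 1 = format 0, nibble 2 = PIN length (hex), then PIN digits, F padding.
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    block = bytes(a ^ b for a, b in zip(pin_field, pan_field(pan)))
    return block.hex().upper()


def decode_iso0(block_hex: str, pan: str) -> str:
    """Recover the PIN from a clear ISO-0 block, checking the layout on the way."""
    if len(block_hex) != 16:
        raise ValueError("PIN block must be 16 hex digits")
    block = bytes.fromhex(block_hex)
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a Format 0 block (format nibble must be 0)")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, padding = field[2:2 + length], field[2 + length:]
    # Decoding with the wrong PAN (or a corrupted block) shows up here as
    # non-decimal PIN nibbles or non-F padding.
    if not pin.isdigit() or padding != "F" * len(padding):
        raise ValueError("malformed PIN block (wrong PAN or corrupted data)")
    return pin


if __name__ == "__main__":
    # Values from the worked example in the article.
    pan = "43219876543210987"
    blk = encode_iso0("1234", pan)
    print(blk)                    # 0412AC89ABCDEF67
    print(decode_iso0(blk, pan))  # 1234
```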
Online versus offline PIN Validation
The EMV specification allows PIN validation to be performed between the card and the
terminal (offline), eliminating the need to go online to verify the PIN. While offline PIN
validation may be beneficial in some applications, it introduces additional considerations
for how PIN information is maintained and kept consistent between the card and the
issuer's host system.
Online versus offline transaction authorization
Another provision of the EMV specification allows transactions to be authorized between the
terminal and the card. Initial deployments of EMV in Europe used this feature where
communications infrastructures were not always reliable. Today, offline authorization is also
used for certain low-risk / small value transaction types and may be a consideration for
contactless and mobile payments.