With 25 years of security industry leadership, SafeNet provides card issuers with a solution that
prevents disclosure of the PIN across the entire transaction, ensuring that the customer is the only person able to view their PIN online. SafeNet’s solution, ViewPIN+, allows PINs to be securely issued and managed over the Web, providing benefits
such as improved customer
service, cost savings, and peace
of mind to both the cardholder
and the card issuer.
Secure PIN Management How to Issue and Change PINs Securely over the Web
1. Secure PIN Management
How to Issue and Change PINs Securely
over the Web
whiTepaper
Table of Contents
Executive Summary............................................................................................................. 2
The Evolution of the PIN ...................................................................................................... 2
Properties of a Robust PIN .................................................................................................. 3
PIN Issuance ....................................................................................................................... 3
Failures and Limitations of Traditional PIN Issuance ........................................................... 4
SafeNet ViewPIN+: A Paradigm Shift for PIN Management .................................................. 5
ViewPIN+ Security .............................................................................................................. 6
ViewPIN+ Return on Investment .......................................................................................... 6
ViewPIN+ Ease of Use ......................................................................................................... 6
ViewPIN+ Ease of Deployment ............................................................................................ 6
Conclusion .......................................................................................................................... 7
About SafeNet..................................................................................................................... 7
Secure PIN Management Whitepaper 1
2. executive Summary
Overview More and more credit and debit cards are being issued by banks, credit card companies, an
With 25 years of security industry retailers, resulting in hundreds of thousands of PINs being sent through the mail daily to
leadership, SafeNet provides customers worldwide. Security is at the core of all PIN-based transactions. While cardholders
card issuers with a solution that must be cognizant of keeping their PIN secret, the matter of PIN privacy originates with the card
prevents disclosure of the PIN issuer. The ability to securely deliver PINs to cardholders must be a priority of every card issuer
across the entire transaction, and financial services provider. Sending PINs through traditional mail delivery is costly, time
ensuring that the customer is consuming, and highly insecure. In short, it is inefficient for today’s digital, on-demand world
the only person able to view their
With 25 years of security industry leadership, SafeNet provides card issuers with a solution
PIN online. SafeNet’s solution,
that prevents disclosure of the PIN across the entire transaction, ensuring that the customer
ViewPIN+, allows PINs to be
is the only person able to view their PIN online. SafeNet’s solution, ViewPIN+, allows PINs to
securely issued and managed
be securely issued and managed over the Web, providing benefits such as improved customer
over the Web, providing benefits
service, cost savings, and peace of mind to both the cardholder and the card issuer.
such as improved customer
service, cost savings, and peace This white paper addresses the security challenges faced by card issuers, financial services
of mind to both the cardholder providers, and telecom operators in relation to the management of Personal Identification
and the card issuer. Numbers (PINs) used to authenticate cardholders and authorize credit card transactions, such
as ATM withdrawals or retail purchases.
Readers of this paper will learn how card issuers can simplify and secure the rocesses
associated with PIN issuance and management, and how cardholders can be provided with a
safe and convenient way to retrieve their PIN over the Internet.
The evolution of the piN
Historically, recognition-based identification worked in small, closely-knit communities. Once
people started traveling, once migrant populations grew in numbers, once cities grew in size,
visual recognition did not suffice. Over time, methods of personal identification have evolved
from simple name and face recognition to today’s electronic-based techniques.
Much of the impetus for this evolution has been the advancement of computer-based financial
transactions. Invented more than 40 years ago, the Automated Teller Machine (ATM) has
revolutionized access to personal financial accounts. [1] The account card and corresponding
Personal Identification Number (PIN) came into existence at the same time as a means of
authenticating the cardholder. Today, the PIN is still most commonly used with ATM and credit/
debit cards, but is gaining momentum with retailers who link their customers to membership
accounts using a PIN card.
Today, more than 20 percent of Currently, debit and credit cards rely on two-factor authentication—something you have (the
the payment cards in the world card) and something you know (the PIN). Two-factor authentication provides the basis for
nonrepudiation of transactions, which is essential to card-based commerce, particularly in an
conform to a standard referred to
online environment. For even stronger security, a third authentication factor—biometrics—
as the EMV standard
provides an enhanced level of authentication.
Today, more than 20 percent of the payment cards in the world conform to a standard referred
to as the EMV standard[2]. The EMV standard was devised by Europay, MasterCard and Visa in
the 1990s as a means of reducing card fraud by replacing the magnetic stripe on a card with
an embedded chip. The chip contains either encrypted or non-encrypted personal data of the
cardholder to authenticate the user’s identity, including the PIN itself. As such, most chip cards
now require the use of a PIN, instead of a signature to authenticate the cardholder making
transactions with a debit or credit card. EMV also standardizes the use of a cryptogram to
further enhance nonrepudiation of a transaction. This cryptogram relies on, among other things,
successful PIN verification by the EMV chip on the card.
[1] See http://news.bbc.co.uk/2/hi/business/6230194.stm for information on the origins of ATM and PIN.
[2] Source : MasterCard International.
Secure PIN Management Whitepaper 2
3. Within a financial institution, a validated PIN and its associated card carry the same legal
binding as a signature on a check. The PIN, as an equivalent to the signature, is an essential part
of a bank’s fiduciary obligations in maintaining a cardholder’s account.
Properties of a Robust PIN
Secrecy is a fundamental tenet of a PIN. As having someone’s PIN goes a long way towards
gaining access to that person’s financial resources, it is important to protect it and keep it
confidential. This is why card issuers stress the following to their cardholders:
• Do not disclose your PIN to anyone
• Do not write your PIN down or carry it in written form anywhere.
Traditionally, card issuers have While much responsibility to safeguard their PIN lies with the cardholder, another key factor
sent the PIN to the cardholder of PIN privacy is the robustness of the security protecting the PIN. Robustness is the ability of
using PIN mailers, which can be the PIN to remain secret even under attack. One way to enhance robustness is to use a random,
machinegenerated PIN as opposed to a cardholder-selected PIN, since cardholders will typically
intercepted en route, along with
select a number that is personal and easy to remember and, therefore, easier for fraudsters to
the card, resulting in fraudulent
crack.
transactions on the account
The PIN will always be a target because it is a valuable piece of information in a system that
deals with financial assets.
PIN Issuance
Card issuers provide PINs to their cardholders as part of the overall card issuance process. The
card itself is prepared and personalized to a given cardholder and, at that time, a PIN is assigned
and linked to the card permanent account number (PAN).
Traditionally, card issuers have sent the PIN to the cardholder using PIN mailers, which can be
intercepted en route, along with the card, resulting in fraudulent transactions on the account[3].
Some card issuers prefer to issue cards and PINs in the local bank branch, where the cardholder
will be asked to select a PIN either through a dedicated terminal or at an ATM. Problems occur
here when fraudsters place overlays on ATM PIN pads to register cardholder key strokes, or
switch out dedicated terminals with dummy terminals to gather the sensitive PIN and cardholder
data, often unbeknownst to the ATM or terminal owners. Others perform PIN issuance through
an Interactive Voice Response system that allows a computer to detect voice and touch tones
through a phone call. Unfortunately, these systems cannot be secured in an effective manner.
Chip-based cards have the PIN stored in a secure zone on the chip itself; however, at some point,
the chip needs to be updated with the new PIN. In addition, some issuers use a PIN offset that
is encoded on the magnetic stripe, which must be re-encoded each time the PIN changes. ATMs
can accommodate PIN changes easily, while other technologies require the use of a PIN change
script to update the PIN in the chip.
Chip cards provide the ability to either unblock or change a PIN without having to visit a branch.
This process uses scripting commands that are described in EMV standards. Statistics available
from the U.K.’s implementation of Chip and PIN indicate that two percent of cards issued need
the PIN to be unblocked on a yearly basis[4].
Up to now, banks and retailers have not found an easy way to deliver a secure PIN to their
cardholders. Most card issuers have relied on paper-based PIN mailers, which create a delay
between issuance and usability of the card, along with a significant risk factor. Other issuers
allow customers to select their own PINs, which is costly to set up and often results in an
insecure PIN selection. Let’s face it—today’s mode of delivering a PIN to the cardholder needs a
paradigm shift.
[3] Fraud statistic : TBC
[4] Source : 2007 UK Chip and PIN Report, APACS
Secure PIN Management Whitepaper 3
4. For years, card issuers have benefited from the lucrative nature of a business that reshaped
personal banking and account access, but the PIN itself seems lagging in the promise of instant
access. Sending PINs through traditional mail is costly, time consuming, and more important,
highly insecure. In today’s digital world, consumers have become accustomed to instant and
secure delivery of financial services, be it shopping, banking, investing, etc. The Internet offers
the prospect of secure PIN issuance and management, providing a wide range of benefits to both
the cardholder and the card issuer.
Failures and Limitations of Traditional piN issuance
The traditional methods of PIN issuance, delivery, and management have been shown to fail in
many ways. With issues of cost, time, and weak security of the current methods, it’s clear that
there is an opportunity for innovative means of issuing PINs to cardholders. Every card issuer
and financial service provider must focus squarely on providing secure delivery of PINs to
cardholders. Here are a few examples of how current methods fail to deliver on this fundamental
principle:
• attacks on piN Mailers - PIN mailers are notoriously insecure. There are known technical
issues with PIN mailers, as well as the fact that they are easy to intercept before they
reach the cardholder, which remains one of the leading causes of loss in the payment
card business. For example, tamper-evident laser-printed PIN mailers are used by many
institutions to issue PINs and other secrets to individuals in a secure manner. These mailers
are created by printing the PIN with a normal laser onto special stationery and with a special
font. The background of the envelope and stationary disguises the PIN so that it cannot
be read with the naked eye without tampering. Although a standard method of issuance,
these tamper-evident, laser-printed PIN mailers are known to be vulnerable to attacks that
reveal the PIN without tampering[5]; for instance, angled-light attacks, where the reflective
properties of the toner and stationery are exploited to allow the naked eye to separate the
PIN from the backing pattern. In fact, all laserprinted mailers examined so far have been
shown to be insecure.[6]
• Social engineering - PINs are prone to capture through social engineering, where people are
The traditional methods of
tricked or manipulated into divulging confidential data either through information gathering
PIN issuance, delivery, and
or computer access. As a result, PINs may need to be changed regularly, which presents
management have been shown issuers with many significant challenges [7].
to fail in many ways. With issues
Back End System Attacks - PINs have shown vulnerability to various attacks on the card
of cost, time, and weak security
payment systems. For example, according to an article on PIN cracking, new attacks directly
of the current methods, it’s clear
target the financial PIN processing API, and apply to network switches, as well as to verification
that there is an opportunity for facilities. According to the research, ’the attacks are extremely severe allowing an attacker to
innovative means of issuing PINs expose customer PINs by executing only one or two API calls in order to expose a PIN. One of
to cardholders. the attacks uses only the translate function, which is a required function in every switch. The
other attacks abuse functions that are used to allow customers to select their PINs online. Some
of the attacks can be applied on a switch even though the attacked functions require issuer’s
keys which do not exist on a switch. This is particularly disturbing as it was widely believed that
functions requiring issuer’s cryptographic keys cannot do any harm if the respective keys are
unavailable’.[8]
[5] Fraud statistic : TBC
[6] Source : http://www.cl.cam.ac.uk/~mkb23/research/PIN-Mailer.pdf
[7] Emily Finch, of the University of East Anglia, has researched criminals and how they adapt their fraud techniques
to identity cards, especially the “chip and PIN” system that is currently being adapted in the UK.
[8] Source : http://www.arx.com/documents/The_Unbearable_Lightness_of_PIN_Cracking.pdf
Secure PIN Management Whitepaper 4
5. • point-of-Sale attacks - Fraudsters gather PIN and cardholder information by tampering
with PIN pad readers at the point-of-sale (POS) terminals. Recent criminal investigations
have found fraudsters switching out POS terminals with dummy terminals right before
stores close. They then go home that night and extract the cardholder and PIN information
from the POS terminals. The next morning, they return to the store and replace the terminal
once again, unbeknownst to the shop owner.
• iVr attacks - Interactive voice response (IVR) systems are impossible to secure as they use
public telecom networks and phones that cannot provide for end-to-end encryption of the
message. With such a system, the PIN is always available in the clear during its transmission
to the card issuer.
SafeNet ViewpiN+: a paradigm Shift for piN Management
Since card-based payment is convenient and effective, the industry strives to better secure the
system to reduce fraud while maintaining its usability. SafeNet ViewPIN+ revolutionizes the PIN
issuance process by providing cardholders with a secure and easy way to quickly retrieve their
PIN over the Web. This fully automated solution saves card issuers millions of dollars each year,
is safe, fast, and environmentally responsible. The level of security provided by ViewPIN+ far
surpasses that of paper-based PIN mailers or voice-based interactive systems, thereby reducing
fraud and identity theft.
ViewPIN+ introduces a competitive advantage by offering an enhanced customer experience of
instantly issuing a new PIN over a secure Web session. With ViewPIN+ card issuers eliminate
any delay between the time an account holder requests a new PIN and the time they receive it,
thereby minimizing the opportunity for a customer to use a competitor’s card during the waiting
process.
Cardholder
Card Issuer Datacenter
DMZ Private Network
Retail
Banking
Transaction System
Authorization
Web Server System
Internet
Firewall Firewall PIN
Database
SafeNet ViewPIN+ ATM, POS SafeNet ViewPIN+
PIN Agent Branch PIN Authority
Figure 1: SafeNet ViewPIN+ Deployment
Secure PIN Management Whitepaper 5
6. ViewpiN+ Security
Traditional SSL-secured Web sites are not entirely secure because they require encrypted data
to be decrypted at the Web server as part of the delivery process. SafeNet’s award-winning
ViewPIN+ overcomes this critical vulnerability by providing an end-to-end encrypted transaction
between the cardholder and the card issuer.
First, ViewPIN+ provides increased security over current PIN issuance processes through the
use of two-factor authentication of the cardholder. To obtain a PIN with ViewPIN+, the customer
submits their online banking user ID and password, and the card PAN and CVV. In contrast,
with a PIN mailer, anyone can intercept the card and the PIN mailer; all they need is access to a
mailbox! With an IVR system, the PIN is transmitted in the clear over a public telecom network;
yet another highly insecure environment. With ViewPIN+, the PIN is always encrypted using
robust, proven encryption algorithms and robust keys.
SafeNet’s award-winning To provide the highest level of security, ViewPIN+ FIPS 140-2 Level 3-validated hardware security
ViewPIN+ overcomes critical modules (HSMs) combine an integrated secure application execution environment with key
vulnerability by providing an management at the card issuer’s data center. All cryptographic keys and processes are stored
and managed exclusively within HSM at all times, making compromise of the system virtually
end-to-end encrypted
impossible. In addition, code signing and verification maintain the integrity of the ViewPIN+ Java
transaction between the
application code, which is only executed within the confines of the HSM to prevent unauthorized
cardholder and the card issuer.
application execution. To provide further protection against compromise, ViewPIN+ also
maintains separation between the cardholder identity and the PIN.
Security is further enhanced by the separation of PIN data management from system
administration, keeping critical data hidden from administrators. In addition the ViewPIN+ server
only deals with CVV2 and PIN data; therefore, the user is anonymous to the system, meaning any
probing cannot associate a PIN to a card.
ViewpiN+ return on investment
ViewPIN+ reduces operational costs, increases revenue, and saves resources for card issuers.
SafeNet’s first ViewPIN+ customer was U.K.-based Egg Banking, plc, a Citigroup company. With
over 3.2 million customers, Egg is the world’s largest online-only bank and one of the U.K.’s
leading online financial services providers. Using ViewPIN+, Egg eliminated paper-based PIN
issuance, saving thousands of resource hours and upwards of $6 million annually. These savings
will continue as new card customers come to Egg, or existing customers need new PINs or
replacement cards.
ViewpiN+ ease of Use
ViewPIN+ provides both the cardholder and card issuer with a secure, reliable, convenient, and
easy-to-use PIN access solution. Used not only for original PIN issuance, additional functionality
allows for PIN reminders, changes, and reissuance, in the case of lost or forgotten PINs. For
the cardholder, there is virtually no learning curve when interacting with the issuer’s Web site,
resulting in drastically reduced support calls.
ViewpiN+ ease of Deployment
ViewPIN+ uses the card issuer’s existing Web site and user authentication system to facilitate
the delivery of PINs across the Internet, or other communications network, to the customer.
The ViewPIN+ application is delivered and runs on the SafeNet Luna SP HSM as a secure
application, using standard Web security protocols that require no applets or browser plug-ins
on the customer side. The browser requirements are simple, making ViewPIN+ available from
any browser, including those on mobile devices. The issuer will need to integrate ViewPIN+ to
its back end systems in order to retrieve the PIN or, if the option is offered to cardholders, to
transmit a PIN change request and record the new PIN.
Secure PIN Management Whitepaper 6