A typical example of a PIN used to validate a financial transaction is as follows:
· The card issuer generates a unique PIN for the account holder (it may also be unique for each card held by the account holder), in accordance with a defined algorithm. A value known as an ‘Offset’ can be stored on the card: it is the digit-wise difference between the PIN the cardholder uses and the PIN the algorithm derives from the account number, so it is not itself secret and can be held on the card or in the issuer's database.
· The cardholder inserts the card into an Automated Teller Machine (ATM) and enters the PIN at the keypad.
· The ATM forms a PIN block from the account number and the entered PIN, and encrypts it under the TPK (Terminal PIN Key). The encrypted PIN block is sent to the acquirer.
· The acquirer's HSM translates the PIN block from encryption under the TPK to encryption under the ZPK (Zone PIN Key) shared with the card issuer. While the block is in clear text inside the HSM, it can be re-formed into a different PIN block format, as agreed between the acquirer and the card issuer; the clear PIN is never released to the acquirer's host. The newly encrypted PIN block is sent to the card issuer.
· The card issuer supplies the encrypted PIN block, together with the account number and the verification data (such as the offset), to its HSM, which verifies that the PIN is correct for this account (or card) according to the algorithm.
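The steps above, carried through end to end as an added example (it is not code from the original page or from any HSM vendor). It forms an ISO 9564 format 0 PIN block at the terminal, translates it from the TPK to the ZPK inside a simulated HSM boundary, and verifies it at the issuer with the IBM 3624 offset method (natural PIN derived from the account number under a PIN Verification Key, plus the stored offset). Two things are assumptions of the example rather than anything the page states: the block cipher is a constructed key-derived XOR stand-in so the code runs without third-party libraries (a real HSM uses 3DES or AES under these keys), and the 3624 validation data is taken as the account number without its check digit, zero-padded to 16 digits (issuers choose their own convention). The sample PAN and keys are constructed.

```python
"""PIN flow: issuer PIN/offset generation, ATM PIN block (ISO 9564 format 0),
acquirer TPK->ZPK translation, issuer verification (IBM 3624 offset method)."""
import hashlib
import secrets


# CONSTRUCTED STAND-IN for the HSM block cipher: a real HSM applies 3DES/AES
# under the TPK, ZPK and PVK. Here an 8-byte block is XORed with a pad derived
# from the key, so the example needs no third-party library. Encryption and
# decryption are therefore the same operation.
def _cipher(key: bytes, block: bytes) -> bytes:
    assert len(block) == 8, "PIN blocks and 3624 validation data are 8 bytes"
    pad = hashlib.sha256(b"stand-in-cipher:" + key).digest()[:8]
    return bytes(a ^ b for a, b in zip(block, pad))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- ISO 9564 format 0 PIN block -------------------------------------------
def pin_field(pin: str) -> bytes:
    """Control nibble 0, PIN length nibble, the PIN digits, then F padding."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    """Four zero nibbles, then the 12 rightmost PAN digits excluding the check digit."""
    return bytes.fromhex("0000" + pan[:-1][-12:])


def clear_pin_block(pin: str, pan: str) -> bytes:
    return _xor(pin_field(pin), pan_field(pan))


def extract_pin(clear_block: bytes, pan: str):
    """Undo the PAN XOR and check the layout. Returns None when the block was
    not formed with this PAN: the F padding does not survive the wrong XOR."""
    field = _xor(clear_block, pan_field(pan)).hex().upper()
    length = int(field[1], 16)
    pin, padding = field[2:2 + length], field[2 + length:]
    if field[0] != "0" or not 4 <= length <= 12 or not pin.isdigit() \
            or padding != "F" * len(padding):
        return None
    return pin


# ---- IBM 3624 offset method (issuer side) ----------------------------------
DECIMALISATION_TABLE = "0123456789012345"  # hex digit 0-F -> decimal digit


def natural_pin(pan: str, pvk: bytes, pin_length: int = 4) -> str:
    """Encrypt the validation data under the PVK and decimalise the result.
    Assumed convention: PAN without check digit, zero-padded to 16 digits."""
    validation = bytes.fromhex(pan[:-1][-16:].rjust(16, "0"))
    digest = _cipher(pvk, validation).hex().upper()
    return "".join(DECIMALISATION_TABLE[int(h, 16)] for h in digest)[:pin_length]


def offset_for(natural: str, customer_pin: str) -> str:
    """Offset = customer PIN minus natural PIN, digit by digit modulo 10."""
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural, customer_pin))


def apply_offset(natural: str, offset: str) -> str:
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


def issuer_generate_pin(pan: str, pvk: bytes, pin_length: int = 4):
    """PIN Generation: random offset; PIN = natural PIN + offset. Only the
    offset is stored (on the card or at the issuer), never the PIN."""
    offset = "".join(str(secrets.randbelow(10)) for _ in range(pin_length))
    return apply_offset(natural_pin(pan, pvk, pin_length), offset), offset


# ---- Terminal, acquirer HSM and issuer HSM ---------------------------------
def atm_encrypt_pin_block(pin: str, pan: str, tpk: bytes) -> bytes:
    return _cipher(tpk, clear_pin_block(pin, pan))


def hsm_translate_pin_block(enc_block: bytes, tpk: bytes, zpk: bytes) -> bytes:
    """PIN Block Translation, TPK -> ZPK. The clear block exists only inside
    this function, i.e. inside the HSM; the acquirer host never sees it."""
    return _cipher(zpk, _cipher(tpk, enc_block))


def hsm_verify_pin(enc_block: bytes, pan: str, zpk: bytes, pvk: bytes, offset: str) -> bool:
    """PIN Verification: decrypt under the ZPK, recover the entered PIN and
    compare it with natural PIN + offset. A malformed block verifies false."""
    entered = extract_pin(_cipher(zpk, enc_block), pan)
    if entered is None:
        return False
    expected = apply_offset(natural_pin(pan, pvk, len(entered)), offset)
    return secrets.compare_digest(entered, expected)


if __name__ == "__main__":
    PAN = "4000123456789010"  # constructed sample PAN
    TPK, ZPK, PVK = (secrets.token_bytes(16) for _ in range(3))
    pin, offset = issuer_generate_pin(PAN, PVK)
    at_issuer = hsm_translate_pin_block(atm_encrypt_pin_block(pin, PAN, TPK), TPK, ZPK)
    print("offset stored on card:", offset)
    print("correct PIN verifies:", hsm_verify_pin(at_issuer, PAN, ZPK, PVK, offset))
    wrong = hsm_translate_pin_block(atm_encrypt_pin_block("0000", PAN, TPK), TPK, ZPK)
    print("wrong PIN verifies:", hsm_verify_pin(wrong, PAN, ZPK, PVK, offset))
```

Note that the PAN enters the PIN block by XOR, which is why `extract_pin` must be given the account number and why a block replayed against a different account fails verification rather than leaking the PIN; and that `hsm_verify_pin` returns only a boolean, which is the whole interface a host should ever get from a verification command.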
To support PIN transactions, the HSM provides a range of PIN management functions including:
· PIN Generation.
· PIN Block Translation.
· PIN Verification.
A PIN can be selected by the cardholder online, depending on the type of algorithm and on whether the ATM (or similar device) can write to the card; or by a manual selection technique using a form known as a ‘PIN Solicitation Mailer’.
A solicitation mailer is a turnaround form which is sent to the cardholder. The cardholder records the PIN selection on the form and returns it to the issuer. The mailer data consists of the cardholder's name and address, and a reference number (an encrypted account number). As a security measure, the part of the form returned to the issuer carries only the reference number and the PIN selection, so the chosen PIN never travels together with the cardholder's name, address or account number.