A personal identification number (PIN) is a secret numeric or alpha-numeric password or identifier shared between a user and a system that may be used to authenticate or validate the user to the system. Typically, the user provides a non-confidential user identifier (ID) and a confidential PIN to gain access to the system. Upon receiving the user ID and PIN, the system looks up the PIN based upon the user ID and compares the looked-up PIN with the received PIN. The user is granted access only when the entered PIN matches with the PIN stored in the system. PINs are often used for automated teller machines (ATMs) as well as the point of sale for debit cards and credit cards. PINs are also used in gaming and promotional applications for prize awarding. Apart from financial uses, GSM mobile phones may also allow the user to enter a PIN of between 4 and 8 digits. The PIN is recorded in the SIM card. PIN management and security may be covered by one or more standards such as ISO 9564-1.
There are several well-known methods for generating a PIN. For example, the IBM method may be used to generate what is termed a natural PIN. The natural PIN is generated by encrypting the primary account number (PAN) using an encryption key generated specifically for the purpose. This key is sometimes referred to as the PIN generation key (PGK). To validate the PIN, the issuing bank regenerates the PIN using the above method and compares this with the entered PIN. Natural PINs cannot be user-selected because they are derived from the PAN. If the card is reissued with a new PAN, a new PIN must be generated.
A variation of the IBM method is to store a PIN offset value. The offset is found by subtracting the natural PIN from the customer-selected PIN, digit by digit, modulo 10. The offset may be stored either in the card's track data or in a database at the card issuer. To validate the PIN, the issuing bank calculates the natural PIN as set out above, then adds the offset (again digit by digit, modulo 10) and compares this value to the entered PIN.
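The natural-PIN and offset scheme described above, as an added Python example that is not part of the original article: the article does not name the cipher or decimalisation table used to turn the encrypted PAN into digits, so the natural PIN derivation here substitutes HMAC-SHA256 as the keyed function (a stand-in, not the IBM algorithm), the PGK and PAN values are constructed, and the offset arithmetic and issuer-side validation follow the modulo-10 description.

```python
import hashlib
import hmac

# Stand-in PIN generation key (PGK): a constructed example value, not a real key.
PGK = bytes.fromhex("0123456789abcdef0123456789abcdef")


def natural_pin(pan: str, pgk: bytes, length: int = 4) -> str:
    """Derive the 'natural' PIN from the PAN under the PGK.

    The article only says the PAN is encrypted under the PGK; the cipher and
    decimalisation table are not given, so this example substitutes HMAC-SHA256
    as the keyed function and decimalises its hex output by mapping a..f to 0..5
    (an assumed convention), keeping the first `length` digits.
    """
    digest = hmac.new(pgk, pan.encode(), hashlib.sha256).hexdigest()
    digits = "".join(c if c.isdigit() else str(ord(c) - ord("a")) for c in digest)
    return digits[:length]


def pin_offset(natural: str, selected: str) -> str:
    """Offset = customer-selected PIN minus natural PIN, digit by digit, modulo 10."""
    if len(natural) != len(selected) or not (natural + selected).isdigit():
        raise ValueError("PINs must be numeric and of equal length")
    return "".join(str((int(s) - int(n)) % 10) for s, n in zip(selected, natural))


def apply_offset(natural: str, offset: str) -> str:
    """Natural PIN plus stored offset, digit by digit, modulo 10, gives the customer PIN."""
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


def validate_pin(pan: str, offset: str, entered: str, pgk: bytes = PGK) -> bool:
    """Issuer-side check: regenerate the natural PIN, add the offset, compare."""
    if len(entered) != len(offset) or not entered.isdigit():
        return False
    expected = apply_offset(natural_pin(pan, pgk, len(offset)), offset)
    # Constant-time comparison so timing does not reveal how many digits matched.
    return hmac.compare_digest(expected, entered)


if __name__ == "__main__":
    pan = "4000123456789010"          # constructed sample PAN
    chosen = "2468"                   # customer-selected PIN
    nat = natural_pin(pan, PGK)
    off = pin_offset(nat, chosen)     # what the issuer stores on the card or in its database
    print(f"natural={nat} offset={off} valid={validate_pin(pan, off, chosen)}")
    # Reissue with a new PAN changes the natural PIN, so a fresh offset must be stored.
    print("offset after reissue:", pin_offset(natural_pin("4000123456789028", PGK), chosen))
```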
The VISA method is used by many card schemes. The VISA method generates a PIN verification value (PVV). Similar to the offset value, it may be stored in the card's track data or in a database at the card issuer. This is called the reference PVV. The rightmost 11 digits of the PAN excluding the checksum digit, a PIN validation key index (PVKI, chosen from 1 to 6) and the required PIN value are used to make a 64-bit number. The PVKI selects a validation key (PVK, of 128 bits) to encrypt this number. From this encrypted value, the PVV is found. To validate the PIN, the issuing bank calculates a PVV value from the entered PIN and PAN and compares this value to the reference PVV. If the reference PVV and the calculated PVV match, the correct PIN was entered. Unlike the IBM method, the VISA method doesn't derive a PIN. The PVV is used only to confirm that the PIN entered at the terminal is the one that was used to generate the reference PVV. The PIN used to generate a PVV can be randomly generated, user-selected or even derived using the IBM method.