PIN - Personal Identification Number

In the context of a retail financial transaction, the card number serves the purpose of the user ID and the PIN (Personal Identification Number) that of the password. The card number is the non-confidential user identifier and the PIN the confidential pass-code a user must present before getting access to the system. Upon receiving the user ID and PIN, the system validates the user. A Hardware Security Module (HSM) is used to generate and validate PINs.

What should the length of the PIN be? While PIN lengths of up to 12 can be configured, in practice we come across PIN lengths of up to 6. The real problem is that customers tend to forget longer PINs, which increases the chance of transaction failures. Therefore the adopted standard is 4.

Generating PINs using HSM:

  • If the PIN length is not defined, a PIN of four digits is generated by HSM.

  • This process will optionally ensure that the generated PIN does not match any entry in the ‘Excluded PIN Table’, in order to prevent ‘weak’ PINs from being returned.

If we set “Enable Weak PIN checking?” to “Yes” in the HSM, the generated PIN is checked to ensure that it does not match one of the entries in the appropriate global ‘Excluded PIN Table’. If present, the local ‘Excluded PIN Table’ is also checked. If a match is found in either list, that PIN is discarded, another PIN is generated, and the check is repeated.

  • A PIN offset is the difference between two PINs; for example, between a PIN generated by the HSM and one assigned by the institution. Let us take the card number as the number assigned by the institution. The HSM encrypts this card number using the DES algorithm, takes the first 4 characters of the encrypted card number (say 9876), subtracts the random PIN (say 2534), and stores the result (7342) in the Issuer Switch software. This result is known as the PIN offset.

  • We should remember that the PINs for issued cards are not stored anywhere in the system (not even in encrypted form). Whenever a customer enters a PIN, the PIN offset is recomputed from the card number and the entered PIN, and the computed offset is compared with the offset stored in the system. Storing PINs in the system would be a weak arrangement and vulnerable to attack.
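The generation and verification flow described in the bullets above, as an added example that is not code from the original post or from any HSM vendor. It replaces the DES step with HMAC-SHA256 (a stand-in so the example runs on the standard library alone), decimalises the hex output so the first four characters are digits, and subtracts digit-wise modulo 10 so the offset can never go negative; on the post's own figures this gives 9876 − 2534 = 7342, the same result as plain subtraction. The key, card number and excluded-PIN table are constructed placeholders. Only the offset is ever stored; the issued PIN exists only long enough to hand to the cardholder.

```python
import hashlib
import hmac
import secrets

PIN_LENGTH = 4

# Constructed sample 'Excluded PIN Table': weak PINs the issuer never hands out.
EXCLUDED_PINS = {"0000", "1111", "1234", "4321", "2580"}

# Constructed placeholder for the HSM's PIN-derivation key. In a real deployment the
# key never leaves the HSM; here it is a fixed byte string so the example runs offline.
DEMO_KEY = b"demo-hsm-pin-key-not-a-real-secret"


def derive_natural_pin(key: bytes, pan: str, length: int = PIN_LENGTH) -> str:
    """Keyed transform of the card number, decimalised to `length` digits.

    The post describes DES-encrypting the card number and taking the first four
    characters. HMAC-SHA256 stands in for DES here (an assumption for portability);
    hex letters a-f are mapped to 0-5 so the result is all digits.
    """
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    decimalised = "".join(str(int(ch, 16) % 10) for ch in digest)
    return decimalised[:length]


def compute_offset(natural_pin: str, pin: str) -> str:
    """PIN offset = digit-wise (natural_pin - pin) mod 10, e.g. 9876 and 2534 -> 7342."""
    if len(natural_pin) != len(pin) or not (natural_pin.isdigit() and pin.isdigit()):
        raise ValueError("natural PIN and PIN must be digit strings of equal length")
    return "".join(str((int(n) - int(p)) % 10) for n, p in zip(natural_pin, pin))


def is_weak_pin(pin: str, excluded=EXCLUDED_PINS) -> bool:
    """'Enable Weak PIN checking' lookup against the excluded table."""
    return pin in excluded


def issue_pin(key: bytes, pan: str, excluded=EXCLUDED_PINS, length: int = PIN_LENGTH):
    """Generate a random PIN, discarding and regenerating while it is in the excluded
    table, and return (pin, offset). The caller stores only the offset."""
    while True:
        pin = "".join(str(secrets.randbelow(10)) for _ in range(length))
        if not is_weak_pin(pin, excluded):
            break
    offset = compute_offset(derive_natural_pin(key, pan, length), pin)
    return pin, offset


def verify_pin(key: bytes, pan: str, entered_pin: str, stored_offset: str) -> bool:
    """Recompute the offset from the card number and the entered PIN and compare it
    with the stored offset; no reference PIN is ever read from storage."""
    if len(entered_pin) != len(stored_offset) or not entered_pin.isdigit():
        return False
    natural = derive_natural_pin(key, pan, len(stored_offset))
    candidate = compute_offset(natural, entered_pin)
    # Constant-time comparison so timing does not leak how many digits matched.
    return hmac.compare_digest(candidate, stored_offset)


if __name__ == "__main__":
    pan = "4000123456789010"  # constructed sample card number
    pin, offset = issue_pin(DEMO_KEY, pan)
    print("issued PIN (cardholder only):", pin, " stored offset:", offset)
    print("correct PIN verifies:", verify_pin(DEMO_KEY, pan, pin, offset))
    print("wrong PIN verifies:", verify_pin(DEMO_KEY, pan, "0000", offset))
```

Because each offset digit is a bijection of the corresponding PIN digit for a fixed card number, any entered PIN other than the issued one produces a different offset and fails verification, while the stored offset on its own reveals nothing about the PIN to anyone without the derivation key.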

Despite the name, a PIN does not personally identify the user. The PIN is not printed or embedded on the card; it is entered manually by the cardholder during an ATM or POS transaction, and in card-not-present transactions such as over the Internet or for phone banking.
