SAI AS 2805.3.1
SAI AS 2805.3.1 2008-APR-07 Electronic funds transfer - Requirements for interfaces Part 3.1 PIN management and security - General - Incorporating Amendment 1 February 2011
This Standard specifies the minimum security measures required for effective PIN management. Standard means of interchanging PIN data are provided. This Standard does not cover the following:
(a) The protection of the PIN against loss or intentional misuse by the customer or authorized employees of the issuer.
(b) Privacy of non-PIN transaction data (see AS 2805.9).
(c) Protection of transaction messages against alteration or substitution, e.g. an authorization response to a PIN verification (see AS 2805.4.1).
(d) Protection against replay of the PIN or transaction.
(e) Specific key management techniques (see AS 2805.6 series).
(f) PIN management and security for transactions in which the PIN is locally verified by an integrated circuit card.
(g) The use of asymmetric encipherment algorithms for PIN management.
NOTES:
1 For a detailed discussion on the need for PIN protection, see Appendix A.
2 Further information on PIN management for security is given in Appendices A and C.