AS 2805.3.2-2008

Specifies requirements for addressing offline PIN management using IC cards.

This Standard specifies the minimum security measures required for PIN management in an off-line environment. It is applicable to financial transaction card originated transactions requiring offline PIN verification by an IC card and to those institutions responsible for implementing techniques for the management and protection of the PIN at Automated Teller Machines (ATM) and Point-of-Sale (POS) terminals. The provisions of this part of AS 2805.3 are not intended to cover:(a) PIN management and security in the online PIN environment, which is covered in AS 2805.3.1.(b) The protection of the PIN against loss or intentional misuse by the customer or authorized employees of the issuer or their agents.(c) Privacy of non-PIN transaction data.(d) Protection of transaction messages against alteration or substitution, e.g. an online authorisation response.(e) Protection against replay of the PIN or transaction.(f) Specific key management techniques.(g) The decision as to whether the IC card is to receive the PIN enciphered.(h) Contactless IC cards. Requirements associated with multi-application IC cards are considered to be the responsibility of the issuer and are not included in this Standard. This Standard is described in terms applicable to IC card technology, however this language is not meant to restrict the applicability of this part to IC card technology.

First published as AS 2805.3-1985.
Second edition 2000.
Revised in part and redesignated AS 2805.3.2-2008.
Reconfirmed 2019. Originated as part of AS 2805.3-1985. Previous edition part of AS 2085.3-2000. Revised in part and redesignated AS 2805.3.2-2008.