Online Banking Authentication

Nov 14, 2014 at 10:12 PM
Hello Everyone,

I would really appreciate getting some help regarding the following:

I have an online banking application where customers can register using card number and PIN code (only at the registration process). I want to encrypt the entered clear PIN using TPK or ZPK and send the encrypted pin block to third party application that will verify user's PIN.

1) Do I need to generate the PIN block from my application, or can the HSM generate one for me?
2) How do I encrypt the PIN block? Do I need to connect to the HSM, or can I do it at the software level?
3) In case I use the HSM to encrypt the PIN block, do I need the clear ZPK or the encrypted one?
4) In case I use software to encrypt the PIN block, do I need the clear or the encrypted ZPK?

Note: we are using payshield 9000.

Thanks,
HS
Editor
Nov 16, 2014 at 10:22 PM
Edited Nov 16, 2014 at 10:24 PM
Hi!

If you want to use HSM to encrypt PINs you need:

1) The CS (security) parameter "Select clear PINs" must be YES; it allows clear PIN commands;
2) When the customer enters PIN and PAN you should encrypt it under LMK first using the BA host command;
3) Afterwards, you will be able to translate the PIN from LMK encryption to ZPK using the BQ command. You will be able to select the PIN block format you want to use.

If you want to encrypt PIN by application without HSM you will need:
1) Generate a plain text ZPK component using the KG console command (key type 001). This component will be used as the key in the application;
2) Encrypt the key under LMK using the FK console command. This encrypted key will be used to decrypt the PIN block using the HSM;

Your application will need to do the following:
1) Combine the PIN-block, for example EMV'96. The format of the EMV'96 PIN-block is as follows (the example PIN is 1234):
241234FFFFFFFFFF
The first digit points to the ISO standard PIN block format (ISO-2), the second digit is the PIN length in HEX format (4 - C), after that comes the PIN itself, padded with the F character until the length is 8 bytes;
2) Just encrypt the 8-byte PIN-block with the ZPK component. Do not add an additional padding block. The result must be 8 bytes long.

Regards,
Juris
Nov 18, 2014 at 4:29 PM
Hello Juris,

Thank you very much for your explanation.

I am sorry but it seems my message was not clear enough. When we issue a card for a customer, we generate a random PIN that can be used at the ATM.
The cardholder will register at online banking using his card and PIN (so we are not planning to issue new PIN for him).

My application will communicate with our Switch "through a web service call" and should pass the PIN block and card ("the switch will connect to the HSM and validate").
My question here is how to generate the encrypted PIN block: do I need to store the clear ZPK, or do I need to connect to the HSM and encrypt the PIN block using the encrypted ZPK?

I would appreciate if you tell me about the exact flow.

Thanks for your collaboration.

Regards,
HS
Editor
Nov 19, 2014 at 9:01 AM
Hello,

The best way is to use an HSM on both sides if you are working with PIN codes. It is a PCI-DSS requirement. The flow will be as follows:

1) Store the ZPK encrypted under LMK on the e-banking side. On the switch side, the same ZPK key should be used, but under the appropriate LMK. You can verify that the key is the same using the CK console command. It will return the key check value. On both sides the ZPK must have the same check value.

2) When the customer enters PIN and PAN on the e-banking side you should first encrypt the PIN under LMK using the BA host command. Note that the HSM Security parameter "Select clear PINs" must be "Yes" to use that command. The received PIN under LMK will have the length defined in the "Encrypted PIN length" HSM Security parameter.

The encrypted PIN length is always 1 digit longer than the "PIN length" parameter.

3) When you have the PIN under LMK you can translate it from LMK to ZPK encryption using the JG host command. The resulting PIN-block will be 8 bytes long (16 characters). The best choice of PIN-block to use is ISO-9564 format 0 (01).

4) Send PIN-block to switch.

5) I am not sure what you mean by "the switch will connect to the HSM and validate".

Regards,
Juris
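The two PIN-block layouts Juris describes (the ISO format 2 "EMV'96" block in the first reply, ISO 9564 format 0 in the reply above), the no-padding single-block ZPK encryption, and the key check value compared via the CK console command, as an added example in Go; this is not code from the thread or from the payShield documentation, and it assumes a double-length ZPK supplied as hex (the sample key and PAN are constructed).

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)
// PINField: control nibble, PIN length nibble (4..C), PIN digits, F padding to 16 hex digits.
// With control "2" this is the ISO 9564 format 2 ("EMV'96") block from the thread.
func PINField(control, pin string) string {
	return fmt.Sprintf("%s%X%s%s", control, len(pin), pin, strings.Repeat("F", 14-len(pin)))
}

// Format0Block: ISO 9564 format 0, control-0 PIN field XOR (0000 + 12 right-most PAN digits, check digit excluded).
func Format0Block(pin, pan string) string {
	acct := pan[:len(pan)-1] // drop the Luhn check digit
	a, _ := hex.DecodeString(PINField("0", pin))
	b, _ := hex.DecodeString("0000" + acct[len(acct)-12:])
	out := make([]byte, des.BlockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// EncryptBlock: one 8-byte PIN block under a double/triple-length ZPK, 3DES ECB, no padding.
func EncryptBlock(zpkHex, blockHex string) (string, error) {
	key, _ := hex.DecodeString(zpkHex)
	if len(key) == 16 { // double-length key: expand to K1 K2 K1 for Go's 3DES API
		key = append(key, key[:8]...)
	}
	blk, _ := hex.DecodeString(blockHex)
	c, err := des.NewTripleDESCipher(key) // rejects anything but a 24-byte key
	if err != nil || len(blk) != des.BlockSize {
		return "", fmt.Errorf("need a double/triple-length hex ZPK and an 8-byte PIN block")
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, blk)
	return strings.ToUpper(hex.EncodeToString(out)), nil
}

// KeyCheckValue: first 3 bytes of the encrypted all-zero block, what the CK console command prints.
func KeyCheckValue(zpkHex string) (string, error) {
	enc, err := EncryptBlock(zpkHex, "0000000000000000")
	if err != nil {
		return "", err
	}
	return enc[:6], nil
}
```

Comparing KeyCheckValue on the e-banking side with the switch's CK output is the check step 1 above calls for; the ZPK itself never needs to leave either HSM for that comparison.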
Nov 19, 2014 at 9:29 AM
Hello Juris,

I mean the e-banking application will generate the PIN block and pass it to the switch over a web service call. The switch will verify the received data and validate the PIN.

When using the "BA" command, I need to pass the clear PIN and PAN. Is it recommended to pass the clear PIN over TCP/IP to the HSM?

Thanks,
HS
Editor
Nov 20, 2014 at 11:33 AM
Hi,

I am not sure what you actually need to implement, but if you want to generate new PINs you can use the JA host command. It will return the PIN encrypted under LMK. After that you can translate the PIN to ZPK encryption using the JG host command.

Regards,
Juris
Nov 21, 2014 at 8:12 PM
Hello,

My requirement is very simple, I want to authenticate the cardholder using his ATM card and PIN through e-banking.
The e-banking application has to call a web service "provided by the switch" to validate the PIN. One of the parameters to pass is the PIN block encrypted under ZPK.

My question is: what is the best way to achieve this? How do I generate the encrypted PIN block?

You have suggested using the BA & JG commands. Using the BA command has some risk behind it since you have to pass the clear PIN over TCP/IP, right?

I believe that our security team will not accept using this command, so what are the other options?

Thanks,
HS
Editor
Nov 22, 2014 at 8:22 AM
Edited Nov 22, 2014 at 8:25 AM
Hi!

Ok, now I understand what you actually need.

You can encrypt the PIN-block in your software, but it is not the best practice from a security point of view. The PIN-blocks will be transmitted in encrypted form over TCP/IP, but you are able to access the key. You can make your software ask for the 2/3 ZPK components to be entered during start-up by 2/3 security officers, but the key will be accessible in the process (you are able to dump it).

The second way is to use the HSM. But you will need to pass the clear PIN to encrypt it.

Why don't you use code cards to authenticate users? E.g. I have a card with 72 codes, and when I am logging into my e-bank the authentication screen asks me to enter code number X. Each time the code number is different. It is very simple to create such an authentication and you are not required to pass PINs over TCP/IP.

Regards,
Juris