What is PVV Clashing?

The PVV generation algorithm is used every time a card's PIN is generated or changed (PVV generation) and every time a card's PIN is checked (PIN verification). Both cases are essentially the same - on PIN verification, the PVV is regenerated from the provided information and, if it matches the PVV stored on the card or in the host database, the PIN is assumed to be correct.

The steps to generate a PVV are quite straightforward.
  1. Create a block of data using the card PAN, PVKI and the PIN
  2. Triple-DES encrypt the above using the PVK.
  3. Extract the first four decimal digits from the result to get the PVV.
It is step (3) that gives rise to the PVV clashing problem. Suppose that the result of steps (1) and (2) is equal to F01FBCDE5A9F71C2..... and that this was produced using a PIN equal to 1234. Scanning from the left, the first four decimal digits are 0, 1, 5 and 9, so this value yields a PVV equal to 0159.

If a different PIN is used, steps (1) and (2) will produce a different result - let's say that this is equal to AF0B15C9D208.... Its first four decimal digits are again 0, 1, 5 and 9, so this value produces a PVV equal to 0159, just like before.

The result is that two (or more) PINs can be successfully verified using a given PVV, therefore a card can have two (or more) PINs that can be used to authorize a transaction. For more information, see this page.
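To make step (3) and the clash concrete, here is an added Go example (not code from the demo application or the simulator) that derives PVVs and lists which 4-digit PINs a given PVV accepts. It assumes the standard Visa TSP layout for the step (1) block (the 11 PAN digits before the check digit, the PVKI digit, the PIN), adds the standard A-F fallback for step (3) that the text above does not mention, and uses a constructed PVK and PAN.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)
// tsp builds the step-1 block (Visa TSP layout): 11 PAN digits before the check digit, PVKI, PIN.
func tsp(pan, pvki, pin string) []byte {
	b, err := hex.DecodeString(pan[len(pan)-12:len(pan)-1] + pvki + pin)
	if err != nil || len(b) != 8 {
		panic("PAN, PVKI and PIN must be decimal, with a 4-digit PIN")
	}
	return b
}
// pvvDigits is step 3 on the uppercase-hex 3DES result: the first four decimal digits. If fewer
// than four exist, the standard Visa fallback rescans reading A-F as 0-5 (not described on the page).
func pvvDigits(result string) string {
	out := ""
	for _, pass := range []struct{ lo, hi rune }{{'0', '9'}, {'A', 'F'}} {
		for _, c := range result {
			if c >= pass.lo && c <= pass.hi && len(out) < 4 {
				out += string('0' + c - pass.lo)
			}
		}
	}
	return out
}
// PVV runs steps 1-3 under a double-length PVK (16 bytes, K1||K2).
func PVV(pvk []byte, pan, pvki, pin string) string {
	key := append(append([]byte{}, pvk...), pvk[:8]...) // K1||K2||K1, as crypto/des expects
	c, _ := des.NewTripleDESCipher(key)                    // key is 24 bytes by construction
	var out [8]byte
	c.Encrypt(out[:], tsp(pan, pvki, pin))
	return pvvDigits(fmt.Sprintf("%X", out[:]))
}
// ClashingPINs lists every 4-digit PIN the host would accept for this PVV (real PIN plus clashes).
func ClashingPINs(pvk []byte, pan, pvki, target string) []string {
	var hits []string
	for i := 0; i < 10000; i++ {
		if pin := fmt.Sprintf("%04d", i); PVV(pvk, pan, pvki, pin) == target {
			hits = append(hits, pin)
		}
	}
	return hits
}
func main() { // constructed test PVK and PAN below; a real PVK never leaves the HSM
	pvk := []byte("0123456789ABCDEF") // 16 ASCII bytes used as a toy double-length key
	fmt.Println(ClashingPINs(pvk, "4111111111111111", "1", PVV(pvk, "4111111111111111", "1", "1234")))
}
```

Every PIN printed alongside 1234 would be accepted by a host that verifies against that card's PVV.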

[Screenshot: PVVClashingDemo.gif]

The PVV Clashing Demo application can be used to demonstrate this fact. The demo can be used with the Thales HSM simulator or with a real HSM.

Last edited Nov 13, 2010 at 8:23 AM by nickntg, version 6

Comments

shabber Apr 27, 2012 at 6:29 AM 
PVV Clashing Demo is not available.

Download link is for the simulator :(