
I live in France, and I have a debit card issued by my bank. When it expires, I receive a new one with the same PIN. I recently asked my banker to issue another card (a different one, for another bank account), and he told me it can have the same PIN as the previous card.

Does that mean that my bank, or Visa, is actually storing, or is able to access, the PINs of every card they issue? If so, is a specific method used to ensure the security of this information?

  • Are you sure that when you filled in the new credit card form, you did not check a sentence like "reorder the same card number with the same PIN"? – Ali May 07 '15 at 14:11

3 Answers


Chip and PIN (EMV) cards support online PIN verification, which means the PIN has to be stored somewhere (I don't know whether it's at a central location controlled by Visa/MasterCard or at the bank). I assume its hash is stored securely, as Visa/MC are usually pretty up to date in terms of security, though it's still very easy to brute-force a 4-digit PIN even when salted.

Now, what I suspect is actually happening is that your bank also keeps the PINs on their side in encrypted format, though it's still reversible and someone working there will have no problem getting it out. Depending on the system on which they're actually stored, getting it out would be logged, but the encryption itself is still reversible.

  • Chipless credit cards also support online PIN verification — that's all they support. I doubt that a bank would store the PIN carelessly, that would open them to easy lawsuits if a customer wanted to contest a charge. – Gilles 'SO- stop being evil' May 07 '15 at 19:37
  • The problem is, you really can't securely store a 4-digit number. It can easily be cracked no matter how much hashing and salting is used. –  May 07 '15 at 19:59
  • Yes, hashing is useless. That doesn't mean the PIN is stored in plain text. It's probably stored in an HSM, so that getting it out is logged. – Gilles 'SO- stop being evil' May 07 '15 at 20:03
  • According to [this document](http://usa.visa.com/download/merchants/visa-issuer-pin-security-guideline.pdf), issuers are required to encrypt PINs according to ISO 9564. It also lists several requirements about storage systems. – TonioElGringo May 07 '15 at 20:33
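The two points argued over in this answer and its comments (and again under mitkook's answer below) can be checked directly: a salted one-way hash of a 4-digit PIN falls to exhaustive search in a fraction of a second, and the ISO 9564 format 0 PIN block that the Visa guideline points to only binds the PIN to the PAN by XOR, so it is reversible by anyone holding the PAN until it is encrypted under a PIN-encryption key inside an HSM. The following is an added example, not code from the question or any of the answers; the PAN, salt and PIN are constructed sample values, and the encryption step itself (3DES/AES under a PIN-encryption key) is deliberately left out because it is exactly the part that lives in the HSM.

```python
"""Worked example for the PIN-storage thread above (added, not from the original page).

1. A 4-digit PIN has only 10_000 possible values, so a salted one-way hash of it
   is recovered by exhaustive search regardless of the salt.
2. An ISO 9564-1 format 0 PIN block binds the PIN to the PAN by XOR. The clear
   block is meant to be encrypted inside an HSM before it is stored or sent;
   decode_format0() shows that the clear block alone hides nothing from a holder
   of the PAN.
"""
import hashlib
import itertools
import os
from typing import Optional


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted SHA-256 of a PIN, i.e. the 'store it like a password' scheme."""
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


def crack_salted_pin_hash(salt: bytes, digest: bytes, length: int = 4) -> Optional[str]:
    """Try every PIN of the given length. The salt is known to the attacker because
    it is stored next to the hash. Returns the PIN, or None if no PIN matches."""
    for digits in itertools.product("0123456789", repeat=length):
        candidate = "".join(digits)
        if hash_pin(candidate, salt) == digest:
            return candidate
    return None


def _pan_field(pan: str) -> str:
    # '0000' followed by the rightmost 12 digits of the PAN, Luhn check digit excluded.
    return "0000" + pan[:-1][-12:]


def format0_pin_block(pin: str, pan: str) -> str:
    """Build a *clear* ISO 9564-1 format 0 PIN block as 16 hex digits.

    PIN field: control nibble '0', PIN length (4..12) as one hex digit, the PIN
               digits, padded with 'F' to 16 hex digits.
    PAN field: see _pan_field().
    Block:     PIN field XOR PAN field.
    """
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 decimal digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return f"{int(pin_field, 16) ^ int(_pan_field(pan), 16):016X}"


def decode_format0(block: str, pan: str) -> str:
    """Recover the PIN from a clear format 0 block given the PAN.
    This is why the block must be encrypted before it leaves the PIN pad or HSM."""
    pin_field = f"{int(block, 16) ^ int(_pan_field(pan), 16):016X}"
    if pin_field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(pin_field[1], 16)
    pin = pin_field[2:2 + length]
    if not (4 <= length <= 12 and pin.isdigit()) or pin_field[2 + length:] != "F" * (14 - length):
        raise ValueError("bad PIN block padding")
    return pin


if __name__ == "__main__":
    salt = os.urandom(16)                      # random salt, stored beside the hash
    digest = hash_pin("1234", salt)
    print("recovered PIN:", crack_salted_pin_hash(salt, digest))   # 1234
    pan = "4321987654321098"                   # constructed sample PAN, not a real card
    block = format0_pin_block("1234", pan)
    print("clear format 0 block:", block)                          # 04122D789ABCDEF6
    print("decoded from block:", decode_format0(block, pan))       # 1234
```

Run it once and the brute force finishes well under a second, which is the point Gilles and the anonymous commenter make: the salt only stops precomputation, not enumeration of a 10,000-element space. The PIN block half shows what "encrypt according to ISO 9564" protects: the XOR with the PAN prevents identical PINs from producing identical blocks across cards, and the encryption key held in the HSM is what stops an employee who can read the database from running decode_format0() themselves.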

New Visa debit card: will the PIN be the same?

Also read this answer; it is the same as your case: A second bank card arrived with the same PIN

They are probably stored encrypted, for local employees etc., but for an engineer working there it won't be a big problem to get the PIN out of the database. The only place where PIN records are stored is the HSM.

Ali

Just like storing a password: your PIN will be one-way hashed, salted, and then stored in an HSM in an encrypted format. Internal staff would be restricted (by an access control policy) from getting your PIN info. Even if there is a way to get your PIN, it is hashed and it is hard to get your original PIN back.

By this means, your bank would be able to associate your hashed PIN with another account in the backend. When you log in with the raw PIN, the bank system will hash it and compare it with the backend one.

mitkook
  • While I would hope this to always be the case, add some proof that Visa stores your PIN encrypted. Also note that 'banks' do not generally know the PINs, as those are managed by the card processor (e.g. Visa). – Matthew Peters May 07 '15 at 17:26
  • I doubt this is the right answer, since PIN codes are only about 10 bits of entropy. Cracking such PINs would be quite simple. Also, my understanding is that, at least in France, the chip on the card is doing the PIN check. The bank's ability to provide same-PIN cards means that they store them somewhere, and it seems like a big security issue to me. – TonioElGringo May 07 '15 at 17:35
  • Well, I am afraid the bank will store your PIN in encrypted format and in a highly regulated HSM (please refer to the PCI DSS doc https://www.pcisecuritystandards.org/documents/PCI_PIN_Security_Requirements.pdf). Otherwise, they would not be able to build another card with the same PIN. – mitkook May 07 '15 at 17:48
  • True about the HSM with restricted access, but wrong about hashing. There's no point in hashing something with so little entropy as a PIN. – Gilles 'SO- stop being evil' May 07 '15 at 19:38
  • mitkook, it would be helpful if you could cite authoritative statements necessitating one-way hashing. As it stands, this is merely anecdotal. @Gilles, while it may not prevent an individual PIN from being revealed, hashing or encrypting a PIN could make revealing all PINs much harder e.g. if decryption took half a second per PIN, though I am not saying that this is what banks are doing. Think of how much power they could save by not encrypting securely. – Arc May 08 '15 at 06:17
  • I believe each bank has its own solution to secure the PIN. Some of them even allow users to enter partial PIN characters (http://www.smartarchitects.co.uk/news/9/15/Partial-Passwords---How.html). Hashing could be part of their solutions. I don't have an "authentic" doc to prove it. But here are some reports for your reference (http://www.pcworld.com/article/212969/keep_your_credit_cards_safe_from_skimmers.html, http://money.howstuffworks.com/personal-finance/debt-management/credit-card2.htm). This paper illustrates the process in detail (http://www.jhlee.org/writings/pubs/TD-1997-PIN.pdf). – mitkook May 08 '15 at 22:30