Pin Verification Value

Bangladesh enters into e-commerce era

During an e-commerce transaction, the customer selects items to purchase from a website and clicks the "Check out" or "Pay" button on the merchant's website. This button contains computer code, called an API, supplied by the bank. When the button is clicked, it calls a page belonging to the bank. On this page, the customer provides card information such as the card number, PIN/CVV/CVC, date of expiry etc.

While the card information is travelling over the internet from the customer's computer to the bank's server, a fraudster can easily capture it and use it to buy valuable goods on the internet, or may create a fake card using the captured information and withdraw money from an ATM. As such, while capturing card information from the customer, the bank's system must encrypt it instantly, bring it into the server and decrypt it there for further processing.

Phishing is the collection of user information by presenting a fake website address to the internet user, either by sending an email or as the outcome of a search result. Assuming that the site is genuine, the user selects goods and enters card information and PIN into the fake web page. The hacker records all such attempts made by different users and collects card information.

It is not possible for customers to know the exact website address of all the merchants. It is also not possible to know the address of the bank to which the merchant is linked; the merchant can be linked to one bank while the customer may be using the card of a different bank. It is, therefore, important that the website of a bank which collects card information should be certified by a Certifying Authority (CA) such as VeriSign. The page of the bank which collects card information will display the seal of the certifying authority. If a customer clicks on the seal, the website of the certifying authority will appear. All customers must know the web address of the established certifying authority and thus would be able to verify its correctness. If the website address of the certifying authority is correct, the website page of the bank is also correct. As such, the customer can insert the card information safely into this web page.

Sometimes customers carry out some activity on the internet through the e-commerce system and then deny having done it; instead they blame the bank officers, saying that the officers could have learned their PIN from the system and made the transactions to transfer money from their account.

Pin Verification Value - News


Bangladesh enters into e-commerce era

On this page, the customer provides card information such as the card number, PIN/CVV/CVC, date of expiry etc. PIN stands for Personal Identification Number, CVV stands for Card Verification Value and is used by Visa, and CVC stands for Card Verification



No cash? Why not buy lunch with your mobile instead

This has limited banks' willingness to issue contactless cards (which allow low-value, PIN-free purchases at participating retail outlets) to all customers. With payments under £15 requiring no PIN verification, payments can be faster, but this could



Banks Should Love the Fed's Durbin Amendment Ruling

Alternative B would require two independent networks for each verification method, PIN and signature, for a total of four networks to each card. Banks and credit unions preferred the first alternative: less competition means higher prices.



Safer mobile transactions

s Daon, claims that using your smartphone, it can enable you to securely establish your identity through a combination of encryption, PIN entry, location-based technology, and biometrics such as voice, face and palm image matching.



Hacking Scandal

For many years, mobile phones came with default four-digit pin numbers for individuals seeking to search through the messages. In practice, customers rarely changed the basic pass codes which were numbers like 1-2-3-4 or 0-0-0-0.




PCI DSS Compliance: Failure Is Not an Option – E

The average American credit cardholder carries 3.5 credit cards, according to the Federal Reserve Bank of Boston’s 2010 Survey of Consumer Payment Choice. Today, consumers use credit cards to pay for more than just large-ticket items. Everything from household items and utilities to insurance premiums and student loans are tallying up charges on the average monthly statement, demonstrating the growing reliance of consumers on credit cards and the importance of protecting these numbers.

So, whether you are a large retailer or a small Internet boutique, if you accept credit cards, you need to keep that information secure. It’s not just about compliance with the Payment Card Industry Data Security Standard (PCI DSS) — more importantly, you owe it to your customers.

PCI DSS was developed as part of a collaboration between MasterCard (NYSE: MA) Worldwide, Visa (NYSE: V) International, American Express (NYSE: AXP), Discover Financial Services and JCB. Their efforts have culminated in the standard that serves as a directive and guideline to help organizations prevent the misuse of credit card data.

All merchants and service providers who store, process and transmit credit card information must undergo quarterly self-assessments as well as audits (vulnerability scans) by an Approved Scanning Vendor (ASV) in accordance with PCI DSS Scanning Procedures.

Large merchants (i.e., more than 6 million transactions per year for all outlets including e-commerce) and service providers (i.e., more than 1 million transactions per year) must also undergo annual on-site audits performed by a PCI DSS Qualified Security Assessor (QSA).

The audit covers all systems, applications and technical measures, as well as the policies and procedures used to store, process and transmit cardholder and credit card information.

What Is Considered Sensitive Data

Per the standard, the following information is considered sensitive:

Primary Account Number (PAN); cardholder name; service code; expiration date; PIN Verification Value (PVV); security code (3 or 4 digit)

In accordance with the standard, merchants or service providers are not allowed to store the PVV or the security code that uniquely identifies the piece of plastic in the cardholder’s possession at the time of the transaction. However, the PAN, cardholder name, service code and expiration date may be stored.

More Than Secure Databases have shown, enterprises also face challenges controlling access to and dissemination of spreadsheets and other documents that contain cardholder information.


Pin Verification Value - Bookshelf

Data & computer security, dictionary of standards, concepts, and terms

PIN management and security: Figure 263 PIN management and security Trade-offs ... PINs Retrievability controls PIN verification value storage Off -issuer ...

Implementing electronic card payment systems

7.8.2 Plaintext/enciphered PIN verification by ICC In case the card application adopts ... unsuccessful trial of the PIN must decrease the value of the PTC. ...

Payment Card Industry Data Security Standard Handbook

Furthermore, it is important to note that the requirement mandates that the card verification code or value or PIN verification must never be stored under ...

Java card for e-payment applications

The value of the validation flag is accessible via the method called isValidated . Another class method check allows the PIN value to be verified against a ...

Electronic Value Exchange, Origins of the VISA Payment System

The second field was a PIN verification value (PVV), which is generated through a one-way encryption algorithm. The PVV allows a terminal or ATM to verify a ...

Day-to-day Articles Directory


Verification " Madrock
This one of the most comprehensive descriptions of PIN Verification Value (PVV) hacking. I thought I would replicate it here for my local reference. ...

PVV - Pin Verification Value
Acronym Finder: PVV stands for Pin Verification Value ... or PIN Verification Value (PVV) without revealing the consumer's PIN at any point in the process. ...

Personal identification number - Wikipedia, the free encyclopedia
The VISA method generates a PIN verification value (PVV) ... Many PIN verification systems allow three attempts, thereby giving a card thief a 0.06 ...

algorithm " Madrock
One of the most common PIN algorithms is the VISA PIN Verification Value (PVV) ... Verification is simply comparing the computed value with what you have received, ...

Weighing Down "The Unbearable Lightness of PIN Cracking ...
PIN, account number, and the salt value (stored on the bank card) ... Fig. 2 depicts how a VISA PIN Verification Value (PVV) is calculated. PVVs are used in a ...