Geekzone: technology news, blogs, forums
geek3001
#315055 10-Jun-2024 10:03

I am hoping that a member who works in the banking security area might be able to answer a security related question.


With regard to credit and debit card four-digit PINs that we are expected to memorize, do the banks, or perhaps more correctly, Visa / Mastercard, store that PIN number in their card info database as plain text numbers, a one-way hash, a reversible hash, or some other way?


To be clear, I have no interest in attempting to crack or figure out what a card's PIN is, just understand how that piece of info is stored.


Thanks.

mentalinc
#3246871 10-Jun-2024 10:40

An HSM might even be an option.


nic.wise
#3246880 10-Jun-2024 11:03

Yup, the answer is "likely more complicated".


At minimum, it'll be encrypted. As they are short, it's likely with some other info like your account number (not the card number). This also means they can roll the card number and keep the pin.


For the "change your pin in the app" functions, they send down a public key, the app takes in the pin, encrypts it with the PK, sends that block back, and the backend can decrypt it and process it as normal.

Given the volume (which isn't high for modern HSMs) the pins are likely to be stored in the HSM. How THAT stores them is up to the HSM, tho they are usually both network and physically tamper resistant.


So the process is something like:


  • you enter your pin in the terminal
  • The terminal has a public key from the processor, so it encrypts that (and a load of other payload like account, amount etc) with the PK and sends it to the processor.
  • The processor has the PK of the next level up... so repeat a bit
  • Eventually it gets to your bank, who has the private key for the last level of encryption. They then re-encrypt the pin, submit it to the HSM, which gives them a "yes/no" answer back.
  • ... and it all rolls back to the terminal.

Keep in mind that, and I might be under-selling the layers here, there are SO many levels between the terminal you're entering your pin into, and the storage of the pin.


  • Terminal
  • The processors, eg WorldPay, Stripe etc
  • There's usually an aggregator in here, tho Stripe is big enough to not need one for eg
  • Then Visa/MC etc
  • Then the bank

It's a wonder it works as well as it does.


Another way could even be:


  • Take the pin, and run it thru X rounds of a key derivation function with fixed, known parameters (goes from 10,000 possibilities (which is stuff all) to maybe a 256-bit or larger key)
  • Encrypt the transaction with this key (likely XML block, might be just amount=1234&cardnum=123412341234124 etc)
  • Send it to the processor (Worldpay)
  • they send it to the EFTPOS switch
  • ... which sends it to your bank
  • ... who push the encrypted block + the parameters for the key derivation (or it's fixed and known) to the HSM, which tries to decrypt it with the known pin. If it fails: no transaction for you. If it works: pin was right, proceed




Nic Wise - fastchicken.co.nz
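The "another way" sketched in the post above, as an added example (not code from the post or from any bank or HSM vendor): the PIN is stretched with PBKDF2 using fixed, known parameters, the transaction block is encrypted and authenticated under that key, and the bank/HSM side rebuilds the key from the PIN on file and tries to open the block. The salt, round count, sample transaction and the HMAC-counter stream cipher standing in for AES are all constructed assumptions; the authentication tag is what makes "decrypt with the wrong pin" actually fail rather than yield garbage.

```python
import hashlib
import hmac
import os

# Constructed, fixed KDF parameters ("fixed and known" in the post); not any real scheme's values.
KDF_SALT = b"geekzone-pin-demo-salt"
KDF_ROUNDS = 50_000

def pin_to_key(pin: str) -> bytes:
    """Stretch a 4-digit PIN into 64 bytes: 32 for encryption, 32 for the MAC.
    Only 10,000 PINs exist, so stretching adds no entropy; the real protection
    is the HSM's retry counter, not the KDF."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), KDF_SALT, KDF_ROUNDS, dklen=64)

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-CTR.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def terminal_encrypt(pin: str, transaction: bytes) -> bytes:
    """Terminal side: encrypt-then-MAC the transaction block under the PIN-derived key.
    Layout: 16-byte nonce || ciphertext || 32-byte HMAC tag."""
    key = pin_to_key(pin)
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(transaction, _keystream(enc_key, nonce, len(transaction))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def hsm_verify(stored_pin: str, blob: bytes):
    """Bank/HSM side: rebuild the key from the PIN on file and try to open the block.
    Returns the transaction bytes, or None when the PIN is wrong or the block was altered."""
    if len(blob) < 48:
        return None                       # too short to hold nonce + tag: decline
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = pin_to_key(stored_pin)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None                       # tag mismatch: "no transaction for you"
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

Calling `terminal_encrypt("4821", b"amount=1234&cardnum=123412341234124")` and then `hsm_verify` with the same PIN returns the block; any other PIN, or a single flipped byte, returns None.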
