geek3001 (Master Geek, ID Verified, Subscriber, 63 posts)
#315055 10-Jun-2024 10:03

I am hoping that a member who works in the banking security area might be able to answer a security related question.

With regard to credit and debit card four-digit PINs that we are expected to memorize, do the Banks, or perhaps more correctly, Visa / Mastercard, store that PIN number in their card info database as plain text numbers, a one way hash, a reversible hash, or some other way?

To be clear, I have no interest in attempting to crack or figure out what a card's PIN is, just understand how that piece of info is stored.

Thanks.

mentalinc (Uber Geek, Trusted, 3226 posts)
#3246871 10-Jun-2024 10:40

an HSM might even be an option





nic.wise (Ultimate Geek, Trusted, 333 posts)
#3246880 10-Jun-2024 11:03

Yup, the answer is "likely more complicated".

At minimum, it'll be encrypted. As they are short, it's likely with some other info like your account number (not the card number). This also means they can roll the card number and keep the PIN.

For the "change your PIN in the app" functions, they send down a public key, the app takes in the PIN, encrypts it with the PK, sends that block back, and the backend can decrypt it and process it as normal.

Given the volume (which isn't high for modern HSMs) the PINs are likely to be stored in the HSM. How THAT stores them is up to the HSM, though they are usually both network and physically tamper resistant.

So the process is something like:

  • you enter your PIN in the terminal
  • The terminal has a public key from the processor, so it encrypts that (and a load of other payload like account, amount etc) with the PK and sends it to the processor.
  • The processor has the PK of the next level up... so repeat a bit
  • Eventually it gets to your bank, who has the private key for the last level of encryption. They then re-encrypt the PIN, submit it to the HSM, which gives them a "yes/no" answer back.
  • ... and it all rolls back to the terminal.

Keep in mind that, and I might be under-selling the layers here, there are SO many levels between the terminal you're entering your PIN into and the storage of the PIN.

  • Terminal
  • The processors, eg WorldPay, Stripe etc
  • There's usually an aggregator in here, though Stripe is big enough to not need one, for example
  • Then Visa/MC etc
  • Then the bank

It's a wonder it works as well as it does.

Another way could even be:

  • Take the PIN, and run it through X rounds of a key derivation function with fixed, known parameters (goes from 10,000 possibilities (which is stuff all) to maybe a 256-bit or larger key)
  • Encrypt the transaction with this key (likely XML block, might be just amount=1234&cardnum=123412341234124 etc)
  • Send it to the processor (Worldpay)
  • they send it to the EFTPOS switch
  • ... which sends it to your bank
  • ... who push the encrypted block + the parameters for the key derivation (or it's fixed and known) to the HSM, which tries to decrypt it with the known PIN. If it fails: no transaction for you. If it works: PIN was right, proceed

Nic Wise - fastchicken.co.nz
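An added example, not part of the thread or anyone's production code, that puts numbers on the "10,000 possibilities" point in the post above and models the HSM yes/no property it describes. The account number, the PIN, the `ToyHsm` class and its three-strikes lockout are my own assumptions; HMAC-SHA256 stands in for whatever a real HSM does internally (production issuers generally keep a PIN verification value computed under an HSM-held key rather than an encrypted copy of the PIN, but the property shown is the same: without the key, the stored value says nothing about the PIN):

```python
import functools
import hashlib
import hmac
import secrets

# Constructed sample data (not from the thread).
ACCOUNT = "12-3456-0123456-00"
PIN = "0419"
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]   # every 4-digit PIN


def naive_hash(pin: str, account: str) -> bytes:
    """Unkeyed hash of account:PIN. Anyone holding the database row and the
    account number can recompute this for all 10,000 PINs."""
    return hashlib.sha256(f"{account}:{pin}".encode()).digest()


def stretched_hash(pin: str, account: str, iterations: int = 2000) -> bytes:
    """The 'X rounds of a KDF' idea from the post. Each guess costs more,
    but the keyspace is still exactly 10,000 PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), account.encode(), iterations)


def brute_force(stored: bytes, account: str, fn):
    """Offline attack: recompute fn() for every PIN until one matches the
    leaked value. Returns (pin or None, number of guesses made)."""
    for guesses, guess in enumerate(PIN_SPACE, start=1):
        if fn(guess, account) == stored:
            return guess, guesses
    return None, len(PIN_SPACE)


class ToyHsm:
    """Assumed model (mine, not a real product) of the property the post
    describes: the key is created inside the device, never leaves it, and
    callers only get yes/no. HMAC-SHA256 stands in for the HSM's internal
    PIN verification; the lockout is my addition to show why the online
    path is not an oracle either. Tamper response, key hierarchies and
    per-hop PIN-block translation are not modelled."""

    MAX_FAILURES = 3

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)        # generated inside the "HSM"
        self._failures: dict[str, int] = {}

    def enrol(self, pin: str, account: str) -> bytes:
        # Bind the PIN to the account, as the post suggests, so one stored
        # token cannot be replayed against another account.
        return hmac.new(self._key, f"{account}:{pin}".encode(), "sha256").digest()

    def verify(self, token: bytes, pin: str, account: str) -> bool:
        if self._failures.get(account, 0) >= self.MAX_FAILURES:
            return False                            # locked: even the right PIN fails
        ok = hmac.compare_digest(token, self.enrol(pin, account))
        self._failures[account] = 0 if ok else self._failures.get(account, 0) + 1
        return ok


@functools.lru_cache(maxsize=None)
def demo() -> dict:
    """Run the three storage strategies against the same PIN."""
    # 1. Plain hash: the leaked row gives up the PIN in at most 10,000 tries.
    naive_pin, naive_guesses = brute_force(naive_hash(PIN, ACCOUNT), ACCOUNT, naive_hash)

    # 2. KDF-stretched: same outcome, it just takes longer per guess.
    stretched_pin, _ = brute_force(stretched_hash(PIN, ACCOUNT), ACCOUNT, stretched_hash)

    # 3. Keyed token under an HSM-held key.
    bank_hsm = ToyHsm()
    token = bank_hsm.enrol(PIN, ACCOUNT)           # what the bank's database stores
    verify_ok = bank_hsm.verify(token, PIN, ACCOUNT)
    verify_wrong = bank_hsm.verify(token, "0000", ACCOUNT)
    # An attacker with the database but not the key has nothing to compare
    # against: a different key produces a different token for every PIN.
    attacker = ToyHsm()
    offline_pin, offline_guesses = brute_force(token, ACCOUNT, attacker.enrol)
    # And the online yes/no path stops answering after MAX_FAILURES misses.
    for guess in ("0001", "0002"):
        bank_hsm.verify(token, guess, ACCOUNT)
    locked_out = not bank_hsm.verify(token, PIN, ACCOUNT)

    return {
        "naive_pin": naive_pin, "naive_guesses": naive_guesses,
        "stretched_pin": stretched_pin,
        "verify_ok": verify_ok, "verify_wrong": verify_wrong,
        "offline_pin": offline_pin, "offline_guesses": offline_guesses,
        "locked_out": locked_out,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly: the plain and KDF-stretched hashes both give up the PIN once the enumeration reaches it, the keyed token gives the attacker nothing after all 10,000 guesses, and the online path refuses even the correct PIN once the account is locked. Stretching only changes the cost per guess, which is why the post's second scheme still depends on the decrypt step happening inside the HSM rather than anywhere an attacker could run it.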

