A PIN pad or PIN entry device is an electronic device used in a debit, credit or smart card-based transaction to accept and encrypt the cardholder's personal identification number (PIN). PIN pads are normally used with integrated point of sale devices in which an electronic cash register is responsible for taking the sale amount and initiating/handling the transaction. The PIN pad is required so that the customer card can be accessed (in the case of chip cards) and the PIN can be securely entered and encrypted before it is sent to the transaction manager of the switch or the bank. In some cases, with chip cards, the PIN is only transferred from the PIN pad to the chip (within the PIN pad itself) and it is verified by the chip card. In this case the PIN does not need to be sent to the bank or card scheme for verification. (This is known as "offline PIN verification".)
Like some stand-alone point of sale devices, PIN pads are equipped with hardware and software security features to ensure that the injected security keys and the PIN are erased if someone tries to tamper with the device. The PIN is encrypted immediately on entry and an encrypted PIN block is created. This encrypted PIN block is erased as soon as it has been sent from the PIN pad to the attached point of sale device and/or the chip card. PINs are encrypted using a variety of encryption schemes, the most common being triple DES.
PIN pads must be approved to the standards required by the payment card industry to ensure that they provide adequate security at the point of PIN entry and for the PIN encryption process. ISO 9564 is the international standard for PIN management and security, and specifies some required and recommended characteristics of PIN entry devices.
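The PIN block that is built before encryption can be illustrated with the ISO 9564-1 format 0 layout. This is an added example, not part of the original article. The article does not say which format a given PIN pad uses, so format 0, the function names and the sample PIN and PAN are assumptions here, and the triple DES encryption step is not shown.

```python
# Added illustration: ISO 9564-1 "format 0" clear PIN block, i.e. the 8-byte
# value a PIN pad would then encrypt (for example with triple DES).
# Function names and sample values are constructed for this example.

def _pan_field(pan: str) -> bytes:
    """0000 followed by the rightmost 12 PAN digits, excluding the check digit."""
    digits = pan.replace(" ", "")
    if not (digits.isascii() and digits.isdigit()) or len(digits) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + digits[:-1][-12:])

def build_pin_block(pin: str, pan: str) -> bytes:
    """Return the clear format 0 PIN block for this PIN and PAN."""
    if not (pin.isascii() and pin.isdigit()) or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    # Nibble 0 = format code 0, nibble 1 = PIN length, then the PIN digits,
    # padded with hex F up to 16 nibbles.
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    # XOR with the PAN field binds the block to one account number.
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))

def recover_pin(block: bytes, pan: str) -> str:
    """Undo the XOR and validate the layout; raises ValueError on mismatch."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    nibbles = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if nibbles[0] != "0":
        raise ValueError("not a format 0 block (or wrong PAN)")
    length = int(nibbles[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, pad = nibbles[2:2 + length], nibbles[2 + length:]
    if not pin.isdigit() or set(pad) - {"F"}:
        raise ValueError("malformed PIN or padding (wrong PAN?)")
    return pin

if __name__ == "__main__":
    sample_pan = "4111111111111111"   # constructed test value, not a real card
    block = build_pin_block("1234", sample_pan)
    print(block.hex().upper(), recover_pin(block, sample_pan))
```

Because the PAN is mixed into the block, the same PIN produces a different block for each account, and a block checked against the wrong PAN fails validation instead of yielding a usable PIN.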
Although PIN pads nominally allow entry of numeric values, some PIN pads also have letters assigned to most of the digits, to allow use of alphabetic characters or a word as a mnemonic for the numeric PIN. Not all PIN pads necessarily have the same letters for the same numbers. ISO 9564 does not mandate any particular assignment of letters, and includes two examples that differ in the digit to which Q and Z are assigned.
- ISO 9564-1:2002 Banking — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems, clause 5 PIN entry devices
- ISO 9564-1:2002, Annex E.4 Alpha-to-numeric mapping