ISO 10202-6-1994 PDF
Name in English: St ISO 10202-6-1994
Name in Russian: Ст ISO 10202-6-1994
Original standard ISO 10202-6-1994, full version in PDF. Additional information and a preview are available on request.
Full title and description
ISO 10202-6:1994 — Financial transaction cards — Security architecture of financial transaction systems using integrated circuit cards — Part 6: Cardholder verification. Specifies requirements for the security of cardholder verification when a discrete Cardholder Identification Value (CIV), such as a PIN, is used with an integrated circuit card (ICC); indicates where ISO 9564-1 applies and which ICC-specific aspects are covered by this part.
Abstract
This part of ISO 10202 defines requirements and safeguards for verifying that the card presenter is the legitimate cardholder when a discrete CIV (e.g., PIN or password) or biometric reference is used in conjunction with an ICC. It covers storage and protection of the reference CIV on the card, loading/re-loading/change procedures, verification at Common Data File (CDF) and Application Data File (ADF) levels, and restrictions that protect CIV data from external reading.
General information
- Status: Withdrawn.
- Publication date: 1994-12 (First edition).
- Publisher: International Organization for Standardization (ISO).
- ICS / categories: 35.240.15 / Banking and related financial services; IT applications in banking.
- Edition / version: Edition 1 (1994).
- Number of pages: 6 (a concise technical part; Annex A is integral, and there are additional informational annexes).
Scope
This part of ISO 10202 specifies security requirements for cardholder verification in systems using integrated circuit cards. It applies when a discrete CIV (for example a PIN) or biometric reference is used and addresses: whether verification is performed at CDF or ADF level; secure loading, re-loading and changing of CIVs under card issuer or application supplier control; secure storage on the IC (protected against external reading); and availability of CDF-level verification to any application on the card. It does not replace general PIN management rules in ISO 9564-1 except where ICC-specific provisions are required.
Key topics and requirements
- Definition and protection of Cardholder Identification Value (CIV), including discrete (PIN/password) and biometric CIVs.
- Requirements for secure loading, re-loading and change procedures for CIVs under issuer or application-supplier control.
- Rules for storing the discrete reference CIV in the IC such that it is protected from external reading.
- Specification of verification levels: Common Data File (CDF) vs Application Data File (ADF) verification, and who controls each.
- Requirements ensuring CDF-level CIV verification is available to any application on the card when applicable.
- Interaction and consistency with ISO 9564-1 PIN management where not ICC-specific.
Typical use and users
Intended for payment scheme security architects, card issuers, smart-card application suppliers, terminal/card-acceptance device manufacturers, system integrators and auditors working on integrated circuit card (smart card) based payment or secure transaction systems. Useful as a technical reference when designing cardholder verification processes and secure storage/handling of CIVs on ICCs.
Related standards
Part of the ISO 10202 series (Security architecture of financial transaction systems using integrated circuit cards). Related parts include ISO 10202-1 (Card life cycle), Part 2 (Transaction process), Part 3 (Cryptographic key relationships), Part 4 (Secure application modules), Part 5 (Use of algorithms), Part 7 (Key management), and Part 8 (General principles and overview). Cardholder verification provisions reference ISO 9564-1 for general PIN management.
Keywords
ISO 10202-6, cardholder verification, CIV, PIN, integrated circuit card, ICC, smart card security, CDF, ADF, payment card security, ISO 9564.
FAQ
Q: What is this standard?
A: ISO 10202-6:1994 is Part 6 of the ISO 10202 series addressing cardholder verification for financial transaction systems that use integrated circuit cards (ICCs). It specifies security requirements when a discrete CIV (e.g., PIN) or biometric reference is used with an ICC.
Q: What does it cover?
A: It covers secure storage and protection of the reference CIV on the IC, procedures for loading/re-loading/changing CIVs under appropriate control, verification at CDF and ADF levels, and interaction with ISO 9564-1 where applicable. It also includes informational annex material.
Q: Who typically uses it?
A: Payment scheme designers, card issuers, smart-card application suppliers, terminal manufacturers, system integrators and security auditors implementing or reviewing cardholder verification for ICC-based payment and transaction systems.
Q: Is it current or superseded?
A: ISO 10202-6:1994 is listed by ISO as Withdrawn. For current practices and any successor specifications, consult the ISO catalogue and the latest parts of the ISO 10202 family or related ISO standards (for example ISO 9564 for PIN management).
Q: Is it part of a series?
A: Yes — it is Part 6 of ISO 10202, a multi-part standard covering security architecture for financial transaction systems using integrated circuit cards; other parts address life cycle, transaction processes, keys, algorithms, key management and overview principles.
Q: What are the main keywords?
A: CIV, PIN, ICC, smart card, cardholder verification, CDF, ADF, integrated circuit card, payment card security, ISO 10202.