== Financial services ==
=== PIN usage ===
In the context of a financial transaction, usually both a private "PIN code" and public user identifier are required to authenticate a user to the system. In these situations, typically the user is required to provide a non-confidential user identifier or token (the ''user ID'') and a confidential PIN to gain access to the system. Upon receiving the user ID and PIN, the system looks up the PIN based upon the user ID and compares the looked-up PIN with the received PIN. The user is granted access only when the number entered matches the number stored in the system. Hence, despite the name, a PIN does not ''personally'' identify the user.<ref>[http://webb-site.com/articles/identity.asp Your ID number is not a password], Webb-site.com, 8 November 2010</ref> The PIN is not printed or embedded on the card but is manually entered by the cardholder during [[automated teller machine]] (ATM) and [[point of sale]] (POS) transactions (such as those that comply with [[EMV]]), and in [[card not present]] transactions, such as over the Internet or for phone banking.
=== PIN length ===
The international standard for financial services PIN management, [[ISO 9564]]-1, allows for PINs from four up to twelve digits, but recommends that for usability reasons the card issuer not assign a PIN longer than six digits.<ref>[http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54083 ISO 9564-1:2011 ''Financial services — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for PINs in card-based systems''], clause 8.1 PIN length</ref> The inventor of the ATM, [[John Shepherd-Barron]], had at first envisioned a six-digit numeric code, but his wife could only remember four digits, and that has become the most commonly used length in many places,<ref name=milligan>{{cite web | url=http://news.bbc.co.uk/2/hi/business/6230194.stm | title=The man who invented the cash machine | publisher=BBC | access-date = 2014-06-15 | date=2007-06-25}}</ref> although banks in Switzerland and many other countries require a six-digit PIN.

=== PIN validation ===
There are several main methods of validating PINs. The operations discussed below are usually performed within a [[hardware security module]] (HSM).

==== IBM 3624 method ====
One of the earliest ATM models was the [[IBM 3624]], which used the IBM method to generate what is termed a ''natural PIN''. The natural PIN is generated by encrypting the primary account number (PAN), using an encryption key generated specifically for the purpose.<ref>{{cite web | url=http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.csfb400/csfb4z80539.htm | title=3624 PIN Generation Algorithm | publisher=IBM }}</ref> This key is sometimes referred to as the PIN generation key (PGK). This PIN is directly related to the primary account number. To validate the PIN, the issuing bank regenerates the PIN using the above method, and compares this with the entered PIN.
Natural PINs cannot be user-selectable because they are derived from the PAN. If the card is reissued with a new PAN, a new PIN must be generated. Natural PINs allow banks to issue PIN reminder letters, as the PIN can be generated.

==== IBM 3624 + offset method ====
To allow user-selectable PINs, it is possible to store a PIN offset value. The offset is found by subtracting the natural PIN from the customer-selected PIN using [[modular arithmetic|modulo]] 10.<ref>{{cite web | url=http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.csfb400/csfb4z80541.htm | title=PIN Offset Generation Algorithm | publisher=IBM}}</ref> For example, if the natural PIN is 1234, and the user wishes to have a PIN of 2345, the offset is 1111. The offset can be stored either on the card track data,<ref>{{cite web | url=http://www.gae.ucm.es/~padilla/extrawork/tracks.html | title=Track format of magnetic stripe cards | publisher=Gae.ucm.es | access-date=2010-04-25 | archive-date=2014-09-28 | archive-url=https://web.archive.org/web/20140928190852/http://www.gae.ucm.es/~padilla/extrawork/tracks.html | url-status=dead }}</ref> or in a database at the card issuer. To validate the PIN, the issuing bank calculates the natural PIN as in the above method, then adds the offset and compares this value to the entered PIN.

==== VISA method ====
[[File:VeriFone credit card terminal Servebase.jpg|thumb|When using this credit card terminal, a VISA cardholder swipes or inserts their credit card, and enters their PIN on the keypad.]]
The VISA method is used by many card schemes and is not VISA-specific. The VISA method generates a PIN verification value (PVV). Similar to the offset value, it can be stored on the card's track data, or in a database at the card issuer. This is called the reference PVV.
The VISA method takes the rightmost eleven digits of the PAN excluding the checksum value, a PIN validation key index (PVKI, chosen from one to six; a PVKI of 0 indicates that the PIN cannot be verified through PVS<ref>{{Cite web|title=Sun Crypto Accelerator 6000 Board User's Guide for Version 1.0|url=https://docs.oracle.com/cd/E19321-01/819-5536-12/4_FS.html|access-date=2021-06-22|website=docs.oracle.com|language=en-US}}</ref>) and the required PIN value to make a 64-bit number. The PVKI selects a validation key (PVK, of 128 bits) to encrypt this number. From this encrypted value, the PVV is found.<ref>{{cite web|title=PVV Generation Algorithm|url=https://www.ibm.com/docs/en/linux-on-systems?topic=linuxonibm/com.ibm.linux.z.wskc.doc/wskc_c_appdpvvgenalg.html|publisher=IBM}}</ref> To validate the PIN, the issuing bank calculates a PVV value from the entered PIN and PAN and compares this value to the reference PVV. If the reference PVV and the calculated PVV match, the correct PIN was entered.

Unlike the IBM method, the VISA method does not derive a PIN. The PVV value is used to confirm that the PIN entered at the terminal was also used to generate the reference PVV. The PIN used to generate a PVV can be randomly generated, user-selected or even derived using the IBM method.
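
An added example, not part of the article or of any vendor's code, covering both the IBM 3624 offset method and the VISA PVV method described above: it shows the decimal post-processing applied to the 64-bit ciphertext. The DES encryption inside the HSM is not reproduced, so the ciphertext is a constructed hex string; the decimalization table and the PVV digit scan follow the IBM algorithm descriptions the section cites, and all function names are hypothetical.

```python
import hmac

# IBM 3624 default decimalization table: hex digit value -> decimal digit.
DEC_TABLE = "0123456789012345"
SAMPLE_CT = "1A3F9C0E5B7D2486"  # constructed ciphertext, not real HSM output


def natural_pin(cipher_hex, length=4, table=DEC_TABLE):
    """IBM 3624: decimalize the encrypted PAN block, keep the leftmost digits."""
    return "".join(table[int(h, 16)] for h in cipher_hex[:length])


def pin_offset(natural, chosen):
    """Offset = chosen - natural, digit by digit modulo 10 (no borrow)."""
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural, chosen))


def verify_ibm(cipher_hex, offset, entered):
    """Recompute the natural PIN, add the offset digit-wise mod 10, compare."""
    nat = natural_pin(cipher_hex, len(offset))
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, entered)  # constant-time comparison


def visa_tsp(pan, pvki, pin):
    """VISA input block: 11 rightmost PAN digits (no check digit) + PVKI + PIN."""
    if not (pan.isdigit() and len(pan) >= 12 and pin.isdigit() and len(pin) == 4):
        raise ValueError("this sketch needs a 12+ digit PAN and a 4-digit PIN")
    if not 1 <= pvki <= 6:
        raise ValueError("PVKI must be 1..6 (0 means no PVV verification)")
    return pan[:-1][-11:] + str(pvki) + pin  # 16 digits = 64 bits


def visa_pvv(cipher_hex):
    """Scan left to right for decimal digits; if short, use A-F minus 10."""
    ct = cipher_hex.upper()
    digits = [h for h in ct if h.isdigit()]
    digits += [str(int(h, 16) - 10) for h in ct if h in "ABCDEF"]
    return "".join(digits[:4])


if __name__ == "__main__":
    nat = natural_pin(SAMPLE_CT)
    off = pin_offset(nat, "2345")
    print("natural PIN:", nat, "offset for 2345:", off)
    print("wrap-around offset:", pin_offset("9876", "1234"))
    print("IBM verify:", verify_ibm(SAMPLE_CT, off, "2345"))
    print("VISA block:", visa_tsp("4000001234567899", 1, "2345"))
    print("PVV from sample ciphertext:", visa_pvv(SAMPLE_CT))
```
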