Fast and secure Online PIN activation with HSM data encryption
One of the most important advances in making purchases was the arrival of the PIN code. Before it existed, we had to sign with our name and surname as a security measure and as proof of identity, both in e-commerce purchases and in physical purchases at POS (point-of-sale) terminals. Nowadays you only have to enter a four-digit PIN code, which makes buying faster, simpler and safer. But technology never stops, and purchase security has now been given a new twist with the Online PIN or Digital PIN, which benefits both the buyer and end user of the card and the financial institution and issuer that verifies it (as ATMs already do).
With the online PIN process, the PIN is validated at the card issuer’s HSM rather than at the point-of-sale terminal, in the same way as when cash is withdrawn from an ATM. Validation at the POS is purely a “comparison” validation, whereas validation at the issuer is a cryptographic validation.
What is the Online PIN?
The Online PIN or Digital PIN is a new way for bank card users to create, modify or activate their PIN code online. Previously, you had to wait for the code to arrive by mail, go to an ATM or call by phone. Now it is done digitally and instantly, which makes it more secure. With this system the user is in control at all times, and this requires the financial and payment infrastructure to be equipped with HSMs.
It works very simply. When the card arrives at home, the user receives a message in their banking application or an SMS. The user opens this message and can then manage the PIN as they wish: create it, modify it, and so on. This is aligned with the PCI DSS standard (Payment Card Industry Data Security Standard), the highest certification in security matters.
Furthermore, for this process to be secure, it must be aligned with the ANSI X9.24 standard on DUKPT (Derived Unique Key Per Transaction), which is exactly what online PIN at the POS requires.
One of the countries where the Digital PIN is going to start being used is Mexico, where banks and fintechs are obliged to comply with it.
Advantages of having the Online PIN on credit cards
This new security mechanism offers a number of very interesting advantages for users when making purchases with a credit card:
- More security. With this system we avoid receiving letters with personal and sensitive information, which can be intercepted or lost at any time. We also avoid having to enter our credit card data at an ATM or other device, where the possibility of thieves stealing from us increases.
- Faster and more environmentally friendly process. Days no longer pass between signing the contract at the bank and receiving the card and PIN at home. In addition, the Digital PIN saves paper: previously two letters were sent home, one with the card and the other with the PIN code, whereas now only one is sent, with the card.
- Users can create their own code directly from the application. This provides greater convenience to the user, since this type of management can be done from home.
- The Online PIN on credit cards can be recovered if it is lost. In case of loss of the card, you can recover the Online PIN without any problem through the application.
- The code can also be modified in case of theft or loss, just as in the previous case, instantly and with complete user control.
Protecting the Digital PIN through an HSM
The creation, activation and change of an online PIN is done through data encryption protected by a hardware security module (HSM). It is important to implement this type of security because, with the digital transformation we are going through, we are increasingly using online shopping and electronic payment. This makes them a major target for cybercriminals.
At Realsec by Utimaco we have HSM data encryption solutions. As a cybersecurity company, we have an HSM that is responsible for generating, storing and safeguarding, throughout their life cycle, the cryptographic keys capable of creating the Online PIN.