Here we explain the different environments that may exist around PIN translation and answer questions such as:

  • What are they used for?
  • What are the other actors in the banking industry exchanging information with the Utimaco Atalla AT1000?
  • What is the ecosystem around the Utimaco offering?

PIN Translation: What is It?

One of the main reasons for using an HSM such as the Utimaco Atalla AT1000 is PIN translation. This is the process of encrypting, deciphering, and converting ISO PIN blocks between different encryption keys.

[Figure: Retail payment market players: acquirer, switch, issuer]

In the ecosystem described by the illustration, ISO PIN blocks are transmitted from one network to another for various reasons, and the keys that are used on one network cannot be used on another. Encrypted PINs that are transmitted across these networks must be securely “translated” from one encryption to another.

For example, a bank customer who is outside his country of residence is withdrawing money from an ATM. The ATM needs to access the customer's bank account in his country of residence. The PIN that is entered at the ATM is encrypted locally and then sent through various financial networks until it reaches the customer’s home bank. The home bank must verify the PIN (“online PIN”) and return authorization before the ATM can allow access. 

During the transit on intermediate systems (between networks), the different parties can use the PIN translation service to re-encrypt a PIN block from one key to another. The PIN Translation service ensures that PINs never appear in the clear and that the keys for encrypting the PIN are isolated on their own networks.

Overview of the Cryptographic Protocol Used for PIN Translation

The way the decryption and encryption keys are communicated between the parties is relatively complex. It involves a ZMK (Zone Master Key) and a ZPK (Zone PIN Key). The ZPK is the key that encrypts or decrypts the PIN blocks during the transfers.

A typical PIN translation will convert between different formats, for example, conversion from an ISO-1 to an ISO-2 format.

Here we represent a typical PIN translation from one zone to another:

[Figure: Typical PIN translation]

Key Exchange in a PIN Translation flow

Here we represent how encryption (and decryption) keys are exchanged between the actors of a PIN verification flow. The minimal flow consists of the:

  1. Acquiring bank
  2. Processor (here Visa)
  3. Issuing bank

All keys used for PIN Translation are exchanged between the zone HSMs via a common key, the Zone Master Key (ZMK).

[Figure: Key translation process, Utimaco Atalla AT1000]

Zone 1 (ATM -> acquiring bank) uses a common key: the ZPK (Zone PIN Key) or the BDK (Base Derivation Key, used in DUKPT).

Zone 2 (acquiring bank -> processor) uses a common key: the AWK (Acquirer Working Key).

Zone 3 (processor -> issuing bank) uses a common key: the IWK (Issuer Working Key).

Here we can see that the PIN block is ciphered between the HSMs of the different zones so that it never transits in clear outside the security modules.
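The processor's step between zone 2 and zone 3, as an added example that is not Utimaco's code or the Atalla command set: a format 0 PIN block arriving under the AWK is decrypted, sanity-checked, rebuilt as a format 1 block and re-encrypted under the IWK, with the clear PIN confined to one function. Assumptions: the ISO 9564 format 0 to format 1 pair is chosen for illustration, a hash-based Feistel cipher stands in for TDES so the code needs only the standard library, and the keys and PAN are constructed test values.

```python
import hashlib, secrets

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_cipher(key, block, decrypt=False):
    # Stand-in 64-bit Feistel cipher, NOT TDES/AES: keeps the example stdlib-only.
    l, r = block[:4], block[4:]
    for i in (range(7, -1, -1) if decrypt else range(8)):
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:4]
        l, r = r, _xor(l, f)
    return r + l

def pan_field(pan):
    # 0000 followed by the rightmost 12 PAN digits, check digit excluded
    return bytes.fromhex("0000" + pan[:-1][-12:])

def encrypt_format0(pin, pan, zpk):
    # Acquirer side: ISO format 0 = (0 | length | PIN | F fill) XOR PAN field
    field = ("0" + format(len(pin), "x") + pin).ljust(16, "f")
    return block_cipher(zpk, _xor(bytes.fromhex(field), pan_field(pan)))

def translate(enc_block, zpk_in, zpk_out, pan):
    # Models the HSM boundary: the clear PIN exists only inside this function.
    clear = block_cipher(zpk_in, enc_block, decrypt=True)
    field = _xor(clear, pan_field(pan)).hex()
    length = int(field[1], 16)
    if field[0] != "0" or not 4 <= length <= 12:
        raise ValueError("sanity error: not a format 0 PIN block")
    pin, fill = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or fill.strip("f"):
        raise ValueError("sanity error: bad PIN digits or fill")
    # ISO format 1 = 1 | length | PIN | random fill, no PAN binding
    out = "1" + format(length, "x") + pin + secrets.token_hex(7)[:14 - length]
    return block_cipher(zpk_out, bytes.fromhex(out))

def decrypt_format1(enc_block, zpk):
    # Stands in for the issuer HSM, which would verify the PIN internally
    # and never return it; used here only to check the round trip.
    field = block_cipher(zpk, enc_block, decrypt=True).hex()
    if field[0] != "1":
        raise ValueError("not a format 1 PIN block")
    return field[2:2 + int(field[1], 16)]

# Constructed sample values (test PAN, made-up zone keys)
AWK = bytes.fromhex("0123456789abcdeffedcba9876543210")
IWK = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "4000001234567899"
```

A block presented with the wrong PAN or the wrong incoming key fails the control-nibble, length or fill checks, which is how a translation step rejects malformed input instead of silently re-encrypting it.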

Atalla HSMs and PIN Translation

Atalla HSMs are usually very good at PIN translation (Mohamed Atalla pioneered the use of the PIN in the banking industry).

Depending on the model, Utimaco Atalla HSMs have the following capacities:

10,000, 1060, 280, and 80 TPS (Visa PIN translates per second)

The Atalla AT1000 allows robust PIN translation via the following commands:

  • Translate PIN
  • Translate PIN – Visa DUKPT
  • Translate PIN – ANSI to PIN/Pad
  • Translate PIN – ANSI to PLUS and PLUS to ANSI
  • Translate PIN – IBM 3624 to IBM 3624
  • Translate PIN – IBM 3624 to PIN/Pad
  • Translate PIN – IBM 4731 to IBM 4731
  • Translate PIN – IBM 4731 to PIN/Pad
  • Translate PIN – PIN/Pad or Docutel to IBM 4731
  • Translate PIN – PIN/Pad or Docutel to PIN/Pad
  • Translate PIN – Double-Encrypted Input or Output
  • PIN Translate (ANSI to PIN/Pad) and MAC Verification
  • Translate PIN (ANSI to PLUS) and Verify MAC
  • Translate PIN and Generate MAC
  • PIN and PIN-Block Translate
  • PIN Translate – DUKPT to 3DES and Verify MAC
  • PIN Translate – DUKPT to 3DES and Generate MAC

Conclusion

The PIN Translation mechanism is essential for ensuring that PIN blocks are securely ciphered during transmission through the different zones of the PIN verification process. The Utimaco Atalla AT1000 has efficient PIN translation capacity.
