Hi,
PIN policy could include the following technical areas . Depending on the
delivery channel and its strengths/limitations the specific standards and
guidelines for each channel can be built. e.g. Internet Banking might allow
8 characters while ATM and IVR might be limited to 4 .
**Strength of PIN**
*
Minimum length of PIN should be 8 or whatever maximum is permitted
by the application
*
PIN should include alphabets, numerals and special characters
**PIN generation and communication**
*
PIN generation and communication process should ensure that only the
customer has access to it.
*
User-ID and PIN should be communicated separately to customer.
**PIN usage **
*
Application should force user to change PIN at first login.
**PIN security**
*
PIN should be transmitted in encrypted/hashed format from client to
server
*
Application should have facility for user to change PIN at any time
without IT-staff assistance.
*
Application should ensure PIN is stored with one-way encryption to
ensure system administrator cannot access PIN information.
*
Application should lockout users after fixed number of unauthorized
attempts.
**PIN recovery**
*
Lost PIN recovery process should ensure that random PIN are
generated. Application should force change of PIN at next login.
Jose Varghese
Paladion Networks
Application Security Magazine
http://palisade.paladion.net
_____
From: Murli Nambiar [mailto:murli.n@rediffmail.com]
Sent: Friday, July 08, 2005 12:33 PM
To: security-management@securityfocus.com
Subject: PIN policy
Hi everyone,
I have a requirement to have a policy on PIN (Personal Identification
Number), would anyone have a PIN policy which could be shared or guide me
towards some resource. I checked across many of the sites like NIST, SANS
but was not able to find anything.
The policy has to be more from a technical angle which every channel (ATM,
IVR or Internet Banking) needs to follow or consider.
Thanks in advance.
Murli
<http://clients.rediff.com/signature/track_sig.asp>
