Here we will explain the different environments that may exist around pin translation and answer such questions as:

• What are they used for?
• What are the other actors in the banking industry exchanging information with the Utimaco Atalla AT1000?
• What is the ecosystem around the Utimaco offering?

PIN Translation: What is It?

One of the main reasons for using an Utimaco Atalla AT1000 like the Utimaco Atalla HSM is PIN Translation. This is the process of encrypting, deciphering, and converting ISO PINBlocks between different encryption keys.

In the ecosystem described by the illustration, ISO PIN blocks are being transmitted from one network to another network for various reasons where the keys that are used on one network cannot be used on another network. Encrypted PINs that are transmitted across these networks must be securely “translated” from one encryption to another encryption.

For example, a bank customer who is outside his country of residence is withdrawing money from an ATM. The ATM needs to access the customer’s bank account in his country of residence. The PIN that is entered at the ATM is encrypted locally and then sent through various financial networks until it reaches the customer’s home bank. The home bank must verify the PIN (“online PIN”) and return authorization before the ATM can allow access.

During the transit on intermediate systems (between networks), the different parties can use the PIN translation service to re-encrypt a PIN block from one key to another. The PIN Translation service ensures that PINs never appear in the clear and that the keys for encrypting the PIN are isolated on their own networks.

Overview of the Cryptographic Protocol Used for PIN Translation

The way the keys to decrypt and encrypt are communicated between the parties is relatively complex. It involves a ZMK (Zone Master Key) and a ZPK (Zone Pin Key). The ZPK is what will encrypt or decrypt the PIN blocks during the transfers.

A typical PIN translation will convert between different formats, for example, conversion from an ISO-1 to an ISO-2 format.

Here we represent a typical PIN translation from one zone to another:

Key Exchange in a PIN Translation flow

Here we represent how encryption (and decryption) keys are exchanged between the actors of a PIN verification flow. The minimal flow consists of the:

1. Acquiring bank
2. Processor (here Visa)
3. Issuing bank

All keys used for PIN Translation are exchanged between the zone HSMs via a common key, the Zone Master Key ( ZMK)

The Zone 1:  ATM -> Acquiring bank will use a common key: the ZPK (Zone Pin Key ) or the BDK (base Derivation key found inside the DUKPT).

The Zone 2: Acquiring bank -> Processor will use a common key: the AWK, Acquirer Working Key.

The Zone 3: Processor -> Issuing bank will use a common key: the IWK , Issuer Working Key.

Here we can see that the PIN block is ciphered between the HSMs of the different zones so that it never transits in clear outside the security modules.

Atalla HSMs and PIN Translation

Atalla HSMs are usually very good at PIN translation (Mohamed Atalla pioneered the use of the PIN in the banking industry).

Depending on the model, Utimaco Atalla HSMs have the following capacities:

10,000, 1060, 280, and 80 TPS (Visa PIN translates per second)

The Atalla AT-100 allows robust PIN translation via the following commands:

Conclusion

The PIN Translation mechanism is essential for ensuring that PIN blocks are securely ciphered during transmission through the different zones of the PIN verification process. The Utimaco Atalla AT1000 has efficient PIN translation capacity.

Read more about the Utimaco Atalla AT1000 Hardware Security Module (HSM), a payments security module for protecting sensitive data and associated keys. Or access more articles on the Utimaco Atalla AT1000