To retrieve ATM Pin from the Base24 switch


rams

Oct 21, 2011, 8:32:20 AM
to jPOS Users
I have worked on generating a balance enquiry request message with
jPOS for the B24 switch interface,
which basically sends the ATM PIN in its request with other parameters for
the validation of the PIN.

I need a command or method which will give the ATM PIN directly from the
switch.
Please let me know any ideas.

Chhil

Oct 21, 2011, 8:55:32 AM
to jpos-...@googlegroups.com
I don't know the format of a b24 message but I assume the "encrypted" pinblock is being sent in a particular data element along with other information to validate the pin in the same or other data elements.

What does "give ATM pin directly" mean?
Are you trying to get the encrypted PIN from the message or a decrypted PIN, aka clear PIN, aka non-PCI-compliant?

-chhil


Mark Salter

Oct 21, 2011, 9:06:43 AM
to jpos-...@googlegroups.com
On 21/10/2011 13:32, rams wrote:

> I need a command or method which will give ATM pin directly from the
> switch.
> Please let me know any ideas

To produce a PIN block, you need the clear PIN, the card number, a
secure DES key (shared with the Issuer), an algorithm and a secure
'place' to apply the algorithm to these components to produce a PIN
block.

You will need an HSM for production grade work and real PINs.

There are many best practices and PCI regs that you will also need to
follow to enable you to take a PIN from a cardholder and handle it
securely and appropriately.

I have guessed at your needs, but *if* you are really trying to retrieve
a PIN from a transaction as it passes, I hope you are really asking
about PIN translation and not trying to 'see' the real PIN as this would
not be allowed.


--
Mark
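
The components listed in the post above, put together as an added example (not code from the thread or from jPOS). It assumes ISO 9564-1 format 0 as the algorithm, which the thread does not name, and uses constructed test values; it builds only the clear block, because the DES encryption under the shared key is the step that belongs inside the HSM.

```python
"""Clear PIN block, ISO 9564-1 format 0 (assumed format; constructed test data)."""


def pin_field(pin: str) -> bytes:
    # Layout: control nibble 0, PIN length nibble, PIN digits, 'F' fill to 16 nibbles.
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    # Layout: four zero nibbles, then the rightmost 12 PAN digits
    # excluding the final check digit.
    if not (pan.isascii() and pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def clear_pin_block_format0(pin: str, pan: str) -> bytes:
    # The clear block is the XOR of the two 8-byte fields. In production this
    # value exists only inside the HSM, which encrypts it under the shared key
    # before it is placed in the message.
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


if __name__ == "__main__":
    # Constructed test values: well-known test PANs and a dummy PIN.
    for pan in ("4111111111111111", "5500000000000004"):
        block = clear_pin_block_format0("1234", pan)
        # Same PIN, different card number, different block: the PAN binds
        # the block to one card.
        print(pan, block.hex().upper())
```
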

Ramanath Pai

Oct 21, 2011, 9:10:23 AM
to jpos-...@googlegroups.com
Yes.
For validating the PIN we create a PIN block (encrypted with a key like the ZPK) along with other details to the switch.

But here I want to extract the PIN (it can be encrypted, clear or any other form; basically I should be able to extract the clear PIN from that) from the switch.

-Ramanath Pai

chhil

Oct 21, 2011, 9:33:25 AM
to jpos-...@googlegroups.com
All PIN operations happen within an HSM. You should never have a PIN in
the clear.
The HSM will be provided the encrypted PIN and encrypted keys, PAN,
PIN block format and other data to validate and tell you if the PIN
is correct or not.
In your system you should never have a clear PIN.

Having said this, in TEST you can emulate a software security module by
writing it yourself, or search for a Thales sim written in .NET, or
search the list for Hairi who has a link to a software HSM written by
him/her.
-chhil


Gang Deng

Oct 21, 2011, 9:17:33 AM
to jpos-...@googlegroups.com
I am assuming the message you sent to the switch is in ISO 8583-1987 format; if that's the case, then the PIN block is in DE52.

Cheers
Gang

Ramanath Pai

Oct 21, 2011, 12:19:22 PM
to jpos-...@googlegroups.com
I understand that the PIN should not be clear.
But my question is whether I can get the PIN in encrypted form (or PIN block) FROM the switch through any command?

I know how to validate the ATM PIN by generating the PIN block format and sending it to the switch.

- Ramanath Pai

chhil

Oct 21, 2011, 1:27:08 PM
to jpos-...@googlegroups.com
It would be in a field of the isomsg and you would do a get on the
field and obtain it.
Not sure where the confusion is.

Chhil



Ramanath Pai

Oct 24, 2011, 1:45:10 AM
to jpos-...@googlegroups.com
Ok, I need to know the MTI to get this value in the isomsg response.

For example:
To validate the ATM PIN we use the balance enquiry MTI, i.e. 0200, for the request, and in this message we put the enc PIN block in field 52 for validation.

Similarly, I need to know whether the following things can be performed inside the switch through ISO 8583 messages.
1. Assuming we have the card number and other details, can we extract the PIN block (encrypted form)?
   If yes, what is the MTI to fetch the same?
2. Can we generate and attach a random ATM PIN for a card number inside the switch through ISO 8583?



-Ramanath Pai

Chhil

Oct 24, 2011, 5:09:34 AM
to jpos-...@googlegroups.com
Based on your questions I feel you are somehow trying to hack your way through an ISOMsg without going through the API or the framework or the protocol. 
Most operations that you would perform would be inside the switch. 
Is this Base24 switch written using JPOS?

Please provide a simple flow of your messages to better understand from where you are trying to change things. 

I have put some inline comments below. 

I would highly recommend
1. getting the programmers guide.
2. search the email list for various examples.


-chhil

On 24-Oct-2011, at 11:15, Ramanath Pai <pai.ra...@gmail.com> wrote:

> Ok, I need to know the MTI to get this value in isomsg response.

The ISOMsg object has a getMTI method to determine MTI.

> For example:
> To validate the ATM Pin we use Balance enquiry MTI i.e. 0200 for the request and in this message we put enc pin block in field 52 for validation.
>
> Similarly I need to know following things can be performed inside switch through ISO 8583 messages.
> 1. Assuming we have cardnumber and other details can we extract pin block (encrypted form)
>    If yes, what is the MTI to fetch the same?

As you have mentioned earlier that the pin block is coming in field 52 so you should simply use the getter on the ISOMsg object and get it.

> 2. Can we generate and attach the random atm pin for a cardnumber inside the switch through ISO 8583

If you have control on the message I see no reason why you can't do this.

Ramanath Pai

Oct 25, 2011, 8:53:54 AM
to jpos-...@googlegroups.com
Hi Chillum,

If there is any API or framework or protocol to interact with B24 to get the PIN or create the PIN inside the switch, that is enough for me.
I am not aware of any such API, so I am only trying from ISOMsg.

Yes, it is a Base24 switch written using JPOS.
I have the programmers guide.

1. Repeatedly I am saying that, given the PIN block, I know how to validate the PIN block from the switch. But here my question is that I need to get the PIN from the switch just by giving the card number.

2. I need to know the MTI indicator to generate/create a PIN inside B24.

Regards,








chhil

Oct 25, 2011, 9:12:00 AM
to jpos-...@googlegroups.com
I will leave this thread to more knowledgeable people on the list. I
fail to understand your requirement.

Chhil

Eric Chaves

Oct 25, 2011, 10:06:36 AM
to jpos-...@googlegroups.com
Hi Ramanath,

If I'm getting you right, you want to figure out a way to instruct the B24 switch to *create* a PIN for a card at the terminal when the cardholder uses its card. If so, that's not how it is usually done. The PIN is either generated by the issuer when the card is issued or, in certain scenarios like private labels, as a procedure initiated by the user at the terminal (ATM, POS or whatever). This protocol is also dependent on the card technology (magnetic stripe, EMV chips, Mifare chips, and so on).

In this last scenario you have to either specify this feature so the terminal manufacturer implements it in their terminals, or the manufacturer has to have this feature already implemented and your authorization system has to support it.

To understand what everybody was telling you, you have to keep in mind that the switch is just a middle-man between the terminal and the authorization system.

At the end of the day, ISO 8583 messages are just a convention to be followed in order to exchange data between two parts (acquirers and issuers) with a lot of "workers" in the middle (switches, card brands and others). Someone has to "write down the rules" and the others have to follow. The messages are tailored to fit the needs of the participants involved in the issuing/acquiring/authorization process.

For example, if you are an issuer issuing a VISA card, your authorization system has to support the process (and therefore their message set) designed by VISA. Visa for instance (as far as I know) does not have a procedure to allow the issuer to instruct the acquirer to create a PIN, for example. As an acquirer, if you want to accept a VISA card you also have to make your terminal compliant with the VISA process.

The same thing applies, for example, to private ATM networks (here in Brazil we have an ATM acquirer, Rede24h). In this case, if an issuer wants to allow their card to be used in the Rede24h ATM machines, the issuer has to implement the procedures designed by this particular ATM company. In both cases, VISA and Rede24h use ISO 8583 messages, but which messages and which fields are used to hold their process (for example authorization, reversals, notifications and so on) are determined by them.

In order for the people here to help you, we need more details of what you are trying to do (for example: a user trying to reset its PIN at an ATM).

Hope this helps you. Best regards,

Eric.


Mark Salter

Oct 25, 2011, 11:45:27 AM
to jpos-...@googlegroups.com
On 25/10/2011 13:53, Ramanath Pai wrote:

> If there is any API or framework or the protocol to interact with B24 to get
> the pin or create the pin inside switch, that is enough for me.

Please confirm that you are seeking to get the PIN and not a PIN block?

Perhaps explaining what you seek to do with the PIN once you have it
would help?

> 1. Repeatedly i am saying that given the pin block, i know to validate the
> pin block from switch. But here my question is i need to get the pin from
> Switch just
> giving the cardnumber.

Can you explain why you want to do this? What do you want the PIN for?


If you are trying to validate the PIN then you will need to speak to the
card's issuers :-).

--
Mark

Ramanath Pai

Oct 27, 2011, 9:28:18 AM
to jpos-...@googlegroups.com
Hi Eric,

Yes. You are right, I want to create a PIN and send the PIN in the mail to the customer.
We will be doing this in the issuer premises only. So I just wanted to know what command is used or procedure followed in B24 from the issuer side, or the standard procedures followed, to generate this PIN and to extract this value.

So that I can develop the code and put this in the issuer premises.

- Rams



Emeka Onwuka

Oct 27, 2011, 9:38:27 AM
to jpos-...@googlegroups.com
Hi Rams

Card production and PIN generation are usually issuer-side functionality; most HSMs provide the ability to generate PINs and PIN mailers. B24 would not be able to "query" for the PIN unless you have the issuer-side application, which is usually a Card Management System, "expose" some API over ISO 8583 to the switch and then let your implementation query for such. However, I am not sure how possible it would be for you to "extract" and "decrypt" and send this PIN to the customer; this is NOT how it is done.

Your best bet would be to interact with the HSM.

Gang Deng

Oct 27, 2011, 10:38:15 AM
to jpos-...@googlegroups.com
Emeka is right. Usually you have one of those old dot printers attached to the HSM to print the PIN mailers out. Security practice will not allow you to decrypt and print the PIN anywhere else but through the HSM. Also, the PIN mail printing work should be done by the card issuer rather than B24 or any switch.

Cheers
Gang