PIN Tools

PIN block encoding and PIN verification calculators covering ISO 9564 formats, OEM variants, AES-encrypted PIN blocks, IBM 3624 offset, and VISA PVV. Each tool validates inputs in real time and logs every operation for audit.

Introduction

A PIN block is a fixed-format encoding of a cardholder PIN designed to be encrypted under a key (TPK, ZPK, or DUKPT-derived) and transmitted across a payment network. ISO 9564 defines the canonical formats; vendors and legacy networks add a few non-standard variants you may still encounter.

PIN Block Formats

Format   Source                   PAN-bound?  Notes
ISO-0    ISO 9564-1               Yes         PIN XOR PAN. Most common in legacy systems. Equivalent to ANSI X9.8.
ISO-1    ISO 9564-1               No          PIN + random padding. Used when PAN is not available.
ISO-2    ISO 9564-1               No          PIN + F padding. EMV ICC offline PIN.
ISO-3    ISO 9564-1               Yes         Like ISO-0 but with random fill nibbles instead of zeros.
ISO-4    ISO 9564-1 (2017)        Yes         16-byte block; AES-only. Currently mandated for new deployments.
OEM-1    Diebold / Docutel / NCR  Varies      Vendor-specific historical formats — rarely needed for new work.
ECI 1-4  Eurocheque / EFT         Varies      European legacy variants.

Use ISO-4 for new work

If you have flexibility, target ISO Format 4 with AES — it’s the only format approved for new PCI-PIN evaluations.

PIN Block Calculator

The PIN Block Calculator is a multi-tab tool with one tab per supported format. Each tab can run in Encode mode (PIN → encrypted PIN block) or Decode mode (encrypted PIN block → PIN).

Common Inputs

  • PIN — 4–12 numeric digits.
  • PAN — Primary Account Number, format-dependent (ISO-0/3/4 only).
  • Encryption Key — The key under which the PIN block will be (or has been) encrypted.
  • Encrypted PIN Block — In decode mode, the cipher text to recover the PIN from.

Walk-through (Encode, ISO-0)

  1. Open the PIN Block Calculator from Tools → Payments → PIN Block.
  2. Switch to the ISO-0 tab.
  3. Set mode to Encode.
  4. Enter the PIN (e.g. 1234).
  5. Enter the PAN. The tool extracts the rightmost 12 digits excluding the check digit automatically.
  6. Enter the encryption key (32 hex chars for 3DES).
  7. Click Calculate. The clear PIN block, PAN block, and encrypted PIN block are all shown.

Format Walk-throughs

ISO-0 / ANSI X9.8

Step 1 (PIN block):  04 12 34 FF FF FF FF FF
   - 04 = PIN length (4 digits)
   - 1234 = PIN
   - FF padding to 8 bytes

Step 2 (PAN block):  00 00 12 34 56 78 90 12
   - leading zeros + rightmost 12 digits of PAN excluding check digit

Step 3 (XOR):        04 12 26 CB A9 87 6F ED
Step 4 (Encrypt):    encrypted under TPK / ZPK
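
Steps 1 to 3 above as an added Python example (not the tool's own code), with a strict decoder that rejects a block whose format nibble, length or fill is wrong. The function names and the 16-digit PAN are constructed for illustration; the encryption in step 4 is left out.

```python
import re

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pan_block(pan: str) -> bytes:
    """Step 2: 0000 + rightmost 12 PAN digits, check digit excluded."""
    if not re.fullmatch(r"[0-9]{13,19}", pan):  # length bounds are this example's assumption
        raise ValueError("PAN must be 13-19 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])

def pin_field(pin: str) -> bytes:
    """Step 1: format nibble 0, PIN length nibble, PIN digits, F fill to 8 bytes."""
    if not re.fullmatch(r"[0-9]{4,12}", pin):
        raise ValueError("PIN must be 4-12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))

def encode_iso0(pin: str, pan: str) -> bytes:
    """Step 3: clear ISO-0 block, ready for encryption under the TPK / ZPK."""
    return xor_bytes(pin_field(pin), pan_block(pan))

def decode_iso0(clear_block: bytes, pan: str) -> str:
    """Undo the PAN XOR and validate the layout before returning the PIN."""
    if len(clear_block) != 8:
        raise ValueError("ISO-0 block must be 8 bytes")
    field = xor_bytes(clear_block, pan_block(pan)).hex().upper()
    if field[0] != "0":
        raise ValueError("format nibble is not 0 (wrong format, PAN or key)")
    length = int(field[1], 16)
    pin, fill = field[2:2 + length], field[2 + length:]
    if not 4 <= length <= 12 or not pin.isdigit() or set(fill) - {"F"}:
        raise ValueError("malformed PIN field (wrong format, PAN or key)")
    return pin

if __name__ == "__main__":
    PAN = "4001234567890120"  # constructed PAN whose 12 digits match the walk-through
    block = encode_iso0("1234", PAN)
    print(block.hex(" ").upper())
    print(decode_iso0(block, PAN))
```

A decoder that checks the fill and format nibble turns a wrong key or wrong PAN into an explicit error instead of a plausible-looking but incorrect PIN.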

ISO-1

No PAN; the PIN is followed by random fill bytes. Use when PAN is not transmitted (e.g. some IVR / VRU flows).

ISO-3

Like ISO-0 but the padding nibbles are random in the range 0xA–0xF. Each generated PIN block is unique even for the same PIN + PAN combination.

ISO-4 (AES)

16-byte clear PIN block: control field, PIN length, PIN digits, then a random fill. Encrypted with AES (128 / 192 / 256-bit) and XOR-combined with a derived PAN block. Use the dedicated AES PIN Block tab for ISO-4 work.

OEM-1 / ECI

Reserved for compatibility with legacy ATM and POS networks. The exact layout differs per vendor; the calculator labels each tab with the vendor name.

AES PIN Block (ISO-4) Calculator

The PIN Block AES tab focuses on the modern ISO Format 4 design.

Inputs

  • PIN — 4–12 digits.
  • PAN — Required for the PAN block XOR step.
  • AES Key — 32 / 48 / 64 hex chars.
  • Cipher Mode — ECB or CBC (CBC requires an IV).

Output

  • Clear PIN block (16 bytes)
  • PAN block (16 bytes)
  • Intermediate ciphertext (after AES of clear PIN block)
  • Final encrypted PIN block (after XOR with PAN block)

DUKPT-AES

For DUKPT AES PIN translation, derive the AES PIN working key in the DUKPT Tools first, then plug it in here.

VISA PVV Calculator

The PIN Verification Value (PVV) is a 4-digit value computed from the PIN, PAN, and a PVK that lets the issuer verify a PIN without storing it. The scheme is specified by VISA.

Inputs

  • PAN — 12 or more digits.
  • PIN — 4–12 digits.
  • PVK Index — Single digit 0–6.
  • PDK / PVK — 32 hex chars (2-key 3DES).

Modes

  • Generate — Produces a 4-digit PVV from PAN + PIN + PVK.
  • Validate — Compares an entered PVV against the recomputed value.

Algorithm Summary

  1. Build the Transformed Security Parameter (TSP): rightmost 11 digits of PAN (excluding check digit) + PVK index + leftmost 4 digits of PIN.
  2. 3DES-encrypt the TSP under the PVK.
  3. Scan the result hex left-to-right and pick the first 4 decimal digits. If fewer than 4 are found, scan again picking hex digits A–F mapped via X mod 10.

PAN:        4111111111111111
PIN:        1234
PVK Index:  1
PVK:        0123456789ABCDEFFEDCBA9876543210

TSP:        1111111111111234
Encrypted:  82A5...   (16 hex chars)
PVV:        8254
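
Steps 1 and 3 of the algorithm summary as an added Python example (not the tool's own code). The 3DES step is taken as an input because the Python standard library has no 3DES; the function names are hypothetical and the two ciphertext strings in the demo are constructed sample values, not outputs of the PVK shown above.

```python
import hmac
import re

def build_tsp(pan: str, pvki: int, pin: str) -> str:
    """Step 1: 11 PAN digits (check digit excluded) + PVK index + first 4 PIN digits."""
    if not re.fullmatch(r"[0-9]{12,}", pan):
        raise ValueError("PAN must be 12 or more digits")
    if not 0 <= pvki <= 6:
        raise ValueError("PVK index must be 0-6")
    if not re.fullmatch(r"[0-9]{4,12}", pin):
        raise ValueError("PIN must be 4-12 digits")
    return pan[:-1][-11:] + str(pvki) + pin[:4]

def select_pvv(cipher_hex: str) -> str:
    """Step 3: first pass takes decimal digits, second pass maps A-F via X mod 10."""
    h = cipher_hex.upper()
    if not re.fullmatch(r"[0-9A-F]{16}", h):
        raise ValueError("expected 16 hex chars of 3DES output")
    digits = [c for c in h if c in "0123456789"]
    if len(digits) < 4:
        # Second scan from the left: A->0, B->1, ... F->5
        digits += [str(int(c, 16) % 10) for c in h if c in "ABCDEF"]
    return "".join(digits[:4])

def validate_pvv(cipher_hex: str, entered_pvv: str) -> bool:
    """Validate mode: constant-time comparison against the recomputed value."""
    return hmac.compare_digest(select_pvv(cipher_hex), entered_pvv)

if __name__ == "__main__":
    print(build_tsp("4111111111111111", 1, "1234"))   # TSP from the page's inputs
    print(select_pvv("F3A9C07BD2E15846"))             # constructed: first pass suffices
    print(select_pvv("ABCDEF7AB2FFCDEA"))             # constructed: needs the second pass
```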

IBM 3624 PIN Offset Calculator

The IBM 3624 method derives a "natural PIN" from the PAN under a PIN Generation Key (PGK), then computes an offset that, added (mod 10) to the natural PIN, produces the customer’s chosen PIN.

Inputs

  • PAN — 12+ digits.
  • Customer PIN — 4–12 digits.
  • PGK — 32 hex chars (2-key 3DES).
  • Decimalisation Table — Default 0123456789012345; can be customised per issuer.
  • PIN Length — Default 4.

Modes

  • Generate Offset — Compute the offset given the PIN.
  • Verify PIN — Re-derive the natural PIN, add the offset, and compare to entered PIN.

Algorithm Summary

  1. 3DES-encrypt the PAN block under the PGK.
  2. Apply the decimalisation table to the result to obtain a natural PIN.
  3. Truncate to the desired PIN length.
  4. Offset = customer PIN − natural PIN (digit-wise mod 10).

Custom decimalisation

Custom decimalisation tables let issuers prevent specific natural PINs (a known IBM 3624 attack). The tool exposes the table directly so you can match issuer configuration.
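
Steps 2 to 4 and the Verify PIN mode as an added Python example (not the tool's own code), showing that an offset generated under one decimalisation table fails verification under another. The 3DES output of step 1 is taken as an input; the ciphertext, the custom table and the function names are constructed for illustration.

```python
import hmac

DEFAULT_TABLE = "0123456789012345"  # the tool's default decimalisation table

def natural_pin(cipher_hex: str, table: str = DEFAULT_TABLE, length: int = 4) -> str:
    """Steps 2-3: map each hex digit through the table, then truncate."""
    if len(table) != 16 or not (table.isascii() and table.isdigit()):
        raise ValueError("decimalisation table must be 16 decimal digits")
    if not 4 <= length <= 12:
        raise ValueError("PIN length must be 4-12")
    decimalised = "".join(table[int(c, 16)] for c in cipher_hex)
    return decimalised[:length]

def combine(a: str, b: str, sign: int) -> str:
    """Digit-wise (a + sign*b) mod 10, with no carry between positions."""
    if len(a) != len(b) or not ((a + b).isascii() and (a + b).isdigit()):
        raise ValueError("operands must be decimal strings of equal length")
    return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))

def generate_offset(customer_pin: str, cipher_hex: str, table: str = DEFAULT_TABLE) -> str:
    """Step 4: offset = customer PIN - natural PIN."""
    return combine(customer_pin, natural_pin(cipher_hex, table, len(customer_pin)), -1)

def verify_pin(entered_pin: str, offset: str, cipher_hex: str,
               table: str = DEFAULT_TABLE) -> bool:
    """Verify mode: natural PIN + offset, compared in constant time."""
    derived = combine(natural_pin(cipher_hex, table, len(offset)), offset, +1)
    return hmac.compare_digest(derived, entered_pin)

if __name__ == "__main__":
    CIPHER = "3F7C2201A9B4E6D8"        # constructed stand-in for the step 1 output
    CUSTOM = "8351296477461538"        # constructed issuer-specific table
    offset = generate_offset("1234", CIPHER)
    print(natural_pin(CIPHER), offset)
    print(verify_pin("1234", offset, CIPHER))            # same table on both sides
    print(verify_pin("1234", offset, CIPHER, CUSTOM))    # table mismatch
```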

Tips

  • If the host rejects your PIN block, verify the format on both sides — ISO-0 and ISO-3 look identical at a glance but produce different blocks.
  • For PVV / Offset workflows, capture both the customer PIN and the verification value at the same time. Comparing recomputed values to known-good ones is the fastest way to find a misconfigured key.
  • When testing DUKPT-protected PIN flows, derive the working key first (DUKPT Tools), then use it here. The activity log shows both the input PIN block and the decrypted clear PIN for cross-checking.