What is a PIN block?

Quick definition

A PIN block is the encrypted format in which a cardholder's PIN is transmitted during card-present transactions. It is standardized by ISO 9564 in four formats (0 to 3), encrypted under a key shared between the terminal and the issuer, and never decryptable by the merchant or acquirer.

The short answer

A PIN block is the standardized, encrypted format in which a cardholder's PIN is transmitted from the point of entry (a terminal, ATM, or unattended kiosk) to the card issuer for verification. Defined by ISO 9564, the PIN block combines the PIN with the card number in a specific way, then encrypts it under a key shared between the terminal and the issuer via a key hierarchy. The merchant's terminal creates the PIN block, the acquirer passes it through unchanged, and only the issuer can decrypt and verify.

The four ISO 9564 PIN block formats

  • Format 0: Combines PIN with PAN via XOR. Most common historically. Deprecated by newer network rules but still widely deployed.
  • Format 1: Used when PAN isn't available (certain ATM scenarios). No PAN combination — less secure, discouraged.
  • Format 2: For offline EMV chip-card PIN verification. No encryption needed because it's verified on-card.
  • Format 3: The modern preferred format. Randomized padding reduces predictability against cryptographic attack. Visa and Mastercard mandate format 3 on new deployments from 2023 onward.
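To make the format descriptions concrete, here is an added example (not code from this glossary or from multiflow) that builds and parses the cleartext PIN field of ISO 9564 formats 0 through 3 in Python. It covers the step before encryption only: the PAN-combined formats (0 and 3) XOR the PIN field with a PAN field made of the rightmost 12 PAN digits excluding the check digit; format 0 pads with F, format 3 pads with random nibbles from A to F, and formats 1 and 2 are not combined with the PAN. The PAN and PIN values are constructed test data, and encryption under the PEK inside tamper-resistant hardware is out of scope here.

```python
import secrets

HEX = "0123456789ABCDEF"


def _pan_field(pan: str) -> str:
    """Formats 0/3: '0000' + rightmost 12 PAN digits, excluding the check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    body = digits[:-1]          # drop the trailing Luhn check digit
    return "0000" + body[-12:]


def _pin_field(pin: str, fmt: int, rng=secrets) -> str:
    """Control nibble, PIN length nibble, PIN digits, then format-specific padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    head = f"{fmt:X}{len(pin):X}{pin}"
    pad_len = 16 - len(head)
    if fmt in (0, 2):
        pad = "F" * pad_len                                   # fixed fill
    elif fmt == 1:
        pad = "".join(rng.choice(HEX) for _ in range(pad_len))      # random fill, any nibble
    elif fmt == 3:
        pad = "".join(rng.choice("ABCDEF") for _ in range(pad_len))  # random fill, A-F only
    else:
        raise ValueError(f"unsupported PIN block format {fmt}")
    return head + pad


def _xor_hex(a: str, b: str) -> str:
    """Nibble-wise XOR of two 16-hex-digit strings."""
    return f"{int(a, 16) ^ int(b, 16):016X}"


def encode_pin_block(pin: str, pan: str, fmt: int = 0, rng=secrets) -> str:
    """Return the 16-hex-digit cleartext block that the terminal would then encrypt."""
    pin_field = _pin_field(pin, fmt, rng)
    if fmt in (0, 3):
        return _xor_hex(pin_field, _pan_field(pan))
    return pin_field


def decode_pin_block(block: str, pan: str, fmt: int = 0) -> str:
    """Recover the PIN from a cleartext block; reject anything malformed for the format."""
    block = block.upper()
    if len(block) != 16 or any(ch not in HEX for ch in block):
        raise ValueError("block must be 16 hex digits")
    pin_field = _xor_hex(block, _pan_field(pan)) if fmt in (0, 3) else block
    if int(pin_field[0], 16) != fmt:
        raise ValueError("control nibble does not match the expected format")
    n = int(pin_field[1], 16)
    if not 4 <= n <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, pad = pin_field[2:2 + n], pin_field[2 + n:]
    if not pin.isdigit():
        raise ValueError("PIN digits are not decimal (wrong PAN or corrupted block?)")
    if fmt in (0, 2) and pad != "F" * len(pad):
        raise ValueError("padding must be all F for this format")
    if fmt == 3 and any(ch not in "ABCDEF" for ch in pad):
        raise ValueError("format 3 padding must use nibbles A-F")
    return pin


if __name__ == "__main__":
    pan, pin = "4321987654321098", "1234"      # constructed sample values
    blk0 = encode_pin_block(pin, pan, 0)
    print("format 0:", blk0, "->", decode_pin_block(blk0, pan, 0))
    blk3 = encode_pin_block(pin, pan, 3)
    print("format 3:", blk3, "->", decode_pin_block(blk3, pan, 3))
```

Running it shows why format 0 is predictable: for a given PAN, the same PIN always yields the same block (here `04122D789ABCDEF6`), whereas format 3 produces a different block on every entry, so an attacker who watches encrypted traffic cannot tell repeated PINs apart. The decoder's checks on the control nibble and padding are also what a real verifier relies on to notice a block that was built under the wrong PAN or format.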

How the encryption key hierarchy works

  • Terminal Master Key (TMK): Resides securely in the terminal's tamper-resistant hardware.
  • PIN Encryption Key (PEK): Derived/rotated per session. Encrypts the PIN block for transmission.
  • Zone Master Key (ZMK) / Key Exchange Key (KEK): Used between acquirer and issuer to re-encrypt PIN blocks at the zone boundary.
  • Hardware Security Module (HSM): Dedicated cryptographic hardware at the acquirer and issuer performing the PIN-block translations.

The PIN never exists in cleartext outside the terminal's tamper-resistant hardware and the issuer's HSM. Any cleartext PIN exposure — even briefly — is a PCI PIN violation and a major incident.

What operators need to know

  • PCI PIN is a separate certification. If you handle PIN transactions (debit, PIN-based), your terminals and infrastructure must be PCI PIN-certified — a distinct audit beyond PCI DSS. Key management is the hard part.
  • Unattended terminals have stricter requirements. ATMs, fuel pumps, parking kiosks all have PCI PIN PTS (PIN Transaction Security) requirements for the physical hardware.
  • PIN-on-glass (PIN entry on a consumer phone/tablet). New-ish regime where customers enter the PIN on a merchant tablet running an SCRP (Secure Card Reader PIN) or CPoC (Contactless Payments on COTS) solution. Requires special PCI certifications.
  • PIN-less debit exists. Some low-value or card-absent transactions can run PIN-less via signature or no-CVM — different interchange and liability.
  • Key rotation is not optional. Under PCI PIN, terminal keys must rotate on a schedule. Terminals with stale keys (or that fail key-rotation commands) have to be pulled from service.
  • Merchants don't configure PIN blocks directly. Your terminal vendor and acquirer handle format selection and key hierarchy. Your job is to deploy certified terminals and follow the key-injection / decommissioning procedures.
  • CNP merchants can skip most of this. PIN isn't used in e-commerce — CVV and 3DS are the CNP equivalents.
