Analysis of Applicability of ISO 9564 PIN based Authentication to Closed-Loop Mobile Payment Systems

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Payment transactions initiated through a mobile device are growing, and the accompanying security concerns must be addressed. People coming from the payment card industry often talk passionately about porting ISO 9564 PIN-standard-based authentication from open-loop card payment to closed-loop mobile financial transactions, and about certifying closed-loop payment products or solutions against this standard. In reality, this standard has so far not been adopted for closed-loop mobile payment authentication, and the applicability of this ISO standard must be studied carefully before adoption. The authors carry out a critical analysis of the applicability of this ISO specification and make a categorical statement about the relevance of compliance to closed-loop mobile payment. Security requirements for authentication in closed-loop mobile payment systems are not standardized through the ISO 9564 standard, Common Criteria, etc. Since closed-loop mobile payment is a relatively new field, the authors make a case for the Common Criteria Recognition Agreement (CCRA) or another standards organization to push for publication of a mobile-device-agnostic Protection Profile or standard for it, incorporating the suggested authentication approaches.


💡 Research Summary

The paper provides a systematic examination of whether the ISO 9564 PIN‑based authentication standard, originally designed for open‑loop card‑payment environments, can be directly applied to closed‑loop mobile payment systems. It begins by outlining the rapid growth of mobile‑initiated transactions and the accompanying security concerns such as phishing, rooting/jailbreaking, and man‑in‑the‑middle attacks. The authors note that many industry participants cite ISO 9564 as a “gold standard” for authentication, yet no closed‑loop mobile solution has actually adopted it.

The technical foundation of ISO 9564 is then described in detail. The standard assumes the existence of a dedicated PIN Entry Device (PEM) that is physically isolated, a secure communication channel, and a set of long‑term cryptographic keys (ZMK, ZPK, etc.). PINs are entered on the PEM, encrypted into a PIN block, transmitted to a PIN Validation Device (PVD), and finally decrypted and verified. This model relies heavily on hardware‑based security and strict key‑management procedures.
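As an added illustration of the PIN-block flow described above (example code, not from the paper or the standard itself), the following Go program builds an ISO 9564-1 format 0 PIN block, encrypts it on the PIN entry side under a zone PIN key, and decrypts and verifies it on the validation side. The key, PIN and PAN are constructed test values, and the ZPK is modelled as a two- or three-key 3DES `cipher.Block` from `crypto/des`.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// format0Block builds an ISO 9564-1 format 0 PIN block: the PIN field ("0", length nibble, PIN
// digits, "F" padding) XORed with the PAN field ("0000" + the 12 digits left of the check digit).
func format0Block(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 || strings.Trim(pin+pan, "0123456789") != "" {
		return nil, fmt.Errorf("PIN must be 4-12 digits and PAN at least 13 digits")
	}
	pinHex := "0" + string("0123456789ABCDEF"[len(pin)]) + pin + strings.Repeat("F", 14-len(pin))
	pinField, _ := hex.DecodeString(pinHex)                               // 16 hex digits, cannot fail
	panField, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1]) // digits only, cannot fail
	for i := range pinField {
		pinField[i] ^= panField[i] // mixing in the PAN ties the block to one account
	}
	return pinField, nil
}

// pedEncrypt is the PIN entry device step: encrypt the clear block under the zone PIN key (ZPK).
func pedEncrypt(zpk cipher.Block, block []byte) []byte {
	out := make([]byte, 8)
	zpk.Encrypt(out, block) // one 8-byte block; only this ciphertext leaves the device
	return out
}

// pvdVerify is the PIN validation device step: decrypt under the same ZPK and compare, in
// constant time, with the block expected for the reference PIN and the transaction PAN.
func pvdVerify(zpk cipher.Block, encBlock []byte, pan, referencePIN string) (bool, error) {
	clear := make([]byte, 8)
	zpk.Decrypt(clear, encBlock)
	want, err := format0Block(referencePIN, pan)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(clear, want) == 1, nil
}

func main() {
	zpk, _ := des.NewTripleDESCipher([]byte("constructed-test-zpk-24B")) // constructed test key, not a real ZPK
	block, _ := format0Block("1234", "4000123456789010")                 // constructed PIN and PAN
	ok, _ := pvdVerify(zpk, pedEncrypt(zpk, block), "4000123456789010", "1234")
	fmt.Println("PIN verified:", ok)
}
```

Because the PAN is XORed into the clear block, the same encrypted block checked against a different PAN does not verify; the format is deterministic, so the confidentiality of the PIN rests entirely on the ZPK staying inside the PIN entry and validation devices.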

In contrast, the architecture of typical closed‑loop mobile payment solutions is dissected. Such systems usually consist of a mobile application or digital wallet, a token‑issuing backend, and a merchant‑side acceptance component. Authentication is performed primarily through user‑level mechanisms (biometrics, device‑PIN, pattern lock) and the validation of payment tokens rather than the transmission of a raw PIN. Even when a PIN is used (e.g., to unlock the wallet), it is processed inside the device’s Trusted Execution Environment (TEE), Secure Enclave, or TrustZone, which are not equivalent to the PEM defined by ISO 9564.

The authors compare the security models of the two domains. ISO 9564 focuses on PIN secrecy, integrity, and non‑reuse, with an emphasis on physical device security and dedicated cryptographic keys. Closed‑loop mobile payments, however, prioritize device integrity, application sandboxing, strong user authentication, and token lifecycle management. Threats such as OS‑level vulnerabilities, malicious apps, and device compromise are central to mobile environments but are absent from the ISO 9564 threat model.

To assess practical applicability, three hypothetical deployment scenarios are evaluated: (1) treating every mobile device as a PEM and pre‑provisioning ISO 9564 keys, which would create massive key‑distribution overhead and frequent re‑keying on device upgrades; (2) inserting a PIN‑exchange step into existing mobile payment flows, which would degrade user experience and introduce new phishing vectors; and (3) leveraging hardware security modules (e.g., TPM, Secure Enclave) to implement ISO 9564 encryption while still lacking the dedicated communication channel and key‑management infrastructure required by the standard. In each case, the authors find that the technical and operational costs outweigh any marginal security benefit.

Consequently, the paper concludes that ISO 9564 is not suitable as a direct authentication framework for closed‑loop mobile payments. Instead, the authors advocate for the development of a mobile‑centric protection profile under the Common Criteria Recognition Agreement (CCRA) or the creation of a new international standard that explicitly addresses token‑based authentication, biometric verification, and hardware‑rooted security mechanisms. Such a standard would provide clear, interoperable security requirements, facilitate regulatory compliance, and ultimately strengthen trust in the emerging closed‑loop mobile payment ecosystem.

