A PIN pad is an electronic device used in a debit or smart card-based transaction to input and encrypt the cardholder's PIN. PIN pads are normally used with integrated point of sale devices in which an electronic cash register is responsible for taking the sale amount and initiating/handling the transaction. The PIN pad is required so that the customer card can be accessed (in the case of chip cards) and the PIN can be securely entered and encrypted before it is sent upstream to the transaction manager of the switch or the bank. In some cases, with chip cards, the PIN is only transferred from the PIN pad to the chip (within the PIN pad itself) and it is verified by the chip card. In this case the PIN does not need to be sent to the bank or card scheme for verification. (This is known as 'offline PIN verification'.)
Like some stand-alone point of sale devices, PIN pads are equipped with hardware and software security features to ensure that the injected security keys and the PIN are erased if someone tries to tamper with the device. The PIN is encrypted immediately on entry and an encrypted PIN block is created. This encrypted PIN block is erased as soon as it has been sent from the PIN pad to the attached point of sale device and/or the chip card. PINs are encrypted using a variety of encryption schemes, the most common being triple DES.
PIN pads must be approved to the standards required by the payment card industry to ensure that they provide adequate security at the point of PIN entry and for the PIN encryption process. ISO 9564 is the international standard for PIN management and security.
Some well-known PIN pad vendors include Hypercom (now including Thales e-Transactions division), Ingenico (now including Sagem), and VeriFone.