PIN Block Translation
Re-encrypt PIN blocks between working keys (ZPK/TPK) with optional ISO 9564 format conversion
16 hex characters (8 bytes). The PIN block encrypted under the source key.
32 hex chars. The key the PIN block is currently encrypted under.
32 hex chars. The key to re-encrypt the PIN block under.
Process: Decrypt the PIN block with the source key → (optionally convert format) → re-encrypt with the destination key. The clear PIN is never exposed outside the secure boundary.
Format Conversion: When converting between Format 0 (PAN-dependent) and Format 1 (PAN-independent), the PAN is required. Format 0 binds the PIN block to the PAN via XOR, while Format 1 includes random padding.
Security Note: In production, PIN translation MUST happen inside a tamper-resistant HSM. This tool is for testing, debugging, and educational purposes only.
Related Tools
PIN translation is a core cryptographic operation used by Hardware Security Modules (HSMs) when routing transactions across different payment networks. It decrypts an incoming PIN block using a source working key (e.g., ZPK from the acquirer), optionally converts its ISO 9564 format, and immediately re-encrypts it under a destination working key (e.g., ZPK for the issuer) without ever exposing the clear PIN outside the secure boundary.
- Input the 16-character hexadecimal PIN block currently encrypted under the source key.
- Enter the 32-character hexadecimal Source Key (ZPK/TPK) and Destination Key (ZPK/TPK) to re-encrypt under.
- Choose the correct ISO 9564 format (Format 0 or Format 1) for both the source and destination. If converting between formats, provide the 13–19 digit PAN.
- Click Translate PIN Block to decrypt the block with the source key, apply format conversion if needed, and re-encrypt under the destination key.
When is a PAN required for PIN translation?
The Primary Account Number (PAN) is strictly required when converting between ISO 9564 Format 0 (which is PAN-dependent via XOR operations) and Format 1 (which is PAN-independent and uses random padding). If both the source and destination formats are the same, the PAN is not needed for the re-encryption process.