Issuing

Issuing focuses on issuing payment cards and provisioning mobile payment tokens. The following sections cover these issuing topics:

  • PIN and offset generation
  • EMV key generation and derivation
  • Mobile payment token issuance
  • CVV generation

PIN and offset generation

For both PIN generation methods described in this section, the issuing bank associates PINs with an algorithm based on a 3DES encryption key, referred to as a PIN Verification Key (PVK). A PIN, generated based on the customer's account or card number and the PIN Verification Key, is called the natural PIN.

In the past, issuers did not allow customers to select their PIN. Instead, the bank would send the natural PIN to customers in the mail and force them to use the designated PIN. Now, most banks allow customers to select their own PIN. To do this, the issuer sends the PIN Verification Key, the customer account number, and the chosen PIN to an HSM, which compares the natural PIN against the customer-selected PIN and determines the difference. The difference is referred to as the PIN Verification Value (PVV) for the VISA PVV method and the offset for the IBM 3624 method.

VISA PVV

The VISA PVV algorithm performs a multiple encipherment of a value, called the transformed security parameter (TSP), and an extraction of a 4-digit PVV from the ciphertext.

You can use the GVWW Excrypt command to generate a random VISA Working Key for use in the VISA Network.

IBM 3624 (Offsets)

The IBM 3624 algorithm generates an n-digit PIN based on account or person-related validation data. The assigned PIN length parameter specifies the length of the generated PIN.

You can use the GOFF Excrypt command to generate a PIN Offset for use in the IBM 3624 Network.
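
The offset arithmetic described above, as an added example that is not taken from this page or from the HSM's command set: the natural PIN is decimalized from a ciphertext of the validation data, the offset is the digit-wise difference to the customer-selected PIN, and verification adds the offset back. The 3DES encryption under the PVK, which a real HSM performs internally, is replaced here by a labelled stand-in (truncated HMAC-SHA256) so the code runs offline; the function names, key, and account number are constructed for illustration.

```python
import hashlib
import hmac

# Default decimalization table: maps each hex digit of the ciphertext to a decimal digit.
DEC_TABLE = "0123456789012345"

def encrypt_stand_in(pvk: bytes, validation_data: str) -> str:
    """Stand-in (assumption) for the 3DES encryption under the PVK that a real
    HSM performs internally. Truncated HMAC-SHA256, NOT interoperable with any
    HSM; it only provides 16 key-dependent hex digits offline."""
    return hmac.new(pvk, validation_data.encode(), hashlib.sha256).hexdigest()[:16]

def decimalize(hex_digits: str, table: str = DEC_TABLE) -> str:
    return "".join(table[int(h, 16)] for h in hex_digits)

def natural_pin(pvk: bytes, validation_data: str, pin_len: int) -> str:
    if not 4 <= pin_len <= 12:  # ISO 9564 PIN length range
        raise ValueError("PIN length must be 4..12 digits")
    return decimalize(encrypt_stand_in(pvk, validation_data))[:pin_len]

def sub10(a: str, b: str) -> str:
    """Digit-wise (a - b) mod 10, with no borrow between positions."""
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))

def add10(a: str, b: str) -> str:
    """Digit-wise (a + b) mod 10, with no carry between positions."""
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))

def generate_offset(pvk: bytes, validation_data: str, chosen_pin: str) -> str:
    if not (chosen_pin.isascii() and chosen_pin.isdigit()):
        raise ValueError("PIN must be decimal digits")
    return sub10(chosen_pin, natural_pin(pvk, validation_data, len(chosen_pin)))

def verify_pin(pvk: bytes, validation_data: str, entered_pin: str, offset: str) -> bool:
    if len(entered_pin) != len(offset) or not (entered_pin.isascii() and entered_pin.isdigit()):
        return False
    expected = add10(natural_pin(pvk, validation_data, len(offset)), offset)
    return hmac.compare_digest(expected, entered_pin)  # constant-time compare

# Constructed sample values (not a real key or account number).
PVK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
ACCOUNT = "4000001234567899"

if __name__ == "__main__":
    offset = generate_offset(PVK, ACCOUNT, "2580")
    print("offset stored by issuer:", offset)
    print("correct PIN verifies:", verify_pin(PVK, ACCOUNT, "2580", offset))
    print("wrong PIN verifies:", verify_pin(PVK, ACCOUNT, "2581", offset))
```

Because the issuer stores only the offset, a customer can change their PIN without the PVK or the natural PIN changing; only the stored offset is replaced.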

Common PIN and offset generation commands

This section contains PIN and offset generation commands for Excrypt, Standard, and International command sets:

Excrypt

  Command   Description
  GNOF      Generate New Offset
  GOFC      Generate Offset of Clear PIN
  GOFF      Generate PIN offset value
  GPIN      Generate PIN (Diebold Method)
  GPIN      Generate PIN (IBM 3624 Method)
  GPIN      Generate PIN (Visa Method)

Standard

  Command   Description
  34        Generate Clear PIN and Offset
  386       Generate MAC (DUKPT)
  38C       Derive DUKPT Initial PIN Encryption Key
  3D        Generate IBM 3624 Offset
  3FA       Generate PIN and PVV

International

  Command   Description
  BK        Generate IBM 3624 PIN Offset
  DE        Generate IBM PIN Offset
  DG        Generate Visa PIN Verification Value (PVV)
  EE        Derive PIN using the IBM Method
  FW        Generate Visa PIN Verification Value (of a customer-selected PIN)
  JA        Generate Random PIN



EMV key generation and derivation

Europay, Mastercard, and Visa created the EMV standard, a payment method based on a technical standard for smart payment cards, payment terminals, and ATMs that can accept them.

EMV cards are smart cards, also called chip cards, which store their data on integrated circuit chips (ICCs), in addition to magnetic stripes for backward compatibility. These include cards that you physically insert (or dip) into a reader and contactless cards that can be read over a short distance using near-field communication technology.

Payment cards that comply with the EMV standard are often called chip and PIN or chip and signature cards, depending on the authentication methods employed by the card issuer, such as a personal identification number (PIN) or digital signature.

Outside the United States, the chip and PIN process is more common. It requires a secret four-digit PIN code known only by the cardholder to validate the EMV payment, making it significantly more secure. In the U.S., companies have opted for issuing chip and signature cards, weighing the risk of fraudulent transactions against the desire to make the purchasing process as seamless as possible for consumers.

Common EMV key generation and derivation commands

This section contains EMV key generation and derivation commands for Excrypt, Standard, and International command sets:

Excrypt

  Command   Description
  EMVG      Generate Master Key
  EMVK      Derive Key from Vendor Master Key and Derivation Data
  EMVM      Generate/Verify MAC
  GCIV      Generate a CVC IV
  GDAC      Generate a Data Authentication Code (DAC)
  GDCV      Generate DCVC3
  GEMC      Generate EMV ICC Certificate
  GEMQ      Generate EMV Issuer CSR
  GIDN      Generate an ICC dynamic number (IDN)
  GOPC      Generate Offset and EMV PIN Change
  GVDC      Generate a Dynamic CVV
  OFPC      Perform EMV PIN Change Using Offset
  SSAD      Sign Static Authentication Data with Issuer Private Key

Standard

  Command   Description
  352       EMV Message Authentication Code (MAC) Generation
  354       Generate Smart Card Master Key
  368       Create Limited Use Key (LUK)

International

  Command   Description
  KE        Generate an EMV Issuer CSR
  KI        Derive ICC key and encrypt under KEK
  KO        Generate an EMV ICC certificate and sign with issuer private key
  KU        Generate Secure Message with Integrity and optional Confidentiality



Mobile payment token issuance

The pay brands (such as Google Pay, Apple Pay, Samsung Pay, and so on) govern mobile payment tokens. To issue mobile payment tokens to a device, the card issuer (such as Wells Fargo, Chase, Bank of America, and so on) must have a relationship with the particular pay brand to which it plans to issue the mobile payment token. Each pay brand has specific data structures and encryption methods required to communicate a token to a device, so the card issuer must support those methods for it to work.

Common mobile payment token issuance commands

This section contains mobile payment token issuance commands for the Excrypt command set:

Excrypt

  Command   Description
  GHMC      Generate HCE Mobile Cryptogram
  GHMD      Generate HCE Magstripe Verification Value
  GHMK      Generate HCE Mobile Keys



The Standard and International command sets do not support mobile payment token issuance.

Card Verification Value generation

A Card Verification Value (CVV) is similar to a PIN, except that it is not a secret value. A CVV is generated from a Card Verification Key (CVK): the CVK is the base key, and the CVV is derived from that key and the customer account or card number.

Originally, CVV validated that a user has the original card and not a cloned card.

CVV generation and verification commands exist, but there is no CVV translation command, because the CVV is not encrypted between hops.

Common CVV generation commands

This section contains CVV generation commands for Excrypt, Standard, and International command sets:

Excrypt

  Command       Description
  CAAV          Calculate Account holder Authentication Value
  GCAV          Generate CAVV
  GCAV          Generate American Express (Amex) CSC Value
  GCVC          Generate CVC and CVC2
  GCVV          Generate CVV/CVC Value
  GDDC          Generate Discover dynamic CVV
  GVDC          Generate dynamic CVV
  GIDN          Generate ICC dynamic number (IDN)

Standard

  Command       Description
  35B           Generate American Express (Amex) CSC Value
  5D            Generate Card Verification Value (CVV)

International

  Command       Description
  CW            Generate Visa Card Verification Value (CVV)
  RY            Generate Random CSCK
  RY (Mode 3)   Generate Card Security Codes for CSCK





Updated 09 Sep 2024