z/OS Cryptographic Services ICSF Application Programmer's Guide


PIN-Encrypting Keys

SA22-7522-16

A unique master key variant enciphers each type of key. For further key separation, an installation can choose to have each PIN block format enciphered under a different PIN-encrypting key. A PIN-encrypting key can have a 16-byte PIN block variant constant exclusive ORed with it before the key is used to translate or verify PIN blocks. This is specified in the format control field in the Encrypted PIN translate and Encrypted PIN verify callable services.

Use PIN block variant constants only when you are communicating with another host processor that has the Integrated Cryptographic Service Facility.

Derived Unique Key Per Transaction Algorithms

ICSF supports ANSI X9.24 derived unique key per transaction algorithms to generate PIN-encrypting keys from user data. ICSF supports both single- and double-length key generation. Keywords for single- and double-length key generation cannot be mixed. A PCICC, PCIXCC, CEX2C, or CEX3C is required for this support. Double-length key generation is only supported on z990 with the May 2004 LIC or higher, z890, z9 EC and z9 BC.

Encrypted PIN Translate

The UKPTIPIN, IPKTOPIN and UKPTBOTH keywords will cause the service to generate single-length keys. DUKPT-IP, DUKPT-OP and DUKPT-BH are the respective keywords to generate double-length keys. The input_PIN_profile and output_PIN_profile must supply the current key serial number when these keywords are specified.

Encrypted PIN Verify

The UKPTIPIN keyword will cause the service to generate single-length keys. DUKPT-IP is the keyword for double-length key generation. The input_PIN_profile must supply the current key serial number when these keywords are specified.

For more information about PIN-encrypting keys, see z/OS Cryptographic Services ICSF Administrator’s Guide.





Copyright IBM Corporation 1990, 2014