SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

SAF will be invoked to check authorization to use the Encrypted PIN Generate service and any key labels specified as input.

This table shows the access control points in the ICSF role that control the function of this service.

If the ANSI X9.8 PIN - Use stored decimalization tables only access control point is enabled in the ICSF role, any decimalization table specified must match one of the active decimalization tables in the coprocessors.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 191. Encrypted PIN generate required hardware

Server	Required cryptographic hardware	Restrictions
IBM zSeries 900	PCI Cryptographic Coprocessor	ISO-3 PIN block format is not supported.
IBM zSeries 990 IBM zSeries 890	PCI X Cryptographic Coprocessor Crypto Express2 Coprocessor	ISO-3 PIN block format is not supported.
IBM System z9 EC IBM System z9 BC	Crypto Express2 Coprocessor	ISO-3 PIN block format requires the Nov. 2007 or later licensed internal code (LIC).