Parameters
The parameters for CSNBDCU2.
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see Parameters common to all verbs.
- rule_array_count
-
A pointer to an integer variable containing the number of elements in the rule_array variable. This value must be 0 or 1.Direction: Input Type: Integer - rule_array
-
Keywords that provide control information to the verb. The keywords are left-aligned in an 8-byte field and padded on the right with blanks. The keywords must be in contiguous storage. The rule_array keywords are described in Table 1.Direction: Input Type: String array Table 1. Keywords for DK PRW Card Number Update2 control information Keywords for DK PRW Card Number Update2 control information
Keyword Description PIN Block output selection keyword (One or two, optional) CHIP-EPB Specifies to return a chip-encrypted PIN block in PBF-1 format in the new_chip_encrypted_PIN_block variable. It is encrypted using the key identified by the OPIN_chip_encryption_key_identifier parameter. Cannot be combined with NOEPB. EPB Specifies to return an encrypted PIN (EPB) block together with a PIN block MAC: - The PIN block is returned in PBF-1 format in the new_encrypted_PIN_block variable, encrypted using the key identified by the OPIN_encryption_key_identifier parameter.
- The MAC is returned in the new_PIN_block_MAC variable, calculated using the key identified by the OEPB_MAC_key_identifier parameter with the CMAC algorithm (NIST SP 800-38B). The MAC is calculated over the concatenation of the encrypted PIN block and permanent card data (card_p_data).
NOEPB Specifies to not return an encrypted PIN block (EPB). This is the default. PAN test selection (One, optional) NOPANTST Specifies to not perform a PAN test. This is the default. PANTST Specifies to perform a PAN test of the equality of the PAN recovered from the encrypted_PIN_block variable and the clear PAN provided by the PAN_data variable. The result is returned in the return_code variable. Return code 4 indicates that the clear PAN values are not equal, while return code 0 indicates that they are equal (success).
- card_p_data_length
-
Specifies the length in bytes of the card_p_data parameter. The value must be in the range 2 - 256.Direction: Input Type: Integer - card_p_data
-
Direction: Input Type: String The time-invariant card data (CDp), determined by the card issuer, which is used to differentiate between multiple cards for one account.
- card_t_data_length
-
Specifies the length in bytes of the card_t_data parameter. The value must be in the range 2 - 256.Direction: Input Type: Integer - card_t_data
-
The time-sensitive card data, determined by the card issuer, which, together with the account number and the card_p_data parameter, specifies an individual card.Direction: Input Type: String - encrypted_PIN_block_length
-
Specifies the length in bytes of the encrypted_PIN_block parameter. The value must be 32.Direction: Input Type: Integer - encrypted_PIN_block
-
The 32-byte input encrypted PIN block in PBF-1 format.Direction: Input Type: String - PIN_block_MAC_length
-
Specifies the length in bytes of the PIN_block_MAC parameter. The value must be 8.Direction: Input Type: Integer - PIN_block_MAC
-
The 8-byte CMAC of the encrypted PIN block.Direction: Input Type: String - PRW_key_identifier_length
-
Specifies the length in bytes of the PRW_key_identifier parameter. If the PRW_key_identifier contains a label, the length must be 64. Otherwise, the value must be at least the actual token length, up to 725.Direction: Input Type: Integer - PRW_key_identifier
-
The identifier of the PRW generating key. The key identifier is an operational token or the key label of an operational token in key storage. The key algorithm of this key must be AES, the key type must be PINPRW, the key usage fields must indicate GENONLY, CMAC, and DKPINOP.Direction: Input/Output Type: String If the supplied token was encrypted under the old master key, the token is returned encrypted under the current master key.
- IPIN_encryption_key_identifier_length
-
Specifies the length in bytes of the IPIN_encryption_key_identifier parameter. If the IPIN_encryption_key_identifier contains a label, the length must be 64. Otherwise, the value must be at least the actual token length, up to 725.Direction: Input Type: Integer - IPIN_encryption_key_identifier
-
The identifier of the key that encrypts the input PIN block. The key identifier is an operational token or the key label of an operational token in key storage. The key algorithm of this key must be AES, the key type must be PINPROT, and the key usage fields must indicate DECRYPT, CBC, and DKPINOP.Direction: Input/Output Type: String If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.
- IEPB_MAC_key_identifier_length
-
Specifies the length in bytes of the IEPB_MAC_key_identifier parameter. If the IEPB_MAC_key_identifier contains a label, the length must be 64. Otherwise, the value must be at least the actual token length, up to 725.Direction: Input Type: Integer - IEPB_MAC_key_identifier
-
The identifier of the key to verify the MAC of the input PIN block. The key identifier is an operational token or the key label of an operational token in key storage. The key algorithm of this key must be AES, the key type must be MAC, and the key usage fields must indicate CMAC, VERIFY, and DKPINOP.Direction: Input/Output Type: String If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.
- OPIN_encryption_key_identifier_length
-
Specifies the length in bytes of the OPIN_encryption_key_identifier parameter.Direction: Input Type: Integer If the keyword EPB in the rule array is not specified, this value must be 0.
If the OPIN_encryption_key_identifier contains a label, the length must be 64. Otherwise, the value must be at least the actual token length, up to 725.
- OPIN_encryption_key_identifier
-
The identifier of the key to wrap the new PIN block. The key identifier is an operational token or the key label of an operational token in key storage. When the OPIN_encryption_key_identifier_length is 0, this value is ignored. The key algorithm of this key must be AES, the key type must be PINPROT, and the key usage fields must indicate ENCRYPT, CBC, and DKPINOP.Direction: Input/Output Type: String If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.
- OEPB_MAC_key_identifier_length
-
Specifies the length in bytes of the OEPB_MAC_key_identifier parameter. When the keyword EPB in the rule array is not specified, this value must be 0.Direction: Input Type: Integer If the OEPB_MAC_key_identifier contains a label, the length must be 64. Otherwise, the value must be at least the actual token length, up to 725.
- OEPB_MAC_key_identifier
-
The identifier of the key to generate the MAC of the PIN block.. The key identifier is an operational token or the key label of an operational token in key storage. If the OEPB_MAC_key_identifier_length is 0, this parameter is ignored. The key algorithm of this key must be AES, the key type must be MAC, and the key usage fields must indicate GENONLY, CMAC, and DKPINOP.Direction: Input/Output Type: String If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.
- OPIN_chip_encryption_key_identifier_length
-
Specifies the length in bytes of the OPIN_chip_encryption_key_identifier parameter. If the keyword CHIP-EPB in the rule array is not specified, this value must be 0. If the OPIN_chip_encryption_key_identifier contains a label, the length must be 64. Otherwise, the value must be between the actual length of the token and 725.Direction: Input Type: Integer - OPIN_chip_encryption_key_identifier
-
The identifier of the key to encrypt the optional PIN block for the personalization unit. The key identifier is an operational token or the key label of an operational token in key storage. When the OPIN_chip_encryption_key_identifier_length is 0, this parameter is ignored. The key algorithm of this key must be AES, the key type must be PINPROT, and the key usage fields must indicate ENCRYPT, CBC, and DKPINOP.Direction: Input Type: String If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.
- PAN_data_length
-
Specifies the length in bytes of the PAN_data parameter. The value must be in the range 10 – 19 when the PANTST keyword is specified. Otherwise, the value must be 0.Direction: Input Type: Integer - PAN_data
-
The primary account number (PAN) data used to generate PIN. Include the full account number, including the check digit. When the PAN_data_length value is 0, this parameter is ignored.Direction: Input Type: String - PIN_reference_value_length
-
Specifies the length in bytes of the PIN_reference_value parameter. This value must be 16. On output, it is set to 16.Direction: Input/Output Type: Integer - PIN_reference_value
-
The calculated 16-byte PIN reference value.Direction: Output Type: String - PRW_random_number_length
-
Specifies the length in bytes of the PRW_random_number parameter. The value must be 4. On output, it is set to 4.Direction: Input/Output Type: Integer - PRW_random_number
-
The 4-byte random number associated with the PIN reference value.Direction: Output Type: String - new_encrypted_PIN_block_length
-
Specifies the length in bytes of the new_encrypted_PIN_block parameter. If the keyword EPB is not specified in the rule array, this parameter must be zero. Otherwise, the parameter should be at least 32.Direction: Input/Output Type: Integer - new_encrypted_PIN_block
-
The new 32-byte encrypted PIN block in PBF-1 format. If the new_encrypted_PIN_block_length value is zero, this parameter is ignored.Direction: Output Type: String - new_PIN_block_MAC_length
-
Specifies the length in bytes of the new_PIN_block_MAC parameter. If the EPB keyword is not specified in the rule array, this value must be zero. Otherwise, it must be at least 8.Direction: Input/Output Type: Integer - new_PIN_block_MAC
-
The new 8-byte CMAC of the new PIN block. If the new_PIN_block_MAC_length value is zero, this parameter is ignored.Direction: Output Type: String - new_chip_encrypted_PIN_block_length
-
Specifies the length in bytes of the new_chip_encrypted_PIN_block parameter. If the CHIPEPB keyword is not specified in the rule array, the value to 0. Otherwise, on input the value must be at least 32.Direction: Input/Output Type: Integer - new_chip_encrypted_PIN_block
-
The 32-byte chip encrypted PIN block. If the new_chip_encrypted_PIN_block_length value is zero, this parameter is ignored.Direction: Input/Output Type: String