Required commands

The DK PIN Change verb requires the DK PIN Change command (offset X'02C2') to be enabled in the active role.

When the Disallow PIN block format ISO-1 access control is enabled in the domain role, the PIN block format rule_array keyword ISO-1 is not allowed.

When the General ISO PIN Error Security access control (X'039F') is enabled, the return code is a general PIN block error (return code 8 reason code 2514) instead of some other existing specific PIN block error reason codes. The use of a general return code can prevent the abuse of PIN processing error messages due to information leakage derived from the return code reason codes returned under various conditions. For more details, see PIN block error processing mode.

The access control point ISO PIN blocks do not check PIN digits (X’0055’) is enabled by default in the default role. This prevents CCA from performing any integrity checks on the PIN digits themselves, to comply with the PCI-HSMv4 and ISO 9564.1 standards.

No action is needed by the users, unless they do not need to comply with the PCI-HSMv4 and ISO 9564.1 standards. In this case, they can disable the X’0055’ access control point to allow integrity checks directly on the PIN digits.