Parameters

Edit online

The parameters for CSNBFPED.

For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see Parameters common to all verbs.

rule_array_count
Direction: Input
Type: Integer
A pointer to an integer variable containing the number of elements in the rule_array variable. The minimum value is 5. The maximum value is 10.
rule_array
Direction: Input
Type: String array
Keywords that provide control information to the verb. The rule_array keywords are described in Table 1.
Note: At least one character set keyword is required.
Table 1. Keywords for FPE Decipher control information

Keywords for FPE Decipher control information
Keyword Description
Processing method (required)
VMDS Specifies that the VDSP method (Visa Data Secure Platform method, formally known as the Visa Merchant Data Secure (VMDS) method) is to be used for processing.
Key management method (one required)
STATIC Specifies the use of double length (2-key) triple-DES symmetric keys. This is a non-DUKPT key.
DUKPT Specifies the use of the transaction unique general purpose Data Encryption Keys generated by the DUKPT process at the point of service for data encryption. This is required if VFPE mode is specified. Otherwise, this is optional.

Both, the DES DUKPT and AES DUKPT key derivation methods are supported. The content of the derivation_data parameter determines which DUKPT method is used.

Algorithm (required)
TDES Specifies the use of CBC mode triple-DES encryption.
Mode (one required)
CBC Specifies the use of CBC mode. This is the mode for the standard encryption option.
VFPE Specifies the use of Visa format preserving encryption.
PAN input output character set (one required if the clear_PAN_length variable is greater than 0. Otherwise, it is not allowed.)
PAN8BITA Specifies that the PAN data character set is ASCII represented in binary form. Valid ASCII values are in the range 0 - 9 (X'30' - X'39').
PAN4BITX Specifies that the PAN data character set is 4-bit hex with two digits per byte. Valid 4-bit hexadecimal values are in the range X'0' - X'9'.
Cardholder name input output character set (required if the clear_cardholder_name_length variable is greater than 0. Otherwise, it is not allowed.)
CN8BITA Specifies that the cardholder name character set is ASCII represented in binary format, one character per byte. See Table 1 for valid characters.
Track_1 input output character set (required if the clear_dtrack1_data_length variable is greater than 0. Otherwise, it is not valid.)
TK18BITA Specifies that the track 1 discretionary data character set is ASCII represented in binary format, one character per byte. See Table 1 for valid characters.
Track_2 input output character set (required if the clear_dtrack2_data_length variable is greater than 0. Otherwise, it is not valid.)
TK28BITA Specifies that the track 2 discretionary data character set is ASCII represented in binary format, one character per byte. Valid ASCII values are in the range 0 - 9 (X'30' - X'39') and A - F (X'41' - X'46').
PIN encryption key output selection (one, optional, if DUKPT is specified. Otherwise, it is not valid.)
NOPINKEY Do not return a DUKPT PIN encryption key. This is the default.
PINKEY Return a DUKPT PIN encryption key.
PAN check digit compliance (one required if mode VFPE and the pan character set keyword is present. Otherwise, it is not allowed.)
CMPCKDGT Last digit of the PAN contains a compliant check digit per ISO/IEC 7812-1.
NONCKDGT Last digit of the PAN does not contain a compliant check digit per ISO/IEC 7812-1.
enc_PAN_length
Direction: Input
Type: Integer
Specifies the length of the enc_PAN parameter in bytes if the mode is CBC or the number of PAN digits if the mode is VFPE. The value is either 0 or in the range 15 - 19 for VFPE. The value must be 0 or 16 if the standard option with CBC mode is selected. The value is zero when the PAN has not been presented for decryption.
enc_PAN
Direction: Input
Type: String
The enciphered primary account number (PAN) that is to be decrypted. For VFPE mode, if the PAN contains an odd number of 4-bit digits, the data is left justified in the PAN variable and the right-most 4 bits are ignored.
enc_cardholder_name_length
Direction: Input
Type: Integer
Specifies the length of the enc_cardholder_name parameter in bytes. The input value is either 0 or in the range 1 - 32, inclusive for VFPE. For the standard method, the input value is either 0 or in the range 2 - 32 for VFPE. For CBC mode, the input value is 0, 16, 24, 32, or 40. The value is zero when the cardholder name has not been presented for decryption.
enc_cardholder_name
Direction: Input
Type: String
The enciphered cardholder full name that is to be decrypted. Only characters in Table 3 are valid.
enc_dtrack1_data_length
Direction: Input
Type: Integer
Specifies the length of the enc_dtrack1_data parameter in bytes. The input value is either 0 or in the range 1 - 56, inclusive for VFPE. For the standard method, the input value is either 0 or in the range 1 - 56 for VFPE. For CBC mode, the input value is 0 or 16, 24, 32, 40, 48, 56, or 64. The value is zero when the track 1 discretionary data has not been presented for decryption.
enc_dtrack1_data
Direction: Input
Type: String
The encrypted track 1 data that is to be decrypted. Only characters in Table 3 are valid.
enc_dtrack2_data_length
Direction: Input
Type: Integer
Specifies the length of the enc_dtrack2_data parameter in bytes. The input value is either 0 or in the range 1 - 19 for VFPE. For mode CBC, the input value is 0, 8, or 16. The value is zero when the track 2 discretionary data is not presented for decryption.
enc_dtrack2_data
Direction: Input
Type: String
The encrypted track 2 data that is to be decrypted.
key_identifier_length
Direction: Input
Type: Integer
Specifies the length of the key_identifier parameter in bytes.

When DES DUKPT method is specified, set the value to 64 for a CCA token, or up to 9992 for a TR-31 token. When AES DUKPT method is used the maximum value is 3500 for a CCA token, and 9992 for a TR-31 token.

key_identifier
Direction: Input/Output
Type: String
The identifier of the key that is used to either decrypt the card data (key management STATIC) or derive the DUKPT_PIN_key_identifer (key management DUKPT). The key identifier is an operational token or the key label of an operational token in key storage.

For the DES DUKPT key derivation method, the base derivation key is the one from which the operational keys are derived using the DUKPT algorithm defined in ANS X9.24-1 2017 (Part 1). If the key is a CCA token, then the key type must be KEYGENKY. In addition, it must have a control vector with bit 18 equal to B'1' (UKPT).

If the key is a TR-31 token, it must have the following attributes:

  • TR-31 key usage: B0
  • Algorithm: T
  • TR-31 mode of key use: X

For the AES DUKPT key derivation method, the BDK is the one from which the operational keys are derived using the DUKPT algorithm defined in ANSI x9.24-3 2017. If the key is a CCA token, then it is an AES DKYGENKY key type with the A-DUKPT bit set to 1 in the low-order byte of key usage field 1, indicating this key is allowed to be used as base derivation key (BDK).

If the key is a TR-31 token, it must have the following attributes:

  • TR-31 key usage: B0
  • Algorithm: A
  • TR-31 mode of key use: X

For key management STATIC, (Zone Encryption Key in the VDSP specification), the key type must be either a CCA DES CIPHER or ENCIPHER key, or a TR-31 key with the following attributes:

  • TR-31 key usage: D0
  • Algorithm: T
  • TR-31 mode of key use: B or D

For production purposes, it is recommended that the key have left and right halves that are not equal.

Note: Data keys are not supported.

If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.

derivation_data_length
Direction: Input
Type: Integer
Specifies the length of the derivation_data parameter in bytes. To specify the DES DUKPT method, set the value to 10 if the key management method DUKPT is specified in the rule array. To specify the AES DUKPT method, set the value to 20 if the key management method DUKPT is specified in the rule array. Otherwise, this value must be 0.
derivation_data
Direction: Input
Type: String

When specifying the DES DUKPT method, the derivation_data parameter contains the 80 bit (10 byte) derivation data that is used as input to the DUKPT derivation process. The derivation data contains the current key serial number (CKSN), which is composed of the 59 bit initial key serial number, and concatenated with the 21 bit value of the current encryption counter, which the device increments for each new transaction. This field is in binary format.

When specifying the AES-DUKPT method, the derivation_data parameter contains the 20 byte AES-DUKPT derivation data. See AES-DUKPT reference for the layout of the AES-DUKPT derivation data. The algorithm indicator must be set to X'0000' (2- key TDES). The key usage indicator must be set to X'1000' (PIN Encryption).

clear_PAN_length
Direction: Input/Output
Type: Integer
Specifies the number of PAN digits in the clear_PAN parameter. This value must either be 0 or in the range 15 - 19, inclusive on output.
clear_PAN
Direction: Output
Type: String
This parameter returns the deciphered primary account number. The full account number, including check digit, is recovered. The data for this parameter is returned in binary format. It is the binary representation of 4-bit hex (keyword PAN4BITX) or ASCII (keyword PAN8BITA) as indicated by the supplied rule array keyword. The clear PAN is left justified in this field.
clear_cardholder_name_length
Direction: Input/Output
Type: Integer
Specifies the length of the clear_cardholder_name parameter in bytes. This output value is either 0 or in the range 2 - 32 on output. The variable can be larger on input. However, on output, this field is updated to indicate the actual number of bytes returned by the service.
clear_cardholder_name
Direction: Output
Type: String
This parameter returns the deciphered cardholder full name. The output data for this parameter is in binary format. It is the binary representation of ASCII as indicated by the supplied rule array keyword.
clear_dtrack1_data_length
Direction: Input/Output
Type: Integer
Specifies the length of the clear_dtrack1_data parameter in bytes. The output value is either 0 or in the range 1 - 56. The value can be larger on input. However, on output, this field is updated to indicate the actual number of bytes returned by the service.
clear_dtrack1_data
Direction: Output
Type: String
This parameter returns the deciphered discretionary track 1 data.
clear_dtrack2_data_length
Direction: Input/Output
Type: Integer
Specifies the length of the clear_dtrack2_data parameter in bytes. The output value is either 0 or in the range 1 - 19. The value can be larger on input. However, on output, this field is updated to indicate the actual number of bytes returned by the service.
clear_dtrack2_data
Direction: Output
Type: String
This parameter returns the deciphered discretionary track 2 data.
DUKPT_PIN_key_identifier_length
Direction: Input/Output
Type: Integer
Specifies the length of the DUKPT_PIN_key_identifier parameter in bytes. If the PINKEY rule-array keyword is specified, set this value to 64 for a CCA token, and up to 9992 for a TR-31 token. Otherwise, set this value to 0. On output, the variable is updated with the length of the data returned in the DUKPT_PIN_key_identifier variable.
DUKPT_PIN_key_identifier
Direction: Input/Output
Type: String
On input, this parameter must contain either a CCA or TR-31 skeleton token. For a CCA token, it must be a DES OPINENC or IPINENC skeleton token. On output, it contains the DES token with the derived DES OPINENC or IPINENC key.

For a TR-31 token, it must be a DES skeleton token with the following attributes:

  • TR-31 key usage: P0
  • Algorithm: T
  • TR-31 mode of key use: B, D, or E

On output, it contains the TR-31 DES token with the newly derived key.

reserved1_length
Direction: Input
Type: Integer
Specifies the length of the reserved1 parameter in bytes. The value must be 0.
reserved1
Direction: Input
Type: String
This parameter is ignored.
reserved2_length
Direction: Input/Output
Type: Integer
Specifies the length of the reserved2 parameter in bytes. The value must be 0.
reserved2
Direction: Input
Type: String
This parameter is ignored.