Parameters

Edit online

The parameters for CSNBFPET.

For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see Parameters common to all verbs.

rule_array_count
A pointer to an integer variable containing the number of elements in the rule_array variable. The minimum value is 4. The maximum value is 10.
rule_array
Keywords that provide control information to the verb. The rule_array keywords are described in Table 1.
Note: At least one character set keyword is required.
Table 1. Keywords for FPE Translate control information
Keyword Description
Processing method (required)
VMDS Specifies that the VDSP method (Visa Data Secure Platform method, formally known as the Visa Merchant Data Secure (VMDS) method) is to be used for processing.
Key management method (one required)
STATIC Specifies the use of double length (2-key) triple-DES symmetric keys. This is a non-DUKPT key.
DUKPT Specifies the use of the transaction unique general purpose Data Encryption Keys generated by the DUKPT process at the point of service for data encryption. This is required if VFPE mode is specified. Otherwise, this is optional.

Both DES DUKPT and AES DUKPT key derivation methods are supported. The content of the derivation_data parameter determines which DUKPT method is used.
Algorithm (required)
TDES Specifies the use of CBC mode triple-DES encryption.
Mode (one required)
CBC Specifies the use of CBC mode. This is the mode for the standard encryption option.
VFPE Specifies the use of Visa format preserving encryption.
PAN input output character set (one required if the clear_PAN_length variable is greater than 0. Otherwise, it is not allowed.)
PAN8BITA Specifies that the PAN data character set is ASCII represented in binary form. Valid only for VFPE mode.
PAN4BITX Specifies that the PAN data character set is 4-bit hex with two digits per byte. Valid only for VFPE mode.
PAN-EBLK Specifies that the PAN data is in a CBC encrypted block. Valid only for CBC mode.
Cardholder name input output character set (required if the clear_cardholder_name_length variable is greater than 0.)
CN8BITA Specifies that the cardholder name character set is ASCII represented in binary format, one character per byte. See Table 1 for valid characters.
CN-EBLK Specifies that the cardholder name data is in a CBC-encrypted block.
Track_1 input output character set (required if the clear_dtrack1_data_length variable is greater than 0. Otherwise, it is not valid.)
TK18BITA Specifies that the track 1 discretionary data character set is ASCII represented in binary format, one character per byte. See Table 1 for valid characters.
TK1-EBLK Specifies that the track 1 discretionary data is in a CBC-encrypted block. Valid only for CBC mode.
Track_2 input output character set (required if the clear_dtrack2_data_length variable is greater than 0. Otherwise, it is not valid.)
TK28BITA Specifies that the track 2 discretionary data character set is ASCII represented in binary format. Valid only for VFPE mode.
TK2-EBLK Specifies that the track 2 discretionary data is in a CBC encrypted block. Valid only for CBC mode.
PIN encryption key output selection (one, optional, if DUKPT is specified. Otherwise, it is not valid.)
NOPINKEY Do not return a DUKPT PIN encryption key. This is the default.
PINKEY Return a DUKPT PIN encryption key.
PAN check digit compliance (one required if mode VFPE and the PAN input character set keyword is present. Otherwise, it is not allowed.)
CMPCKDGT Last digit of the PAN contains a compliant check digit per ISO/IEC 7812-1.
NONCKDGT Last digit of the PAN does not contain a compliant check digit per ISO/IEC 7812-1.
input_PAN_length
Specifies the length of the input_PAN parameter in bytes if the mode is CBC. Specifies the number of PAN digits if the mode is VFPE. The value is 0 if PAN data has not been presented for translation. Otherwise, the value is in the range 15 - 19 for VFPE. The value must be 16 if the standard option with CBC mode is selected.
input_PAN
The enciphered primary account number (PAN) that is to be translated. For VFPE mode, if the PAN contains an odd number of 4-bit digits, the data is left justified in the PAN variable and the right-most 4 bits are ignored.
input_cardholder_name_length
Specifies the length of the input_cardholder_name parameter in bytes. This value must be 0 if cardholder name is not presented for translation. Otherwise, the value is in the range 1 - 32 for VFPE. For CBC mode, the input value is either 16, 24, 32, or 40.
input_cardholder_name
The enciphered cardholder full name that is to be translated. Only characters in Table 3 are valid.
input_dtrack1_data_length
Specifies the length of the input_dtrack1_data parameter in bytes. This value must be 0 if track 1 discretionary data is not presented for translation. Otherwise, the value is in the range 1 - 56 for VFPE. For CBC mode, the input value is either 16, 24, 32, 40, 48, 56, or 64.
input_dtrack1_data
The encrypted track 1 data that is to be translated. Only characters in Table 3 are valid.
input_dtrack2_data_length
Specifies the length of the input_dtrack2_data parameter in bytes. This value must be 0 if track 2 discretionary data is not presented for translation. Otherwise, the value is in the range 1 - 19 for VFPE. For CBC mode, the input value is either 8 or 16.
input_dtrack2_data
The encrypted track 2 data that is to be translated.
input_key_identifier_length
Specifies the length of the input_key_identifier parameter in bytes.

When DES DUKPT method is specified, set the value to 64 for a CCA token, or up to 9992 for a TR-31 token. When AES DUKPT method is used the maximum value is 3500 for a CCA token, and 9992 for a TR-31 token.

input_key_identifier
The identifier of the key that is used to either decrypt the card data (key management STATIC) or derive the DUKPT_PIN_key_identifer (key management DUKPT). The key identifier is an operational token or the key label of an operational token in key storage.

For the DES-DUKPT key derivation method, the base derivation key is the one from which the operational keys are derived using the DUKPT algorithm defined in ANS X9.24-1 2017 (Part 1). If the key is a CCA token, then the key type must be KEYGENKY. In addition, it must have a control vector with bit 18 equal to B'1' (UKPT).

If the key is a TR-31 token, it must have the following attributes:

  • TR-31 key usage: B0
  • Algorithm: T
  • TR-31 mode of key use: X

For the AES-DUKPT key derivation method, the BDK is the one from which the operational keys are derived using the DUKPT algorithm defined in ANSI x9.24-3 2017. If the key is a CCA token, then it is an AES DKYGENKY with the A-DUKPT bit set to 1 in the low-order byte of key usage field 1, indicating this key is allowed to be used as base derivation key (BDK).

If the key is a TR-31 token, it must have the following attributes:

  • TR-31 key usage: B0
  • Algorithm: A
  • TR-31 mode of key use: X

For key management STATIC, (Zone Encryption Key in the VDSP specification), the key type must be either a CCA DES CIPHER or ENCIPHER key, or a TR-31 key with the following attributes:

  • TR-31 key usage: D0
  • Algorithm: T
  • TR-31 mode of key use: B or D

For production purposes, it is recommended that the key have left and right halves that are not equal.

Note: Data keys are not supported.

If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.

output_key_identifier_length
Specifies the length of the output_key_identifier parameter in bytes. The value must be 64 for a CCA token, and up to 9992 for a TR-31 token.
output_key_identifier
The identifier of the key that is used to decrypt the output card data. The key identifier is an operational token or the key label of an operational token in key storage.

The key type must be either a CCA DES CIPHER or ENCIPHER key, or a TR-31 key with the following attributes:

  • TR-31 key usage: D0
  • Algorithm: T
  • TR-31 mode of key use: B or E

For production purposes, it is recommended that the key have left and right halves that are not equal.

Note: Data keys are not supported.

If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.

derivation_data_length
Specifies the length of the derivation_data parameter in bytes. To specify the DES DUKPT method, set the value to 10 if the key management method DUKPT is specified in the rule array. To specify the AES DUKPT method, set the value to 20 if the key management method DUKPT is specified in the rule array. Otherwise, this value must be 0.
derivation_data
When specifying the DES-DUKPT method, the derivation_data parameter contains the 80 bit (10 byte) derivation data that is used as input to the DUKPT derivation process. The derivation data contains the current key serial number (CKSN), which is composed of the 59 bit initial key serial number concatenated with the 21 bit value of the current encryption counter, which the device increments for each new transaction. This field is in binary format.
When specifying the AES DUKPT method, parameter derivation_data contains the 20 byte AES DUKPT Derivation Data structure. See Table 1 for the layout of the AES DUKPT derivation data. Bytes 4 and 5, algorithm indicator, must be set to 0x0000 (2-key TDEA) or 0x0001 (3-key TDEA). Bytes 2 and 3, key usage indicator, must be se t to 0x1000 (PIN Encryption).
output_PAN_length
Specifies the number of bytes of data in the output_PAN parameter. This value is 0 or 16 on output.
output_PAN
This parameter returns the translated primary account number with which the PIN is associated. The full account number, including check digit, is translated. The data for this parameter is returned as TDES-encrypted data in binary format. The 16 byte output is left justified in this field.
output_cardholder_name_length
Specifies the length of the output_cardholder_name parameter in bytes. This output value is either 0 or 16, 24, 32, or 40 bytes on output. The variable can be larger on input. However, on output, this field is updated to indicate the actual number of bytes returned by the card.
output_cardholder_name
This parameter returns the translated cardholder full name. The data for this parameter is returned as TDES-encrypted data in binary format.
output_dtrack1_data_length
Specifies the length of the output_dtrack1_data parameter in bytes. The output value is either 0 or 16, 24, 32, 40, 48, 56, or 64 bytes. The value can be larger on input. However, on output, this field is updated to indicate the actual number of bytes returned by the service.
output_dtrack1_data
This parameter returns the translated discretionary track 1 data. This is the discretionary data from track 1 of a magnetic stripe card. The data for this parameter is returned as TDES-encrypted data in binary format.
output_dtrack2_data_length
Specifies the length of the output_dtrack2_data parameter in bytes. The output value is either 0, 8, or 16. The value can be larger on input. However, on output, this field is updated to indicate the actual number of bytes returned by the service.
output_dtrack2_data
This parameter returns the translated discretionary track 2 data. This is the discretionary data from track 2 of a magnetic stripe card. The data for this parameter is returned as TDES-encrypted data in binary format.
DUKPT_PIN_key_identifier_length
Specifies the length of the DUKPT_PIN_key_identifier parameter in bytes. If the PINKEY rule-array keyword is specified, set this value to 64 for a CCA token, and up to 9992 for a TR-31 token. Otherwise, set this value to 0. On output, the variable is updated with the length of the data returned in the DUKPT_PIN_key_identifier variable.
DUKPT_PIN_key_identifier
On input, this parameter must contain either a CCA or TR-31 skeleton token. For a CCA token, it must be a DES OPINENC or IPINENC skeleton token. On output, it contains the DES token with the derived DES OPINENC or IPINENC key.

For a TR-31 token, it must be a DES skeleton token with the following attributes:

  • TR-31 key usage: P0
  • Algorithm: T
  • TR-31 mode of key use: B, D, or E

On output, it contains the TR-31 DES token with the newly derived key.

reserved1_length
Specifies the length of the reserved1 parameter in bytes. The value must be 0.
reserved1
This parameter is ignored.
reserved2_length
Specifies the length of the reserved2 parameter in bytes. The value must be 0.
reserved2
This parameter is ignored.