Required commands
The required commands for CSNBPCU.
| PIN-block encrypting key-type | Offset | Command | Comment |
|---|---|---|---|
| OPINENC | X'00BC' | PIN Change/Unblock - change EMV PIN with OPINENC | Required if either the new_reference_PIN_key or the current_reference_PIN_key are permitted to be an OPINENC key type. |
| IPINENC | X'00BD' | PIN Change/Unblock - change EMV PIN with IPINENC | Required if either the new_reference_PIN_key or the current_reference_PIN_key are permitted to be an IPINENC key type. |
When a MAC-MDK or an ENC-MDK of key type DKYGENKY is specified with control vector bits (19 - 22) of B'1111', the Diversified Key Generate - DKYGENKY - DALL command (offset X'0290') must also be enabled in the active role.
An enhanced PIN security mode is available for extracting PINs from an IBM® 3624 encrypted PIN-block using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits, and a minimum PIN length of 4 is enforced; no other PIN-block consistency checking will occur. To activate this mode, enable the Enhanced PIN Security command (offset X'0313') in the active role.
When the Disallow PIN block format ISO-1 access control is enabled in the domain role, the PIN block format in the new_reference_PIN_profile, current_reference_PIN_profile, and output_PIN_profile parameters is not allowed to be ISO-1.
The access control point ISO PIN blocks do not check PIN digits (X’0055’) is enabled by default in the default role. This prevents CCA from performing any integrity checks on the PIN digits themselves, to comply with the PCI-HSMv4 and ISO 9564.1 standards.
No action is needed by the users, unless they do not need to comply with the PCI-HSMv4 and ISO 9564.1 standards. In this case, they can disable the X’0055’ access control point to allow integrity checks directly on the PIN digits.