Required commands

The required commands for CSNBPCU.

This verb requires the following commands to be enabled in the active role based on the permissible key-type, IPINENC or OPINENC, used in the decryption of the input PIN blocks.

Required commands for the PIN Change/Unblock verb

| PIN-block encrypting key-type | Offset | Command | Comment |
|---|---|---|---|
| OPINENC | X'00BC' | PIN Change/Unblock - change EMV PIN with OPINENC | Required if either the new_reference_PIN_key or the current_reference_PIN_key are permitted to be an OPINENC key type. |
| IPINENC | X'00BD' | PIN Change/Unblock - change EMV PIN with IPINENC | Required if either the new_reference_PIN_key or the current_reference_PIN_key are permitted to be an IPINENC key type. |

When a MAC-MDK or an ENC-MDK of key type DKYGENKY is specified with control vector bits (19 - 22) of B'1111', the Diversified Key Generate - DKYGENKY - DALL command (offset X'0290') must also be enabled in the active role.

Note: A role with offset X'0290' enabled can also use the Diversified Key Generate verb with a DALL key.

An enhanced PIN security mode is available for extracting PINs from an IBM® 3624 encrypted PIN-block using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits, and a minimum PIN length of 4 is enforced; no other PIN-block consistency checking will occur. To activate this mode, enable the Enhanced PIN Security command (offset X'0313') in the active role.

When the Disallow PIN block format ISO-1 access control is enabled in the domain role, the PIN block format in the new_reference_PIN_profile, current_reference_PIN_profile, and output_PIN_profile parameters is not allowed to be ISO-1.
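The rules above can be checked against a role before the verb is called. The following sketch is an added example, not IBM code: the function names, parameters and the sample control vector are hypothetical, the offsets are the ones listed on this page, and control vector bits are assumed to be numbered from 0 at the leftmost bit.

```python
# Added example: pre-flight check of a role against the CSNBPCU rules on this page.
# All names are hypothetical; only the offsets come from the page.
PIN_KEY_OFFSETS = {"OPINENC": 0x00BC, "IPINENC": 0x00BD}
DKYGENKY_DALL = 0x0290          # Diversified Key Generate - DKYGENKY - DALL
ENHANCED_PIN_SECURITY = 0x0313  # Enhanced PIN Security


def cv_bits(cv: bytes, first: int, last: int) -> int:
    """Return control vector bits first..last (assumption: bit 0 is leftmost)."""
    value = int.from_bytes(cv, "big")
    shift = len(cv) * 8 - 1 - last
    return (value >> shift) & ((1 << (last - first + 1)) - 1)


def check_pcu_call(role_offsets, pin_key_types, dkygenky_cvs=(), pin_formats=(),
                   iso1_disallowed=False, want_enhanced_pin=False):
    """Return a list of findings; an empty list means the role fits the call.

    role_offsets   -- set of command offsets enabled in the active role
    pin_key_types  -- key types permitted for the reference PIN keys
    dkygenky_cvs   -- control vectors of the MAC-MDK / ENC-MDK keys of
                      key type DKYGENKY (caller passes only those)
    pin_formats    -- PIN block formats named in the three PIN profiles
    """
    findings = []
    for key_type in sorted(set(pin_key_types)):
        offset = PIN_KEY_OFFSETS.get(key_type)
        if offset is None:
            findings.append(f"{key_type}: not IPINENC or OPINENC")
        elif offset not in role_offsets:
            findings.append(f"{key_type}: enable X'{offset:04X}'")
    # Bits 19-22 equal to B'1111' mark a DALL key, which needs X'0290'.
    has_dall = any(cv_bits(cv, 19, 22) == 0b1111 for cv in dkygenky_cvs)
    if has_dall and DKYGENKY_DALL not in role_offsets:
        findings.append(f"DALL MDK: enable X'{DKYGENKY_DALL:04X}'")
    if want_enhanced_pin and ENHANCED_PIN_SECURITY not in role_offsets:
        findings.append(f"enhanced PIN mode: enable X'{ENHANCED_PIN_SECURITY:04X}'")
    if iso1_disallowed and "ISO-1" in pin_formats:
        findings.append("ISO-1 PIN block format is disallowed in this role")
    return findings


# Constructed 8-byte control vector with only bits 19-22 set (not a real key's CV).
SAMPLE_DALL_CV = bytes.fromhex("00001E0000000000")

if __name__ == "__main__":
    for line in check_pcu_call({0x00BC}, ["OPINENC", "IPINENC"], [SAMPLE_DALL_CV],
                               ["ISO-0", "ISO-1"], True, True):
        print(line)
```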

The access control point ISO PIN blocks do not check PIN digits (X'0055') is enabled by default in the default role. This prevents CCA from performing any integrity checks on the PIN digits themselves, to comply with the PCI-HSMv4 and ISO 9564.1 standards.

No action is needed by users unless they do not need to comply with the PCI-HSMv4 and ISO 9564.1 standards. In that case, they can disable the X'0055' access control point to allow integrity checks directly on the PIN digits.