Required commands
The required commands for CSNBPTR.
This verb requires the command shown in the following table for the rule-array keyword you specify (TRANSLAT or REFORMAT) to be enabled in the active role.
Rule-array keyword | Input profile format control keyword | Output profile format control keyword | Offset | Command |
---|---|---|---|---|
TRANSLAT | NONE | NONE | X'00B3' | Encrypted PIN Translate - Translate |
REFORMAT | NONE | NONE | X'00B7' | Encrypted PIN Translate - Reformat |
This verb also requires the UKPT - PIN Verify, PIN Translate command (offset X'00E1') to be enabled if you employ UKPT processing.
An enhanced PIN security mode is available for extracting PINs from an IBM® 3624 encrypted PIN block and for formatting an encrypted PIN block into IBM 3624 format using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits and enforces a minimum PIN length of 4; no other PIN-block consistency checking occurs. To activate this mode, enable the Enhanced PIN Security command (offset X'0313') in the active role. The mode is in effect only when all of the following are true:
- The Enhanced PIN Security command is enabled in the active role.
- The output PIN profile specifies 3624 as the PIN-block format.
- The output PIN profile specifies a decimal digit (0 - 9) as the PAD digit.
The following commands affect the PIN processing:
- Enable the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350') in the active role to apply additional restrictions to PIN processing as follows:
  - Do not translate or reformat a non-ISO PIN block into an ISO PIN block. Specifically, do not allow an IBM 3624 PIN-block format in the input_PIN_profile variable when the PIN-block format in the output_PIN_profile variable is not IBM 3624.
  - Constrain use of ISO-2 PIN blocks to offline PIN verification and PIN change operations in integrated circuit card environments only. Specifically, do not allow ISO-2 input or output PIN blocks.
  - Do not translate or reformat a PIN-block format that includes a PAN into a PIN-block format that does not include a PAN. Specifically, do not allow an ISO-1 PIN-block format in the output_PIN_profile variable when the PIN-block format in the input_PIN_profile variable is ISO-0 or ISO-3.
  - Do not allow a change of PAN data. Specifically, when translating between PIN-block formats that both include PAN data, do not allow the input_PAN_data and output_PAN_data variables to differ from the PAN data enciphered in the input PIN block.
  Note: A role with offset X'0350' enabled also affects access control of the Clear PIN Generate Alternate and the Secure Messaging for PINs verbs.
- Enable the ANSI X9.8 PIN - Allow modification of PAN command (offset X'0351') in the active role to override the restriction on changing PAN data. This override applies only when the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350'), the ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352'), or both are enabled in the active role; it exists to support account number changes in issuing environments. Offset X'0351' has no effect if neither offset X'0350' nor offset X'0352' is enabled in the active role.
  Note: A role with offset X'0351' enabled also affects access control of the Secure Messaging for PINs verbs.
- Enable the ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352') in the active role to apply a more restrictive variation of the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350'). In addition to the restrictions of offset X'0350' described above, this command restricts both the input_PIN_profile and the output_PIN_profile to the ISO-0, ISO-1, and ISO-3 PIN-block formats; specifically, the IBM 3624 PIN-block format is not allowed with this command. Offset X'0352' overrides offset X'0350'.
  Note: A role with offset X'0352' enabled also affects access control of the Secure Messaging for PINs verbs.
When the Disallow translation from DES wrapping to weaker DES wrapping access control point (X'01C7') is enabled in the domain role, this service fails if the input_PIN_encrypting_key_identifier is stronger than the output_PIN_encrypting_key_identifier.
When the Disallow PIN block format ISO-1 access control point (X'032F') is enabled in the domain role, the PIN block format in the input_PIN_profile and output_PIN_profile parameters is not allowed to be ISO-1.
For more information, see ANSI X9.8 PIN restrictions.
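The interaction between offsets X'0350', X'0351', X'0352' and X'032F' is easier to see as a decision procedure than as prose. The following Python model of those rules is an added example written for this page; it is not CCA or ICSF code, and the constant names, the TranslateRequest structure and the sample PANs are hypothetical. It applies the rules exactly as stated above: X'0352' carries every X'0350' restriction plus a format whitelist, X'0351' has no effect unless one of those two is enabled, and X'032F' is checked independently of the X9.8 commands.

```python
# Added illustration: a policy model of the ANSI X9.8 PIN-block restrictions
# that CSNBPTR applies according to the access control points (ACPs) enabled
# in the active role. Not CCA/ICSF code; constant names, the request structure
# and the sample PANs below are hypothetical and chosen only for this example.
from dataclasses import dataclass
from typing import List, Optional, Set

# ACP offsets from the text (the Python names are this example's own).
ACP_ENFORCE_X98 = 0x0350       # ANSI X9.8 PIN - Enforce PIN block restrictions
ACP_ALLOW_PAN_CHANGE = 0x0351  # ANSI X9.8 PIN - Allow modification of PAN
ACP_ANSI_ONLY = 0x0352         # ANSI X9.8 PIN - Allow only ANSI PIN blocks
ACP_DISALLOW_ISO1 = 0x032F     # Disallow PIN block format ISO-1

ALL_FORMATS = {"3624", "ISO-0", "ISO-1", "ISO-2", "ISO-3"}
ANSI_FORMATS = {"ISO-0", "ISO-1", "ISO-3"}   # what X'0352' permits in either profile
PAN_BOUND = {"ISO-0", "ISO-3"}               # formats whose PIN block carries the PAN


@dataclass
class TranslateRequest:
    """The parts of a CSNBPTR call that the X9.8 rules look at."""
    in_format: str                      # PIN-block format in input_PIN_profile
    out_format: str                     # PIN-block format in output_PIN_profile
    block_pan: Optional[str] = None     # PAN enciphered in the input PIN block
    in_pan: Optional[str] = None        # input_PAN_data supplied by the caller
    out_pan: Optional[str] = None       # output_PAN_data supplied by the caller


def x98_violations(role: Set[int], req: TranslateRequest) -> List[str]:
    """Return the rule violations for this request under the given role.

    An empty list means the translation is permitted.
    """
    errs: List[str] = []
    enforce = ACP_ENFORCE_X98 in role or ACP_ANSI_ONLY in role
    allowed = ANSI_FORMATS if ACP_ANSI_ONLY in role else ALL_FORMATS

    # X'032F' is independent of the X9.8 commands.
    if ACP_DISALLOW_ISO1 in role and "ISO-1" in (req.in_format, req.out_format):
        errs.append("ISO-1 not allowed in either profile (X'032F')")

    # X'0352': only ISO-0, ISO-1 and ISO-3 may appear in either profile.
    for side, fmt in (("input", req.in_format), ("output", req.out_format)):
        if fmt not in allowed:
            errs.append(f"{fmt} not allowed in {side} profile (X'0352')")

    # Without X'0350'/X'0352' there is nothing more to enforce; a format that
    # the whitelist already rejected needs no further rule applied to it.
    if not enforce or req.in_format not in allowed or req.out_format not in allowed:
        return errs

    # X'0350' rule 1: a non-ISO (3624) block may not be turned into an ISO block.
    if req.in_format == "3624" and req.out_format != "3624":
        errs.append("3624 input may not be translated to an ISO format (X'0350')")

    # X'0350' rule 2: ISO-2 is for offline/ICC use only, never for translation.
    if "ISO-2" in (req.in_format, req.out_format):
        errs.append("ISO-2 not allowed as input or output (X'0350')")

    # X'0350' rule 3: a PAN-bound block may not become a block without a PAN.
    if req.in_format in PAN_BOUND and req.out_format == "ISO-1":
        errs.append("ISO-0/ISO-3 input may not be reformatted to ISO-1 (X'0350')")

    # X'0350' rule 4: between two PAN-bound formats the PAN must not change,
    # unless X'0351' is enabled (account-number change in an issuing environment).
    if req.in_format in PAN_BOUND and req.out_format in PAN_BOUND:
        pan_changed = req.in_pan != req.block_pan or req.out_pan != req.block_pan
        if pan_changed and ACP_ALLOW_PAN_CHANGE not in role:
            errs.append("PAN data may not change without X'0351' (X'0350')")
    return errs


def translation_permitted(role: Set[int], req: TranslateRequest) -> bool:
    return not x98_violations(role, req)


if __name__ == "__main__":
    # Constructed sample: an ISO-0 block bound to one PAN being re-bound to another.
    req = TranslateRequest("ISO-0", "ISO-0", block_pan="4000000000000002",
                           in_pan="4000000000000002", out_pan="4000000000000010")
    for role in ({ACP_ENFORCE_X98}, {ACP_ENFORCE_X98, ACP_ALLOW_PAN_CHANGE}, set()):
        print(sorted(hex(a) for a in role), x98_violations(role, req))
```

Running the sample shows the three behaviours the text describes for a PAN change: rejected under X'0350' alone, permitted when X'0351' is added, and not examined at all when neither X9.8 command is enabled. Because the real firmware reports only one reason code, the list of violations is a debugging aid of this model, not something CSNBPTR returns.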
In releases before Release 5.4 and Release 6.2, triple-length TDES keys are not supported, thus limiting a generated TDES key to double length. Beginning with Release 5.4 and Release 6.2, triple-length TDES keys are supported, and a generated TDES key can be double-length or triple-length.
When the Encrypted PIN Translate - Translate PIN Check Mode access control (X'03A0') is enabled, the PIN block is checked during TRANSLAT processing. The checking is the same as that performed when the REFORMAT keyword is specified.
When the General ISO PIN Error Security access control (X'039F') is enabled, a PIN-block error is reported as the general PIN block error (return code 8, reason code 2514) instead of one of the more specific PIN-block error reason codes. A single general reason code prevents an attacker from using the distinct reason codes returned under different error conditions as an oracle that leaks information about the PIN block. For more details, see PIN block error processing mode.
The access control point ISO PIN blocks do not check PIN digits (X'0055') is enabled by default in the default role. It prevents CCA from performing any integrity checks on the PIN digits themselves, as required for compliance with the PCI-HSM v4 and ISO 9564-1 standards.
No action is needed unless you do not need to comply with PCI-HSM v4 and ISO 9564-1. In that case, disable the X'0055' access control point to allow integrity checks directly on the PIN digits.