Required commands

The required commands for CSNBPTR2

The Encrypted PIN Translate2 verb requires the commands shown in Table 1 to be enabled in the active role. The commands required for mode keywords REFORMAT and TRANSLAT depend on whether an AES key-token is used.
Table 1. Required commands for CSNBPTR2

Rule-array keyword | At least one AES key-token used | Offset | Command
REFORMAT | Yes | X'0391' | Encrypted PIN Translate2 - REFORMAT
REFORMAT | No | X'00B7' (See Note 1.) | Encrypted PIN Translate - Reformat
TRANSLAT | Yes | X'0392' | Encrypted PIN Translate2 - TRANSLATE
TRANSLAT | No | X'00B3' (See Note 2.) | Encrypted PIN Translate - Translate
DUKPTBH, DUKPTIP, DUKPTOP, UKPTBOTH, UKPTIPIN, or UKPTOPIN | N/A | X'00E1' (See Note 3.) | DUKPT - PIN Verify, PIN Translate

Note:
  1. A role with offset X'00B7' enabled can also use the Encrypted PIN Translate verb and the Encrypted PIN Translate Enhanced verb.
  2. A role with offset X'00B3' enabled can also use the Encrypted PIN Translate verb.
  3. A role with offset X'00E1' enabled can also use the verbs Encrypted PIN Translate, Encrypted PIN Translate Enhanced, Encrypted PIN Verify, FPE Decipher, FPE Encipher, and FPE Translate.

Authenticated PAN change support is only allowed when (1) PAN-CHG is specified in the rule array, (2) the PTR2 ISO-4 Reformat Requires Authenticated PAN Change to Change the PAN command (offset X'038B') is enabled in the active role, and (3) the input and output PIN-block formats are both ISO-4. Certain restrictions apply when selecting a PAN change request. With offset X'038B' enabled in the active role, only authenticated PAN change requests are allowed when the input and output PIN-block formats are both ISO-4. When only one PIN-block format is ISO-4 (for example, ISO-0 to ISO-4 or ISO-4 to ISO-0), offset X'038B' does not prevent a reformat when there is no PAN change (that is, the 12 rightmost digits of the PAN, excluding the check digit, are equal).

Table 2 shows the required access control command that must be enabled in the active role for each supported PIN-block format translation and allowed authenticated PAN-change option:
Table 2. CSNBPTR2 PIN-block format translations and required access control commands

Input PIN-block format | Output PIN-block format | Authenticated PAN-change option allowed | Offset | Command
ISO-0 | ISO-4 | No | X'038E' | Encrypted PIN Translate2 - Permit ISO-0 to ISO-4 Reformat
ISO-1 (See Note 1.) | ISO-4 | No | X'038C' (See Note 2.) | Encrypted PIN Translate2 - Permit ISO-1 to ISO-4 Reformat
ISO-1 (See Note 1.) | ISO-4 | No | X'0393' (See Note 2.) | Encrypted PIN Translate2 - Permit ISO-1 to ISO-4 RFMT1TO4
ISO-4 | ISO-0 | No | X'038F' | Encrypted PIN Translate2 - Permit ISO-4 to ISO-0 Reformat
ISO-4 | ISO-1 (See Note 1.) | No | X'038D' (See Note 3.) | Encrypted PIN Translate2 - Permit ISO-4 to ISO-1 Reformat
ISO-4 | ISO-1 (See Note 1.) | No | X'0394' (See Note 3.) | Encrypted PIN Translate2 - Permit ISO-4 to ISO-1 RFMT4TO1
ISO-4 | ISO-4 | No | X'038A' | Encrypted PIN Translate2 - Permit ISO-4 to ISO-4 Translate
ISO-4 | ISO-4 | Yes | X'038B' (See Note 4.) | Encrypted PIN Translate2 - Permit ISO-4 Reformat w/ PAN Chg
ISO-4 | ISO-4 | Yes | X'0395' (See Note 5.) | Encrypted PIN Translate2 - Permit ISO-4 to ISO-4 PTR2AUTH

Note:
  1. PIN-block format ISO-1 is not allowed when the Disallow PIN block format ISO-1 command (offset X'032F') is enabled in the active role.
  2. When the Encrypted PIN Translate2 - Permit ISO-1 to ISO-4 RFMT1TO4 command (offset X'0393') is enabled in the active role, it has the effect of disallowing REFORMAT requests from ISO-1 to ISO-4 PIN blocks unless the outbound PIN encrypting key has the RFMT1TO4 key-usage field bit on in the AES key-token. See Figure 1.
  3. When the Encrypted PIN Translate2 - Permit ISO-4 to ISO-1 RFMT4TO1 command (offset X'0394') is enabled in the active role, it has the effect of disallowing REFORMAT requests from ISO-4 to ISO-1 PIN blocks unless the inbound PIN encrypting key has the RFMT4TO1 key-usage field bit on in the AES key-token. See Figure 2.
  4. The Encrypted PIN Translate2 - Permit ISO-4 Reformat w/ PAN Chg command (offset X'038B') does not prevent a reformat when only one PIN-block format is ISO-4 (for example, ISO-0 to ISO-4 or ISO-4 to ISO-0) and there is no PAN change (that is, the 12 rightmost digits of the PAN, excluding the check digit, are equal).
  5. When enabled, the Encrypted PIN Translate2 - Permit ISO-4 to ISO-4 PTR2AUTH command (offset X'0395') has the effect of disallowing REFORMAT requests from ISO-4 to ISO-4 PIN blocks unless the outbound PIN encrypting key has the PTR2AUTH key-usage field bit enabled in the AES key-token.
Figure 1. CSNBPTR2 access control behavior for REFORMAT ISO-1 to ISO-4 requests

Figure 2. CSNBPTR2 access control behavior for REFORMAT ISO-4 to ISO-1 requests

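The following is an added worked example, not IBM code and not part of the original page: it models the role checks of Table 1, Table 2 and the authenticated PAN change paragraph as a small policy evaluator. The active role is represented as a set of enabled command offsets, the RFMT1TO4, RFMT4TO1 and PTR2AUTH key-usage bits are represented as strings in a set attached to the request, and the request dictionary keys (mode, aes_used, rule_array, in_fmt, out_fmt, pan_change, in_key_usage, out_key_usage) are assumptions of this example. The handling of an ISO-4 to ISO-4 REFORMAT without PAN-CHG when X'038B' is enabled follows the "only authenticated PAN change requests are allowed" sentence above and is this example's reading of it.

```python
# Added example (not IBM's code): a model of the CSNBPTR2 role checks in
# Table 1, Table 2 and the authenticated PAN change paragraph.
# A role is a set of enabled command offsets; key-usage bits (RFMT1TO4,
# RFMT4TO1, PTR2AUTH) are strings in a set on the request. All request and
# role values are constructed for illustration.

DUKPT_KEYWORDS = {"DUKPTBH", "DUKPTIP", "DUKPTOP",
                  "UKPTBOTH", "UKPTIPIN", "UKPTOPIN"}

# Table 2 rows: (input format, output format, authenticated PAN change) -> offset
TABLE2 = {
    ("ISO-0", "ISO-4", False): 0x038E,
    ("ISO-1", "ISO-4", False): 0x038C,
    ("ISO-4", "ISO-0", False): 0x038F,
    ("ISO-4", "ISO-1", False): 0x038D,
    ("ISO-4", "ISO-4", False): 0x038A,
    ("ISO-4", "ISO-4", True): 0x038B,
}


def fmt_offset(offset):
    """Render an offset in the page's X'nnnn' notation."""
    return f"X'{offset:04X}'"


def required_offsets(req):
    """Offsets the active role must have enabled for this request (Tables 1 and 2).

    req keys (assumed by this example): mode ("REFORMAT" or "TRANSLAT"),
    aes_used (bool), rule_array (list of keywords), in_fmt, out_fmt,
    pan_change (bool: PAN-CHG keyword present).
    """
    if req["mode"] == "REFORMAT":
        needed = {0x0391 if req["aes_used"] else 0x00B7}
    elif req["mode"] == "TRANSLAT":
        needed = {0x0392 if req["aes_used"] else 0x00B3}
    else:
        raise ValueError("unknown mode keyword: " + req["mode"])
    # Any DUKPT keyword in the rule array also requires X'00E1'.
    if DUKPT_KEYWORDS & set(req.get("rule_array", [])):
        needed.add(0x00E1)
    key = (req["in_fmt"], req["out_fmt"], bool(req.get("pan_change")))
    if key in TABLE2:
        needed.add(TABLE2[key])
    return needed


def check_request(req, role):
    """Return (permitted, reason) for a request evaluated against a role."""
    fmts = (req["in_fmt"], req["out_fmt"])
    # Table 2, Note 1: ISO-1 is refused outright when X'032F' is enabled.
    if "ISO-1" in fmts and 0x032F in role:
        return False, "ISO-1 disallowed by X'032F'"
    # Authenticated PAN change is only defined for ISO-4 input and output.
    if req.get("pan_change") and fmts != ("ISO-4", "ISO-4"):
        return False, "authenticated PAN change requires ISO-4 input and output"
    missing = required_offsets(req) - role
    if missing:
        return False, "missing offsets: " + ", ".join(fmt_offset(o) for o in sorted(missing))
    out_usage = req.get("out_key_usage", set())
    in_usage = req.get("in_key_usage", set())
    # Note 2: X'0393' ties ISO-1 -> ISO-4 reformats to the outbound key's RFMT1TO4 bit.
    if 0x0393 in role and fmts == ("ISO-1", "ISO-4") and "RFMT1TO4" not in out_usage:
        return False, "X'0393' enabled: outbound key lacks RFMT1TO4"
    # Note 3: X'0394' ties ISO-4 -> ISO-1 reformats to the inbound key's RFMT4TO1 bit.
    if 0x0394 in role and fmts == ("ISO-4", "ISO-1") and "RFMT4TO1" not in in_usage:
        return False, "X'0394' enabled: inbound key lacks RFMT4TO1"
    if fmts == ("ISO-4", "ISO-4") and req["mode"] == "REFORMAT":
        # With X'038B' enabled, only authenticated PAN change reformats are allowed
        # between two ISO-4 blocks (this example's reading of the paragraph above).
        if 0x038B in role and not req.get("pan_change"):
            return False, "X'038B' enabled: ISO-4 to ISO-4 reformat must be an authenticated PAN change"
        # Note 5: X'0395' additionally requires the PTR2AUTH bit on the outbound key.
        if 0x0395 in role and "PTR2AUTH" not in out_usage:
            return False, "X'0395' enabled: outbound key lacks PTR2AUTH"
    return True, "permitted"
```

A role review tool built this way makes the reason for a rejection explicit, which is what an auditor wants when confirming that an ISO-1 to ISO-4 reformat cannot succeed with a key that lacks the RFMT1TO4 usage bit.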
An enhanced PIN security mode is available for extracting PINs from a 3624 encrypted PIN-block and formatting an encrypted PIN-block into IBM 3624 format using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits and a minimum PIN length of 4 is enforced. No other PIN-block consistency checking is performed. To activate this mode, enable the Enhanced PIN Security command (offset X’0313’) in the active role. See Table 3 for a list of verbs affected when offset X’0313’ is enabled in the active role.

ANSI X9.8 defines PIN rules that affect how PIN blocks can be reformatted. To have this verb enforce the PIN rules defined by ANSI X9.8, enable the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350') or the more restrictive ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352') in the active role. If both of these commands are enabled, the more restrictive offset X'0352' overrides X'0350'.

Table 3 provides a matrix of allowed and not allowed reformatting between PIN-block formats when ANSI X9.8 PIN rules are being enforced (that is, offset X'0352', X'0350', or both are enabled in the active role), as well as any exceptions.
Table 3. CSNBPTR2 rules between PIN-block formats when ANSI X9.8 rules are being enforced

Input PIN-block format | Output: IBM 3624 | Output: ISO Format 0, 3, or 4 | Output: ISO Format 1 (See Note 6.) | Output: ISO Format 2
IBM 3624 | Allowed (see Note 3). | Allowed (see Note 3 and Note 4). | Allowed (see Note 3). | Not allowed.
ISO Format 0, 3, or 4 | Not allowed. | Allowed. | Not allowed (see Note 5). | Not allowed.
ISO Format 1 (See Note 6.) | Not allowed. | Allowed. | Allowed. | Not allowed.
ISO Format 2 | Not allowed. | Not allowed. | Not allowed. | Not allowed.

Note:
  1. ANSI X9.8 PIN rules are enforced when the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350'), the ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352'), or both are enabled in the active role.
  2. ISO formats 0, 3, and 4 have a PAN as part of the format, while IBM 3624 and ISO formats 1 and 2 do not.
  3. When the ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352') is enabled in the active role, the input and output PIN-block formats must both be ISO.
  4. When the ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352') is not enabled in the active role, the ANSI X9.8 PIN - Allow modification of PAN command (offset X'0351') overrides the restriction to not allow a change of PAN data. The Encrypted PIN Translate2 - Permit ISO-4 Reformat w/ PAN Chg command (offset X'038B') overrides offset X'0351' and does not allow a change of PAN except for ISO-4 to ISO-4 authenticated PAN change.
  5. When offset X'0350', offset X'0352', or both are enabled in the active role, the Encrypted PIN Translate2 - Permit ISO-4 to ISO-1 Reformat command (offset X'038D') overrides the ANSI X9.8 PIN rules restriction to not allow a reformat from an ISO-4 to an ISO-1 PIN-block format.
  6. PIN-block format ISO-1 is not allowed when the Disallow PIN block format ISO-1 command (offset X'032F') is enabled in the active role.
The three commands that, when enabled in the active role, affect how PIN processing is performed are described in more detail below:
  1. Offset X’0350’ – ANSI X9.8 PIN - Enforce PIN block restrictions (see Table 3).
    Note: The ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352') overrides offset X'0350'.
    Enable offset X'0350' in the active role to apply additional restrictions to PIN processing as follows:
    • Do not translate or reformat an ISO PIN-block into a non-ISO PIN-block. Specifically, do not allow an IBM 3624 PIN-block format in the output_PIN_profile variable when the PIN-block format in the input_PIN_profile variable is not IBM 3624.
    • Constrain use of ISO-2 PIN blocks to offline PIN verification and PIN change operations in integrated circuit card environments only. Specifically, do not allow ISO-2 input or output PIN blocks.
    • Do not translate or reformat a PIN-block format that includes a PAN into a PIN-block format that does not include a PAN. Specifically, do not allow an ISO-1 PIN-block format in the output_PIN_profile variable when the PIN-block format in the input_PIN_profile variable is ISO-0, ISO-3, or ISO-4 (ISO-1 PIN blocks do not contain PAN data while ISO-0, ISO-3, and ISO-4 do contain PAN data).
      Note: The Encrypted PIN Translate2 - Permit ISO-4 to ISO-1 Reformat command (offset X’038D’) when enabled in the active role overrides this rule for ISO-4 PIN blocks. When X’038D’ is enabled in the active role and the keys involved have the correct usage, an ISO-4 PIN-block can be reformatted to an ISO-1 PIN-block.
    • Do not allow a change of PAN data. Specifically, when performing translations between PIN block formats that both include PAN data, do not allow the input_PAN_data and output_PAN_data variables to be different from the PAN data enciphered in the input PIN-block.
      Note: The ANSI X9.8 PIN - Allow modification of PAN command (offset X’0351’) overrides the restriction to not allow a change of PAN data when the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X’0350’) is enabled in the active role, and allows a PIN-block format change from 3624 to ISO-0, ISO-3, or ISO-4.
  2. Offset X’0351’ – ANSI X9.8 PIN - Allow modification of PAN
    Note: The Encrypted PIN Translate2 - Permit ISO-4 Reformat w/ PAN Chg command (offset X'038B') overrides offset X'0351'. When X'038B' is enabled in the active role, a change of PAN is not allowed. The PAN can only be reformatted and the input and output PANs must match.

    Enable offset X'0351' in the active role to override the restriction to not allow a change of PAN data. This override applies only when the Enforce ANS X9.8 PIN Rules command (offset X'0350'), the ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352'), or both are enabled in the active role. This override is provided to support account number changes in issuing environments. Offset X'0351' has no effect if neither offset X'0350' nor offset X'0352' is enabled in the active role.

    For ISO-4, the Encrypted PIN Translate2 - Permit ISO-4 Reformat w/ PAN Chg command (offset X'038B') enables the authenticated PAN change feature. This feature occurs when offset X'038B' is enabled in the active role and the input and output PIN-block formats are both ISO-4.
  3. Offset X’0352’ – ANSI X9.8 PIN - Allow only ANSI PIN blocks (see Table 3).

    Enable the ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352') in the active role to apply a more restrictive version of the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350'). In addition to the previously described restrictions of offset X’0350’, this command also restricts the input_PIN_profile and the output_PIN_profile to contain only ISO-0, ISO-1, ISO-3 or ISO-4 PIN block formats. Specifically, the IBM 3624 PIN-block format is not allowed with this command. Offset X'0352' overrides offset X'0350'.

Each of the above three commands affects multiple verbs. For a list of the affected verbs, see offsets X’0350’, X’0351’, and X’0352’ in Table 1.
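The following is an added worked example, not IBM code and not part of the original page: it turns the Table 3 matrix and the three commands just described (offsets X'0350', X'0351', X'0352'), together with the X'038D', X'038B' and X'032F' overrides from the notes, into one decision function. The role is modelled as a set of enabled offsets; the format strings, the function name and the pan_changed and authenticated_pan_change parameters are assumptions of this example. Where Table 3 marks a 3624 to ISO-0/3/4 reformat as allowed, the example treats it as allowed under X'0350' without further conditions.

```python
# Added example (not IBM's code): the ANSI X9.8 PIN-block reformat rules of
# Table 3 and Notes 3 to 6 as a single check. `role` is a set of enabled
# access-control offsets; all values below are constructed for illustration.

ISO_WITH_PAN = {"ISO-0", "ISO-3", "ISO-4"}       # Note 2: these carry the PAN
ISO_FORMATS = ISO_WITH_PAN | {"ISO-1", "ISO-2"}


def x98_enforced(role):
    """Note 1: the rules apply when X'0350', X'0352', or both are enabled."""
    return 0x0350 in role or 0x0352 in role


def x98_reformat_allowed(in_fmt, out_fmt, role,
                         pan_changed=False, authenticated_pan_change=False):
    """Return (allowed, reason) for a reformat from in_fmt to out_fmt."""
    # Note 6: ISO-1 is refused on either side when X'032F' is enabled.
    if 0x032F in role and "ISO-1" in (in_fmt, out_fmt):
        return False, "ISO-1 disallowed by X'032F'"
    if not x98_enforced(role):
        return True, "ANSI X9.8 rules not enforced"
    # Note 3: X'0352' restricts both input and output to ISO formats.
    if 0x0352 in role and not (in_fmt in ISO_FORMATS and out_fmt in ISO_FORMATS):
        return False, "X'0352': both formats must be ISO"
    # ISO-2 is confined to ICC offline PIN operations: neither input nor output here.
    if "ISO-2" in (in_fmt, out_fmt):
        return False, "ISO-2 not allowed as input or output"
    # An ISO block must not be turned into a non-ISO (IBM 3624) block.
    if out_fmt == "IBM 3624" and in_fmt != "IBM 3624":
        return False, "ISO to IBM 3624 not allowed"
    # A PAN-bearing block must not lose its PAN by becoming ISO-1;
    # Note 5: X'038D' overrides this for ISO-4 input only.
    if in_fmt in ISO_WITH_PAN and out_fmt == "ISO-1":
        if not (in_fmt == "ISO-4" and 0x038D in role):
            return False, f"{in_fmt} to ISO-1 not allowed"
    # Note 4: PAN change between two PAN-bearing formats needs X'0351',
    # and X'038B' overrides X'0351' except for ISO-4 to ISO-4 authenticated change.
    if pan_changed and in_fmt in ISO_WITH_PAN and out_fmt in ISO_WITH_PAN:
        if 0x038B in role:
            if in_fmt == out_fmt == "ISO-4" and authenticated_pan_change:
                return True, "authenticated ISO-4 PAN change under X'038B'"
            return False, "X'038B' overrides X'0351': PAN change not allowed"
        if 0x0351 not in role:
            return False, "PAN change not allowed (X'0351' not enabled)"
    return True, "allowed"
```

Running the function over every input and output pair reproduces the Allowed / Not allowed cells of Table 3 for a given role, which is a convenient way to confirm that a role change (for example enabling X'038D') opens only the one cell it is meant to open.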

Additional restrictions can be put in place or lessened to allow or disallow TRANSLAT and REFORMAT operations when ISO-4 PIN blocks are specified in either the input PIN profile or the output PIN profile. The following options are available:

Input PIN-block format | Output PIN-block format | Offset | Command
ISO-0 | ISO-4 | X'038E' | Encrypted PIN Translate2 - Permit ISO-0 to ISO-4 Reformat
ISO-1 (See note.) | ISO-4 | X'038C' | Encrypted PIN Translate2 - Permit ISO-1 to ISO-4 Reformat
ISO-4 | ISO-0 | X'038F' | Encrypted PIN Translate2 - Permit ISO-4 to ISO-0 Reformat
ISO-4 | ISO-4 | X'038A' | Encrypted PIN Translate2 - Permit ISO-4 to ISO-4 Translate

Note: PIN-block format ISO-1 is not allowed when the Disallow PIN block format ISO-1 command (offset X'032F') is enabled in the active role (Release 5.5.12 or later).

It is possible to do a translation using an output key that is weaker than the input key. To disallow this, enable the appropriate commands shown in the table below:

Input PIN-encrypting key algorithm | Output PIN-encrypting key algorithm | Offset | Command to disallow translation using a weaker key
AES | DES | X'01C5' | Disallow translation from AES wrapping to DES wrapping
AES | AES | X'01C6' | Disallow translation from AES wrapping to weaker AES wrapping
DES | DES | X'01C7' | Disallow translation from DES wrapping to weaker DES wrapping

Each of these commands affects multiple verbs. See Table 1.

When the Disallow PIN block format ISO-1 access control is enabled in the domain role, the PIN block format in the input_PIN_profile and output_PIN_profile parameters is not allowed to be ISO-1.

When the Encrypted PIN Translate - Translate PIN Check Mode (X'03A0') access control is enabled, checking of the PIN block is performed. The checking is the same as the checking done when the REFORMAT keyword is specified.

When the General ISO PIN Error Security access control (X'039F') is enabled, the return code is a general PIN block error (return code 8 reason code 2514) instead of some other existing specific PIN block error reason codes. The use of a general return code can prevent the abuse of PIN processing error messages due to information leakage derived from the return code reason codes returned under various conditions. For more details, see PIN block error processing mode.

The ISO PIN blocks do not check PIN digits access control point (offset X'0055') is enabled by default in the default role. This prevents CCA from performing any integrity checks on the PIN digits themselves, to comply with the PCI-HSMv4 and ISO 9564.1 standards.

No action is needed by the users, unless they do not need to comply with the PCI-HSMv4 and ISO 9564.1 standards. In this case, they can disable the X’0055’ access control point to allow integrity checks directly on the PIN digits.