Required commands

The required commands for CSNBPTRE.

The Encrypted PIN Translate Enhanced verb requires the Encrypted PIN Translate Enhanced command (offset X'02D5') to be enabled in the active role. This ACP is ON by default. The following additional commands must be enabled depending on the capabilities that are requested:

The following table lists the additional required commands for the Encrypted PIN Translate Enhanced verb. The Explanation column is empty for both rows.

Rule-array keyword | Input profile format control keyword | Output profile format control keyword | Explanation | Offset | Command
REFORMAT | NONE | NONE | | X'00B7' | Encrypted PIN Translate - Reformat
One or more of the following (spanning the three keyword columns): IN-DUKPT, OUTDUKPT, DUKPT-OP, DUKPT-IP, or DUKPT-BH | | X'001E' | Reencipher CKDS

An enhanced PIN security mode is available for extracting PINs from an IBM® 3624 encrypted PIN-block and formatting an encrypted PIN block into 3621 or 3624 format using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits, and a minimum PIN length of 4 is enforced. No other PIN-block consistency checking occurs. To activate this mode, enable the Enhanced PIN Security command (offset X'0313') in the active role.

The verb returns an error indicating that the PAD digit is not valid if all of these conditions are met:

  1. The Enhanced PIN Security command is enabled in the active role.
  2. The output PIN profile specifies 3624 as the PIN-block format.
  3. The output PIN profile specifies a decimal digit (0 - 9) as the PAD digit.
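The following Python model is an added example, not IBM's or CCA's code, of what the enhanced mode described above means in practice: PADDIGIT extraction from a clear IBM 3624 PIN block, the decimal-only and minimum-length-4 checks, and the condition under which the verb reports an invalid PAD digit. The real verb works only on enciphered PIN blocks inside the coprocessor; the sample blocks here are constructed clear blocks, and the function names and the boolean for the X'0313' state are assumptions of this example. The last sample shows why a decimal PAD digit is rejected for 3624 output: a PIN containing the PAD digit is cut short.

```python
# Added illustrative model of PADDIGIT extraction under Enhanced PIN Security
# (ACP X'0313').  Not CCA's implementation; the block is assumed to be already
# deciphered, and the sample blocks below are constructed for this example.

HEX_DIGITS = "0123456789ABCDEF"
BLOCK_LEN = 16          # a 3624 PIN block is 8 bytes = 16 hexadecimal digits
MIN_PIN_LEN = 4         # minimum PIN length enforced by the enhanced mode


def extract_pin_paddigit(clear_block: str, pad_digit: str) -> str:
    """Return the PIN held in a clear 3624 block.

    PADDIGIT rule: the PIN is everything before the first occurrence of the
    PAD digit.  In enhanced mode the only checks are that the PIN consists of
    decimal digits and is at least MIN_PIN_LEN long; the rest of the block is
    not inspected (no other consistency checking occurs).
    """
    block, pad = clear_block.upper(), pad_digit.upper()
    if len(block) != BLOCK_LEN or any(c not in HEX_DIGITS for c in block):
        raise ValueError("3624 PIN block must be 16 hexadecimal digits")
    if len(pad) != 1 or pad not in HEX_DIGITS:
        raise ValueError("PAD digit must be one hexadecimal digit")
    pin = block.split(pad, 1)[0]
    if any(c not in "0123456789" for c in pin):
        raise ValueError("PIN contains a non-decimal digit")
    if len(pin) < MIN_PIN_LEN:
        raise ValueError("PIN is shorter than %d digits" % MIN_PIN_LEN)
    return pin


def try_extract(clear_block: str, pad_digit: str):
    """Return the extracted PIN, or None when the block is rejected."""
    try:
        return extract_pin_paddigit(clear_block, pad_digit)
    except ValueError:
        return None


def output_pad_digit_rejected(enhanced_pin_security: bool,
                              output_format: str, pad_digit: str) -> bool:
    """True when the verb would report that the PAD digit is not valid:
    enhanced mode enabled, output PIN-block format 3624, and a decimal (0-9)
    PAD digit.  All three conditions must hold."""
    return (enhanced_pin_security
            and output_format == "3624"
            and len(pad_digit) == 1 and pad_digit in "0123456789")


if __name__ == "__main__":
    # constructed clear sample blocks
    print(try_extract("1234FFFFFFFFFFFF", "F"))   # 1234
    print(try_extract("123456FFFFFFFFFF", "F"))   # 123456
    print(try_extract("123FFFFFFFFFFFFF", "F"))   # None: shorter than 4 digits
    print(try_extract("12A4FFFFFFFFFFFF", "F"))   # None: non-decimal digit
    # decimal PAD digit 5 truncates PIN 1254 to "12", which then fails the length check
    print(try_extract("1254555555555555", "5"))   # None
    print(output_pad_digit_rejected(True, "3624", "5"))   # True
    print(output_pad_digit_rejected(True, "3624", "F"))   # False
```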

Four additional commands should be considered (offsets X'0350', X'0351', X'0352', and X'032F'). If enabled, these commands affect how PIN processing is performed by this and other verbs:

  1. Enable the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350') in the active role to apply additional restrictions to PIN processing as follows:
    • Do not translate or reformat a non-ISO PIN block into an ISO PIN block. Specifically, do not allow an IBM 3624 PIN-block format in the output_PIN_profile variable when the PIN-block format in the input_PIN_profile variable is not 3624.
    • Constrain use of ISO-2 PIN blocks to offline PIN verification and PIN change operations in integrated circuit card environments only. Specifically, do not allow ISO-2 input or output PIN blocks.
    • Do not translate or reformat a PIN-block format that includes a PAN into a PIN-block format that does not include a PAN. Specifically, do not allow an ISO-1 PIN-block format in the output_PIN_profile variable when the PIN-block format in the input_PIN_profile variable is ISO-0 or ISO-3.
  2. Enable the ANSI X9.8 PIN - Allow modification of PAN command (offset X'0351') in the active role to override the restriction that does not allow a change of PAN data. This override is applicable only when the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350'), the ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352'), or both are enabled in the active role. This override supports environments that issue account number changes. Offset X'0351' has no effect if neither offset X'0350' nor offset X'0352' is enabled in the active role. For CSNBPTRE, this override does not apply: PAN changes are not allowed by this verb.
  3. Enable the ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352') in the active role to apply a more restrictive variation of the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350'). In addition to the previously described restrictions of offset X'0350', this command also restricts the input_PIN_profile and the output_PIN_profile parameters to contain only ISO-0, ISO-1, and ISO-3 PIN block formats. Specifically, the IBM 3624 PIN-block format is not allowed with this command. The command at offset X'0352' overrides the one at offset X'0350'.
  4. When the Disallow PIN block format ISO-1 access control (offset X'032F') is enabled in the domain role, the PIN-block format in the input_PIN_profile and output_PIN_profile parameters is not allowed to be ISO-1.

In releases before Release 5.4 and Release 6.2, triple-length TDES keys are not supported, which limits an outbound TDES key to double length. Beginning with Release 5.4 and Release 6.2, triple-length TDES keys are supported, and an outbound TDES key can be double-length or triple-length. This makes it possible for data that is encrypted using a triple-length key to be translated to data encrypted using a weaker double-length key. Such a translation reduces the security of the data and creates a security exposure, so CCA normally refuses it. To override this restriction, the Cipher Text Translate2 - Allow translate to weaker DES command (offset X'01C3') must be enabled in the active role.
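The following Python model is an added example, not CCA's code, that brings together the access-control rules from the numbered list above (offsets X'0350', X'0352' and X'032F'; X'0351' is omitted because it does not apply to this verb) and the weaker-key rule for offset X'01C3'. It encodes the "Specifically" clauses exactly as this section states them, for the PIN-block formats the section names. The representation of the active role as a set of ACP offsets, the function names, the reason strings, and the TDES key lengths in bytes (16 = double-length, 24 = triple-length) are assumptions of this example; the sample requests at the bottom are constructed.

```python
# Added illustrative model of how ACPs in the active role constrain a
# CSNBPTRE request.  Not CCA's implementation: the role is modelled as a set of
# enabled ACP offsets and only the formats named in this section are known.

ENFORCE_PIN_BLOCK_RESTRICTIONS = 0x0350   # ANSI X9.8 PIN - Enforce PIN block restrictions
ALLOW_ONLY_ANSI_PIN_BLOCKS = 0x0352       # ANSI X9.8 PIN - Allow only ANSI PIN blocks
DISALLOW_ISO1 = 0x032F                    # Disallow PIN block format ISO-1
ALLOW_TRANSLATE_TO_WEAKER_DES = 0x01C3    # Cipher Text Translate2 - Allow translate to weaker DES

FORMATS = {"3624", "ISO-0", "ISO-1", "ISO-2", "ISO-3"}   # formats named in this section
ANSI_ONLY = {"ISO-0", "ISO-1", "ISO-3"}                    # the only formats permitted under X'0352'
PAN_BOUND = {"ISO-0", "ISO-3"}                             # formats that include the PAN


def pin_block_translation_denials(in_format, out_format, enabled_acps):
    """Return the reasons the active role would refuse translating a PIN block
    from in_format to out_format; an empty list means the pair is allowed."""
    if in_format not in FORMATS or out_format not in FORMATS:
        raise ValueError("unknown PIN-block format")
    reasons = []
    if DISALLOW_ISO1 in enabled_acps and "ISO-1" in (in_format, out_format):
        reasons.append("X'032F': ISO-1 not allowed in the input or output profile")
    if ALLOW_ONLY_ANSI_PIN_BLOCKS in enabled_acps:
        if in_format not in ANSI_ONLY or out_format not in ANSI_ONLY:
            reasons.append("X'0352': only ISO-0, ISO-1 and ISO-3 are allowed")
    # X'0352' applies every restriction of X'0350' in addition to its own
    if any(acp in enabled_acps for acp in
           (ENFORCE_PIN_BLOCK_RESTRICTIONS, ALLOW_ONLY_ANSI_PIN_BLOCKS)):
        if out_format == "3624" and in_format != "3624":
            reasons.append("X'0350': 3624 output not allowed unless the input is 3624")
        if "ISO-2" in (in_format, out_format):
            reasons.append("X'0350': ISO-2 input or output PIN blocks not allowed")
        if out_format == "ISO-1" and in_format in PAN_BOUND:
            reasons.append("X'0350': cannot drop the PAN (ISO-0 or ISO-3 to ISO-1)")
    return reasons


def key_translation_denials(in_key_len, out_key_len, enabled_acps):
    """TDES key-length rule: translating data from a triple-length key (24
    bytes) to a double-length key (16 bytes) weakens it and needs X'01C3'."""
    if in_key_len not in (16, 24) or out_key_len not in (16, 24):
        raise ValueError("TDES key length must be 16 or 24 bytes")
    if out_key_len < in_key_len and ALLOW_TRANSLATE_TO_WEAKER_DES not in enabled_acps:
        return ["X'01C3' not enabled: translation to a weaker double-length TDES key refused"]
    return []


def request_allowed(in_format, out_format, in_key_len, out_key_len, enabled_acps):
    """True when neither the PIN-block format rules nor the key rule object."""
    return not (pin_block_translation_denials(in_format, out_format, enabled_acps)
                + key_translation_denials(in_key_len, out_key_len, enabled_acps))


if __name__ == "__main__":
    role = {ENFORCE_PIN_BLOCK_RESTRICTIONS, DISALLOW_ISO1}   # constructed role
    for in_fmt, out_fmt, in_len, out_len in (("ISO-0", "ISO-3", 24, 24),
                                             ("ISO-0", "ISO-1", 16, 16),
                                             ("ISO-0", "3624", 16, 16),
                                             ("ISO-3", "ISO-0", 24, 16)):
        denials = (pin_block_translation_denials(in_fmt, out_fmt, role)
                   + key_translation_denials(in_len, out_len, role))
        print(in_fmt, "->", out_fmt, "allowed" if not denials else denials)
```

Because X'0352' is modelled as a superset of X'0350', enabling only X'0352' still yields the X'0350' denials, which is the "overrides" relationship the list describes.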

The access control point ISO PIN blocks do not check PIN digits (X'0055') is enabled by default in the default role. While it is enabled, CCA performs no integrity checks on the PIN digits themselves, in order to comply with the PCI-HSM v4 and ISO 9564-1 standards.

No action is needed by users who must comply with PCI-HSM v4 and ISO 9564-1. Users who do not need to comply with those standards can disable the X'0055' access control point so that CCA checks the PIN digits directly.