Required commands

This verb requires the following commands to be enabled in the active role:

This verb also requires the DUKPT - PIN Verify, PIN Translate command (offset X'00E1') to be enabled in the active role if you employ UKPT processing.

An enhanced PIN security mode is available for extracting PINs from an IBM® 3624 encrypted PIN-block using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits, and a minimum PIN length of four is enforced. No other PIN-block consistency checking will occur. To activate this mode, enable the Enhanced PIN Security command (offset X'0313') in the active role.

Whenever the ANSI X9.8 PIN - Use stored decimalization tables only command (offset X'0356') is enabled in the active role, the Decimalization_table element of the data_array value must match one of the PIN decimalization tables that are in the active state on the coprocessor. Use of this command provides improved security and control for PIN decimalization tables. The VISA-PVV, VISAPVV4, and INBK-PIN PIN calculation methods do not have a Decimalization_table element and are therefore not affected by this command.

When the Disallow PIN block format ISO-1 access control is enabled in the domain role, the PIN block format in the input_PIN_profile parameter must not be ISO-1.

The access control point ISO PIN blocks do not check PIN digits (X’0055’) is enabled by default in the default role. This prevents CCA from performing any integrity checks on the PIN digits themselves, to comply with the PCI-HSMv4 and ISO 9564.1 standards.

No action is needed by the users, unless they do not need to comply with the PCI-HSMv4 and ISO 9564.1 standards. In this case, they can disable the X’0055’ access control point to allow integrity checks directly on the PIN digits.