Required commands
The required commands for CSNBPVR2.
This table shows the access control points in the domain role that control the function of this service.
| Rule-array keyword | Access control point | Offset |
|---|---|---|
| REFPIN | Encrypted PIN Verify2 – REFPIN | X'03B0' |
| TRUNCPIN | Encrypted PIN Verify2 - TRUNCPIN | X'03B1' |
| UKPT, DUKPT, or ADUKPT | DUKPT - PIN Verify, PIN Translate | X'00E1' |
An enhanced PIN security mode is available for extracting PINs from a 3621 or 3624 encrypted PIN-block and formatting an encrypted PIN-block into IBM 3621 or 3624 format using the PADDIGIT PIN-extraction method. This mode limits checking of the PIN to decimal digits, and a minimum PIN length of 4 is enforced. No other PIN-block consistency checking will occur. To activate this mode, enable the Enhanced PIN Security command (offset X'0313') in the active role.
| PIN-block format and PIN-extraction method | Verbs affected | PIN processing changes (when Enhanced PIN Security Mode command, offset X'0313', is enabled) |
|---|---|---|
| IBM 3624 format and HEXDIGIT, PADDIGIT, or PADEXIST | | PIN extraction determines the PIN length by scanning from right to left until a digit, not equal to the pad digit, is found. The minimum PIN length is set at four digits, so scanning ceases one digit after the position of the 4th PIN digit in the block. (No changes are made for any PIN-extraction method other than PADDIGIT.) |
| | | PIN formatting does not examine the PIN in the output PIN block to see if it contains the pad digit. This affects only the PIN-extraction method of PADDIGIT. |
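
The PADDIGIT length scan described in the table above, modelled on a clear block as an added example (not IBM's code; the service itself works on encrypted PIN blocks). The 16-hex-digit, left-justified block layout, the function name and the sample blocks are assumptions constructed for illustration.

```python
# Added illustration: models the PADDIGIT right-to-left scan on a clear block.
HEX = "0123456789ABCDEF"
BLOCK_LEN = 16   # assumption: 16 hex digits, PIN left-justified, pad-filled
MIN_PIN_LEN = 4  # minimum PIN length enforced in Enhanced PIN Security Mode


def extract_pin_paddigit(block: str, pad: str, enhanced: bool) -> str:
    """Return the PIN recovered from a clear block (hypothetical helper)."""
    block, pad = block.upper(), pad.upper()
    if len(block) != BLOCK_LEN or any(c not in HEX for c in block):
        raise ValueError("block must be 16 hex digits")
    if len(pad) != 1 or pad not in HEX:
        raise ValueError("pad must be a single hex digit")

    # Enhanced mode: the last position examined is the one after the 4th
    # PIN digit (index 4), so the first four digits are never compared
    # with the pad digit and the PIN cannot come out shorter than four.
    stop = MIN_PIN_LEN if enhanced else 0
    end = BLOCK_LEN
    while end > stop and block[end - 1] == pad:
        end -= 1
    pin = block[:end]

    # Enhanced mode checks only that the PIN digits are decimal.
    # The consistency checks of the normal mode are not modelled here.
    if enhanced and not pin.isdigit():
        raise ValueError("PIN contains a non-decimal digit")
    return pin


if __name__ == "__main__":
    # Constructed sample: PIN 1233 padded with the decimal pad digit 3.
    ambiguous = "1233333333333333"
    print(extract_pin_paddigit(ambiguous, "3", enhanced=False))  # scan runs on
    print(extract_pin_paddigit(ambiguous, "3", enhanced=True))   # stops at 4
    # Constructed sample: PIN 123456 padded with F.
    print(extract_pin_paddigit("123456FFFFFFFFFF", "F", enhanced=True))
```

The first sample shows why the stop position matters: when the pad digit is also a valid PIN digit, an unbounded scan consumes trailing PIN digits, while the enhanced-mode scan always returns at least four.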
If the ANSI X9.8 PIN - Use stored decimalization tables only (X'0356') access control point is enabled in the domain role, any decimalization table specified must match one of the active decimalization tables in the coprocessors.
When the Disallow PIN block format ISO-1 (X'032F') access control is enabled in the domain role, the PIN block format in the input_PIN_profile and reference_PIN_profile parameters is not allowed to be ISO-1.
The access control point ISO PIN blocks do not check PIN digits (X'0055') is enabled by default in the default role. This prevents CCA from performing any integrity checks on the PIN digits themselves, to comply with the PCI-HSMv4 and ISO 9564.1 standards.
No action is needed by users unless they do not need to comply with the PCI-HSMv4 and ISO 9564.1 standards. In that case, they can disable the X'0055' access control point to allow integrity checks directly on the PIN digits.