Encrypted PIN Translate (CSNBPTR)
Use the Encrypted PIN Translate verb to re-encipher a PIN block from one PIN-encrypting key to another and, optionally, to change the PIN block format, such as the pad digit or sequence number.
The unique-key-per-transaction key derivation for single and double-length keys is available for the Encrypted PIN Translate verb. This support is available for the input_PIN_encrypting_key_identifier and the output_PIN_encrypting_key_identifier parameters for both REFORMAT and TRANSLAT process rules. The rule_array keyword determines which PIN keys are derived keys.
The Encrypted PIN Translate verb can be used for unique-key-per-transaction key derivation.
For AES-DUKPT, the corresponding keywords are ADUKPTIP, ADUKPTOP, and ADUKPTBH. When keys are derived using the DES DUKPT algorithm, the PIN profile contains CKSN data. When keys are derived using the AES-DUKPT algorithm, the PIN profile contains the derivation data structure described in AES-DUKPT derivation data. CCA determines how to parse the PIN profile by inspecting the rule array keywords:
- When the DES DUKPT algorithm is used, the PIN profile contains the CKSN extension and the total length is 48 bytes.
- When the AES DUKPT algorithm is used, the PIN profile contains the Derived Data extension and the total length is 44 bytes, containing a single derived data block.
A user may wish to combine AES DUKPT and DES DUKPT so that the input and output PIN-encrypting keys are derived with different DUKPT algorithms, or to combine a DUKPT-derived key with a static key.
To use this verb, specify the following information:
- The mode of operation, with keyword TRANSLAT or REFORMAT.
- Optionally, the method of PIN extraction.
- Optionally, the DUKPT option on input or output, with keywords UKPTIPIN, UKPTOPIN, or UKPTBOTH for the Single-DES method, or DUKPT-IP, DUKPT-OP, or DUKPT-BH for the Triple-DES method.
- Optionally, AES DUKPT for the input PIN-encrypting key, the output PIN-encrypting key, or both, with keywords ADUKPTIP, ADUKPTOP, and ADUKPTBH.
- Input and output PIN-block encrypting keys, or the base keys used to derive the PIN-block enciphering keys.
- Input and output PIN profiles, which for DUKPT processing are extended to 48 bytes with a 24-byte current-key serial number (CKSN) extension. The first 24 bytes of the PIN profiles are ignored when keyword TRANSLAT is specified. See The PIN profile. When AES DUKPT keywords are specified, the input and output PIN profiles are instead extended with the derivation data structure, which is 20 bytes of hex data and contains the information necessary for AES-DUKPT derivation.
- Input and output PAN data as required by the selected PIN-block formats.
- An output PIN-block sequence number. Specify a value of 99999.