Encrypted PIN Translate2 (CSNBPTR2)

The Encrypted PIN Translate2 verb changes (translates) PIN-block encryption and optionally formats a PIN into a different PIN-block format (reformats). This verb can be used in an interchange-network application, or to change the PIN block to conform to the format and encryption key used in a PIN-verification database. This verb can also be used to perform derived unique key per transaction (DUKPT) PIN-block encryption (ANS X9.24) for both input and output PIN blocks.

This verb is a superset of the Encrypted PIN Translate (CSNBPTR) verb and deprecates CSNBPTR. In addition to providing all the function of CSNBPTR, it supports the AES encrypted ISO-4 PIN-block (as defined in ISO 9564-1) and authenticated PAN change support. Note that authenticated PAN change support only applies to ISO-4 to ISO-4 PIN-block format translations.

The derived unique-key-per-transaction (DUKPT) algorithm is available. Both DES-DUKPT (ANSI X9.24-1 2007) and AES-DUKPT (ANSI X9.24-3 2017) are supported. This support is available for the input_PIN_encrypting_key_identifier and the output_PIN_encrypting_key_identifier parameters for both the REFORMAT and TRANSLAT process rules. The rule_array keyword determines which PIN key or PIN keys are derived keys.

These PIN-block formats are supported:

  • IBM® 3624
  • ISO-0 (same as ANS X9.8, VISA-1, and ECI-1)
  • ISO-1 (same as ECI-4)
  • ISO-2
  • ISO-3
  • ISO-4 (not supported by Encrypted PIN Translate)

The verb operates in one of two modes, either translate or reformat:

  • In translate mode, the verb decrypts a PIN block using the input key, or a key that is derived from other information provided. The cleartext information is then encrypted using the output key, or a key that is derived from other information provided. The cleartext is not examined.
  • In reformat mode, the verb performs the translate-mode functions and, in addition, processes the cleartext information. Following the rules specified in the rule array, the PIN is recovered from the input cleartext PIN-block and formatted into an output PIN-block for encryption.

ANSI X9.8 defines PIN rules that affect how PIN blocks can be reformatted. To have this verb enforce the PIN rules defined by ANSI X9.8, enable the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350') or the more restrictive ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352') in the active role. If both of these commands are enabled, the more restrictive offset X'0352' overrides X'0350'. For more details on these commands see Required commands.

Table 3 provides a matrix of allowed and not allowed reformatting between PIN-block formats when ANSI X9.8 PIN rules are being enforced (that is, offset X'0350', X'0352', or both are enabled in the active role), as well as any exceptions.

The verb performs an authenticated PAN change when (1) PAN-CHG is specified in the rule array, (2) the Encrypted PIN Translate2 - Permit ISO-4 Reformat w/ PAN Chg command (offset X'038B') is enabled in the active role, and (3) the input and output PIN-block formats are both ISO-4.

If all three conditions are true, the authentication_data parameter must identify a length-value structure that includes a NIST SP 800-38B CMAC. This CMAC along with the AES MAC key identified by the authentication_key_identifier parameter are used to verify if the PAN change request is allowed. If the CMAC verification is successful, the PAN change request is allowed. Otherwise, it is not allowed.

Note:
  1. This verb supports PCI-HSM 2016 compliant-tagged key tokens.
  2. When running with host warning mode enabled, commands that can be performed by the CSNBPTR service (legacy commands that CSNBPTR and CSNBPTR2 have in common) are reported in the warning mode logs under the CSNBPTR verb identifier.
  3. With the Encrypted PIN Translate2 - Permit ISO-4 Reformat w/ PAN Chg command (offset X'038B') enabled in the active role, all PAN change requests must be authenticated. Support for authenticated PAN changes is only available when the input and output PIN-block formats are both ISO-4.
  4. When both PIN blocks have a PAN, if only one is an ISO-4 PIN-block (for example, ISO-0 to ISO-4 or ISO-4 to ISO-3) and the 12 rightmost digits of the PANs are equal (which excludes the ISO-4 check digit), the Encrypted PIN Translate2 - Permit ISO-4 Reformat w/ PAN Chg command (offset X'038B') does not prevent a reformat and the reformat is allowed, provided that the reformat is otherwise authorized.
  5. Beginning with Release 5.5, the key used to verify the CMAC must have key usage PTR2AUTH when the Encrypted PIN Translate2 - Permit ISO-4 to ISO-4 PTR2AUTH command (offset X'0395') is enabled in the active role.
  6. When reformatting from an ISO-4 PIN block to a non-ISO-4 PIN block, or from a non-ISO-4 PIN block to an ISO-4 PIN block, the equivalence of the PANs must be determined so that the proper authorization can be evaluated. The test involves comparing the rightmost 12 digits of the ISO-4 PAN excluding the check digit with the rightmost 12 digits of the non-ISO-4 PAN excluding the check digit. If these values are equal, the equivalence test passes. Table 1 shows an example of how the comparison is done when you are reformatting from an ISO-4 PIN block to an ISO-0 PIN block and vice versa, where the rightmost 12 digits match.
    Table 1. Sample PAN comparison when reformatting between ISO-4 and non-ISO-4 PIN blocks

    Reformat from ISO-4 to ISO-0, or from ISO-0 to ISO-4. Example PAN = 546623467890456387, check digit = 0 (digit position 1).

    Digit position              19 18 17 16 15 14 13 12 11 10  9  8  7  6  5  4  3  2  1
    ISO-0 output/input PAN data                    4  6  7  8  9  0  4  5  6  3  8  7
    ISO-4 input/output PAN data  5  4  6  6  2  3  4  6  7  8  9  0  4  5  6  3  8  7  0
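The equivalence test of Note 6 and the PAN-change gating of Notes 3 and 4, as an added example that is not IBM's code and not the verb's own control flow. The PAN values are constructed from Table 1 (18-digit PAN 546623467890456387 with check digit 0); the function and parameter names are this example's own. `pan_change_disposition` is a simplified model of the notes above (PAN-CHG keyword and offset X'038B' are modelled as booleans), written to show which requests need the CMAC in authentication_data and which cannot be honoured at all.

```python
# Added example (not IBM's code): PAN equivalence test for cross-format reformats
# and a simplified model of the PAN-change rules described in the notes.

ISO4_PAN = "5466234678904563870"   # constructed: full PAN including the trailing check digit (Table 1)
ISO0_PAN_DATA = "467890456387"     # constructed: 12 rightmost digits, check digit excluded (Table 1)


def comparison_digits(pan_with_check_digit: str) -> str:
    """Return the 12 rightmost PAN digits, excluding the trailing check digit.

    This is the PAN field an ISO-0/ISO-3 PIN block carries, and the value compared
    on both sides of the cross-format equivalence test of Note 6.
    """
    if not pan_with_check_digit.isdigit():
        raise ValueError("PAN must be decimal digits")
    if len(pan_with_check_digit) < 13:
        # The page only shows PANs of at least 12 digits plus a check digit.
        raise ValueError("need at least 12 PAN digits plus a check digit")
    return pan_with_check_digit[:-1][-12:]


def pans_equivalent(iso4_pan: str, non_iso4_pan_data: str) -> bool:
    """Equivalence test of Note 6: rightmost 12 digits (check digit excluded) must match."""
    if len(non_iso4_pan_data) != 12 or not non_iso4_pan_data.isdigit():
        raise ValueError("non-ISO-4 PAN data is the 12-digit PAN field of the PIN block")
    return comparison_digits(iso4_pan) == non_iso4_pan_data


def pan_change_disposition(in_fmt: str, out_fmt: str, in_pan: str, out_pan: str,
                           pan_chg: bool = False, offset_038b_enabled: bool = True) -> str:
    """Hypothetical model of Notes 3 and 4 (not the verb's actual logic).

    in_pan/out_pan are the digits being compared: 12-digit comparison values for
    cross-format reformats, or full PANs when both formats are ISO-4.
    """
    both_iso4 = in_fmt == "ISO-4" and out_fmt == "ISO-4"
    if in_pan == out_pan:
        # Same PAN on both sides: no PAN change, so X'038B' does not block the reformat.
        return "no PAN change: reformat allowed if otherwise authorized"
    if both_iso4 and pan_chg and offset_038b_enabled:
        # Authenticated PAN change: the CMAC in authentication_data must verify.
        return "authenticated PAN change: CMAC in authentication_data must verify"
    # Note 3: PAN changes are only supported for ISO-4 to ISO-4 and must be authenticated.
    return "PAN change not allowed"


if __name__ == "__main__":
    print(comparison_digits(ISO4_PAN))                         # 467890456387
    print(pans_equivalent(ISO4_PAN, ISO0_PAN_DATA))            # True
    print(pan_change_disposition("ISO-4", "ISO-0",
                                 comparison_digits(ISO4_PAN), ISO0_PAN_DATA))
    print(pan_change_disposition("ISO-4", "ISO-4", ISO4_PAN,
                                 "4111111111111111", pan_chg=True))
```

The check digit is dropped before the 12-digit window is taken, which is why position 1 of the ISO-4 row in Table 1 never takes part in the comparison.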

When the verb needs to perform an authenticated PAN change, the authentication_data variable must contain a length-value structure that includes the NIST SP 800-38B CMAC to be verified, and the authentication_key_identifier parameter must identify the key to use to verify the CMAC. The CMAC is generated or verified using the following message:

Message = Old PAN ∥ New PAN ∥ Optional additional authentication data

The MAC Generate2 verb can be used to generate the CMAC.

When the PAN format rule is PANAUTAS, the PAN data must be ASCII character data.

Authentication value = CMAC( (Old PAN) || (New PAN) || (Optional additional authentication data) )

When the PAN format rule is PANAUTI4, the PAN data is formatted according to ISO 9564-1 PAN format.

Authentication value = CMAC( (Old PAN) ISO 9564 FMT || (New PAN) ISO 9564 FMT || (Optional additional authentication data) )

Table 2 shows the format of an ISO 9564-1 plaintext PAN field.

Table 2. ISO 9564-1 plaintext PAN field format

First 8 bytes of the 16-byte ISO 9564-1 plaintext PAN field
  Bits     01 – 08   09 – 16   17 – 24   25 – 32   33 – 40   41 – 48   49 – 56   57 – 64
  Nibbles  M A       A A       A A       A A       A A       A A       A A/0     A/0 A/0

Second 8 bytes of the 16-byte ISO 9564-1 plaintext PAN field
  Bits     65 – 72   73 – 80   81 – 88   89 – 96   97 – 104  105 – 112  113 – 120  121 – 128
  Nibbles  A/0 A/0   A/0 A/0   0 0       0 0       0 0       0 0        0 0        0 0

where:
  M
    PAN length, a 4-bit field with permissible values X'0' – X'7' that indicates a PAN length of 12 plus the value of the field (ranging from 12 – 19). If the PAN is less than 12 digits, the digits are right justified and padded to the left with binary zeros, and M is set to X'0'.
  A
    PAN digit, a 4-bit field with permissible values of X'0' – X'9'.
  0
    Pad digit, a 4-bit field with the only permissible value of X'0'.
  A/0
    PAN/Pad digit, where the designation of these fields is determined by the PAN length field, M.
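Building the 16-byte ISO 9564-1 plaintext PAN field of Table 2, and the message over which the authentication CMAC is computed for the PANAUTAS and PANAUTI4 PAN format rules, as an added example that is not IBM's code. The PAN values are constructed samples and the function names are this example's own; the CMAC itself is left to the MAC Generate2 verb (or any AES-CMAC implementation), so the functions return only the message bytes that are MACed.

```python
# Added example (not IBM's code): ISO 9564-1 plaintext PAN field encoding (Table 2)
# and the CMAC input message for the PANAUTAS and PANAUTI4 PAN format rules.


def iso9564_pan_field(pan: str) -> bytes:
    """Encode a PAN (check digit included, 1 to 19 digits) as the 16-byte ISO 9564-1 PAN field.

    Nibble 0 is M = PAN length minus 12 (X'0' to X'7'); the PAN digits follow and every
    remaining nibble is an X'0' pad digit. A PAN shorter than 12 digits is right-justified
    in the first 12 digit positions, left-padded with zeros, and M is X'0'.
    """
    if not pan.isdigit() or not 1 <= len(pan) <= 19:
        raise ValueError("PAN must be 1 to 19 decimal digits")
    if len(pan) < 12:
        length_nibble, digits = 0, pan.rjust(12, "0")
    else:
        length_nibble, digits = len(pan) - 12, pan
    nibbles = f"{length_nibble:X}{digits}".ljust(32, "0")   # 32 nibbles = 16 bytes
    return bytes.fromhex(nibbles)


def decode_iso9564_pan_field(field: bytes) -> str:
    """Recover the PAN digits from a 16-byte ISO 9564-1 PAN field using the M nibble.

    A PAN that was shorter than 12 digits comes back zero-padded to 12, because M = X'0'
    cannot distinguish it from a genuine 12-digit PAN.
    """
    if len(field) != 16:
        raise ValueError("ISO 9564-1 PAN field is 16 bytes")
    nibbles = field.hex().upper()
    pan_len_minus_12 = int(nibbles[0], 16)
    if pan_len_minus_12 > 7:
        raise ValueError("M must be X'0' to X'7'")
    return nibbles[1:1 + 12 + pan_len_minus_12]


def panautas_message(old_pan: str, new_pan: str, extra: bytes = b"") -> bytes:
    """PANAUTAS: Old PAN || New PAN || optional additional data, PANs as ASCII characters."""
    return old_pan.encode("ascii") + new_pan.encode("ascii") + extra


def panauti4_message(old_pan: str, new_pan: str, extra: bytes = b"") -> bytes:
    """PANAUTI4: Old PAN || New PAN || optional additional data, PANs in ISO 9564-1 field format."""
    return iso9564_pan_field(old_pan) + iso9564_pan_field(new_pan) + extra


if __name__ == "__main__":
    # Constructed sample PANs: the Table 1 PAN with check digit, and a 16-digit test PAN.
    old, new = "5466234678904563870", "4111111111111111"
    print(iso9564_pan_field(old).hex().upper())   # 75466234678904563870000000000000
    print(iso9564_pan_field(new).hex().upper())   # 44111111111111111000000000000000
    print(panautas_message(old, new).hex())
    print(panauti4_message(old, new).hex())
```

With PANAUTI4 the two PAN fields are fixed at 16 bytes each, so the CMAC input is 32 bytes plus any additional authentication data; with PANAUTAS the PAN lengths are carried implicitly by the ASCII strings.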
Table 3 shows the supported PIN-block format translations along with the algorithm, key type, and required key usage attributes of each key for this verb based on the combination of input and output PIN-block formats and whether the authenticated PAN-change option is allowed.
Note: PIN-block format ISO-1 is not allowed when Disallow ISO-1 PIN Format Usage command (offset X'032F') is enabled in the active role.
Note on DUKPT in Table 3: An AES input or output key can only specify AES-DUKPT methods. AES-DUKPT can derive both DES and AES keys, whereas DES-DUKPT can derive only DES keys.
Table 3. Supported PIN-block format translations for CSNBPTR2

Input ISO-0, output ISO-4 (authenticated PAN-change option allowed: No)
  Input key: DES IPINENC with REFORMAT
  Output key: AES PINPROT with ENCRYPT, REFORMAT, and ISO-4
  Authentication key: N/A

Input ISO-1, output ISO-4 (authenticated PAN-change option allowed: No)
  Input key: DES IPINENC with REFORMAT
  Output key: AES PINPROT with ENCRYPT, REFORMAT, and ISO-4, without RFMT1TO4; or
              AES PINPROT with ENCRYPT, REFORMAT, and ISO-4, with RFMT1TO4
  Authentication key: N/A

Input ISO-4, output ISO-0 (authenticated PAN-change option allowed: No)
  Input key: AES PINPROT with DECRYPT, REFORMAT, and ISO-4
  Output key: DES OPINENC with REFORMAT
  Authentication key: N/A

Input ISO-4, output ISO-1 (authenticated PAN-change option allowed: No)
  Input key: AES PINPROT with DECRYPT, REFORMAT, and ISO-4, without RFMT4TO1; or
             AES PINPROT with DECRYPT, REFORMAT, and ISO-4, with RFMT4TO1 (Release 5.5 or later)
  Output key: DES OPINENC with REFORMAT
  Authentication key: N/A

Input ISO-4, output ISO-4 (authenticated PAN-change option allowed: No)
  Input key: AES PINPROT with DECRYPT, PINXLATE, and ISO-4
  Output key: AES PINPROT with ENCRYPT, PINXLATE, and ISO-4
  Authentication key: N/A

Input ISO-4, output ISO-4 (authenticated PAN-change option allowed: Yes)
  Input key: AES PINPROT with DECRYPT, REFORMAT, and ISO-4
  Output key: AES PINPROT with ENCRYPT, REFORMAT, and ISO-4
  Authentication key: AES MAC with VERIFY and CMAC. In addition, if offset X'0395' is enabled in the active role, the key must include PTR2AUTH usage.
Each supported PIN-block format translation requires its own access-control command to be enabled in the active role. These commands are shown in Table 2.