Encrypted PIN Verify (CSNBPVR)

Edit online

Use the Encrypted PIN Verify verb to verify that one of the customer selected trial PINs is valid.

Use the Encrypted PIN Verify verb to extract a trial PIN (T-PIN) from an encrypted PIN-block and verify this value by comparing it to an account PIN (A-PIN) calculated by using the specified PIN-calculation method. Certain PIN calculation methods modify the value of the A-PIN with the clear offset (O-PIN) value prior to the comparison. The verb also supports derived unique key per transaction (DUKPT) PIN-block encryption (ANS X9.24) for decrypting the input PIN-block.

The following PIN block formats are supported:

  • IBM 3624
  • ISO-0 (same as ANS X9.8, VISA-1, and ECI-1)
  • ISO-1 (same as ECI-4)
  • ISO-2
  • ISO-3
  • ISO-4

To use this verb, specify:

  • Processing choices using rule-array keywords:
    • A PIN-calculation method.
    • Optionally, a PIN-extraction method.
    • Optionally, derived unique key per transaction (DUKPT) processing with the UKPTIPIN keyword for the single-DES method or DUKPT-IP keyword for the triple-DES method.
  • An input PIN-block decrypting key, or the base key used to derive the PIN-block enciphering key.
  • A PIN-verifying key to be used to calculate the PIN.
  • A PIN profile for the input PIN-block, which for DUKPT processing must be extended from 24 bytes to 48 bytes with the current-key serial number (CKSN) extension. See The PIN profile.
  • When using the ISO-0, ISO-3, or ISO-4 PIN-block format, a PAN to be used in extracting the PIN. See Primary account number.
  • The PIN block that contains the PIN to be verified.
  • The length of the PIN to be checked if you specify the IBM-PIN or the IBM-PINO PIN calculation methods in the rule array.
  • In the data array: a decimalization table, account validation data, and for certain PIN calculation methods, an offset value.

The verb does the following:

  • For a DES PIN encrypting key: Decrypts the input PIN-block by using the supplied IPINENC key in ECB mode, or derives the decryption key using the specified KEYGENKY key and CKSN and uses ANS X9.24-specified special decryption or Triple-DES method. The EPINVER bit must be valued to B'1' in the IPINENC control vector, or the UKPT bit must be valued to B'1' in the KEYGENKY control vector.
  • For an AES PIN encrypting key: Decrypts the input ISO-4 PIN format block by using the supplied AES PIN_encrypting_key_identifier, or derives the decryption key using the specified AES-DUKPT derivation key and CKSN. The AES key must have key type of PINPROT. In addition, the key usage fields must indicate that the key can be used for decryption (DECRYPT), the encryption mode must be Cipher Block Chaining (CBC), common usage control must be NOFLDFMT, PIN block format usage must be ISO-4, and PIN function usage EPINVER must be enabled.
  • Extracts the trial PIN (T-PIN) from the specified PIN-block format using the method specified by default or by a rule array keyword. If required by the PIN-block format, PAN data or the pad digit is used in the extraction process. For ISO-4, the extraction step is part of the decryption step.
  • Verifies use of a PINVER or PINGEN key type having the EPINVER bit valued to B'1' in the control vector of the PIN-verifying key • Calculates the account-number-based PIN (A-PIN).For methods that employ an offset, modify the A-PIN value with the offset (O-PIN) value entered in the third element of the data_array variable. The NOOFFSET bit must be valued to zero in the control vector of the PIN-verifying key when employing the IBM 3624 PIN-offset calculation method.
  • Compares the extracted trial (T-PIN) with the possibly modified account PIN (A-PIN) and reports the results in the return_code variable. Return code 4 indicates a verification failure, while return code 0 indicates success.
Use this verb to verify that one of the following PINs is valid:
  • IBM® 3624 (IBM-PIN)
  • IBM 3624 PIN offset (IBM-PINO)
  • IBM German Bank Pool (GBP-PIN)
  • VISA PIN validation value (VISA-PVV)
  • VISA PIN validation value (VISAPVV4)
  • Interbank PIN (INBK-PIN)

The derived unique-key-per-transaction (DUKPT) algorithm is available. Both DES-DUKPT (ANSI x9.24-1 2007) and AES-DUKPT (ANSI x9.24-3 2017) are supported. This support is available for the input_PIN_encrypting_key_identifier parameter.

The unique-key-par-transaction key derivation for single and double-length keys is available for the input_PIN_encrypting_key_identifier parameter.

Note: This verb supports PCI-HSM 2016 compliant-tagged key tokens.

This verb does not need to document any Usage notes.