Required commands
The required commands for CSNBPFO.
This verb requires the Recover PIN From Offset command (offset X'02B0') to be enabled in the active role.
When the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350') is enabled in the active role, only a PIN-block format keyword of ISO-0 or ISO-3 is allowed in the input PIN_profile parameter. Note that offset X'0350' also affects access control of the Encrypted PIN Translate and the Secure Messaging for PINs verbs.
When the ANSI X9.8 PIN - Use stored decimalization tables only command (offset X'0356') is enabled in the active role, the Decimalization_table element of the data_array value must match one of the PIN decimalization tables that are in the active state on the coprocessor. Use of this command provides improved security and control for PIN decimalization tables.
An enhanced PIN security mode is available for formatting an encrypted PIN-block into IBM 3624 format. This mode limits checking of the PIN to decimal digits; no other PIN-block consistency checking will occur. To activate this mode, enable the Enhanced PIN Security command (offset X'0313') in the active role.
When the Disallow translation from DES wrapping to weaker DES wrapping access control point (offset X'01C7') is enabled in the domain role, this service will fail if the PIN_encryption_key_identifier is stronger than the PIN_generation_key_identifier.
When the Disallow PIN block format ISO-1 access control (offset X'032F') is enabled in the domain role, the PIN block format in the PIN_profile parameter is not allowed to be ISO-1.
In releases before Release 5.4 and Release 6.2, triple-length TDES keys are not supported, thus limiting an outbound TDES key to double length. Beginning with Release 5.4, Triple-length TDES keys are supported, and an outbound TDES key can be double-length or triple-length. This makes it possible for data that is encrypted using a triple-length key to be translated to data encrypted using a weaker double-length key. Such a translation reduces the security of the data and causes a security exposure, and CCA normally restricts such a translation from occurring. To override this restriction, the Cipher Text Translate2 - Allow translate to weaker DES command (offset X’01C3’) must be enabled in the active role.