DK PRW Card Number Update2 (CSNBDCU2)

Use the DK PRW Card Number Update2 verb to update a PIN reference value or word (PRW) with updated time-sensitive card data (and a newly generated random number) without changing the customer PIN, primary account number, or permanent card data. The updated PIN reference value and associated PRW random number are returned for later use by other PIN processes for PIN verification.

In addition to updating a PRW, the verb can optionally use the specified outbound PIN encryption key to return a new encrypted PIN block (EPB) together with a new PIN block MAC that can be used to validate the PIN block, a new chip-encrypted PIN block with the specified outbound PIN chip-encryption key, or both.

Finally, the verb can optionally test the clear PAN recovered from the input encrypted PIN block by comparing it to the clear PAN provided as input, and report the result in the return_code variable.

Note: This verb deprecates the DK PRW Card Number Update verb.

The CSNBDCU2 verb performs the following tasks:

  • It verifies the integrity and authenticity of the input PIN by comparing the MAC in the PIN_block_MAC variable to the one calculated over the concatenation of the input encrypted PIN block and permanent card data. The MAC is calculated using CMAC, a block cipher-based MAC algorithm defined by NIST SP 800-38B, and the inbound encrypted PIN block MAC key.
  • It recovers the PBF-1 PIN block from the encrypted_PIN_block variable using AES decryption in CBC mode and the inbound PIN encryption key. Then it checks the consistency of the PIN block, including the PIN length, PIN digits, and PAN digits.
  • It generates a 4-byte random number and uses the CMAC algorithm with the PRW key to calculate a PIN reference value based on the random number, the updated time-sensitive data in the card_t_data variable, the unchanged permanent data in the card_p_data variable, and data from the recovered PIN block. The calculated value and the random number are returned in the new_PIN_reference_value and PRW_random_number variables.
  • If EPB is specified in the rule array:
    1. CSNBDCU2 encrypts the recovered PBF-1 PIN block using AES encryption in CBC mode and the outbound PIN encryption key, and returns the result in the new_encrypted_PIN_block variable.
    2. CSNBDCU2 calculates the MAC over the concatenation of the new encrypted PIN block and card_p_data variable using CMAC and the outbound EPB MAC key, and returns the 8 leftmost, high-order bytes of the result in the new_PIN_block_MAC variable.
    This information can be stored for later use in other processes for validation of the PIN and personalizing smart (chip) cards.
  • If CHIP-EPB is specified in the rule array, CSNBDCU2 encrypts the recovered PIN block in PBF-1 format using AES encryption in CBC mode and the outbound PIN chip encryption key. This encrypted PIN block can be stored for later use in other processes to personalize smart (chip) cards.
  • If PANTST is specified in the rule array, CSNBDCU2 tests the equality of the clear PAN recovered from the encrypted_PIN_block and the clear PAN provided by the PAN_data variable. The verb reports the result in the return_code variable. Return code 4 indicates that the clear PAN values are not equal, while return code 0 indicates that they are equal (success).
Note: This verb supports PCI-HSM 2016 compliant-tagged key tokens.
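
The PIN block MAC handling described in the list above, modeled in software as an added example (not IBM's code and not part of the original page): CMAC-AES over the encrypted PIN block concatenated with the permanent card data, truncated to the 8 leftmost bytes, then checked against altered inputs. Assumptions: the third-party Python `cryptography` package, a clear AES-128 key (inside CCA the keys never leave the HSM), the same 8-byte form for the inbound PIN_block_MAC, and hypothetical function names and constructed sample values throughout.

```python
import hmac

from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.cmac import CMAC

MAC_LEN = 8  # leftmost bytes kept, as the page states for new_PIN_block_MAC


def epb_mac(mac_key: bytes, epb: bytes, card_p_data: bytes) -> bytes:
    """CMAC-AES (NIST SP 800-38B) over EPB || card_p_data, leftmost 8 bytes."""
    mac = CMAC(algorithms.AES(mac_key))
    mac.update(epb + card_p_data)
    return mac.finalize()[:MAC_LEN]


def check_epb_mac(mac_key: bytes, epb: bytes, card_p_data: bytes,
                  pin_block_mac: bytes) -> bool:
    """Recompute the MAC and compare it with the supplied one in constant time."""
    return hmac.compare_digest(epb_mac(mac_key, epb, card_p_data), pin_block_mac)


def demo() -> dict:
    # All values below are constructed for this example; none is real card data.
    mac_key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # assumed AES-128 key
    epb = bytes.fromhex("5a" * 16)        # stand-in for one encrypted PIN block
    card_a = b"PERMANENT-DATA-CARD-A"     # stand-in for card_p_data
    card_b = b"PERMANENT-DATA-CARD-B"
    mac_a = epb_mac(mac_key, epb, card_a)
    flipped = bytes([epb[0] ^ 0x01]) + epb[1:]
    return {
        "genuine": check_epb_mac(mac_key, epb, card_a, mac_a),
        # Same EPB and MAC presented with another card's permanent data.
        "moved_to_other_card": check_epb_mac(mac_key, epb, card_b, mac_a),
        # One bit changed in the encrypted PIN block.
        "epb_bit_flipped": check_epb_mac(mac_key, flipped, card_a, mac_a),
        # MAC recomputed under a different key.
        "wrong_key": check_epb_mac(bytes(16), epb, card_a, mac_a),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22} accepted={accepted}")
```

Only the genuine record is accepted: because the MAC covers the permanent card data as well as the encrypted PIN block, a block stored against the wrong card record fails the check before any decryption takes place.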

There are no restrictions or usage notes documented for this verb.