Required commands

The required commands for CSNBDPV.

The DK PIN Verify verb requires the DK PIN Verify command (offset X'02C1') to be enabled in the active role.

When the Disallow PIN block format ISO-1 access control is enabled in the domain role, the PIN block format rule array keyword ISO-1 is not allowed.

When the General ISO PIN Error Security access control (X'039F') is enabled, the return code is a general PIN block error (return code 8 reason code 2514) instead of some other existing specific PIN block error reason codes. The use of a general return code can prevent the abuse of PIN processing error messages due to information leakage derived from the return code reason codes returned under various conditions. For more details, see PIN block error processing mode.

The access control point ISO PIN blocks do not check PIN digits (X’0055’) is enabled by default in the default role. This prevents CCA from performing any integrity checks on the PIN digits themselves, to comply with the PCI-HSMv4 and ISO 9564.1 standards.

No action is needed by the users, unless they do not need to comply with the PCI-HSMv4 and ISO 9564.1 standards. In this case, they can disable the X’0055’ access control point to allow integrity checks directly on the PIN digits.