FPE Translate (CSNBFPET)

The FPE Translate verb is used to translate payment data from encryption under one key to encryption under another key with a possibly different format.

You should avoid having plaintext payment data in your environment. Translations can be performed with data that has been encrypted using the standard encryption option or with data that has been encrypted using the VFPE option. However, the target translation uses double length static TDES keys and the standard encryption option.

This service can be used to translate one or all of the following fields:

  • the primary account number (PAN),
  • the cardholder name,
  • the track 1 discretionary data,
  • or the track 2 discretionary data.

The following translation options are supported:

  1. Translate standard option with CBC mode TDES and DUKPT keys.
  2. Translate VFPE option with VFPE mode TDES andDUKPT keys.
  3. Translate standard option with CBC mode TDES and static TDES keys.

To use this service, you must specify the following:

  • the processing method, which is limited to Visa Data Secure Platform (VDSP)
  • the key management method, either STATIC or DUKPT
  • the algorithm, which is limited to TDES
  • the mode, either CBC or Visa Format Preserving Encryption (VFPE) for the inbound data
  • the ciphertext to be translated
  • the character set of each field to be translated using rule-array keywords
  • The base derivation key and either the key serial number for DES-DUKPT or the AES-DUKPT derivation data for AES-DUKPT, or a double-length TDES key if STATIC key management is used.
  • the double length static TDES key used to re-encrypt the data
  • Optionally, a check digit compliance indicator if VFPE is specified.

The service returns the translated fields and optionally, the DUKPT PIN encryption key, if the DUKPT key management is selected and the PINKEY rule is specified.

Note: This verb supports PCI-HSM 2016 compliant-tagged key tokens.

This verb does not need to document any Usage notes.