Impact of the PCI-HSM 2016 compliance mode on the callable verbs

When compliant-tagged key tokens are used, the request is processed according to the compliance mode in effect. Only a subset of callable services supports compliant-tagged key tokens. Any attempt to use a compliant-tagged key token in a cryptographic operation within a service that does not accept compliant-tagged key tokens results in a failure.

Table 1 shows a list of callable services (verbs) that are not compliant with PCI-HSM 2016 compliance mode.

Table 1. Callable services not compliant with PCI-HSM 2016
Verb Service name
  • Possible compliance alternatives
CSNBCKC CVV Key Combine
  • Create double-length keys instead of single-length keys. This eliminates a need for the service.
  Note: Though this service does not accept or create compliant-tagged key tokens, the key tokens that are created by this service can be converted to compliant-tagged key tokens.
CSNBCKI Clear Key Import
  • Use the TKE workstation to create a compliant-tagged key token from key parts.
  • Use the Key Generate (CSNBKGN) callable service to create a compliant-tagged key token with a random key value.
CSNBCKM Multiple Clear Key Import
  • Use the TKE workstation to create a compliant-tagged key token from key parts.
  • Use the Key Generate (CSNBKGN) callable service to create a compliant-tagged key token with a random key value.
CSNBCVE Cryptographic Variable Encipher
  • Create double-length keys instead of single-length keys. This eliminates a need for the service.
CSNBCVT Control Vector Translate
  • Recreate the source key token with the wanted control vector.
  • Wrap the source key such that the wanted attributes are bound to the key. You can use the Key Import/Key Export (CSNBKIM/CSNBKEX) or TR31 Key Import/TR31 Translate (CSNBT31I/CSNBT31X) verbs.
CSNBDKM Data Key Import
  • DATA keys are not compliant. Create compliant-tagged CIPHER or MAC keys that can be imported by using the Key Import (CSNBKIM) or TR31 Key Import (CSNBT31I) callable services.
CSNBDKX Data Key Export
  • DATA keys are not compliant. Create compliant-tagged CIPHER or MAC keys that can be exported by using the Key Export (CSNBKEX) or TR31 Translate (CSNBT31X) callable services.
CSNBKPI Key Part Import
  • Use the TKE workstation to create a compliant-tagged key token from key parts.
CSNBKPI2 Key Part Import2
  • Use the TKE workstation to create a compliant-tagged key token from key parts.
CSNBSKY Secure Messaging for Keys
  • None.
CSNDPKX PKA Public Key Extract
  • Use the CSNDPIC service to create a certificate signing request from a compliant-tagged private key token. Create a certificate from the CSR and use that in place of a public key token.
CSNDRKX Remote Key Export
  • Use the TR34 and TR31 set of services to exchange compliant-tagged keys with a remote device.
CSNDSXD Symmetric Key Export with Data
  • You can use the TR31 Translate (CSNBT31X) to export a compliant-tagged symmetric key token with data.
CSNDTBC Trusted Block Create
  • Use the TR34 and TR31 set of services to exchange compliant-tagged keys with a remote device.

Table 2 shows a list of services that are compliant with PCI-HSM 2016 and accept key tokens that could become compliant-tagged, but that do not support compliant-tagged key tokens.

Table 2. Callable services that do not support compliant-tagged key tokens
Verb Service name
CSNDEDH EC Diffie-Hellman

Table 3 shows the list of services that support compliant-tagged key tokens when running in PCI-HSM 2016 compliance mode.

Table 3. Callable services that support compliant-tagged key tokens in cryptographic operations
Verb Service name
CSNBAPG Authentication Parameter Generate
CSNBCPA Clear PIN Generate Alternate
CSNBCPE Clear PIN Encrypt
CSNBCSG CVV Generate
CSNBCSV CVV Verify
CSNBCTT2 Cipher Text Translate2
CSNBDDPG DK Deterministic Generate
CSNBDEC Decipher
CSNBDKG Diversified Key Generate
CSNBENC Encipher
CSNBEPG Encrypted PIN Generate
CSNBFPED FPE Decipher
CSNBFPEE FPE Encipher
CSNBFPET FPE Translate
CSNBKEX Key Export
CSNBKGN Key Generate
CSNBKIM Key Import
CSNBKTR Key Translate
CSNBKTR2 Key Translate2
CSNBKYT Key Test
CSNBKYTX Key Test Extended
CSNBKYT2 Key Test2
CSNBMGN MAC Generate
CSNBMGN2 MAC Generate2
CSNBMMS Multi-MAC Scheme
CSNBMVR MAC Verify
CSNBPCU PIN Change/Unblock
CSNBPEX Prohibit Export
CSNBPEXX Prohibit Export Extended
CSNBPFO Recover PIN from Offset
CSNBPGN Clear PIN Generate
CSNBPTR Encrypted PIN Translate
CSNBPTRE Encrypted PIN Translate Enhanced
CSNBPVR Encrypted PIN Verify
CSNBRKA Restrict Key Attribute
CSNBSPN Secure Messaging for PINs
CSNBT31I TR31 Key Import
CSNBT31X TR31 Translate
CSNBT31C TR31 Key Create
CSNBTRV Transaction Validation
CSNBUKD Unique Key Derive
CSNBDMP DK Migrate PIN
CSNBDPC DK PIN Change
CSNBDPCG DK PRW CMAC Generate
CSNBDPMT DK PAN Modify in Transaction
CSNBDPNU DK PRW Card Number Update
CSNBDPT DK PAN Translate
CSNBDPV DK PIN Verify
CSNBDRP DK Regenerate PRW
CSNBDRPG DK Random PIN Generate
CSNDSYX Symmetric Key Export
CSNDSYG Symmetric Key Generate
CSNDSYI Symmetric Key Import
CSNDSYI2 Symmetric Key Import2
CSNBDCU2 DK PRW Card Number Update2
CSNBDDK Diversify Directed Key
CSNBDKG2 Diversified Key Generate2
CSNBDRG2 DK Random PIN Generate2
CSNBKGN2 Key Generate2
CSNBMVR2 MAC Verify2
CSNBPTR2 Encrypted PIN Translate2
CSNBSAD Symmetric Algorithm Decipher
CSNBSAE Symmetric Algorithm Encipher
CSNDDSG Digital Signature Generate
CSNDDSV Digital Signature Verify
CSNDPIC Public Infrastructure Certificate
CSNDPKD PKA Decrypt
CSNDPKE PKA Encrypt
CSNDPKG PKA Key Generate
CSNDPKI PKA Key Import
CSNDPKT PKA Key Translate
CSNDT34B TR-34 Bind-Begin
CSNDT34D TR-34 Key Distribution
CSNDT34R TR-34 Key Receive