Impact of the PCI-HSM 2016 compliance mode on the callable verbs
When compliant-tagged key tokens are used, the request is processed according to the compliance mode in effect. Only a subset of callable services supports compliant-tagged key tokens. Any attempt to use a compliant-tagged key token in a cryptographic operation within a service that does not accept compliant-tagged key tokens results in a failure.
Table 1 shows a list of callable services (verbs) that are not compliant with PCI-HSM 2016 compliance mode.
| Verb | Service name | Possible compliance alternatives |
|---|---|---|
| CSNBCKC | CVV Key Combine | Create double-length keys instead of single-length keys. This eliminates a need for the service. Note: Though this service does not accept or create compliant-tagged key tokens, the key tokens that are created by this service can be converted to compliant-tagged key tokens. |
| CSNBCKI | Clear Key Import | |
| CSNBCKM | Multiple Clear Key Import | |
| CSNBCVE | Cryptographic Variable Encipher | Create double-length keys instead of single-length keys. This eliminates a need for the service. |
| CSNBCVT | Control Vector Translate | |
| CSNBDKM | Data Key Import | DATA keys are not compliant. Create compliant-tagged CIPHER or MAC keys that can be imported by using the Key Import (CSNBKIM) or TR31 Key Import (CSNBT31I) callable services. |
| CSNBDKX | Data Key Export | DATA keys are not compliant. Create compliant-tagged CIPHER or MAC keys that can be exported by using the Key Export (CSNBKEX) or TR31 Translate (CSNBT31X) callable services. |
| CSNBKPI | Key Part Import | Use the TKE workstation to create a compliant-tagged key token from key parts. |
| CSNBKPI2 | Key Part Import2 | Use the TKE workstation to create a compliant-tagged key token from key parts. |
| CSNBSKY | Secure Messaging for Keys | None. |
| CSNDPKX | PKA Public Key Extract | Use the CSNDPIC service to create a certificate signing request from a compliant-tagged private key token. Create a certificate from the CSR and use that in place of a public key token. |
| CSNDRKX | Remote Key Export | Use the TR34 and TR31 set of services to exchange compliant-tagged keys with a remote device. |
| CSNDSXD | Symmetric Key Export with Data | You can use the TR31 Translate (CSNBT31X) service to export a compliant-tagged symmetric key token with data. |
| CSNDTBC | Trusted Block Create | Use the TR34 and TR31 set of services to exchange compliant-tagged keys with a remote device. |
Table 2 shows a list of services that are both compliant with PCI-HSM 2016 and accept key tokens which could become compliant-tagged, but do not support compliant-tagged key tokens.
| Verb | Service name |
|---|---|
| CSNDEDH | EC Diffie-Hellman |
Table 3 shows the list of services that support compliant-tagged key tokens when running in PCI-HSM 2016 compliance mode.
| Verb | Service name |
|---|---|
| CSNBAPG | Authentication Parameter Generate |
| CSNBCPA | Clear PIN Generate Alternate |
| CSNBCPE | Clear PIN Encrypt |
| CSNBCSG | CVV Generate |
| CSNBCSV | CVV Verify |
| CSNBCTT2 | Cipher Text Translate2 |
| CSNBDDPG | DK Deterministic Generate |
| CSNBDEC | Decipher |
| CSNBDKG | Diversified Key Generate |
| CSNBENC | Encipher |
| CSNBEPG | Encrypted PIN Generate |
| CSNBFPED | FPE Decipher |
| CSNBFPEE | FPE Encipher |
| CSNBFPET | FPE Translate |
| CSNBKEX | Key Export |
| CSNBKGN | Key Generate |
| CSNBKIM | Key Import |
| CSNBKTR | Key Translate |
| CSNBKTR2 | Key Translate2 |
| CSNBKYT | Key Test |
| CSNBKYTX | Key Test Extended |
| CSNBKYT2 | Key Test2 |
| CSNBMGN | MAC Generate |
| CSNBMGN2 | MAC Generate2 |
| CSNBMMS | Multi-MAC Scheme |
| CSNBMVR | MAC Verify |
| CSNBPCU | PIN Change/Unblock |
| CSNBPEX | Prohibit Export |
| CSNBPEXX | Prohibit Export Extended |
| CSNBPFO | Recover PIN from Offset |
| CSNBPGN | Clear PIN Generate |
| CSNBPTR | Encrypted PIN Translate |
| CSNBPTRE | Encrypted PIN Translate Enhanced |
| CSNBPVR | Encrypted PIN Verify |
| CSNBRKA | Restrict Key Attribute |
| CSNBSPN | Secure Messaging for PINs |
| CSNBT31I | TR31 Key Import |
| CSNBT31X | TR31 Translate |
| CSNBT31C | TR31 Key Create |
| CSNBTRV | Transaction Validation |
| CSNBUKD | Unique Key Derive |
| CSNBDMP | DK Migrate PIN |
| CSNBDPC | DK PIN Change |
| CSNBDPCG | DK PRW CMAC Generate |
| CSNBDPMT | DK PAN Modify in Transaction |
| CSNBDPNU | DK PRW Card Number Update |
| CSNBDPT | DK PAN Translate |
| CSNBDPV | DK PIN Verify |
| CSNBDRP | DK Regenerate PRW |
| CSNBDRPG | DK Random PIN Generate |
| CSNDSYX | Symmetric Key Export |
| CSNDSYG | Symmetric Key Generate |
| CSNDSYI | Symmetric Key Import |
| CSNDSYI2 | Symmetric Key Import2 |
| CSNBDCU2 | DK PRW Card Number Update2 |
| CSNBDDK | Diversify Directed Key |
| CSNBDKG2 | Diversified Key Generate2 |
| CSNBDRG2 | DK Random PIN Generate2 |
| CSNBKGN2 | Key Generate2 |
| CSNBMVR2 | MAC Verify2 |
| CSNBPTR2 | Encrypted PIN Translate2 |
| CSNBSAD | Symmetric Algorithm Decipher |
| CSNBSAE | Symmetric Algorithm Encipher |
| CSNDDSG | Digital Signature Generate |
| CSNDDSV | Digital Signature Verify |
| CSNDPIC | Public Infrastructure Certificate |
| CSNDPKD | PKA Decrypt |
| CSNDPKE | PKA Encrypt |
| CSNDPKG | PKA Key Generate |
| CSNDPKI | PKA Key Import |
| CSNDPKT | PKA Key Translate |
| CSNDT34B | TR-34 Bind-Begin |
| CSNDT34D | TR-34 Key Distribution |
| CSNDT34R | TR-34 Key Receive |