Encrypted PIN Translate Enhanced (CSNBPTRE)

The Encrypted PIN Translate Enhanced verb reformats a PIN into a different PIN-block format using an enciphered PAN field. You can use this verb in an interchange-network application, or to change the PIN block to conform to the format and encryption key used in a PIN-verification database.

The CSNBPTRE verb supports Visa Data Secure Platform (VDSP, formerly known as Visa Merchant Data Secure (VMDS)) processing. With this verb you can also use derived unique key per transaction (DUKPT) PIN-block encryption (ANS X9.24) for both input and output PIN blocks. The verb supports translation of PINs whose PAN information has been enciphered using the VDSP standard and Visa Format Preserving Encryption (VFPE) methods.

PIN blocks are sometimes formatted using the PAN information. For the CSNBPTRE verb, either the input PIN block profile or the output PIN block profile must specify a PIN block format that incorporates a PAN. The PIN block formats that incorporate a PAN are ISO-0, ISO-3, and Visa Format 4. VDSP enciphered PAN data can be enciphered using DUKPT key management or static TDES key management. The PAN can be enciphered with the CBC mode or the VFPE mode. VDSP requires that the same key management scheme and type of keys are used for both the PIN and PAN. For VDSP, the following pairings are supported:

Table 1. Pairings supported for VDSP


Function     Source                                Target
             Key management         VDSP option    Key management                                VDSP option
Translation  DUKPT                  Standard CBC   Static TDES non-DUKPT (Zone Encryption Keys)  Standard CBC
                                    VFPE
             Static TDES non-DUKPT  Standard CBC

Terminology: The VDSP specification speaks of two key management methods: DUKPT (derived unique key per transaction) and Zone Encryption Keys. The process for deriving these keys is documented in ANS X9.24 Part 1. Zone Encryption Keys are called static keys in CCA. Static keys are presented for use and are not derived during verb processing. They are double length TDES keys for this service which are called static TDES keys in this document.

The verb operates in reformat mode. In reformat mode, the verb performs the translate-mode functions (changes the wrapping key) and, in addition, processes the cleartext information. Following the rules that you specify, the PIN is extracted from the recovered cleartext PIN block using the specified input PIN encrypting key and formatted into an output PIN block according to the output PIN profile for encryption. The PIN block is re-enciphered with the specified output PIN encrypting key. Change of PAN data is not allowed.

The Encrypted PIN Translate Enhanced verb performs the following processing:

  • Decrypts the input PIN-block by using the supplied IPINENC key in ECB mode, or derives the decryption key using the specified KEYGENKY key and the current-key serial number (CKSN), and then uses ANS X9.24-specified special decryption or the Triple-DES (TDES) method. The PAN must be deciphered using either the data decryption key derived from the base derivation key and CKSN or using the specified static TDES data decryption key (DECIPHER, CIPHER).
  • Checks the control vector of the input PIN encryption key to ensure that for an IPINENC key the REFORMAT bit (CV bit 22) is set to B'1' for reformat mode, or for a KEYGENKY key, that the UKPT bit (CV bit 18) is set to B'1'. Likewise, the OPINENC key must have the REFORMAT bit set according to the requested mode.
  • In reformat mode, performs these steps:
    • Extracts the PIN from the specified PIN-block format using the method specified by default or by a rule-array keyword. If required by the PIN-block format, PAN data is used in the extraction process.
    • Formats the extracted PIN into the format declared for the output PIN-block. As required by the PIN-block format, the verb incorporates PAN data, sequence number, and pad character information in formatting the output.
  • Enciphers the output PIN-block by using the supplied static OPINENC key in ECB mode, or derives the decryption key using the specified KEYGENKY key and the output current-key serial number (CKSN) from the output PIN profile and uses ANS X9.24-specified special encryption or Triple-DES method. The REFORMAT bit must be set to B'1' in the OPINENC control vector, or the UKPT bit must be set to B'1' in the KEYGENKY control vector.

Note: This verb supports PCI-HSM 2016 compliant-tagged key tokens.
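The extract and format steps of reformat mode can be followed on cleartext blocks. The sketch below is an added example, not IBM code and not the CCA API: it covers only the clear ISO-0 to ISO-3 step that the verb performs inside the HSM between decryption and re-encipherment, and shows why the PAN is needed for extraction. The function names are hypothetical, and the PIN and PAN values are constructed test data.

```python
import secrets

def pan_field(pan: str) -> bytes:
    """0000 followed by the 12 rightmost PAN digits, check digit excluded."""
    return bytes.fromhex("0000" + pan[:-1][-12:].rjust(12, "0"))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def format_block(pin: str, pan: str, fmt: int) -> bytes:
    """Build a clear ISO-0 (fmt=0) or ISO-3 (fmt=3) PIN block."""
    if fmt not in (0, 3) or not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("unsupported format or PIN length")
    fill_len = 14 - len(pin)  # 16 nibbles minus control, length and PIN digits
    if fmt == 0:
        fill = "F" * fill_len  # ISO-0 pads with F
    else:
        # ISO-3 fills with random values in the range A-F
        fill = "".join(secrets.choice("ABCDEF") for _ in range(fill_len))
    pin_field = bytes.fromhex(f"{fmt:X}{len(pin):X}{pin}{fill}")
    return xor(pin_field, pan_field(pan))

def extract_pin(block: bytes, pan: str, fmt: int) -> str:
    """Recover the PIN; reject blocks inconsistent with the format or PAN."""
    field = xor(block, pan_field(pan)).hex().upper()
    length = int(field[1], 16)
    pin, fill = field[2:2 + length], field[2 + length:]
    fill_ok = set(fill) <= ({"F"} if fmt == 0 else set("ABCDEF"))
    if (field[0] != f"{fmt:X}" or not 4 <= length <= 12
            or not pin.isdigit() or not fill_ok):
        raise ValueError("PIN block does not match the format or the PAN")
    return pin

def reformat(block: bytes, pan: str, in_fmt: int, out_fmt: int) -> bytes:
    """Extract with the input format, rebuild with the output format, same PAN."""
    return format_block(extract_pin(block, pan, in_fmt), pan, out_fmt)

if __name__ == "__main__":
    PAN = "4111111111111111"              # constructed test PAN
    iso0 = format_block("1234", PAN, 0)   # constructed test PIN
    print("ISO-0:", iso0.hex().upper())
    print("ISO-3:", reformat(iso0, PAN, 0, 3).hex().upper())
```

A mismatched PAN is caught here only when it disturbs the fill or PIN digits, so the format check is a consistency test, not an integrity guarantee.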