Required commands
The required commands for CSNBCPA.
This verb requires the commands shown in the following table to be enabled in the active role based on the keyword specified for the PIN-calculation method:
| Rule-array keyword | Offset | Command |
|---|---|---|
| IBM-PINO | X'00A4' | Clear PIN Generate Alternate - 3624 Offset |
| VISA-PVV | X'00BB' | Clear PIN Generate Alternate - VISA PVV |
An enhanced PIN security mode, on the CEX*C is available for extracting PINs from encrypted PIN blocks. This mode only applies when specifying a PIN-extraction method for an IBM® 3624 PIN-block. To do this, you must enable the Enhanced PIN Security (offset X'0313') access control point in the default role. When activated, this mode limits checking of the PIN to decimal digits and a PIN length minimum of 4 is enforced. No other PIN-block consistency checking will occur.
- ANSI X9.8 PIN - Enforce PIN block restrictions (X'0350')
Whenever the ANSI X9.8 PIN - Use stored decimalization tables only command (offset X'0356') is enabled in the active role, the Decimalization_table element of the data_array value must match one of the PIN decimalization tables that are in the active state on the coprocessor. Use of this command provides improved security and control for PIN decimalization tables. The VISA-PVV PIN-calculation method does not have a Decimalization_table element and is therefore not affected by this command.
When the Disallow PIN block format ISO-1 access control is enabled in the domain role, the PIN block format in the PIN_profile parameter is not allowed to be ISO-1.
The access control point ISO PIN blocks do not check PIN digits (X’0055’) is enabled by default in the default role. This prevents CCA from performing any integrity checks on the PIN digits themselves, to comply with the PCI-HSMv4 and ISO 9564.1 standards.
No action is needed by the users, unless they do not need to comply with the PCI-HSMv4 and ISO 9564.1 standards. In this case, they can disable the X’0055’ access control point to allow integrity checks directly on the PIN digits.