Required commands

The required commands for CSNBCPA.

This verb requires the commands shown in the following table to be enabled in the active role based on the keyword specified for the PIN-calculation method:

Required commands for the Clear PIN Generate Alternate verb

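| Rule-array keyword | Offset  | Command                                     |
|--------------------|---------|---------------------------------------------|
| IBM-PINO           | X'00A4' | Clear PIN Generate Alternate - 3624 Offset  |
| VISA-PVV           | X'00BB' | Clear PIN Generate Alternate - VISA PVV     |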

An enhanced PIN security mode is available on the CEX*C for extracting PINs from encrypted PIN blocks. This mode applies only when a PIN-extraction method is specified for an IBM® 3624 PIN-block. To use it, you must enable the Enhanced PIN Security (offset X'0313') access control point in the default role. When this mode is active, checking of the PIN is limited to decimal digits and a minimum PIN length of 4 is enforced. No other PIN-block consistency checking occurs.

An enhanced PIN security mode is available to implement restrictions required by the ANSI X9.8 PIN standard. The restrictions are to accept only a PIN_profile variable that contains a PIN-block format of ISO-0 or ISO-3. To enforce these restrictions, you must enable the following access control points in the default role:
  • ANSI X9.8 PIN - Enforce PIN block restrictions (X'0350')
For more information, see ANSI X9.8 PIN restrictions.
Note: A role with offset X'0350' enabled also affects access control of the Encrypted PIN Translate and the Secure Messaging for PINs verbs.

Whenever the ANSI X9.8 PIN - Use stored decimalization tables only command (offset X'0356') is enabled in the active role, the Decimalization_table element of the data_array value must match one of the PIN decimalization tables that are in the active state on the coprocessor. Use of this command provides improved security and control for PIN decimalization tables. The VISA-PVV PIN-calculation method does not have a Decimalization_table element and is therefore not affected by this command.

When the Disallow PIN block format ISO-1 access control is enabled in the domain role, the PIN block format in the PIN_profile parameter is not allowed to be ISO-1.

The access control point ISO PIN blocks do not check PIN digits (X'0055') is enabled by default in the default role. This prevents CCA from performing any integrity checks on the PIN digits themselves, to comply with the PCI-HSMv4 and ISO 9564.1 standards.

No action is needed by the users, unless they do not need to comply with the PCI-HSMv4 and ISO 9564.1 standards. In this case, they can disable the X'0055' access control point to allow integrity checks directly on the PIN digits.
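The following added example (not IBM code, and not part of the original page) models how the required commands and the X'0350', X'0356' and ISO-1 controls described above combine for a CSNBCPA request, so a role definition can be reviewed before deployment. The function name, the input shapes, the single combined set of enabled offsets and the sample values are assumptions; X'0313' and X'0055' are not modeled.

```python
# Added illustration: a model of the role checks this page describes for CSNBCPA.
# It is not IBM CCA code and never talks to a coprocessor.

REQUIRED_COMMAND = {"IBM-PINO": 0x00A4, "VISA-PVV": 0x00BB}  # table on this page
X98_BLOCK_RESTRICT = 0x0350    # ANSI X9.8 PIN - Enforce PIN block restrictions
X98_STORED_TABLES = 0x0356     # ANSI X9.8 PIN - Use stored decimalization tables only


def check_cpa_request(enabled, keyword, pin_block_format,
                      dec_table=None, active_tables=(), disallow_iso1=False):
    """Return the reasons a request conflicts with the role (empty list = none).

    enabled       -- set of enabled offsets (assumed input shape)
    active_tables -- decimalization tables in the active state (assumed input)
    disallow_iso1 -- "Disallow PIN block format ISO-1" is enabled; the page
                     gives no offset for it, so it is passed as a flag
    """
    if keyword not in REQUIRED_COMMAND:
        return [f"unsupported rule-array keyword {keyword!r}"]
    problems = []
    command = REQUIRED_COMMAND[keyword]
    if command not in enabled:
        problems.append(f"X'{command:04X}' is not enabled for {keyword}")
    if X98_BLOCK_RESTRICT in enabled and pin_block_format not in ("ISO-0", "ISO-3"):
        problems.append(f"X'0350' allows only ISO-0 or ISO-3, got {pin_block_format}")
    if disallow_iso1 and pin_block_format == "ISO-1":
        problems.append("ISO-1 PIN blocks are disallowed")
    # VISA-PVV has no Decimalization_table element, so X'0356' cannot apply to it.
    if (X98_STORED_TABLES in enabled and keyword != "VISA-PVV"
            and dec_table not in active_tables):
        problems.append("X'0356' requires a decimalization table in the active state")
    return problems


if __name__ == "__main__":
    role = {0x00A4, 0x0350, 0x0356}          # constructed sample role
    stored = {"0123456789012345"}            # constructed sample table
    for kw, fmt, tbl in [("IBM-PINO", "ISO-0", "0123456789012345"),
                         ("IBM-PINO", "ISO-1", "9876543210987654"),
                         ("VISA-PVV", "ISO-3", None)]:
        print(kw, fmt, check_cpa_request(role, kw, fmt, tbl, stored) or "consistent")
```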