Required commands

The required commands for CSNBSPN.

This verb requires the Secure Messaging for PINs command (offset X'0274') to be enabled in the active role.

The following three commands at offsets X'0350', X'0351', and X'0352' affect how PIN processing is performed as described below:
  1. Enable the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350') in the active role to apply additional restrictions to PIN processing as follows:
    • Constrain use of ISO-2 PIN blocks to offline PIN verification and PIN change operations in integrated circuit card environments only. Specifically, do not allow ISO-2 input or output PIN blocks.
    • Do not reformat a PIN-block format that includes a PAN into a PIN-block format that does not include a PAN.
    • Do not allow a change of PAN data. Specifically, when performing translations between PIN block formats that both include PAN data, do not allow the input_PAN_data and output_PAN_data variables to be different from the PAN data enciphered in the input PIN block.
    Note: A role with offset X'0350' enabled also affects access control of the Clear PIN Generate Alternate and the Encrypted PIN Translate verbs.
  2. Enable the ANSI X9.8 PIN - Allow modification of PAN command (offset X'0351') in the active role to override the restriction to not allow a change of PAN data. This override is applicable only when either the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350') or the ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352') or both are enabled in the active role. This override is to support account number changes in issuing environments. Offset X'0351' has no effect if neither offset X'0350' nor offset X'0352' is enabled in the active role.
    Note: A role with offset X'0351' enabled also affects access control of the Encrypted PIN Translate verbs.
  3. Enable the ANSI X9.8 PIN - Allow only ANSI PIN blocks command (offset X'0352') in the active role to apply a more restrictive variation of the ANSI X9.8 PIN - Enforce PIN block restrictions command (offset X'0350'). In addition to the previously described restrictions of offset X'0350', this command also restricts the input_PIN_profile and the output_PIN_profile to contain only ISO-0, ISO-1, and ISO-3 PIN block formats. Specifically, the IBM® 3624 PIN-block format is not allowed with this command. Offset X'0352' overrides offset X'0350'.
    Note: A role with offset X'0352' enabled also affects access control of the Encrypted PIN Translate verbs.

When the Disallow PIN block format ISO-1 access control is enabled in the domain role, the PIN block format in the input_PIN_profile and output_PIN_profile parameters is not allowed to be ISO-1.

For more information, see ANSI X9.8 PIN restrictions.
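The interaction of offsets X'0350', X'0351', and X'0352' described above can be checked against a role definition with a small model. This is an added example, not IBM code or part of the original documentation; the function name `violations`, the format labels, the `disallow_iso1` flag, and the PAN values are assumptions made for illustration.

```python
# Added illustration: models only the rules stated on this page; not IBM code.
ENFORCE, ALLOW_PAN_CHANGE, ANSI_ONLY = 0x0350, 0x0351, 0x0352

# Assumed labels for the formats named on this page. ISO-0 and ISO-3 bind the
# PAN into the PIN block; ISO-1, ISO-2 and IBM 3624 do not.
PAN_BOUND = {"ISO-0", "ISO-3"}
ANSI_FORMATS = {"ISO-0", "ISO-1", "ISO-3"}


def violations(role, in_fmt, out_fmt, block_pan, in_pan, out_pan,
               disallow_iso1=False):
    """Return the page-stated restrictions a request would violate.

    role: set of command offsets enabled in the active role.
    block_pan: PAN enciphered in the input PIN block (known to the model only).
    disallow_iso1: the 'Disallow PIN block format ISO-1' control is enabled.
    """
    found = []
    formats = (in_fmt, out_fmt)
    if disallow_iso1 and "ISO-1" in formats:
        found.append("ISO-1 not allowed")
    # X'0352' includes every X'0350' restriction; X'0351' alone changes nothing.
    if ENFORCE not in role and ANSI_ONLY not in role:
        return found
    if "ISO-2" in formats:
        found.append("ISO-2 input or output PIN block")
    if in_fmt in PAN_BOUND and out_fmt not in PAN_BOUND:
        found.append("PAN format reformatted to non-PAN format")
    pan_changed = in_pan != block_pan or out_pan != block_pan
    if (in_fmt in PAN_BOUND and out_fmt in PAN_BOUND and pan_changed
            and ALLOW_PAN_CHANGE not in role):
        found.append("PAN change")
    if ANSI_ONLY in role:
        found += [f"non-ANSI format {f}" for f in formats
                  if f not in ANSI_FORMATS]
    return found


if __name__ == "__main__":
    old, new = "4000000000000002", "4000000000000010"  # constructed test PANs
    for role in ({ALLOW_PAN_CHANGE}, {ENFORCE}, {ENFORCE, ALLOW_PAN_CHANGE}):
        print(sorted(hex(o) for o in role),
              violations(role, "ISO-0", "ISO-3", old, old, new))
```

Running the same request against each candidate role shows which restrictions a role change would add or lift before the role is loaded.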

The access control point ISO PIN blocks do not check PIN digits (X'0055') is enabled by default in the default role. This prevents CCA from performing any integrity checks on the PIN digits themselves, to comply with the PCI-HSMv4 and ISO 9564.1 standards.

No action is needed by the users, unless they do not need to comply with the PCI-HSMv4 and ISO 9564.1 standards. In this case, they can disable the X'0055' access control point to allow integrity checks directly on the PIN digits.

To use a P0 TR-31 token as a SECMSG key in the secmsg_key_identifier parameter, the SPN - Allow P0 for secmsg key identifier command (offset X'03F4') must be enabled.