SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

The first time the SET Block Compose service is invoked to form an RSA-OAEP block and DES-encrypt data for communication between a specific source and destination (for example, between the merchant and payment gateway), do not specify the DES-ONLY keyword. A DES key will be generated by the service and returned in the key token contained in the DES_key_block. On subsequent calls to the Compose SET Block service for communication between the same source and destination, the DES key can be re-used. The caller of the service must supply the DES_key_block, the DES_key_block_length, the data_to_encrypt, the data_to_encrypt_length, and the rule-array keywords SET1.00 and DES-ONLY. You do not need to supply the block contents identifier, XDATA string and length, RSA-OAEP block and length, and RSA public key information, although you must still specify the parameters. For this invocation, the RSA-OAEP formatting is bypassed and only DES encryption is performed, using the supplied DES key.

The SET Block Compose access control point controls the function of this service.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 211. SET block compose required hardware

Server	Required cryptographic hardware	Restrictions
IBM zSeries 900	Cryptographic Coprocessor Feature	If there are no PCI Cryptographic Coprocessors online, the request is routed to the Cryptographic Coprocessor Feature.
	PCI Cryptographic Coprocessor	This service routes the request to a PCI Cryptographic Coprocessor to perform the RSA-OAEP processing.
IBM zSeries 990 IBM zSeries 890	PCI X Cryptographic Coprocessor Crypto Express2 Coprocessor
IBM System z9 EC IBM System z9 BC	Crypto Express2 Coprocessor