PIN_Change/Unblock CCA Release 2.54
PIN_Change/Unblock (CSNBPCU)
Platform/Product: OS/2, AIX, Win NT/2000, OS/400
IBM 4758-23 X
Use the PIN_Change/Unblock verb to prepare an encrypted message-portion for
communicating an original or replacement PIN for an EMV smart-card. The verb
embeds the PIN(s) in an encrypted PIN-block from information that you supply.
You incorporate the information created with the verb in a message sent to the
smart card.
The processing is consistent with the specifications provided in these documents:
• EMV 2000 Integrated Circuit Card Specification for Payment Systems Version
  4.0 (EMV4.0) Book 2
• Design VISA Integrated Circuit Card Specification Manual.
You specify:
• Through the optional choice of one rule-array keyword, the key-diversification
  process to employ in deriving the session key used to encrypt the PIN block.
  See “VISA and EMV-Related Smart Card Formats and Processes” on
  page E-17 for processing details.
  TDES-XOR  An exclusive-OR process described in the appendix. You can
            omit this keyword as it is the default process.
  TDESEMV2  The tree-based-diversification process with a “branch factor” of 2.
  TDESEMV4  The tree-based-diversification process with a “branch factor” of 4.
• Through the required choice of one rule-array keyword, if you are providing a
  PIN for a smart card with, or without, an existing (current) PIN:
  VISAPCU1  For a card without a PIN, you provide the new PIN in an
            encrypted PIN-block in the new_reference_PIN_block variable.
            The contents of current_reference_PIN... variables are ignored.
  VISAPCU2  For a card with a current PIN, you provide the existing PIN in an
            encrypted PIN-block in the current_reference_PIN_block variable,
            and supply the new PIN-value in an encrypted PIN-block in the
            new_reference_PIN_block variable.
• Issuer-provided master-derivation keys (MDK). The card-issuer provides two
  keys for diversifying the same data:
  – The MAC-MDK key which you incorporate in the variable specified by the
    authentication_key_identifier parameter. The verb uses this key to derive
    an authentication value incorporated in the PIN block. The control vector
    for the MAC-MDK key must specify a DKYGENKY key type with DKYL0
    (level-0), and DMAC or DALL permissions. See Figure C-3 on page C-5.
  – The ENC-MDK key which you incorporate in the variable specified by the
    encryption_key_identifier parameter. The verb uses this key to derive the
    PIN-block encryption key. The control vector for the ENC-MDK key must
    specify a DKYGENKY key type with DKYL0 (level-0), and DMPIN or DALL
    permissions.
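A pre-flight check for the keyword and key requirements listed above, as an added example that is not IBM's code and not part of the original manual. It validates the rule-array choice and packs it as the 8-byte, left-justified, space-padded elements CCA verbs expect. The function names, error codes and CV_* flag values are assumptions for illustration; the real control-vector bit positions are in the figure the text cites.

```c
#include <stdio.h>
#include <string.h>

enum { PCU_OK, PCU_E_UNKNOWN, PCU_E_DIVERSIFY, PCU_E_MODE, PCU_E_SPACE };
/* Hypothetical flag encoding of the control-vector attributes named above. */
enum { CV_DKYGENKY = 1, CV_DKYL0 = 2, CV_DMAC = 4, CV_DMPIN = 8, CV_DALL = 16 };

static int in_set(const char *kw, const char *const *set, int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(kw, set[i]) == 0) return 1;
    return 0;
}

/* Validate the keyword choice, then pack 8-byte space-padded elements. */
int pcu_rule_array(const char *const *kw, int n, char *out, size_t outsz, int *count)
{
    static const char *const kdf[] = { "TDES-XOR", "TDESEMV2", "TDESEMV4" };
    static const char *const pcu[] = { "VISAPCU1", "VISAPCU2" };
    int n_kdf = 0, n_pcu = 0;
    for (int i = 0; i < n; i++) {
        if (in_set(kw[i], kdf, 3)) n_kdf++;
        else if (in_set(kw[i], pcu, 2)) n_pcu++;
        else return PCU_E_UNKNOWN;
    }
    if (n_kdf > 1) return PCU_E_DIVERSIFY;  /* optional: at most one */
    if (n_pcu != 1) return PCU_E_MODE;      /* required: exactly one */
    if (outsz < (size_t)n * 8) return PCU_E_SPACE;
    for (int i = 0; i < n; i++) {
        memset(out + i * 8, ' ', 8);
        memcpy(out + i * 8, kw[i], strlen(kw[i]));
    }
    *count = n;
    return PCU_OK;
}

/* use = CV_DMAC for the MAC-MDK, CV_DMPIN for the ENC-MDK; DALL covers both. */
int pcu_key_ok(unsigned cv, unsigned use)
{
    return (cv & CV_DKYGENKY) && (cv & CV_DKYL0) && (cv & (use | CV_DALL));
}

int main(void)
{
    const char *const kw[] = { "TDESEMV4", "VISAPCU2" };
    char ra[16];
    int n = 0, rc = pcu_rule_array(kw, 2, ra, sizeof ra, &n);
    printf("rc=%d count=%d rule_array=\"%.16s\"\n", rc, n, ra);
    return rc;
}
```

Omitting the diversification keyword is accepted because TDES-XOR is the default; a swapped MAC-MDK and ENC-MDK is caught by pcu_key_ok unless both keys carry DALL.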
8-52 IBM 4758 CCA Basic Services, Release 2.54, February 2005