Acquirer/Card Issuer processing is used where the Acquirer is not the Card Issuer. The Request Message MAC verification where no PIN is involved, and the Completion Confirmation/Completion Response MAC processing are the same as in the Acquirer-Only Processing section.
The Acquirer Host performs the Request Message MAC verification and returns the PIN Encrypting Key (PEK) under which the PIN block is encrypted. The PIN block is double encrypted, first by the Card Key, a value not normally available to an Acquirer, then by the PEK. The Acquirer can perform the decryption using the PEK but cannot carry out the second decryption to reveal the plain PIN block.
However, the Acquirer can perform a translation so that the PIN block, encrypted under the Card Key, is returned encrypted under a zone (‘interchange’) key previously set-up between Acquirer and Card Issuer. The translation is a separate function because at the time of message authentication, most software packages are not aware of the ultimate Card Issuer and hence the Zone Key. This is normally available to the Card Issuer handling part of the software that invokes the translate function.
The last Acquirer function generates the MAC for the outgoing response message. Auth Para, if included, is obtained from the Card Issuer. It is transported to the Acquirer encrypted under a variant of another zone key.
It is assumed that all messages going to and from the Card Issuer are protected by MACs. Two binary MACing functions (not shown in the diagram) are provided for this purpose, using traditional master/session keys: one generates a MAC for a given binary message, the other validates the MAC.
The Card Issuer receives the message containing the encrypted PIN block from the Acquirer Host, and verifies the PIN, using one of the PIN verification algorithms (IBM, Diebold, Visa PVV) or straight comparison. The verification function also generates Auth Para and encrypts it under a variant of a zone key for sending to the Acquirer.
If no PIN has been used with a transaction, a function to generate Auth Para and encrypt it under a variant of a zone key is available.