|
Command: |
Verify a PIN using the Encrypted PIN method. This command can optionally verify a MAC using a DUKPT MAC Key |
|
Notes: |
This command is similar to the CQ command. Other than: · The ANSI X9.24 2002 method for DUKPT PIN Key derivation is used. This derives a Triple-DES Pin Encrypting Key. CQ derives a Single length PIN Encrypting Key · Triple Length *BDK is supported using Key Scheme T. · DUKPT MAC Verification is supported The command performs the same function as BC and BE, except the Host supplies the HSM with the information necessary to compute the current key. The PIN Block and the KSN originate from the PIN Pad. The host stores the *BDK and the KSN descriptor. Source PIN Block formats are restricted to ANSI X9.8 Format 0 and others which produce a different enciphered result for the same PIN when encrypted with different accounts, as required by X9.8.
|
|
Field |
Length & Type |
Details | |
|
COMMAND MESSAGE |
|||
|
Message header |
m A |
(Subsequently returned to the Host unchanged). |
|
|
Command code |
2 A |
Value GU. |
|
|
Mode |
1N |
0 = PIN Verify Only 1 = PIN Verify and MAC Verify |
|
|
MAC Mode |
1N |
Present only for Mode 1 1 = Verify 8 byte MAC 2 = Verify leftmost 4 bytes of MAC 3 = Verify rightmost 4 bytes of MAC |
|
|
MAC Method |
1N |
Present only for Mode 1 1 = X9.19 |
|
|
*BDK |
32H or 1A+32H or 1A+48H |
The *BDK encrypted under LMK pair 28-29. |
|
|
KSN descriptor |
3 H |
The descriptor for the KSN (in the next field). |
|
|
Key serial number |
12 - 20 H |
The KSN supplied by the PIN pad. |
|
|
Source encrypted block |
16 H |
The encrypted PIN block received from the POS PIN terminal. |
|
|
PIN Block Format Code |
2N |
Restricted to the following: · 01 = ANSI X9.8 Format 0 · 04 = Plus format · 05 = ISO 9564-1 Format 1, ANSI X9.8 Format 1 · 47 = ISO 9564-1 Format 3 |
|
|
Account number |
12 N |
The 12 right-most digits of the PAN, excluding the check digit. |
|
|
Encrypted data base PIN |
L N |
The PIN from the Host database encrypted under LMK pair 02-03. |
|
|
MAC |
4B or 8B |
Only present for Mode 1 MAC to be verified. · If MAC Mode is 01 then this field will contain 8B. · If MAC Mode is 02 or 03 then this field contains 4B |
|
|
Message Data Length |
4N |
Only present for Mode 1 Length of next field in bytes. Must be multiple of 8 bytes |
|
|
Message Data |
nB |
Only present for Mode 1 Data for which MAC is to be verified |
|
|
End message delimiter |
1 C |
Present only if a message trailer is present. Value X’19. |
|
|
Message trailer |
n A |
Optional. Maximum length 32 characters. |
|
|
RESPONSE MESSAGE |
|||
|
Message header |
m A |
Returned to the Host unchanged. |
|
|
Response code |
2 A |
Value GV. |
|
|
Error code |
2 N |
00 : No error. 01 : PIN Verification failure 10 : *BDK parity error 11 : PVK error 12 : No keys loaded in user storage 13 : LMK Error; report to supervisor 15 : Error in input data 20 : PIN Block Error 23 : Invalid PIN Block Format Code 24 : PIN fewer than 4 or more than 12 digits 27 : *BDK not double or triple length |
|
|
MAC Error Code |
2N |
Present only for Modes 1 and 2 01 : MAC Verification failure 10 : *BDK parity error 12 : No keys loaded in user storage 15 : Error in input data 27 : *BDK not double or triple length |
|
|
End message delimiter |
1 C |
Present only if Message Trailer is present. Value X’19 |
|
|
Message trailer |
n A |
Optional. Maximum length 32 characters. |
|
|
|
|
|
|