Command:
Verify a PIN using the IBM method. This command can optionally verify a MAC using a DUKPT MAC Key.

Notes:

The command performs the same function as DA and EA, plus it computes the PIN pad key. The PIN block is assumed to be in the ANSI X9.8 format; no source PIN block format codes are required.

If a double or triple length PVK is used, Error Code 02 is returned as a warning, but processing continues, verifying the PIN using TDES in place of DES.

The ANSI X9.24 2002 method for DUKPT PIN Key derivation is used. This derives a Triple-DES PIN Encrypting Key. CK derives a single length PIN Encrypting Key.

Triple Length *BDK is supported using Key Scheme T.

DUKPT MAC Verification is supported.

The command performs the same function as DA and EA, except the Host supplies the HSM with the information necessary to compute the current key. The PIN Block and the KSN originate from the PIN Pad. The host stores the *BDK and the KSN descriptor.

Source PIN Block formats are restricted to ANSI X9.8 Format 0 and others which produce a different enciphered result for the same PIN when encrypted with different accounts, as required by X9.8.

For base software 2.0 and later, the decimalisation table will be encrypted as the default state; however, for backward compatibility the console CS command may be used to configure the HSM unit for plaintext decimalisation tables. It is recommended that encrypted decimalisation tables are used whenever possible.

The plaintext decimalisation table of 16 digits must contain at least 8 different digits, with no digit occurring more than 4 times. If this condition is not met, Error Code 25 is returned. Checking of the table is the default condition, but may be disabled using the CS console command. Disabling of the check is not recommended.

If MAC verification is required then the response code will contain 2 values. The first is the response code for PIN verification, the second is the response code for MAC verification.

COMMAND MESSAGE

| Field | Length & Type | Details |
|---|---|---|
| Message header | m A | (Subsequently returned to the Host unchanged). |
| Command code | 2 A | Value GO. |
| Mode | 1N | 0 = PIN Verify Only; 1 = PIN Verify and MAC Verify. |
| MAC Mode | 1N | Present only for Mode 1. 1 = Verify 8 byte MAC; 2 = Verify leftmost 4 bytes of MAC; 3 = Verify rightmost 4 bytes of MAC. |
| MAC Method | 1N | Present only for Mode 1. 1 = X9.19. |
| *BDK | 32H or 1A+32H or 1A+48H | The *BDK encrypted under LMK pair 28-29. |
| PVK | 16H or | The PVK encrypted under LMK pair 14-15. |
| KSN descriptor | 3 H | The descriptor for the KSN (in the next field). |
| Key serial number | 12 - 20 H | The KSN supplied by the PIN pad. |
| Source encrypted block | 16 H | Encrypted PIN block received from the POS PIN terminal. |
| PIN Block Format Code | 2N | Restricted to the following: 01 = ANSI X9.8 Format 0; 04 = Plus format; 05 = ISO 9564-1 Format 1, ANSI X9.8 Format 1; 47 = ISO 9564-1 Format 3. |
| Account number | 12N | The 12 right-most digits of the PAN excluding the check digit. |
| Decimalisation Table | 16N or 16H | Table for converting encrypted characters to decimal digits. 16H if Configure Security is set for Encrypted decimalisation tables; 16N if Configure Security is set for Plaintext decimalisation tables. |
| PIN validation data | 12 A | User-defined data consisting of hexadecimal characters, and the letter N, which indicates where the HSM is to insert the last five digits of the account number specified in the Host request message (the digits must be left-justified). |
| Offset | 12 H | The IBM offset value, left-justified and padded with “F”. |
| MAC | 4B or 8B | Only present for Mode 1. MAC to be verified. If MAC Mode is 01 then this field will contain 8B. If MAC Mode is 02 or 03 then this field contains 4B. |
| Message Data Length | 4N | Only present for Mode 1. Length of next field in bytes. Must be multiple of 8 bytes. |
| Message Data | nB | Only present for Mode 1. Data for which MAC is to be verified. |
| End message delimiter | 1 C | Present only if a message trailer is present. Value X'19'. |
| Message trailer | n A | Optional. Maximum length 32 characters. |

RESPONSE MESSAGE

| Field | Length & Type | Details |
|---|---|---|
| Message header | m A | Returned to the Host unchanged. |
| Response code | 2 A | Value GP. |
| Error code | 2 N | 00 : No errors; 01 : PIN Verification failure; 10 : *BDK parity error; 11 : PVK error; 12 : No keys loaded in user storage; 24 : PIN fewer than 4 or more than 12 digits; 25 : Decimalisation table error; 15 : Error in input data; 27 : *BDK not double length. |
| MAC Error Code | 2N | Present only for Modes 1 and 2. 01 : MAC Verification failure; 10 : *BDK parity error; 12 : No keys loaded in user storage; 15 : Error in input data; 23 : Invalid PIN Block Format Code; 27 : *BDK not double or triple length. |
| End message delimiter | 1 C | Present only if present in the command message. Value X'19'. |
| Message trailer | n A | Present only if present in the command message. Maximum length 32 characters. |
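
A host-side pre-flight check for the Decimalisation Table, PIN validation data and Offset fields described above, followed by the decimalise-and-add-offset arithmetic of the IBM offset method. This is an added example, not vendor code; the function names and all sample values are constructed. It assumes a single N marker in the validation data and that the offset digit count equals the PIN length, and the encryption under the PVK (done inside the HSM) is represented by a constructed hex string.

```python
from collections import Counter

DIGITS, HEX = set("0123456789"), set("0123456789ABCDEF")

def dec_table_problems(table):
    """Rules the notes give for a plaintext table (the HSM answers Error Code 25)."""
    if len(table) != 16 or not set(table) <= DIGITS:
        return ["table must be exactly 16 decimal digits"]
    counts, problems = Counter(table), []
    if len(counts) < 8:
        problems.append(f"only {len(counts)} different digits, at least 8 required")
    over = sorted(d for d, n in counts.items() if n > 4)
    if over:
        problems.append("digits occurring more than 4 times: " + ",".join(over))
    return problems

def expand_validation_data(template, account12):
    """Put the last five account digits where the template has its 'N'."""
    if len(template) != 12 or not set(template) <= HEX | {"N"}:
        raise ValueError("PIN validation data must be 12 characters of hex and N")
    if template.count("N") != 1:  # assumption: one marker, giving a 16-hex block
        raise ValueError("expected exactly one N marker")
    if len(account12) != 12 or not set(account12) <= DIGITS:
        raise ValueError("account number must be 12 decimal digits")
    return template.replace("N", account12[-5:])

def parse_offset(field):
    """Offset field: 12 H, left-justified, padded with F. Returns the digits."""
    digits = field.rstrip("F")
    if len(field) != 12 or not 4 <= len(digits) <= 12 or not set(digits) <= DIGITS:
        raise ValueError("offset must be 4-12 digits, F-padded to 12 characters")
    return digits

def ibm_pin(encrypted_hex, table, offset_field):
    """Decimalise the encrypted validation data, then add the offset modulo 10."""
    if dec_table_problems(table):
        raise ValueError("decimalisation table rejected")
    offset = parse_offset(offset_field)  # assumption: offset length = PIN length
    natural = [table[int(c, 16)] for c in encrypted_hex[:len(offset)]]
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))

# Constructed sample values, not taken from any real card or key.
TABLE = "0123456789012345"
BLOCK = expand_validation_data("12345678901N", "400000123456")
ENCRYPTED = "3F7C220100A8EDC6"  # stands in for BLOCK encrypted under the PVK in the HSM

if __name__ == "__main__":
    print(dec_table_problems(TABLE), dec_table_problems("0" * 16))
    print(BLOCK, ibm_pin(ENCRYPTED, TABLE, "1234FFFFFFFF"))
```
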