CCA Release 2.54
PIN-Calculation Method and PIN-Block Format Summary
As described in the following sections, you can use a variety of PIN calculation
methods and a variety of PIN-block formats with the various PIN-processing verbs.
Figure 8-3 provides a summary of the supported combinations.

Figure 8-3. PIN Verb, PIN-Calculation Method, and PIN-Block-Format Support Summary

Verb                          Entry point  Calculation method / PIN-block format (3624, ISO-0, ISO-1, ISO-2)
Clear_PIN_Encrypt             CSNBCPE      √√√ √
Clear_PIN_Generate            CSNBPGN      √√
Clear_PIN_Generate_Alternate  CSNBCPA      √√√ √√√√
Encrypted_PIN_Generate        CSNBEPG      √√√√√√√
Encrypted_PIN_Translate       CSNBPTR      √√√√√
Encrypted_PIN_Verify          CSNBPVR      √√√√√√ √√√ √

Providing Security for PINs
It is important to maintain the security of PINs. Unauthorized knowledge of a PIN
and its associated account number can result in fraudulent transactions. One
method of maintaining the security of a PIN is to store the PIN in a PIN block,
encrypt the PIN block, and only send or store a PIN in this form. A PIN block is 64
bits in length, which is the length of data on which the DES algorithm operates. A
PIN block consists of both PIN digits and non-PIN digits. The non-PIN digits pad
the PIN digits to a length of 64 bits. When discussing PINs, the term digit refers to
a 4-bit quantity that can be valued to the decimal values 0...9 and in some cases
also to the hexadecimal values A...F. Several different PIN-block formats are
supported. See “PIN-Block Formats” on page E-9.
The non-PIN digits can also add variability to a PIN block. Varying the value of the
non-PIN digits in a PIN block is a security measure used to create a large number
of different encrypted PIN-blocks, even though there are typically only 10,000 PIN
values in use. To enhance the security of a clear PIN during PIN processing, the
verbs generally operate with encrypted PIN-blocks. The PIN verbs provide
high-level services that typically insert or extract PIN values to or from a PIN block
internal to the verb.
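
The following Python sketch is an added example, not part of the IBM manual or the CCA API. It builds clear 64-bit PIN blocks in the ISO-0, ISO-1 and ISO-2 layouts as defined in ISO 9564 (an assumption here, since this page defers the layouts to page E-9) to show how the non-PIN digits pad a block and add variability before encryption. The function names and the sample PIN and account number are constructed.

```python
import secrets

def _pin_field(control, pin):
    """Control digit, PIN-length digit, then the PIN digits (hex string)."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return f"{control}{len(pin):X}{pin}"

def iso0_block(pin, pan):
    """ISO-0: PIN field padded with F, XORed with 0000 plus the 12 rightmost
    account-number digits (check digit excluded)."""
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("account number must be at least 13 decimal digits")
    pin_part = int(_pin_field(0, pin).ljust(16, "F"), 16)
    pan_part = int("0000" + pan[-13:-1], 16)
    return (pin_part ^ pan_part).to_bytes(8, "big")

def iso1_block(pin, rand_digit=lambda: secrets.randbelow(16)):
    """ISO-1: PIN field padded with random digits, so one PIN yields many blocks."""
    field = _pin_field(1, pin)
    pad = "".join(f"{rand_digit():X}" for _ in range(16 - len(field)))
    return bytes.fromhex(field + pad)

def iso2_block(pin):
    """ISO-2: PIN field padded with F only; the block depends on the PIN alone."""
    return bytes.fromhex(_pin_field(2, pin).ljust(16, "F"))

def distinct_blocks(build, count):
    """Number of different clear blocks produced by `count` calls of build()."""
    return len({build() for _ in range(count)})

if __name__ == "__main__":
    pin, pan = "1234", "43219876543210987"  # constructed sample values
    print("ISO-0", iso0_block(pin, pan).hex().upper())
    print("ISO-1", iso1_block(pin).hex().upper())
    print("ISO-2", iso2_block(pin).hex().upper())
    # Random padding: the same PIN maps to many different blocks.
    print("ISO-1 variants:", distinct_blocks(lambda: iso1_block(pin), 1000))
    # Fixed padding: the same PIN always maps to the same block.
    print("ISO-2 variants:", distinct_blocks(lambda: iso2_block(pin), 1000))
```

With fixed padding, a four-digit PIN can produce only 10,000 distinct clear blocks under one key; the account-number XOR in ISO-0 and the random pad in ISO-1 are what enlarge that set.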
The following verbs receive clear PINs from your application program or return
clear PINs to your program. None of the other PIN verbs reveals a clear PIN.
When your application program supplies a clear PIN to a verb or receives a clear
PIN from a verb, ensure that adequate access controls and auditing are provided to
protect this sensitive data. Also recognize that exhaustive use of certain verbs
such as Encrypted_PIN_Verify and Clear_PIN_Generate_Alternate can reveal the
value of a PIN. Therefore, if production level keys are available in a system, be
sure that you have usage controls and auditing in effect to detect inappropriate
usage of these verbs.
8-6 IBM 4758 CCA Basic Services, Release 2.54, February 2005