1270A308-8.4 HSM 8000 MasterCard ESP Commands Manual


  • HOST SECURITY MODULE 8000

    ESP COMMAND REFERENCE MANUAL

    1270A308 Issue 8.4

  • HSM 8000 ESP Command Reference Manual

    2 1270A308 Issue 8.4 August 2010

    List of Chapters

    Chapter 1 - Introduction ....... 9
    Chapter 2 - Console Commands ....... 12
    Chapter 3 - Host Commands ....... 13


    Table of Contents

    List of Chapters ....... 2
    Table of Contents ....... 3
    Revision Status ....... 4
    Contact Information ....... 5
    End User License Agreement ....... 6
    References ....... 8
    Chapter 1 - Introduction ....... 9
    List of Host Commands (Alphabetical) ....... 10
    List of Host Commands (Functional) ....... 11
    Chapter 2 - Console Commands ....... 12
    Set KMC Sequence Number ....... 12
    Chapter 3 - Host Commands ....... 13
    General ....... 13
    Key Type Table ....... 14
    Decrypt R1 and validate the MACLSAM ....... 15
    Compute HCEP ....... 17
    Validate the S1 MAC (Load and Unload) ....... 18
    Validate the S1 MAC (Currency Exchange) ....... 20
    Generate the S2 MAC (Linked load, declined unlinked load, unload) ....... 22
    Generate the S2 MAC (Currency Exchange) ....... 23
    Generate the S2 MAC (Approved Unlinked Load) ....... 25
    Validate the S3 MAC (Currency Exchange transactions) ....... 27
    Validate the S3 MAC (Load or Unload transactions) ....... 29
    Validate the H2LSAM ....... 31
    Unlinked Load Transaction Request ....... 32
    Release RLSAM ....... 34
    Release R2LSAM ....... 35
    Verify RCEP ....... 36
    Validate S6 MAC ....... 37
    Validate S6 MAC ....... 39
    Validate S6 MAC ....... 40
    Validate S5,DLT MAC ....... 41
    Validate S5,ISS MAC ....... 42
    Validate the S4 MAC Old Terminals ....... 43
    Validate the S4 MAC New Terminals ....... 44
    Validate the S5 MAC Old Terminals ....... 45
    Validate the S5 MAC (MAC of the PSAM for a Transaction) New Terminals ....... 46
    Validate the S5 Variant MAC (MAC of the PSAM for an Issuer Total) New Terminals ....... 48
    Create the Acknowledgement MAC Old Terminals ....... 50
    Create the Acknowledgement MAC New Terminals ....... 51
    Create the Update MAC ....... 52
    Validate the SADMIN MAC (Administrative MAC of the PSAM) ....... 53
    Create the Merchant Acquirer MAC ....... 54
    Validate the Card Issuer MAC ....... 55
    Generate Issuer RSA Key Set (MasterCard/Europay) ....... 56
    Validate a Certification Authority Self-Signed Certificate (MasterCard/Europay) ....... 58
    Import Transport Key Set ....... 60
    Export Magnetic Stripe Card Key Set ....... 62
    Export Chip Card Key Set ....... 64
    Export Electronic Purse Card Key Set ....... 71


    Revision Status

    Revision          HSM       Functional Revision   Changes                                  Release Date
    1270A308-001      RG7000    V1.06/5.06            First Issue                              February 2002
    1270A308-002      RG7000    V2.01/6.02            Second Issue                             December 2003
    1270A308-006      HSM 8000  V2.x                  Third Issue                              February 2007
    1270A308-007      HSM 8000  V3.0                  Fourth Issue                             March 2008
    1270A308-008.1    HSM 8000  V3.1b                 Compatibility with OBKM spec Sept 2007   October 2009
    1270A308-008.2    HSM 8000  V3.1c                 Fifth Issue                              March 2010
    1270A308-008.3    HSM 8000  V3.1c                 Sixth Issue                              April 2010
    1270A308-008.4    HSM 8000  v3.1d                 Seventh Issue                            August 2010

    This manual describes the functionality within the 3.1d base release of HSM 8000 software. For all other versions please refer to appropriate manual and associated HSM software specifications.


    Contact Information

    THALES e-SECURITY

    Europe, Middle East, Africa
    Meadow View House, Crendon Ind. Estate, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK
    Telephone: +44 1844 201800
    Fax: +44 1844 208550
    Support: Telephone: +44 1844 202566; Fax: +44 1844 208356; [email protected]

    Americas
    Suite 200, 2200 North Commerce Parkway, Weston, FL 33326, USA
    Telephone: 1-888-744-4976 (in US), +1 954-888-6200 (outside US)
    Fax: +1 954-888-6211
    Support: Telephone: 800-521-6261 (in U.S.), +1 954-888-6277 (outside U.S.); Fax: +1 954-888-6233; [email protected]

    Asia Pacific
    Unit 4101, 41/F, 248 Queen's Road East, Wanchai, Hong Kong, PRC
    Telephone: +852 2815 8633
    Fax: +852 2815 8141
    Support: Telephone: +852 2815 8633; Fax: +852 2815 8141; [email protected]

    http://www.thalesgroup.com/iss

    Copyright 1987-2010 THALES e-SECURITY Ltd. This document is issued by Thales e-Security Limited (hereinafter referred to as Thales) in confidence and is not to be reproduced in whole or in part without the prior written approval of Thales. The information contained herein is the property of Thales and is to be used only for the purpose for which it is submitted and is not to be released in whole or in part without the prior written permission of Thales.


    End User License Agreement (EULA)

    Please read this Agreement carefully. Use of the Product constitutes your acceptance of the terms and conditions of this License.

    This document is a legal agreement between Thales eSecurity Ltd., (THALES) and the company that has purchased a THALES product containing a computer program (Customer). If you do not agree to the terms of this Agreement, promptly return the product and all accompanying items (including cables, written materials, software disks, etc.) at your mailing or delivery expense to the company from whom you purchased it or to Thales eSecurity, Ltd, Meadow View House, Crendon Industrial Estate, Long Crendon, Aylesbury, Bucks HP18 9EQ, United Kingdom and you will receive a refund.

    1. OWNERSHIP. Computer programs, ("Software") provided by THALES are provided either separately or as a bundled part of a computer hardware product. Software shall also be deemed to include computer programs which are intended to be run solely on or within a hardware machine, (Firmware). Software, including any documentation files accompanying the Software, ("Documentation") distributed pursuant to this license consists of components that are owned or licensed by THALES or its corporate affiliates. Other components of the Software consist of free software components (Free Software Components) that are identified in the text files that are provided with the Software. ONLY THOSE TERMS AND CONDITIONS SPECIFIED FOR, OR APPLICABLE TO, EACH SPECIFIC FREE SOFTWARE COMPONENT SHALL BE APPLICABLE TO SUCH FREE SOFTWARE COMPONENT. Each Free Software Component is the copyright of its respective copyright owner. The Software is licensed to Customer and not sold. Customer has no ownership rights in the Software. Rather, Customer has a license to use the Software. The Software is copyrighted by THALES and/or its suppliers. You agree to respect and not to remove or conceal from view any copyright or trademark notice appearing on the Software or Documentation, and to reproduce any such copyright or trademark notice on all copies of the Software and Documentation or any portion thereof made by you as permitted hereunder and on all portions contained in or merged into other programs and Documentation.

    2. LICENSE GRANT. THALES grants Customer a nonexclusive license to use the Software with THALES provided computer equipment hardware solely for Customer's internal business use only. This license only applies to the version of Software shipped at the time of purchase. Any future upgrades are only authorised pursuant to a separate maintenance agreement. Customer may copy the Documentation for internal use. Customer may not decompile, disassemble, reverse engineer, copy, or modify the THALES owned or licensed components of the Software unless such copies are made in machine readable form for backup purposes. In addition, Customer may not create derivative works based on the Software except as may be necessary to permit integration with other technology and Customer shall not permit any other person to do any of the same. Any rights not expressly granted by THALES to Customer are reserved by THALES and its licensors and all implied licenses are disclaimed. Any other use of the Software by any other entity is strictly forbidden and is a violation of this EULA. The Software and any accompanying written materials are protected by international copyright and patent laws and international trade provisions.

    3. NO WARRANTY. EXCEPT AS MAY BE PROVIDED IN ANY SEPARATE WRITTEN AGREEMENT BETWEEN CUSTOMER AND THALES, THE SOFTWARE IS PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY LAW, THALES DISCLAIMS ALL WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THALES DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET ANY REQUIREMENTS OR NEEDS CUSTOMER MAY HAVE, OR THAT THE SOFTWARE WILL OPERATE ERROR FREE, OR IN AN UNINTERRUPTED FASHION, OR THAT ANY DEFECTS OR ERRORS IN THE SOFTWARE WILL BE CORRECTED, OR THAT THE SOFTWARE IS COMPATIBLE WITH ANY PARTICULAR PLATFORM. SOME JURISDICTIONS DO NOT ALLOW FOR THE WAIVER OR EXCLUSION OF IMPLIED WARRANTIES SO THEY MAY NOT APPLY. IF THIS EXCLUSION IS HELD TO BE UNENFORCEABLE BY A COURT OF COMPETENT JURISDICTION, THEN ALL EXPRESS AND IMPLIED WARRANTIES SHALL BE LIMITED IN DURATION TO A PERIOD OF THIRTY (30) DAYS FROM THE DATE OF PURCHASE OF THE SOFTWARE, AND NO WARRANTIES SHALL APPLY AFTER THAT PERIOD.

    4. LIMITATION OF LIABILITY. IN NO EVENT WILL THALES BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING WITHOUT LIMITATION, INDIRECT, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF THE USE OF OR INABILITY TO USE THE PROGRAM, OR FOR ANY CLAIM BY ANY OTHER PARTY, EVEN IF THALES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THALES' AGGREGATE LIABILITY WITH RESPECT TO ITS OBLIGATIONS UNDER THIS AGREEMENT OR OTHERWISE WITH RESPECT TO THE SOFTWARE AND DOCUMENTATION OR OTHERWISE SHALL BE EQUAL TO THE PURCHASE PRICE. HOWEVER NOTHING IN THESE TERMS AND CONDITIONS SHALL HOWEVER LIMIT OR EXCLUDE THALES' LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM NEGLIGENCE, FRAUD OR FRAUDULENT MISREPRESENTATION OR FOR ANY OTHER LIABILITY WHICH MAY NOT BE EXCLUDED BY LAW. BECAUSE SOME COUNTRIES AND STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY.

    5. EXPORT RESTRICTIONS. THE SOFTWARE IS SUBJECT TO THE EXPORT CONTROL LAWS OF THE UNITED KINGDOM, THE UNITED STATES AND OTHER COUNTRIES. THIS LICENSE AGREEMENT IS EXPRESSLY MADE SUBJECT TO ALL APPLICABLE LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS ON THE EXPORT OF THE SOFTWARE OR INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME.


    CUSTOMER SHALL NOT EXPORT THE SOFTWARE, DOCUMENTATION OR INFORMATION ABOUT THE SOFTWARE AND DOCUMENTATION WITHOUT COMPLYING WITH SUCH LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS.

    6. TERM & TERMINATION. This EULA is effective until terminated. Customer may terminate this EULA at any time by destroying or erasing all copies of the Software and accompanying written materials in Customer's possession or control. This license will terminate automatically, without notice from THALES if Customer fails to comply with the terms and conditions of this EULA. Upon such termination, Customer shall destroy or erase all copies of the Software (together with all modifications, upgrades and merged portions in any form) and any accompanying written materials in Customer's possession or control.

    7. SPECIAL PROCEDURE FOR U.S. GOVERNMENT. If the Software and Documentation is acquired by the U.S. Government or on its behalf, the Software is furnished with "RESTRICTED RIGHTS," as defined in Federal Acquisition Regulation ("FAR") 52.227-19(c)(2), and DFAR 252.227-7013 to 7019, as applicable. Use, duplication or disclosure of the Software and Documentation by the U.S. Government and parties acting on its behalf is governed by and subject to the restrictions set forth in FAR 52.227-19(c)(1) and (2) or DFAR 252.227-7013 to 7019, as applicable.

    8. TRANSFER RIGHTS. Customer may transfer the Software, and this license to another party if the other party agrees to accept the terms and conditions of this Agreement. If Customer transfers the Software, it must at the same time either transfer all copies whether in printed or machine readable form, together with the computer hardware machine on which Software was intended to operate to the same party or destroy any copies not transferred; this includes all derivative works of the Software. FOR THE AVOIDANCE OF DOUBT, IF CUSTOMER TRANSFERS POSSESSION OF ANY COPY OF THE SOFTWARE TO ANOTHER PARTY, EXCEPT AS PROVIDED IN THIS SECTION 8, CUSTOMER'S LICENSE IS AUTOMATICALLY TERMINATED.

    9. GOVERNING LAW AND VENUE. This License Agreement shall be construed, interpreted and governed by the laws of England and Wales without regard to conflicts of laws and provisions thereof or in the event that the Software was delivered in the United States, Latin America or Canada, the laws of the State of Florida. The exclusive forum for any disputes arising out of or relating to this EULA shall be an appropriate court sitting in England, United Kingdom or in the event that the Software was delivered in the United States, Latin America or Canada, the courts of Florida, United States.


    References

    The following documents are referenced in this document:

    [1] Thales Host Security Module 8000 Installation Manual. Document Number: 1270A338-8
    [2] Thales Host Security Module 8000 Host Reference Manual. Document Number: 1270A351-8
    [3] Thales Host Security Module 8000 Host Programmers Manual. Document Number: 1270A337-8
    [4] Thales Host Security Module 8000 Console Reference Manual. Document Number: 1270A349-8
    [5] Thales Host Security Module 8000 Security Operations Manual. Document Number: 1270A350-8
    [6] MasterCard On-Behalf Key Management (OBKM) Document Set. Publication Code: Y3, September 2007.


    Chapter 1 - Introduction

    The following commands have been implemented in the HSM to meet the requirements specified in the MasterCard OBKM [6] specifications and the Thales requirements specification.

    ESP specific console commands are described in Chapter 2.

    ESP specific host commands are described in Chapter 3.


    List of Host Commands (Alphabetical)

    Host Command (Response)   Function   Page
    J0 (J1)   Generate Issuer RSA Key Set (MasterCard/Europay)   56
    JO (JP)   Validate a Certification Authority Self-Signed Certificate (MasterCard/Europay)   58
    R2 (R3)   Export Electronic Purse Card Key Set   71
    R4 (R5)   Export Chip Card Key Set   64
    R6 (R7)   Export Magnetic Stripe Card Key Set   62
    R8 (R9)   Import Transport Key Set   60
    T0 (T1)   Unlinked Load Transaction Request   32
    T2 (T3)   Release RLSAM   34
    T4 (T5)   Release R2LSAM   35
    T6 (T7)   Verify RCEP   36
    U0 (U1)   Decrypt R1 and validate the MACLSAM   15
    U2 (U3)   Compute HCEP   17
    U4 (U5)   Validate the S1 MAC (Load and Unload)   18
    U6 (U7)   Validate the S1 MAC (Currency Exchange)   20
    U8 (U9)   Generate the S2 MAC (Linked load, declined unlinked load, unload)   22
    V0 (V1)   Generate the S2 MAC (Currency Exchange)   23
    V2 (V3)   Generate the S2 MAC (Approved Unlinked Load)   25
    V4 (V5)   Validate the S3 MAC (Currency Exchange transactions)   27
    V6 (V7)   Validate the S3 MAC (Load or Unload transactions)   29
    V8 (V9)   Validate the H2LSAM   31
    W0 (W1)   Validate S6 MAC   37
    W2 (W3)   Validate S6 MAC   39
    W4 (W5)   Validate S6 MAC   40
    W6 (W7)   Validate S5,DLT MAC   41
    W8 (W9)   Validate S5,ISS MAC   42
    X0 (X1)   Validate the S4 MAC Old Terminals   43
    X2 (X3)   Validate the S4 MAC New Terminals   44
    X4 (X5)   Validate the S5 MAC Old Terminals   45
    X6 (X7)   Validate the S5 MAC (MAC of the PSAM for a Transaction) New Terminals   46
    X8 (X9)   Validate the S5 Variant MAC (MAC of the PSAM for an Issuer Total) New Terminals   48
    Y0 (Y1)   Create the Acknowledgement MAC Old Terminals   50
    Y2 (Y3)   Create the Acknowledgement MAC New Terminals   51
    Y4 (Y5)   Create the Update MAC   52
    Y6 (Y7)   Validate the SADMIN MAC (Administrative MAC of the PSAM)   53
    Y8 (Y9)   Create the Merchant Acquirer MAC   54
    Z0 (Z1)   Validate the Card Issuer MAC   55


    List of Host Commands (Functional)

    Function   Command   Page
    Decrypt R1 and validate the MACLSAM   U0   15
    Compute HCEP   U2   17
    Validate the S1 MAC (Load and Unload)   U4   18
    Validate the S1 MAC (Currency Exchange)   U6   20
    Generate the S2 MAC (Linked load, declined unlinked load, unload)   U8   22
    Generate the S2 MAC (Currency Exchange)   V0   23
    Generate the S2 MAC (Approved Unlinked Load)   V2   25
    Validate the S3 MAC (Currency Exchange transactions)   V4   27
    Validate the S3 MAC (Load or Unload transactions)   V6   29
    Validate the H2LSAM   V8   31
    Unlinked Load Transaction Request   T0   32
    Release RLSAM   T2   34
    Release R2LSAM   T4   35
    Verify RCEP   T6   36
    Validate S6 MAC   W0   37
    Validate S6 MAC   W2   39
    Validate S6 MAC   W4   40
    Validate S5,DLT MAC   W6   41
    Validate S5,ISS MAC   W8   42
    Validate the S4 MAC Old Terminals   X0   43
    Validate the S4 MAC New Terminals   X2   44
    Validate the S5 MAC Old Terminals   X4   45
    Validate the S5 MAC (MAC of the PSAM for a Transaction) New Terminals   X6   46
    Validate the S5 Variant MAC (MAC of the PSAM for an Issuer Total) New Terminals   X8   48
    Create the Acknowledgement MAC Old Terminals   Y0   50
    Create the Acknowledgement MAC New Terminals   Y2   51
    Create the Update MAC   Y4   52
    Validate the SADMIN MAC (Administrative MAC of the PSAM)   Y6   53
    Create the Merchant Acquirer MAC   Y8   54
    Validate the Card Issuer MAC   Z0   55
    Generate Issuer RSA Key Set (MasterCard/Europay)   J0   56
    Validate a Certification Authority Self-Signed Certificate (MasterCard/Europay)   JO   58
    Import Transport Key Set   R8   60
    Export Magnetic Stripe Card Key Set   R6   62
    Export Chip Card Key Set   R4   64
    Export Electronic Purse Card Key Set   R2   71


    Chapter 2 - Console Commands

    Set KMC Sequence Number

    Online : Offline ; Secure : Authorisation: Required Activity: misc.console

    Command: A6

    Function: To set the value of the KMC sequence number held within the HSM protected memory.

    Authorisation: The HSM must be in the Offline state to run this command. Additionally, the HSM must be either in the Authorised State, or the activity misc.console must be authorised.

    Inputs: New sequence number value.

    Outputs: None.

    Errors:
    Not Authorised - The HSM is not in Authorised State.
    Not Offline - The HSM must be offline to run this command.
    Invalid Entry - The value entered is invalid (the counter can have any value between 00000000 and FFFFFFFF).

    Example:
    Offline-AUTH> A6
    Current KMC sequence number is: 00000000 0 0F3 0000
    Enter new value or for no change: 2BAF
    Current KMC sequence number is: 00000000 00002BAF
    Offline-AUTH>


    Chapter 3 - Host Commands

    General

    This Chapter details all the commands available with their responses and possible error codes. A number of abbreviations are used throughout. They are:

    L : Encrypted PIN length. Set at installation.
    m : Message header length. Set at installation.
    n : Variable length field.
    A : Alphanumeric (can include any non-control type) characters.
    H : Hexadecimal character.
    N : Numeric Field.
    C : Control character.
    B : Binary data (byte), X00 to XFF.

    For example:
    32 H : Indicates that thirty-two hexadecimal characters are required.
    m A : Indicates the string of message header length alphanumeric characters.

    For convenience, the STX and ETX control characters, which bracket every command and response, are not shown in the details that follow.

    In a command to the HSM, any key can be replaced by a reference to internal user storage. In the details that follow, a key is always shown as if it is to be sent with each command; in every case the key can be replaced by the index flag K and a three-digit pointer value.

    The HSM can be used in systems where there may be Atalla security equipment at other network nodes. This is achieved by the inclusion of an Atalla variant in those commands that translate a key from/to encryption under a ZMK. This has the effect of modifying the ZMK before it is used to decrypt/encrypt in accordance with the method used by the Atalla equipment. The HSM can support 1 or 2 digit Atalla variants.

    When a disabled host command is invoked, the error code 68 is returned. When a disabled console command is invoked, the message "Function not defined or not allowed" is displayed.


    Key Type Table

    Table of actions applied to each specific LMK pair and variant in generic HSM commands. The columns are variants 0 to 9; for each variant the three action columns are G (Generate), E (Export) and I (Import).

    LMK Pair   Pair Code   Key types by variant (as extracted)                                                                                             G/E/I actions (as extracted)
    04-05      00          ZMK, ZMK (Comp), KML                                                                                                             A U A U U A U
    06-07      01          ZPK                                                                                                                              U A U
    14-15      02          PVK, TPK, TMK, CSCK, CVK                                                                                                         U A U U A U
    16-17      03          TAK                                                                                                                              U A U
    18-19      04          DTAB, IPB
    20-21      05          KML, KMLISS, KMX, KMXISS, KMP, KMPISS, KIS,5', KM3L, KM3LISS, KM3X, KM3XISS, KMACS4, KMACS5, KMACACQ, KMACACK                   U A U U A U U A U U A U U A U U A U U A U U A U U A U
    22-23      06          WWK, KMACUPD, KMACMA, KMACCI, KMACISS, KMSCISS, BKEM, BKAM                                                                      U A U U A U U A U U A U U A U
    24-25      07
    26-27      08          ZAK                                                                                                                              U A U
    28-29      09          BDK, MK-AC, MK-SMI, MK-SMC, MK-DAK, MK-DN, MK-CVC3                                                                               U A U U A U U A U U A U U A U U A U U A U
    30-31      0A          ZEK                                                                                                                              U A U
    32-33      0B          DEK, TEK                                                                                                                         U
    34-35      0C          RSA-SK, HMAC                                                                                                                     U A U
    36-37      0D          RSA-MAC
    38-39      0E

    G = Generate. E = Export. I = Import. A = allowed only in Authorised state; U = allowed Unconditionally, i.e. without Authorised state.

    Blank = Not allowed.


    Decrypt R1 and validate the MACLSAM

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: To decrypt R1 and validate the MACLSAM.

    Notes: This command is complementary to the SA command in the Load Acquirer commands that generates the encrypted R1.

    Field Length & Type Details

    COMMAND MESSAGE

    Message Header m A Subsequently returned to the Host unchanged.

    Command Code 2 A Value 'U0'.

    TPK 16 H or 1 A + 32 H The Terminal PIN key encrypted under LMK pair 14-15. A single length TPK will be input as 16 hexadecimal characters. A double length TPK will be input as a U character followed by 32 hexadecimal characters.

    R1Length 1 N The length of the key R1: '1' : single length '2' : double length.

    R1 16 / 32 H The session key encrypted under the TPK.

    DDCEPLength 1 B The length in bytes of the DDCEP field. The length is specified in binary and must be in the range 00H to 20H (equivalent to 0 to 32 decimal).

    IDISS 4 B The Issuer ID.

    IDCEP 6 B The CEP Card Identifier.

    NTCEP 2 B The transaction number assigned by the card.

    CURRLDA 3 B The Currency Indicator.

    IDLACQ 4 B Load Acquirer ID.

    IDLDA 6 B The Identifier for the Load Device.

    MLDA 4 B The Transaction amount.

    S1 8 B The CEP Card signature produced by the card during 'Card Initialise for Load'.

    HCEP 10 B The SHA-1 Hash generated by the CEP card on the Load Transaction data.

    HLSAM 8 B SHA-1 hash of internally generated RLSAM.

    H2LSAM 8 B SHA-1 hash of internally generated R2LSAM.

    DDCEP 0 - 32 B Discretionary Data.

    MACLSAM 4 B EMV MAC of Transactional data.

    End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19'.

    Message Trailer n A Optional. Maximum length 32 characters.


    Field Length & Type Details

    RESPONSE MESSAGE

    Message Header m A Returned to the Host unchanged.

    Response Code 2 A Value 'U1'.

    Error Code 2 N
    '00' : No error (MAC validated successfully)
    '01' : MAC validation failed
    '11' : TPK parity error
    '70' : Invalid R1Length code
    '72' : R1 Parity Error
    or a standard error code, as listed in Chapter 4 of [2].

    End Message Delimiter 1 C Present only if present in the command message. Value X'19'.

    Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
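    The following is an added example, not code from the manual or from Thales: it assembles a U0 command from the field table above, applying the Chapter 3 conventions (STX/ETX bracketing, the optional X'19' delimiter and trailer, a key sent either as hex or as the index flag K plus a three-digit pointer, error code 68 for a disabled command), and parses the U1 response. The header length, the framing layout and every sample value are constructed assumptions for illustration, not real keys or card data.

```python
import re

STX, ETX = b"\x02", b"\x03"   # bracket every command and response
END_DELIM = b"\x19"           # End Message Delimiter, value X'19'

# (name, length, type) from the U0 command table; types per Chapter 3:
# H hex characters, N numeric, B binary bytes. A callable length is
# derived from an earlier field (R1Length, DDCEPLength).
U0_FIELDS = [
    ("TPK",         None, "KEY"),
    ("R1Length",    1,    "N"),
    ("R1",          lambda f: 16 if f["R1Length"] == "1" else 32, "H"),
    ("DDCEPLength", 1,    "B"),
    ("IDISS",       4,    "B"),
    ("IDCEP",       6,    "B"),
    ("NTCEP",       2,    "B"),
    ("CURRLDA",     3,    "B"),
    ("IDLACQ",      4,    "B"),
    ("IDLDA",       6,    "B"),
    ("MLDA",        4,    "B"),
    ("S1",          8,    "B"),
    ("HCEP",        10,   "B"),
    ("HLSAM",       8,    "B"),
    ("H2LSAM",      8,    "B"),
    ("DDCEP",       lambda f: f["DDCEPLength"][0], "B"),
    ("MACLSAM",     4,    "B"),
]

# Error codes listed for the U1 response, plus 68 (disabled host command).
U1_ERRORS = {
    "00": "No error (MAC validated successfully)",
    "01": "MAC validation failed",
    "11": "TPK parity error",
    "70": "Invalid R1Length code",
    "72": "R1 Parity Error",
    "68": "Command disabled",
}

def encode_key(value: str) -> bytes:
    """A key field carries the key encrypted under its LMK pair (16 H, or
    'U' + 32 H for double length) or the index flag K + 3-digit pointer."""
    if not re.fullmatch(r"K\d{3}|[0-9A-F]{16}|U[0-9A-F]{32}", value):
        raise ValueError("key must be 16 hex, 'U' + 32 hex, or Knnn")
    return value.encode("ascii")

def encode_field(name, length, ftype, fields) -> bytes:
    value = fields[name]
    n = length(fields) if callable(length) else length
    if ftype == "KEY":
        return encode_key(value)
    if ftype == "B":
        if len(value) != n:
            raise ValueError(f"{name}: expected {n} bytes, got {len(value)}")
        return bytes(value)
    pattern = r"[0-9A-F]*" if ftype == "H" else r"[0-9]*"
    if len(value) != n or not re.fullmatch(pattern, value):
        raise ValueError(f"{name}: expected {n} characters of type {ftype}")
    return value.encode("ascii")

def build_u0(header: bytes, fields: dict, trailer: bytes = b"") -> bytes:
    """Assemble STX + header + 'U0' + fields [+ X'19' + trailer] + ETX,
    enforcing the range checks the field table states."""
    if fields["R1Length"] not in ("1", "2"):
        raise ValueError("R1Length must be '1' (single) or '2' (double)")
    if fields["DDCEPLength"][0] > 0x20:
        raise ValueError("DDCEPLength must be in the range 00H to 20H")
    if len(trailer) > 32:
        raise ValueError("message trailer is at most 32 characters")
    body = b"".join(encode_field(n, l, t, fields) for n, l, t in U0_FIELDS)
    msg = header + b"U0" + body
    if trailer:
        msg += END_DELIM + trailer
    return STX + msg + ETX

def parse_u1(raw: bytes, header_len: int) -> dict:
    """Split a U1 response into header, error code and optional trailer."""
    if raw[:1] != STX or raw[-1:] != ETX:
        raise ValueError("missing STX/ETX framing")
    body = raw[1:-1]
    header, rest = body[:header_len], body[header_len:]
    if rest[:2] != b"U1":
        raise ValueError(f"unexpected response code {rest[:2]!r}")
    code = rest[2:4].decode("ascii")
    trailer = rest[5:] if rest[4:5] == END_DELIM else b""
    return {"header": header, "error_code": code, "ok": code == "00",
            "meaning": U1_ERRORS.get(code, "standard error code, see [2] ch. 4"),
            "trailer": trailer}

def sample_command() -> bytes:
    """Constructed sample values (not real keys or card data) for a U0."""
    f = {
        "TPK": "0123456789ABCDEF", "R1Length": "1", "R1": "FEDCBA9876543210",
        "DDCEPLength": bytes([2]), "IDISS": b"\x00\x00\x00\x01",
        "IDCEP": bytes(6), "NTCEP": b"\x00\x07", "CURRLDA": b"\x09\x78\x00",
        "IDLACQ": bytes(4), "IDLDA": bytes(6), "MLDA": b"\x00\x00\x10\x00",
        "S1": bytes(8), "HCEP": bytes(10), "HLSAM": bytes(8),
        "H2LSAM": bytes(8), "DDCEP": b"\xAA\xBB", "MACLSAM": bytes(4),
    }
    return build_u0(b"HEAD", f)
```

    A host that logs the parsed error_code and meaning for every U1 gets a direct view of MAC validation failures and key parity errors without ever handling the TPK in clear.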


    Compute HCEP

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Create RCEP and use the SHA-1 algorithm to compute HCEP.

    Notes:

    Field Length & Type Details

    COMMAND MESSAGE

    Message Header m A Subsequently returned to the Host unchanged.

    Command Code 2 A Value 'U2'.

    *KML 32 H or 1 A + 32 H Double length KML encrypted under LMK pair 20-21 variant 1.

    IDLACQ 4 B Load Acquirer ID.

    IDLDA 6 B The Identifier for the Load Device.

    IDISS 4 B The Issuer ID.

    IDCEP 6 B The CEP Card Identifier.

    NTCEP 2 B The transaction number assigned by the Load Acquirer.

    End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19'.

    Message Trailer n A Optional. Maximum length 32 characters.

    Field Length & Type Details

    RESPONSE MESSAGE

    Message Header m A Will be returned to the Host unchanged

    Response Code 2 A Value 'U3'.

    Error Code 2 N
    '00' : No error
    '10' : KML parity error
    or a standard error code, as listed in Chapter 4 of [2].

    HCEP 10 B SHA-1 hash of input data and RCEP.

    End Message Delimiter 1 C Present only if present in the command message. Value X'19'.

    Message Trailer n A Present only if present in the command message. Maximum length 32 characters.


    Validate the S1 MAC (Load and Unload)

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the S1 MAC for load and unload transactions.

    Notes:

    Field Length & Type Details

    COMMAND MESSAGE

    Message Header m A Subsequently returned to the Host unchanged.

    Command Code 2 A Value 'U4'.

    *KML 32 H or 1 A + 32 H Double length KML encrypted under LMK pair 20-21 variant 1.

    IDCEP 6 B The CEP Card Identifier. Used to create the *KDL.

    NTCEP 2 B The transaction number assigned by the Load Acquirer.

    TI 1 B Transaction Indicator: 0C : load transactions 0A : unload transactions.

    DTHRLDA 5 B Transaction date and time.

    CURRLDA 3 B The Currency Code.

    IDLACQ 4 B Load Acquirer ID.

    IDLDA 6 B The Identifier for the Load Device.

    MLDA 4 B The Transaction amount.

    NTLASTLOAD 2 B Transaction number of last load.

    NTLASTCANCEL 2 B Transaction number of last cancel.

    CSTATCEP 2 B Card Status.

    TLfailCEP 1 B Tag and length of failed update.

    DEXPCEP 3 B Expiry date of the card, YYMMDD.

    BALCEP 4 B Balance of slot prior to completion.

    BALmaxCEP 4 B Maximum balance of the slot.

    PVSCEP 1 B PIN verification status.

    S1 8 B Signature for verification.

    End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.

    Message Trailer n A Optional. Maximum length 32 characters.


    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'U5'.
    Error Code | 2 N | '00' : No error (S1 validated successfully); '01' : S1 validation failed; '10' : KML parity error; '70' : Invalid transaction indicator; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Validate the S1 MAC (Currency Exchange)

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the S1 MAC for currency exchange transactions.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'U6'.
    *KMX | 32 H or 1 A + 32 H | Double length KMX encrypted under LMK pair 20-21 variant 2.
    IDCEP | 6 B | The CEP Card Identifier. Used to create the *KDX.
    NTCEP | 2 B | The transaction number assigned by the Load Acquirer.
    TI | 1 B | Transaction Indicator: 08 for currency exchange transactions.
    DTHRLDA | 5 B | Transaction date and time.
    CURRSOURCE | 3 B | The Currency Code for the source slot.
    IDLACQ | 4 B | Load Acquirer ID.
    IDLDA | 6 B | The Identifier for the Load Device.
    MLDA | 4 B | The Transaction amount.
    NTLASTLOAD | 2 B | Transaction number of last load.
    NTLASTCANCEL | 2 B | Transaction number of last cancel.
    CSTATCEP | 2 B | Card Status.
    TLfailCEP | 1 B | Tag and Length of failed update.
    DEXPCEP | 3 B | Expiry date of the card, YYMMDD.
    CURRTARGET | 3 B | The Currency Code.
    BALTARGET | 4 B | Balance of target slot.
    BALmaxTARGET | 4 B | Maximum balance of the target slot.
    BALSOURCE | 4 B | Balance of source slot.
    S1 | 8 B | Signature for verification.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.


    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'U7'.
    Error Code | 2 N | '00' : No error (S1 validated successfully); '01' : S1 validation failed; '10' : KDX parity error; '70' : Invalid transaction indicator; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Generate the S2 MAC (Linked load, declined unlinked load, unload)

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Generate the S2 MAC for Linked Load, Declined Unlinked Load or Unload transactions.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'U8'.
    *KML | 32 H or 1 A + 32 H | Double length KML encrypted under LMK pair 20-21 variant 1.
    IDCEP | 6 B | The CEP Card Identifier. Used to create the *KDL.
    NTCEP | 2 B | The transaction number assigned by the Load Acquirer.
    Updates Length | 2 N | Length in bytes of the UPDATESISS field.
    CCISS | 2 B | Completion Code.
    TI | 1 B | Transaction Indicator: 0C : Linked Load or Declined Unlinked Load transactions; 0A : unload transactions.
    S1 | 8 B | Signature.
    BALISS | 4 B | Balance of card for this currency.
    BALmaxISS | 4 B | Maximum balance of the target slot.
    CALPHAISS | 3 B | Alphanumeric currency code.
    UPDATESISS | 0 - 24 B | Updates to CEP card data.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.

    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'U9'.
    Error Code | 2 N | '00' : No error; '10' : *KML parity error; '70' : Invalid transaction indicator; '71' : Invalid Updates Length; or a standard error code, as listed in Chapter 4 of [2].
    S2 | 8 B | Generated Signature.
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Generate the S2 MAC (Currency Exchange)

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Generate the S2 MAC for currency exchange transactions.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'V0'.
    *KMX | 32 H or 1 A + 32 H | Double length *KMX encrypted under LMK pair 20-21 variant 2.
    IDCEP | 6 B | The CEP Card Identifier. Used to create the *KDX.
    NTCEP | 2 B | The transaction number assigned by the Load Acquirer.
    Updates Length | 2 N | Length in bytes of the UPDATESISS field.
    CCISS | 2 B | Completion Code.
    TI | 1 B | Transaction Indicator: 08 : currency exchange transactions.
    S1 | 8 B | Signature.
    BALISS,TARGET | 4 B | New Balance of target slot.
    BALmaxISS,TARGET | 4 B | Maximum balance of the target slot.
    CALPHAISS,TARGET | 3 B | Alphanumeric representation of the target currency code.
    BALISS,SOURCE | 4 B | New Balance of the source slot.
    UPDATESISS | 0 - 24 B | Updates to CEP card data.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.


    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'V1'.
    Error Code | 2 N | '00' : No error; '10' : KML parity error; '70' : Invalid transaction indicator; '71' : Invalid Updates Length; or a standard error code, as listed in Chapter 4 of [2].
    S2 | 8 B | Generated Signature.
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Generate the S2 MAC (Approved Unlinked Load)

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Generate the S2 MAC for unlinked load transactions.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'V2'.
    *KML | 32 H or 1 A + 32 H | Double length KML encrypted under LMK pair 20-21 variant 1.
    IDCEP | 6 B | The CEP Card Identifier. Used to create the *KDL.
    NTCEP | 2 B | The transaction number assigned by the Load Acquirer.
    Updates Length | 2 N | Length in bytes of the UPDATESISS field.
    CCISS | 2 B | Completion Code.
    TI | 1 B | Transaction Indicator: 0C : unlinked load transactions.
    S1 | 8 B | S1 Signature.
    BALISS | 4 B | Balance of CEP card.
    BALmaxISS | 4 B | Maximum balance of the target slot.
    CALPHAISS | 3 B | Alphanumeric representation of the currency code for this slot.
    HLSAM | 8 B | Left 8 bytes from SHA-1 hash of: IDLACQ, IDLDA, IDISS, IDCEP, NTCEP, RLSAM.
    UPDATESISS | 0 - 24 B | Updates to CEP card data.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.


    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'V3'.
    Error Code | 2 N | '00' : No error; '10' : KML parity error; '70' : Invalid transaction indicator; '71' : Invalid Updates Length; or a standard error code, as listed in Chapter 4 of [2].
    S2 | 8 B | Generated Signature.
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Validate the S3 MAC (Currency Exchange transactions)

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the S3 MAC for currency exchange transactions.

    Notes: After a CEP card completes processing, it generates an S3 MAC to prove to the issuer that the currency exchange transaction was completed successfully. The load processor uses this function to verify the S3 MAC.

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'V4'.
    *KM3X | 32 H or 1 A + 32 H | Double length KM3X encrypted under LMK pair 20-21 variant 6.
    IDCEP | 6 B | The CEP Card Identifier. Used to create the *KDX.
    NTCEP | 2 B | The transaction number assigned by the Load Acquirer.
    CCTRX | 2 B | Transaction Completion Code.
    TI | 1 B | Transaction Indicator: 08 : currency exchanges.
    DTHRLDA | 5 B | Transaction date and time.
    CURRLDA,SOURCE | 3 B | The Currency Code.
    IDLACQ | 4 B | Load Acquirer ID.
    IDLDA | 6 B | The Identifier for the Load Device.
    MLDA | 4 B | The Transaction amount.
    CURRLDA,TARGET | 3 B | The Currency Code.
    BALCEP,TARGET | 4 B | Balance of slot prior to completion.
    BALCEP,SOURCE | 4 B | Balance of slot prior to completion.
    S3 | 8 B | Signature for verification.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.


    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'V5'.
    Error Code | 2 N | '00' : No error (S3 validated successfully); '01' : S3 validation failed; '10' : KML parity error; '70' : Invalid transaction indicator; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Validate the S3 MAC (Load or Unload transactions)

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the S3 MAC for load or unload transactions.

    Notes: After a CEP card completes processing, it generates an S3 MAC to prove to the issuer that the load or unload transaction was completed successfully. This function is used by the load processor to verify the S3 MAC.

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'V6'.
    *KM3L | 32 H or 1 A + 32 H | Double length *KM3L encrypted under LMK pair 20-21 variant 5.
    IDCEP | 6 B | The CEP Card Identifier. Used to create the *KD3L.
    NTCEP | 2 B | The transaction number assigned by the Load Acquirer.
    CCTRX | 2 B | Transaction Completion Code.
    TI | 1 B | Transaction Indicator: 0C : load transactions; 0A : unload transactions.
    DTHRLDA | 5 B | Transaction date and time.
    CURRLDA | 3 B | The Currency Code.
    IDLACQ | 4 B | Load Acquirer ID.
    IDLDA | 6 B | The Identifier for the Load Device.
    MLDA | 4 B | The Transaction amount.
    BALCEP | 4 B | Balance of slot prior to completion.
    S3 | 8 B | Signature for verification.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.


    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'V7'.
    Error Code | 2 N | '00' : No error (S3 validated successfully); '01' : S3 validation failed; '10' : KMX parity error; '70' : Invalid transaction indicator; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Validate the H2LSAM

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the H2LSAM, creating a SHA-1 hash over the transaction data and comparing with the input H2LSAM.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'V8'.
    IDLACQ | 4 B | Load Acquirer ID.
    IDLDA | 6 B | The Identifier for the Load Device.
    IDISS | 4 B | The Issuer ID.
    IDCEP | 6 B | The CEP Card Identifier.
    NTCEP | 2 B | The transaction number assigned by the Load Acquirer.
    R2LSAM | 16 B | Random Number.
    H2LSAM | 8 B | Verification code (SHA-1 hash).
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.

    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'V9'.
    Error Code | 2 N | '00' : No error (H2LSAM validated successfully); '01' : H2LSAM validation failed; '10' : KML parity error; '70' : Invalid transaction indicator; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.
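    As an added example (not code from the manual or from Thales), the following Python computes the HLSAM check value exactly as the V2 command table describes it (left 8 bytes of the SHA-1 hash of IDLACQ, IDLDA, IDISS, IDCEP, NTCEP and RLSAM) and applies the same check to H2LSAM for the V8 command. The V8 command only says "a SHA-1 hash over the transaction data", so using the same field order with R2LSAM in place of RLSAM is an assumption made here, and the comparison is done in constant time.

```python
"""HLSAM / H2LSAM check values (added example; not Thales code)."""
import hashlib
import hmac

# Field lengths as tabulated in the V2 and V8 commands (bytes).
LENGTHS = {"idlacq": 4, "idlda": 6, "idiss": 4, "idcep": 6, "ntcep": 2}
R_LEN = 16   # R2LSAM is 16 B; a double-length RLSAM (32 H) is also 16 bytes
H_LEN = 8    # HLSAM and H2LSAM are 8 B

# Constructed sample values: placeholders, not values from a real transaction.
SAMPLE_TX = {"idlacq": b"\x00\x00\x12\x34", "idlda": b"\x00\x00\x00\x00\x00\x07",
             "idiss": b"\x00\x00\x00\x42", "idcep": b"\x11\x22\x33\x44\x55\x66",
             "ntcep": b"\x00\x05"}
SAMPLE_R2LSAM = bytes(range(16))


def hash_lsam(idlacq, idlda, idiss, idcep, ntcep, r_lsam):
    """Left 8 bytes of SHA-1(IDLACQ || IDLDA || IDISS || IDCEP || NTCEP || R).

    With RLSAM this is the HLSAM field of the V2 command; with R2LSAM it is
    the H2LSAM value assumed for the V8 command.
    """
    fields = {"idlacq": idlacq, "idlda": idlda, "idiss": idiss,
              "idcep": idcep, "ntcep": ntcep}
    for name, value in fields.items():
        if len(value) != LENGTHS[name]:
            raise ValueError(f"{name.upper()}: expected {LENGTHS[name]} bytes, got {len(value)}")
    if len(r_lsam) != R_LEN:
        raise ValueError(f"R(2)LSAM: expected {R_LEN} bytes, got {len(r_lsam)}")
    data = idlacq + idlda + idiss + idcep + ntcep + r_lsam
    return hashlib.sha1(data).digest()[:H_LEN]


def validate_h2lsam(idlacq, idlda, idiss, idcep, ntcep, r2lsam, h2lsam):
    """Mirror the V9 error code: '00' when H2LSAM matches, '01' when it does not.

    The comparison is constant-time so a host re-implementing this check
    does not leak how many leading bytes of the hash were correct.
    """
    if len(h2lsam) != H_LEN:
        raise ValueError(f"H2LSAM: expected {H_LEN} bytes, got {len(h2lsam)}")
    expected = hash_lsam(idlacq, idlda, idiss, idcep, ntcep, r2lsam)
    return "00" if hmac.compare_digest(expected, h2lsam) else "01"


if __name__ == "__main__":
    h2 = hash_lsam(r_lsam=SAMPLE_R2LSAM, **SAMPLE_TX)
    print(h2.hex(), validate_h2lsam(r2lsam=SAMPLE_R2LSAM, h2lsam=h2, **SAMPLE_TX))
    tampered = bytes([h2[0] ^ 0x01]) + h2[1:]
    print(validate_h2lsam(r2lsam=SAMPLE_R2LSAM, h2lsam=tampered, **SAMPLE_TX))
```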


    Unlinked Load Transaction Request

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Unlinked Load Transaction Request.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'T0'.
    S1 | 8 B | The CEP Card MAC produced by the card during 'Card Initialise for Load'.
    HCEP | 10 B | The SHA-1 Hash generated by the CEP card on the Load Transaction data.
    TPK | 16 H or 1 A + 32 H | The Terminal PIN key encrypted under LMK pair 14-15.
    REFNO | 3 B | The Transaction Reference Number.
    R1Length | 1 N | The required length of the generated key R1: '1' : single length; '2' : double length.
    IDISS | 4 B | The Issuer ID.
    IDCEP | 6 B | The CEP Card Identifier.
    NTCEP | 2 B | The transaction number assigned by the Load Acquirer.
    CURRLDA | 3 B | The Currency Indicator.
    IDLACQ | 4 B | Load Acquirer ID.
    IDLDA | 6 B | The Identifier for the Load Device.
    MLDA | 4 B | The Transaction amount.
    DDCEPLength | 1 B | The length in bytes of the DDCEP field that follows.
    DDCEP | 0 - 32 B | Discretionary Data.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.


    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'T1'.
    Error Code | 2 N | '00' : No error; '11' : TPK Parity Error; or a standard error code, as listed in Chapter 4 of [2].
    (DES)R1 | 16 / 32 H | The generated session key encrypted under the TPK. (Note: if the supplied TPK is double length then this will also be double length.)
    (DES)RLSAM | 64 H | The generated double length key RLSAM and other data CBC encrypted under LMK pair 10-11.
    (DES)R2LSAM | 64 H | The generated double length key R2LSAM and other data CBC encrypted under LMK pair 10-11.
    HLSAM | 8 B | SHA-1 hash of internally generated RLSAM.
    H2LSAM | 8 B | SHA-1 hash of internally generated R2LSAM.
    (DES)HCEP | 64 H | The HCEP, concatenated with REFNO and IDLACQ and CBC encrypted under LMK pair 10-11.
    MACLSAM | 4 B | EMV MAC of Transactional data.
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Release RLSAM

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Release RLSAM.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'T2'.
    REFNO | 3 B | The Transaction Reference Number.
    IDLACQ | 4 B | Load Acquirer ID.
    (DES)RLSAM | 64 H | The generated double length key RLSAM and other data CBC encrypted under LMK pair 10-11.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.

    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'T3'.
    Error Code | 2 N | '00' : No error; '01' : Validation Error; '10' : RLSAM parity error; or a standard error code, as listed in Chapter 4 of [2].
    RLSAM | 32 H | The clear text value of RLSAM returned as 32 HEX characters.
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Release R2LSAM

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Release R2LSAM.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'T4'.
    REFNO | 3 B | The Transaction Reference Number.
    IDLACQ | 4 B | Load Acquirer ID.
    (DES)R2LSAM | 64 H | The generated double length key R2LSAM and other data CBC encrypted under LMK pair 10-11.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.

    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'T5'.
    Error Code | 2 N | '00' : No error; '01' : Validation Error; '10' : R2LSAM parity error; or a standard error code, as listed in Chapter 4 of [2].
    R2LSAM | 32 H | The clear text value of R2LSAM returned as 32 HEX characters.
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Verify RCEP

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Verify RCEP.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'T6'.
    REFNO | 3 B | The Transaction Reference Number.
    (DES)HCEP | 64 H | The HCEP, concatenated with REFNO and IDLACQ and CBC encrypted under LMK pair 10-11.
    IDLACQ | 4 B | Load Acquirer ID.
    IDLDA | 6 B | The Identifier for the Load Device.
    IDISS | 4 B | The Issuer ID.
    IDCEP | 6 B | The CEP Card Identifier.
    NTCEP | 2 B | The transaction number assigned by the Load Acquirer.
    RCEP | 16 B | The 16 Byte value returned by the CEP card following a Credit for Load rejection.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.

    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'T7'.
    Error Code | 2 N | '00' : No error; '01' : Verification Failure; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Validate S6 MAC

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: To validate an S6 Message Authentication Code (MAC) calculated by a CEP card on a detailed transaction record.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'W0'.
    KMP | 32 H | Master Purchase Key, encrypted under variant 3 of LMK pair 20-21.
    ALGP2 | 1 B | Algorithm code for S6 in purchase transactions: must equal X10.
    IDCEP | 6 B | CEP card serial number.
    NTCEP | 2 B | CEP card transaction number.
    DEXPPCEP | 3 B | CEP card expiration date for offline transactions.
    TICEP | 1 B | CEP card transaction indicator.
    DTHRPDA | 5 B | PDA transaction date and time.
    CURRPDA | 3 B | PDA currency.
    AMCEP | 1 B | CEP card authentication method.
    RIDPSAM | 5 B | Registered identity of the entity assigning PSAM Creator IDs.
    IDPSAMCREATOR | 4 B | Identifier for the creator of a PSAM.
    IDPSAM | 4 B | Identifier of a PSAM.
    NTPSAM | 4 B | PSAM transaction number.
    MTOTCEP | 4 B | CEP card total transaction amount.
    MPDA | 4 B | PDA transaction amount.
    BALCEP | 4 B | CEP card slot balance.
    S6 | 8 B | Transaction MAC, to be validated.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.


    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'W1'.
    Error Code | 2 N | '00' : No error (S6 verification successful); '01' : S6 verification failure; '10' : KMP parity error; '70' : Invalid ALGP2; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Validate S6 MAC

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: To validate an S6 Message Authentication Code (MAC) calculated by a CEP card on an aggregated transaction.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'W2'.
    KMP | 32 H | Master Purchase Key, encrypted under variant 3 of LMK pair 20-21.
    ALGP2 | 1 B | Algorithm code for S6 in purchase transactions: must equal X10.
    IDCEP | 6 B | CEP card serial number.
    NTCEP | 2 B | CEP card transaction number.
    MAC Type | 1 B | MAC type; must equal X01.
    CURRPDA | 3 B | PDA currency.
    MTOTAGG | 4 B | Amount of aggregated transactions in the current record.
    NTAGG | 2 B | Number of aggregated transactions in the current record.
    IDBATCH | 2 B | Identifier of batch containing the aggregated transactions.
    RIDPSAM | 5 B | Registered identity of the entity assigning PSAM Creator IDs.
    IDPSAMCREATOR | 4 B | Identifier for the creator of a PSAM.
    IDPSAM | 4 B | Identifier of a PSAM.
    NTPSAM | 4 B | PSAM transaction number.
    S6 | 8 B | Transaction MAC, to be validated.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.

    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'W3'.
    Error Code | 2 N | '00' : No error (S6 verification successful); '01' : S6 verification failure; '10' : KMP parity error; '70' : Invalid ALGP2; '71' : Invalid MAC type; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Validate S6 MAC

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: To validate an S6 Message Authentication Code (MAC) calculated by a CEP card on an Issuer backup total.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'W4'.
    KMP | 32 H | Master Purchase Key, encrypted under variant 3 of LMK pair 20-21.
    ALGP2 | 1 B | Algorithm code for S6 in purchase transactions: must equal X10.
    IDCEP | 6 B | CEP card serial number.
    NTCEP | 2 B | CEP card transaction number.
    MAC Type | 1 B | MAC type; must equal X02.
    CURRPDA | 3 B | PDA currency.
    MTOToldIB | 4 B | Signed amount of transactions in the batch for the Issuer.
    NToldIB | 2 B | Signed number of transactions in the batch for the Issuer.
    IDBATCH | 2 B | Identifier of batch containing the aggregated transactions.
    RIDPSAM | 5 B | Registered identity of the entity assigning PSAM Creator IDs.
    IDPSAMCREATOR | 4 B | Identifier for the creator of a PSAM.
    IDPSAM | 4 B | Identifier of a PSAM.
    NTPSAM | 4 B | PSAM transaction number.
    S6 | 8 B | Transaction MAC, to be validated.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.

    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'W5'.
    Error Code | 2 N | '00' : No error (S6 verification successful); '01' : S6 verification failure; '70' : Invalid ALGP2; '71' : Invalid MAC type; '10' : KMP parity error; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Validate S5,DLT MAC

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: To validate an S5,DLT Message Authentication Code (MAC), which provides the Issuer with the ability to verify the integrity of a non-CEP transaction.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'W6'.
    KIS5 | 32 H | S5 Issuer Key, encrypted under variant 4 of LMK pair 20-21.
    ALGKS | 1 B | Algorithm code for S5 transactions; must equal X01.
    NTPSAM | 4 B | PSAM transaction number.
    TIPDA | 1 B | PDA transaction indicator.
    DTHRPDA | 5 B | PDA transaction date and time.
    IDPSAM | 4 B | Identifier of a PSAM.
    MPDA | 4 B | PDA transaction amount.
    DEXPCARD | 3 B | Card expiry date.
    AMCEP | 1 B | CEP card authentication method.
    BALCEP | 4 B | CEP card slot balance.
    RIDPSAM | 5 B | Registered identity of the entity assigning PSAM Creator IDs.
    IDPSAMCREATOR | 4 B | Identifier for the creator of a PSAM.
    NTPSAM | 4 B | PSAM transaction number.
    S5,DLT | 8 B | Transaction MAC, to be validated.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.

    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'W7'.
    Error Code | 2 N | '00' : No error (S5,DLT verification successful); '01' : S5,DLT verification failure; '10' : KIS5 parity error; '70' : Invalid ALGKS; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Validate S5,ISS MAC

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: To validate an S5,ISS Message Authentication Code (MAC), which provides the Issuer with the ability to verify the integrity of a non-CEP transaction.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'W8'.
    KIS5 | 32 H | S5 Issuer Key, encrypted under variant 4 of LMK pair 20-21.
    ALGKS | 1 B | Algorithm code for S5 transactions; must equal X01.
    NTPSAM | 4 B | PSAM transaction number.
    MAC Type | 1 B | MAC type; must equal X01 or X02.
    MTOT | 4 B | MTOToldIB or MTOTAGG.
    CURRPDA | 3 B | PDA currency.
    NT | 2 B | NToldIB or NTAGG.
    IDBATCH | 2 B | Identifier of batch containing the aggregated transactions.
    RIDPSAM | 5 B | Registered identity of the entity assigning PSAM Creator IDs.
    IDPSAMCREATOR | 4 B | Identifier for the creator of a PSAM.
    IDPSAM | 4 B | Identifier of a PSAM.
    S5,ISS | 8 B | Transaction MAC, to be validated.
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.

    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'W9'.
    Error Code | 2 N | '00' : No error (S5,ISS verification successful); '01' : S5,ISS verification failure; '02' : Invalid ALGKS; '03' : Invalid MAC type; '10' : KIS5 parity error; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Validate the S4 MAC Old Terminals

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the S4 MAC (MAC of the PSAM for a Batch) for old terminals.

    Notes:

    COMMAND MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Subsequently returned to the Host unchanged.
    Command Code | 2 A | Value 'X0'.
    *KMACS4 | 32 H | Double length KMACS4 encrypted under LMK pair 20-21 variant 7.
    S4 | 16 H | Signature for verification.
    IDCAD | 4 B | Identifier for the CAD.
    IDMCARD | 4 B | Identifier for the MCard.
    Collection Number | 1 B | Collection Number.
    MCard Date | 1 B | Month number as known by the MCard.
    MTOTBATCH | 4 B | Total of all successful payments in the batch.
    CURRMCARD | 2 B | Currency code for the batch.
    NTBATCH | 2 B | Number of payment records in the batch.
    NTENQBATCH | 2 B | Number of successful balance enquiries in the batch.
    NTREJBATCH | 2 B | Total number of invalid records in the batch.
    NTFLTBATCH | 2 B | Number of non-readable ICCs.
    NTSFLTBATCH | 2 B | Number of system faults.
    MCard Version | 1 B | Firmware version of the MCard.
    CEXPMCARD | 1 B | Currency exponent.
    Batch Close Date Time | 2 B | Batch close date and time (may be all zeroes).
    End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
    Message Trailer | n A | Optional. Maximum length 32 characters.

    RESPONSE MESSAGE

    Field | Length & Type | Details
    --- | --- | ---
    Message Header | m A | Returned to the Host unchanged.
    Response Code | 2 A | Value 'X1'.
    Error Code | 2 N | '00' : No error (S4 validated successfully); '01' : S4 validation failed; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2].
    End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
    Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.


    Validate the S4 MAC New Terminals

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the S4 MAC for new terminals.

    Notes: This command does not check the contents of the data block over which the MAC is generated. It is the responsibility of the user of the command to ensure the data format is correct.

    COMMAND MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Subsequently returned to the Host unchanged. |
    | Command Code | 2 A | Value 'X2'. |
    | *KMACS4 | 32 H | Double length KMACS4 encrypted under LMK pair 20-21 variant 7. |
    | S4 | 16 H | Signature for verification. |
    | IDPSAM | 4 B | Identifier for a PSAM. |
    | IDBATCH | 2 B | Identifier for a POS Transaction Batch. |
    | NTBATCH | 2 B | The number of payment and cancellation transactions in this batch. |
    | Data Length | 3 N | Length in bytes of the following data block. |
    | Data Block D4 | n B | Binary data block. |
    | End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19'. |
    | Message Trailer | n A | Optional. Maximum length 32 characters. |

    RESPONSE MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Returned to the Host unchanged. |
    | Response Code | 2 A | Value 'X3'. |
    | Error Code | 2 N | '00' : No error (S4 validated successfully); '01' : S4 validation failed; '10' : KMAC parity error; '70' : Data D4 length error; or a standard error code, as listed in Chapter 4 of [2]. |
    | End Message Delimiter | 1 C | Present only if present in the command message. Value X'19'. |
    | Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters. |


    Validate the S5 MAC Old Terminals

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the S5 MAC (MAC of the PSAM for a Batch) for old terminals.

    Notes: The MACing process for old terminals uses a different padding process from the standard one.

    COMMAND MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Subsequently returned to the Host unchanged. |
    | Command Code | 2 A | Value 'X4'. |
    | *KMACS5 | 32 H | Double length KMACS5 encrypted under LMK pair 20-21 variant 8. |
    | S5 | 16 H | Signature for verification. |
    | IDMCARD | 4 B | MCard Identifier. |
    | Collection Number | 1 B | Collection Number. |
    | NTMCARD | 4 B | MCard Transaction Number. |
    | C.C. | 1 B | Proprietary Completion Codes. |
    | Card Balance | 4 B | New Card Balance. |
    | MTOTMCARD | 4 B | Total Transaction Amount. |
    | CURRMCARD | 2 B | Currency Code. |
    | CEXPMCARD | 1 B | Currency Exponent. |
    | IDISS,MCARD | 3 B | Issuer BIN or zeroes (for reloadable or disposable cards). |
    | IDCARD,MCARD | 5 B | Card Identifier. |
    | NTIEP | 2 B | Card Transaction Number. |
    | RFU | 1 B | Reserved. |
    | End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19'. |
    | Message Trailer | n A | Optional. Maximum length 32 characters. |

    RESPONSE MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Returned to the Host unchanged. |
    | Response Code | 2 A | Value 'X5'. |
    | Error Code | 2 N | '00' : No error (S5 validated successfully); '01' : S5 validation failed; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2]. |
    | End Message Delimiter | 1 C | Present only if present in the command message. Value X'19'. |
    | Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters. |


    Validate the S5 MAC (MAC of the PSAM for a Transaction) New Terminals

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the S5 MAC for new terminals.

    Notes:

    COMMAND MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Subsequently returned to the Host unchanged. |
    | Command Code | 2 A | Value 'X6'. |
    | *KMACS5 | 32 H | Double length KMACS5 encrypted under LMK pair 20-21 variant 8. |
    | S5 | 16 H | Signature for verification. |
    | Length of DDCEP | 1 B | Length of DDCEP field: range 0 to 6. |
    | Record Length | 2 B | Record Length. |
    | Record Type | 1 B | Record Type. |
    | IDRECORD | 2 B | Record number within batch. |
    | RIDPSAM | 5 B | The RID of the PSAM creator. |
    | IDPSAMCREATOR | 4 B | The identifier assigned to the PSAM creator by the RIDPSAM owner. |
    | IDPSAM | 4 B | Identifier for a PSAM. |
    | IDBATCH | 2 B | Identifier for a POS Transaction Batch. |
    | NTPSAM | 4 B | PSAM Transaction Number. |
    | MTOTPDA | 4 B | Net value of transaction. |
    | CURRPDA | 3 B | Currency of transaction. |
    | IDSCHEME | 1 B | Reference number assigned to AIDCEP in AID table. |
    | IDISS | 4 B | Issuer Identifier. |
    | IDCEP | 6 B | ID of CEP or IEP application. |
    | NTCEP | 2 B | CEP card transaction number. |
    | S6 | 8 B | Signature from CEP card. |
    | CCPDA | 2 B | CEPS completion code. |
    | CCPROP | 2 B | Proprietary completion code. |
    | Slot Balance | 4 B | Slot balance at end of transaction. |
    | TIPDA | 1 B | Transaction indicator. |
    | MPDA | 4 B | Value of last successful increment. |
    | DTHRPDA | 5 B | Date & Time stamp for transaction. |
    | DEXPCARD | 3 B | Card expiration date. |
    | ALGKS | 1 B | Algorithm to calculate S4 & S5. |
    | AMCEP | 1 B | Authentication Method. |
    | VKPCA,ISS,CEP | 1 B | Version number of the issuer CA key. |
    | IDREG,ISS | 4 B | Issuer region ID. |
    | VKPREG,ISS | 1 B | Version number of the regional CA key. |
    | CSNISS,CEP | 3 B | Issuer certificate serial number. |
    | LDDCEP | 1 B | Length of the DDCEP field. |
    | DDCEP | n B | DDCEP response. |
    | NUMSEG | 1 B | Number of Segments. |
    | End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19'. |
    | Message Trailer | n A | Optional. Maximum length 32 characters. |

    RESPONSE MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Returned to the Host unchanged. |
    | Response Code | 2 A | Value 'X7'. |
    | Error Code | 2 N | '00' : No error (S5 validated successfully); '01' : S5 validation failed; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2]. |
    | End Message Delimiter | 1 C | Present only if present in the command message. Value X'19'. |
    | Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters. |


    Validate the S5 Variant MAC (MAC of the PSAM for an Issuer Total) New Terminals

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the S5 Variant MAC for new terminals.

    Notes:

    COMMAND MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Subsequently returned to the Host unchanged. |
    | Command Code | 2 A | Value 'X8'. |
    | *KMACS5 | 32 H | Double length KMACS5 encrypted under LMK pair 20-21 variant 8. |
    | S5 Variant | 16 H | Signature for verification. |
    | Length of DDCEP | 1 B | Length of DDCEP field: range 0 to 16. |
    | Record Length | 2 B | Record Length. |
    | Record Type | 1 B | Record Type. |
    | IDRECORD | 2 B | Record number within batch. |
    | RIDPSAM | 5 B | The RID of the PSAM creator. |
    | IDPSAMCREATOR | 4 B | The identifier assigned to the PSAM creator by the RIDPSAM owner. |
    | IDPSAM | 4 B | Identifier for a PSAM. |
    | IDBATCH | 2 B | Identifier for a POS Transaction Batch. |
    | NTPSAM | 4 B | PSAM Transaction Number. |
    | MTOTSIGNED | 4 B | Net value of record. |
    | CURRPDA | 3 B | Currency of transaction. |
    | IDSCHEME | 1 B | Reference number assigned to AIDCEP in AID table. |
    | IDISS | 4 B | Issuer Identifier. |
    | IDCEP | 6 B | ID of CEP or IEP application. |
    | NTCEP | 2 B | CEP card transaction number. |
    | S6 or S6 | 8 B | Signature from CEP card. |
    | NTISS,SIGNED | 2 B | Number of transactions accounted for in the signed MTOT in this summary. |
    | MTOTNOSIG | 4 B | Unsigned net value of record. |
    | NTISS,NOSIG | 4 B | Number of transactions included in unsigned net value. |
    | ALGKS | 1 B | Algorithm used to calculate S4 and S5 MACs. |
    | LDDCEP | 1 B | Length of the DDCEP field. |
    | DDCEP | n B | DDCEP response. |
    | NUMSEG | 1 B | Number of Segments. |
    | End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19'. |
    | Message Trailer | n A | Optional. Maximum length 32 characters. |

    RESPONSE MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Returned to the Host unchanged. |
    | Response Code | 2 A | Value 'X9'. |
    | Error Code | 2 N | '00' : No error (S5 variant validated successfully); '01' : S5 variant validation failed; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2]. |
    | End Message Delimiter | 1 C | Present only if present in the command message. Value X'19'. |
    | Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters. |


    Create the Acknowledgement MAC Old Terminals

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Create the Acknowledgement MAC for old terminals.

    Notes:

    COMMAND MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Subsequently returned to the Host unchanged. |
    | Command Code | 2 A | Value 'Y0'. |
    | *KMACACQ | 32 H | Double length KMACACQ encrypted under LMK pair 20-21 variant 9. |
    | Rec. IDMCARD | 4 B | ID of the receiving MCard. |
    | Gen. IDMCARD | 4 B | ID of the MCard that generated the collection batch. |
    | Coll. No. | 1 B | Collection Number. |
    | NTBATCH | 2 B | The total number of purchase and cancellation transactions included in the batch. |
    | End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19'. |
    | Message Trailer | n A | Optional. Maximum length 32 characters. |

    RESPONSE MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Returned to the Host unchanged. |
    | Response Code | 2 A | Value 'Y1'. |
    | Error Code | 2 N | '00' : No error; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2]. |
    | SAQC | 16 H | Acknowledgement MAC. |
    | End Message Delimiter | 1 C | Present only if present in the command message. Value X'19'. |
    | Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters. |


    Create the Acknowledgement MAC New Terminals

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Create the Acknowledgement MAC for new terminals.

    Notes:

    COMMAND MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Subsequently returned to the Host unchanged. |
    | Command Code | 2 A | Value 'Y2'. |
    | Mode Flag | 1 N | Mode Flag: '0' : *KMACACK supplied; '1' : No *KMACACK supplied. |
    | *KMACACK | 32 H | Double length KMACACK encrypted under LMK pair 20-21 variant 9; only supplied if Mode Flag = '0'. |
    | CLA | 1 B | CLA. |
    | INS | 1 B | INS. |
    | P1P2 | 2 B | P1P2. |
    | LC | 1 B | LC. |
    | IDTHREAD | 1 B | IDTHREAD. |
    | Action Requested | 1 B | Action Requested. |
    | RIDPSAM | 5 B | The RID of the PSAM Creator. |
    | IDPSAMCREATOR | 4 B | The identifier assigned to the PSAM creator by the RIDPSAM owner. |
    | IDPSAM | 4 B | Identifier for a PSAM. |
    | DATEPSAM | 2 B | Current month. |
    | IDBATCH | 2 B | Identifier for a POS Transaction Batch. |
    | NTRECORD | 2 B | The number of payment records in a batch. |
    | End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19'. |
    | Message Trailer | n A | Optional. Maximum length 32 characters. |

    RESPONSE MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Returned to the Host unchanged. |
    | Response Code | 2 A | Value 'Y3'. |
    | Error Code | 2 N | '00' : No error; '10' : KMAC parity error; '70' : Invalid Mode Flag; or a standard error code, as listed in Chapter 4 of [2]. |
    | SACK | 16 H | Acknowledgement MAC. |
    | End Message Delimiter | 1 C | Present only if present in the command message. Value X'19'. |
    | Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters. |


    Create the Update MAC

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Create the Update MAC.

    Notes:

    COMMAND MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Subsequently returned to the Host unchanged. |
    | Command Code | 2 A | Value 'Y4'. |
    | *KMACUPD | 32 H | Double length KMACUPD encrypted under LMK pair 22-23 variant 1. |
    | IDBATCH | 2 B | Identifier for a POS Transaction Batch. |
    | IDPSAM | 4 B | PSAM Identifier assigned by the PSAM creator. |
    | CLA | 1 B | CLA. |
    | INS | 1 B | INS. |
    | P1P2 | 2 B | P1P2. |
    | LC | 1 B | LC. |
    | IDTHREAD | 1 B | IDTHREAD. |
    | Update Number | 1 B | Update Number. |
    | TAG | 2 B | Tag identifying data in the update. |
    | LEN | 1 B | Length of the following data. |
    | Update data | n B | Update data. |
    | End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19'. |
    | Message Trailer | n A | Optional. Maximum length 32 characters. |

    RESPONSE MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Returned to the Host unchanged. |
    | Response Code | 2 A | Value 'Y5'. |
    | Error Code | 2 N | '00' : No error; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2]. |
    | SUPD | 16 H | Update MAC. |
    | End Message Delimiter | 1 C | Present only if present in the command message. Value X'19'. |
    | Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters. |


    Validate the SADMIN MAC (Administrative MAC of the PSAM)

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the SADMIN MAC.

    Notes:

    COMMAND MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Subsequently returned to the Host unchanged. |
    | Command Code | 2 A | Value 'Y6'. |
    | SADMIN | 16 H | Signature for verification. |
    | Length | 2 B | Length. |
    | Record Type | 1 B | Record Type. |
    | RIDPSAM | 5 B | The RID of the PSAM Creator. |
    | IDPSAMCREATOR | 4 B | The identifier assigned to the PSAM creator by the RIDPSAM owner. |
    | IDPSAM | 4 B | PSAM Identifier assigned by the PSAM creator. |
    | Administrative Record ID | 1 B | Operating data table content status. |
    | CNTTABLE | 1 B | Number of tables whose status is being reported in this record. |
    | Table IDN | 1 B | Identifies the table being reported. |
    | HASH valueN | 8 B | Hash value of data in the table. |
    | End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19'. |
    | Message Trailer | n A | Optional. Maximum length 32 characters. |

    RESPONSE MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Returned to the Host unchanged. |
    | Response Code | 2 A | Value 'Y7'. |
    | Error Code | 2 N | '00' : No error (SADMIN validated successfully); '01' : SADMIN validation failed; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2]. |
    | End Message Delimiter | 1 C | Present only if present in the command message. Value X'19'. |
    | Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters. |


    Create the Merchant Acquirer MAC

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Create the Merchant Acquirer MAC.

    Notes:

    COMMAND MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Subsequently returned to the Host unchanged. |
    | Command Code | 2 A | Value 'Y8'. |
    | *KMACMA | 32 H | Double length KMACMA encrypted under LMK pair 22-23 variant 2. |
    | Date & Time | 6 B | Date and Time. |
    | Function Code | 2 B | Function Code. |
    | IDSOURCE | 4 B | IDSOURCE. |
    | CURRCPDA | 2 B | CURRCPDA; can be all zeroes. |
    | Block 1 | 9 B | Block 1 containing CNTBATCH, CNTACCEPT, IDBATCH, NTBATCH and RESEND. |
    | Block 2 | 9 B | Block 2 containing Amount and Net Reconciliation. |
    | End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19'. |
    | Message Trailer | n A | Optional. Maximum length 32 characters. |

    RESPONSE MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Returned to the Host unchanged. |
    | Response Code | 2 A | Value 'Y9'. |
    | Error Code | 2 N | '00' : No error; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2]. |
    | SMA | 16 H | Merchant Acquirer MAC. |
    | End Message Delimiter | 1 C | Present only if present in the command message. Value X'19'. |
    | Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters. |


    Validate the Card Issuer MAC

    Licence HSM8-LIC004 is required.

    Authorisation: Not required

    Command: Validate the Card Issuer MAC.

    Notes:

    COMMAND MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Subsequently returned to the Host unchanged. |
    | Command Code | 2 A | Value 'Z0'. |
    | *KMACCI | 32 H | Double length KMACCI encrypted under LMK pair 22-23 variant 3. |
    | SCI | 16 H | Signature for verification. |
    | Date & Time | 6 B | Date and Time. |
    | Function Code | 2 B | Function Code. |
    | IDDEST | 4 B | IDDEST. |
    | Block 1 | 2 B | Block 1, fixed to all zeroes. |
    | Block 2 | 9 B | Block 2 containing CNTBATCH, CNTACCEPT, IDBATCH, NTBATCH and RESEND. |
    | Block 3 | 9 B | Block 3 containing Amount and Net Reconciliation. |
    | End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19'. |
    | Message Trailer | n A | Optional. Maximum length 32 characters. |

    RESPONSE MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Returned to the Host unchanged. |
    | Response Code | 2 A | Value 'Z1'. |
    | Error Code | 2 N | '00' : No error (SCI validated successfully); '01' : SCI validation failed; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2]. |
    | End Message Delimiter | 1 C | Present only if present in the command message. Value X'19'. |
    | Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters. |
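    The MAC commands in this section (W8 through Z0) share one message layout: Message Header, two-character Command Code, the fixed fields of the table, and an optional X'19' delimiter plus trailer that the HSM echoes back only when the Host sent them, with the two-digit Error Code deciding whether any response data field (such as the SAQC MAC of 'Y1') follows. The code below is an added example, not code from this manual or the HSM vendor: it serialises a 'W8' and a 'Y0' command straight from the field tables and decodes the 'W9'/'Y1' responses. The header value, all field values and the assumption that response data fields are present only after an Error Code of '00' are constructed for the example; transport framing between Host and HSM is not covered.

```python
# Added example (not from the manual or the HSM vendor): serialise ESP host
# commands and decode responses using the Field / Length & Type tables.
# Assumption: response data fields (e.g. SAQC) follow only an Error Code of '00'.
import string

END_MESSAGE_DELIMITER = b"\x19"  # type C field, value X'19'

# Types as in the manual: A = ASCII chars, H = hex digits, B = binary bytes,
# N = numeric ASCII digits. Each row is (field name, length, type).
W8_COMMAND = [("KIS5", 32, "H"), ("ALGKS", 1, "B"), ("NTPSAM", 4, "B"),
              ("MAC Type", 1, "B"), ("MTOT", 4, "B"), ("CURRPDA", 3, "B"),
              ("NT", 2, "B"), ("IDBATCH", 2, "B"), ("RIDPSAM", 5, "B"),
              ("IDPSAMCREATOR", 4, "B"), ("IDPSAM", 4, "B"), ("S5,ISS", 8, "B")]
W9_RESPONSE = []  # the verification result is carried by the Error Code alone
W9_ERRORS = {"00": "No error (S5,ISS verification successful)",
             "01": "S5,ISS verification failure", "02": "Invalid ALGKS",
             "03": "Invalid MAC type", "10": "KIS5 parity error"}
Y0_COMMAND = [("KMACACQ", 32, "H"), ("Rec. IDMCARD", 4, "B"),
              ("Gen. IDMCARD", 4, "B"), ("Coll. No.", 1, "B"), ("NTBATCH", 2, "B")]
Y1_RESPONSE = [("SAQC", 16, "H")]  # the created MAC follows the Error Code
Y1_ERRORS = {"00": "No error", "10": "KMAC parity error"}


def encode_field(name, length, ftype, value):
    """Serialise one field, rejecting values that do not match the table row."""
    if ftype == "B":
        data = value.to_bytes(length, "big") if isinstance(value, int) else bytes(value)
        if len(data) != length:
            raise ValueError(f"{name}: expected {length} bytes, got {len(data)}")
        return data
    text = (value.hex() if isinstance(value, bytes)
            else str(value).zfill(length) if isinstance(value, int) else value)
    if ftype == "A":
        ok = text.isascii() and text.isprintable()
    else:  # H or N: every character must be a hex digit / decimal digit
        ok = all(c in (string.hexdigits if ftype == "H" else string.digits) for c in text)
    if len(text) != length or not ok:
        raise ValueError(f"{name}: expected {length} characters of type {ftype}")
    return (text.upper() if ftype == "H" else text).encode("ascii")


def build_command(header, code, spec, values, trailer=None):
    """Message Header + Command Code + fields [+ X'19' + Message Trailer]."""
    msg = header.encode("ascii") + code.encode("ascii")
    msg += b"".join(encode_field(n, l, t, values[n]) for n, l, t in spec)
    if trailer is not None:  # the delimiter is sent only when a trailer is sent
        if len(trailer) > 32:
            raise ValueError("Message Trailer exceeds 32 characters")
        msg += END_MESSAGE_DELIMITER + trailer.encode("ascii")
    return msg


def parse_response(resp, header, code, spec, errors):
    """Decode header, response code, error code, data fields and trailer."""
    hlen = len(header)
    if resp[:hlen + 2] != (header + code).encode("ascii"):
        raise ValueError("response header or response code does not match")
    err = resp[hlen + 2:hlen + 4].decode("ascii")
    out = {"header": header, "code": code, "error": err,
           "text": errors.get(err, "standard error code (Chapter 4 of [2])")}
    pos = hlen + 4
    if err == "00":  # assumption: data fields are returned only on success
        for name, length, ftype in spec:
            raw = resp[pos:pos + length]
            if len(raw) != length:
                raise ValueError(f"{name}: response truncated")
            out[name] = bytes.fromhex(raw.decode("ascii")) if ftype == "H" else raw
            pos += length
    if resp[pos:pos + 1] == END_MESSAGE_DELIMITER:  # echoed only if one was sent
        out["trailer"] = resp[pos + 1:].decode("ascii")
    elif resp[pos:]:
        raise ValueError("unexpected bytes after the Error Code")
    return out
```

    Adding another command from this section means writing its table rows as a spec list; the encoder and decoder do not change.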


    Generate Issuer RSA Key Set (MasterCard/Europay)

    Licence HSM8-LIC002 is required. Licence HSM8-LIC004 is required.

    Authorisation: Required

    Activity: generate.rsa-sk.host

    Command: To generate an Issuer RSA Key Set and return the Public Key in the form of a MasterCard/Europay-format Self-Signed Issuer Public Key Certificate.

    Notes: Depending on key size, this function may take up to a minute or more to execute. This command may be used with either an odd Public Exponent or a Public Exponent = 2. This command uses the Europay method of generating key pairs.

    COMMAND MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Subsequently returned to the Host unchanged. |
    | Command Code | 2 A | Value 'J0' (J-zero). |
    | Hash Identifier | 2 N | Identifier of algorithm used to hash data. |
    | Signature Identifier | 2 N | Identifier of signature algorithm. |
    | Key Length | 4 N | Modulus length in bits (must be a multiple of 8). Range: '0400' to '2040'. |
    | Data Block | 10 B | Data block to be included in the Self-Signed Certificate (comprises Certificate Subject ID (5 bytes), Expiry Date (2 bytes) and Certificate Serial Number (3 bytes)). |
    | Issuer Public Key Index | 3 B | Issuer Public Key Index. |
    | Authentication Data | n A | Optional; additional data to be included in the MAC calculation (must not include ';'). |
    | Delimiter | 1 A | Delimiter to indicate end of Authentication Data field: Value ';'. |
    | Public Exponent Length | 4 N | Optional; length in bits of the Public Exponent; must be supplied if Public Exponent is present in the command message. |
    | Public Exponent | n B | Optional; if supplied then it must be odd or equal to 2; if not supplied then a default exponent of 65537 is assumed. |
    | End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19'. |
    | Message Trailer | n A | Optional. Maximum length 32 characters. |


    RESPONSE MESSAGE

    | Field | Length & Type | Details |
    |---|---|---|
    | Message Header | m A | Returned to the Host unchanged. |

    Response