1270A308-8.4 HSM 8000 MasterCard ESP Commands Manual
HOST SECURITY MODULE 8000
ESP COMMAND REFERENCE MANUAL
1270A308 Issue 8.4
-
HSM 8000 ESP Command Reference Manual
2 1270A308 Issue 8.4 August 2010
List of Chapters
Chapter 1 - Introduction
Chapter 2 - Console Commands
Chapter 3 - Host Commands
Table of Contents
List of Chapters
Table of Contents
Revision Status
Contact Information
End User License Agreement
References
Chapter 1 - Introduction
  List of Host Commands (Alphabetical)
  List of Host Commands (Functional)
Chapter 2 - Console Commands
  Set KMC Sequence Number
Chapter 3 - Host Commands
  General
  Key Type Table
  Decrypt R1 and validate the MACLSAM
  Compute HCEP
  Validate the S1 MAC (Load and Unload)
  Validate the S1 MAC (Currency Exchange)
  Generate the S2 MAC (Linked load, declined unlinked load, unload)
  Generate the S2 MAC (Currency Exchange)
  Generate the S2 MAC (Approved Unlinked Load)
  Validate the S3 MAC (Currency Exchange transactions)
  Validate the S3 MAC (Load or Unload transactions)
  Validate the H2LSAM
  Unlinked Load Transaction Request
  Release RLSAM
  Release R2LSAM
  Verify RCEP
  Validate S6 MAC
  Validate S6 MAC
  Validate S6 MAC
  Validate S5,DLT MAC
  Validate S5,ISS MAC
  Validate the S4 MAC Old Terminals
  Validate the S4 MAC New Terminals
  Validate the S5 MAC Old Terminals
  Validate the S5 MAC (MAC of the PSAM for a Transaction) New Terminals
  Validate the S5 Variant MAC (MAC of the PSAM for an Issuer Total) New Terminals
  Create the Acknowledgement MAC Old Terminals
  Create the Acknowledgement MAC New Terminals
  Create the Update MAC
  Validate the SADMIN MAC (Administrative MAC of the PSAM)
  Create the Merchant Acquirer MAC
  Validate the Card Issuer MAC
  Generate Issuer RSA Key Set (MasterCard/Europay)
  Validate a Certification Authority Self-Signed Certificate (MasterCard/Europay)
  Import Transport Key Set
  Export Magnetic Stripe Card Key Set
  Export Chip Card Key Set
  Export Electronic Purse Card Key Set
Revision Status
Revision | HSM | Functional Revision | Changes | Release Date
1270A308-001 | RG7000 | V1.06/5.06 | First Issue | February 2002
1270A308-002 | RG7000 | V2.01/6.02 | Second Issue | December 2003
1270A308-006 | HSM 8000 | V2.x | Third Issue | February 2007
1270A308-007 | HSM 8000 | V3.0 | Fourth Issue | March 2008
1270A308-008.1 | HSM 8000 | V3.1b | Compatibility with OBKM spec Sept 2007 | October 2009
1270A308-008.2 | HSM 8000 | V3.1c | Fifth Issue | March 2010
1270A308-008.3 | HSM 8000 | V3.1c | Sixth Issue | April 2010
1270A308-008.4 | HSM 8000 | v3.1d | Seventh Issue | August 2010
This manual describes the functionality within the 3.1d base release of HSM 8000 software. For all other versions please refer to appropriate manual and associated HSM software specifications.
Contact Information
THALES e-SECURITY

Europe, Middle East, Africa
Meadow View House, Crendon Ind. Estate, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK
Telephone: +44 1844 201800
Fax: +44 1844 208550
Support Telephone: +44 1844 202566
Support Fax: +44 1844 208356
Support e-mail: [email protected]

Americas
Suite 200, 2200 North Commerce Parkway, Weston, FL 33326, USA
Telephone: 1-888-744-4976 (in US), +1 954-888-6200 (outside US)
Fax: +1 954-888-6211
Support Telephone: 800-521-6261 (in U.S.), +1 954-888-6277 (outside U.S.)
Support Fax: +1 954-888-6233
Support e-mail: [email protected]

Asia Pacific
Unit 4101, 41/F, 248 Queen's Road East, Wanchai, Hong Kong, PRC
Telephone: +852 2815 8633
Fax: +852 2815 8141
Support Telephone: +852 2815 8633
Support Fax: +852 2815 8141
Support e-mail: [email protected]

http://www.thalesgroup.com/iss
Copyright 1987-2010 THALES e-SECURITY Ltd. This document is issued by Thales e-Security Limited (hereinafter referred to as Thales) in confidence and is not to be reproduced in whole or in part without the prior written approval of Thales. The information contained herein is the property of Thales and is to be used only for the purpose for which it is submitted and is not to be released in whole or in part without the prior written permission of Thales.
End User License Agreement (EULA)
Please read this Agreement carefully. Use of the Product constitutes your acceptance of the terms and conditions of this License.
This document is a legal agreement between Thales eSecurity Ltd., (THALES) and the company that has purchased a THALES product containing a computer program (Customer). If you do not agree to the terms of this Agreement, promptly return the product and all accompanying items (including cables, written materials, software disks, etc.) at your mailing or delivery expense to the company from whom you purchased it or to Thales eSecurity, Ltd, Meadow View House, Crendon Industrial Estate, Long Crendon, Aylesbury, Bucks HP18 9EQ, United Kingdom and you will receive a refund.
1. OWNERSHIP. Computer programs, ("Software") provided by THALES are provided either separately or as a bundled part of a computer hardware product. Software shall also be deemed to include computer programs which are intended to be run solely on or within a hardware machine, (Firmware). Software, including any documentation files accompanying the Software, ("Documentation") distributed pursuant to this license consists of components that are owned or licensed by THALES or its corporate affiliates. Other components of the Software consist of free software components (Free Software Components) that are identified in the text files that are provided with the Software. ONLY THOSE TERMS AND CONDITIONS SPECIFIED FOR, OR APPLICABLE TO, EACH SPECIFIC FREE SOFTWARE COMPONENT SHALL BE APPLICABLE TO SUCH FREE SOFTWARE COMPONENT. Each Free Software Component is the copyright of its respective copyright owner. The Software is licensed to Customer and not sold. Customer has no ownership rights in the Software. Rather, Customer has a license to use the Software. The Software is copyrighted by THALES and/or its suppliers. You agree to respect and not to remove or conceal from view any copyright or trademark notice appearing on the Software or Documentation, and to reproduce any such copyright or trademark notice on all copies of the Software and Documentation or any portion thereof made by you as permitted hereunder and on all portions contained in or merged into other programs and Documentation.
2. LICENSE GRANT. THALES grants Customer a nonexclusive license to use the Software with THALES provided computer equipment hardware solely for Customer's internal business use only. This license only applies to the version of Software shipped at the time of purchase. Any future upgrades are only authorised pursuant to a separate maintenance agreement. Customer may copy the Documentation for internal use. Customer may not decompile, disassemble, reverse engineer, copy, or modify the THALES owned or licensed components of the Software unless such copies are made in machine readable form for backup purposes. In addition, Customer may not create derivative works based on the Software except as may be necessary to permit integration with other technology and Customer shall not permit any other person to do any of the same. Any rights not expressly granted by THALES to Customer are reserved by THALES and its licensors and all implied licenses are disclaimed. Any other use of the Software by any other entity is strictly forbidden and is a violation of this EULA. The Software and any accompanying written materials are protected by international copyright and patent laws and international trade provisions.
3. NO WARRANTY. EXCEPT AS MAY BE PROVIDED IN ANY SEPARATE WRITTEN AGREEMENT BETWEEN CUSTOMER AND THALES, THE SOFTWARE IS PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY LAW, THALES DISCLAIMS ALL WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THALES DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET ANY REQUIREMENTS OR NEEDS CUSTOMER MAY HAVE, OR THAT THE SOFTWARE WILL OPERATE ERROR FREE, OR IN AN UNINTERRUPTED FASHION, OR THAT ANY DEFECTS OR ERRORS IN THE SOFTWARE WILL BE CORRECTED, OR THAT THE SOFTWARE IS COMPATIBLE WITH ANY PARTICULAR PLATFORM. SOME JURISDICTIONS DO NOT ALLOW FOR THE WAIVER OR EXCLUSION OF IMPLIED WARRANTIES SO THEY MAY NOT APPLY. IF THIS EXCLUSION IS HELD TO BE UNENFORCEABLE BY A COURT OF COMPETENT JURISDICTION, THEN ALL EXPRESS AND IMPLIED WARRANTIES SHALL BE LIMITED IN DURATION TO A PERIOD OF THIRTY (30) DAYS FROM THE DATE OF PURCHASE OF THE SOFTWARE, AND NO WARRANTIES SHALL APPLY AFTER THAT PERIOD.
4. LIMITATION OF LIABILITY. IN NO EVENT WILL THALES BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING WITHOUT LIMITATION, INDIRECT, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF THE USE OF OR INABILITY TO USE THE PROGRAM, OR FOR ANY CLAIM BY ANY OTHER PARTY, EVEN IF THALES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THALES AGGREGATE LIABILITY WITH RESPECT TO ITS OBLIGATIONS UNDER THIS AGREEMENT OR OTHERWISE WITH RESPECT TO THE SOFTWARE AND DOCUMENTATION OR OTHERWISE SHALL BE EQUAL TO THE PURCHASE PRICE. HOWEVER NOTHING IN THESE TERMS AND CONDITIONS SHALL HOWEVER LIMIT OR EXCLUDE THALES LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM NEGLIGENCE, FRAUD OR FRAUDULENT MISREPRESENTATION OR FOR ANY OTHER LIABILITY WHICH MAY NOT BE EXCLUDED BY LAW. BECAUSE SOME COUNTRIES AND STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY.
5. EXPORT RESTRICTIONS. THE SOFTWARE IS SUBJECT TO THE EXPORT CONTROL LAWS OF THE UNITED KINGDOM, THE UNITED STATES AND OTHER COUNTRIES. THIS LICENSE AGREEMENT IS EXPRESSLY MADE SUBJECT TO ALL APPLICABLE LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS ON THE EXPORT OF THE SOFTWARE OR INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME.
CUSTOMER SHALL NOT EXPORT THE SOFTWARE, DOCUMENTATION OR INFORMATION ABOUT THE SOFTWARE AND DOCUMENTATION WITHOUT COMPLYING WITH SUCH LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS.
6. TERM & TERMINATION. This EULA is effective until terminated. Customer may terminate this EULA at any time by destroying or erasing all copies of the Software and accompanying written materials in Customer's possession or control. This license will terminate automatically, without notice from THALES if Customer fails to comply with the terms and conditions of this EULA. Upon such termination, Customer shall destroy or erase all copies of the Software (together with all modifications, upgrades and merged portions in any form) and any accompanying written materials in Customer's possession or control.
7. SPECIAL PROCEDURE FOR U.S. GOVERNMENT. If the Software and Documentation is acquired by the U.S. Government or on its behalf, the Software is furnished with "RESTRICTED RIGHTS," as defined in Federal Acquisition Regulation ("FAR") 52.227-19(c)(2), and DFAR 252.227-7013 to 7019, as applicable. Use, duplication or disclosure of the Software and Documentation by the U.S. Government and parties acting on its behalf is governed by and subject to the restrictions set forth in FAR 52.227-19(c)(1) and (2) or DFAR 252.227-7013 to 7019, as applicable.
8. TRANSFER RIGHTS. Customer may transfer the Software, and this license to another party if the other party agrees to accept the terms and conditions of this Agreement. If Customer transfers the Software, it must at the same time either transfer all copies whether in printed or machine readable form, together with the computer hardware machine on which Software was intended to operate to the same party or destroy any copies not transferred; this includes all derivative works of the Software. FOR THE AVOIDANCE OF DOUBT, IF CUSTOMER TRANSFERS POSSESSION OF ANY COPY OF THE SOFTWARE TO ANOTHER PARTY, EXCEPT AS PROVIDED IN THIS SECTION 8, CUSTOMER'S LICENSE IS AUTOMATICALLY TERMINATED.
9. GOVERNING LAW AND VENUE. This License Agreement shall be construed, interpreted and governed by the laws of England and Wales without regard to conflicts of laws and provisions thereof or in the event that the Software was delivered in the United States, Latin America or Canada, the laws of the State of Florida. The exclusive forum for any disputes arising out of or relating to this EULA shall be an appropriate court sitting in England, United Kingdom or in the event that the Software was delivered in the United States, Latin America or Canada, the courts of Florida, United States.
References
The following documents are referenced in this document:
[1] Thales Host Security Module 8000 Installation Manual, Document Number: 1270A338-8
[2] Thales Host Security Module 8000 Host Reference Manual, Document Number: 1270A351-8
[3] Thales Host Security Module 8000 Host Programmers Manual, Document Number: 1270A337-8
[4] Thales Host Security Module 8000 Console Reference Manual, Document Number: 1270A349-8
[5] Thales Host Security Module 8000 Security Operations Manual, Document Number: 1270A350-8
[6] MasterCard On-Behalf Key Management (OBKM) Document Set, Publication Code: Y3, September 2007.
Chapter 1 - Introduction
The following commands have been implemented in the HSM to meet the requirements specified in the MasterCard OBKM [6] specifications and the Thales requirements specification.
ESP specific console commands are described in Chapter 2.
ESP specific host commands are described in Chapter 3.
List of Host Commands (Alphabetical)
Host Command (Response) | Function
J0 (J1) | Generate Issuer RSA Key Set (MasterCard/Europay)
JO (JP) | Validate a Certification Authority Self-Signed Certificate (MasterCard/Europay)
R2 (R3) | Export Electronic Purse Card Key Set
R4 (R5) | Export Chip Card Key Set
R6 (R7) | Export Magnetic Stripe Card Key Set
R8 (R9) | Import Transport Key Set
T0 (T1) | Unlinked Load Transaction Request
T2 (T3) | Release RLSAM
T4 (T5) | Release R2LSAM
T6 (T7) | Verify RCEP
U0 (U1) | Decrypt R1 and validate the MACLSAM
U2 (U3) | Compute HCEP
U4 (U5) | Validate the S1 MAC (Load and Unload)
U6 (U7) | Validate the S1 MAC (Currency Exchange)
U8 (U9) | Generate the S2 MAC (Linked load, declined unlinked load, unload)
V0 (V1) | Generate the S2 MAC (Currency Exchange)
V2 (V3) | Generate the S2 MAC (Approved Unlinked Load)
V4 (V5) | Validate the S3 MAC (Currency Exchange transactions)
V6 (V7) | Validate the S3 MAC (Load or Unload transactions)
V8 (V9) | Validate the H2LSAM
W0 (W1) | Validate S6 MAC
W2 (W3) | Validate S6 MAC
W4 (W5) | Validate S6 MAC
W6 (W7) | Validate S5,DLT MAC
W8 (W9) | Validate S5,ISS MAC
X0 (X1) | Validate the S4 MAC Old Terminals
X2 (X3) | Validate the S4 MAC New Terminals
X4 (X5) | Validate the S5 MAC Old Terminals
X6 (X7) | Validate the S5 MAC (MAC of the PSAM for a Transaction) New Terminals
X8 (X9) | Validate the S5 Variant MAC (MAC of the PSAM for an Issuer Total) New Terminals
Y0 (Y1) | Create the Acknowledgement MAC Old Terminals
Y2 (Y3) | Create the Acknowledgement MAC New Terminals
Y4 (Y5) | Create the Update MAC
Y6 (Y7) | Validate the SADMIN MAC (Administrative MAC of the PSAM)
Y8 (Y9) | Create the Merchant Acquirer MAC
Z0 (Z1) | Validate the Card Issuer MAC
List of Host Commands (Functional)
Function | Command
Decrypt R1 and validate the MACLSAM | U0
Compute HCEP | U2
Validate the S1 MAC (Load and Unload) | U4
Validate the S1 MAC (Currency Exchange) | U6
Generate the S2 MAC (Linked load, declined unlinked load, unload) | U8
Generate the S2 MAC (Currency Exchange) | V0
Generate the S2 MAC (Approved Unlinked Load) | V2
Validate the S3 MAC (Currency Exchange transactions) | V4
Validate the S3 MAC (Load or Unload transactions) | V6
Validate the H2LSAM | V8
Unlinked Load Transaction Request | T0
Release RLSAM | T2
Release R2LSAM | T4
Verify RCEP | T6
Validate S6 MAC | W0
Validate S6 MAC | W2
Validate S6 MAC | W4
Validate S5,DLT MAC | W6
Validate S5,ISS MAC | W8
Validate the S4 MAC Old Terminals | X0
Validate the S4 MAC New Terminals | X2
Validate the S5 MAC Old Terminals | X4
Validate the S5 MAC (MAC of the PSAM for a Transaction) New Terminals | X6
Validate the S5 Variant MAC (MAC of the PSAM for an Issuer Total) New Terminals | X8
Create the Acknowledgement MAC Old Terminals | Y0
Create the Acknowledgement MAC New Terminals | Y2
Create the Update MAC | Y4
Validate the SADMIN MAC (Administrative MAC of the PSAM) | Y6
Create the Merchant Acquirer MAC | Y8
Validate the Card Issuer MAC | Z0
Generate Issuer RSA Key Set (MasterCard/Europay) | J0
Validate a Certification Authority Self-Signed Certificate (MasterCard/Europay) | JO
Import Transport Key Set | R8
Export Magnetic Stripe Card Key Set | R6
Export Chip Card Key Set | R4
Export Electronic Purse Card Key Set | R2
Chapter 2 - Console Commands
Set KMC Sequence Number
Online : Offline ; Secure : Authorisation: Required Activity: misc.console
Command: A6
Function: To set the value of the KMC sequence number held within the HSM protected memory.
Authorisation: The HSM must be in the Offline state to run this command. Additionally, the HSM must be either in the Authorised State, or the activity misc.console must be authorised.
Inputs: New sequence number value.
Outputs: None.
Errors:
Not Authorised - The HSM is not in Authorised State
Not Offline - The HSM must be offline to run this command
Invalid Entry - The value entered is invalid (Counter can have any value between 00000000 and FFFFFFFF).
Example:
Offline-AUTH> A6
Current KMC sequence number is: 00000000 0 0F3 0000
Enter new value or for no change: 2BAF
Current KMC sequence number is: 00000000 00002BAF
Offline-AUTH>
Chapter 3 - Host Commands
General
This Chapter details all the commands available with their responses and possible error codes. A number of abbreviations are used throughout. They are:
L : Encrypted PIN length. Set at installation.
m : Message header length. Set at installation.
n : Variable length field.
A : Alphanumeric (can include any non-control type) characters.
H : Hexadecimal character.
N : Numeric Field.
C : Control character.
B : Binary data (byte), X00 to XFF.
For example:
32 H : Indicates that thirty-two hexadecimal characters are required.
m A : Indicates the string of message header length alphanumeric characters.

For convenience, the STX and ETX control characters, which bracket every command and response, are not shown in the details that follow.

In a command to the HSM, any key can be replaced by a reference to internal user storage. In the details that follow, a key is always shown as if it is to be sent with each command; in every case the key can be replaced by the index flag K and a three-digit pointer value.

The HSM can be used in systems where there may be Atalla security equipment at other network nodes. This is achieved by the inclusion of an Atalla variant in those commands that translate a key from/to encryption under a ZMK. This has the effect of modifying the ZMK before it is used to decrypt/encrypt in accordance with the method used by the Atalla equipment. The HSM can support 1 or 2 digit Atalla variants.

When a disabled host command is invoked, the error code 68 is returned. When a disabled console command is invoked, the message "Function not defined or not allowed" is displayed.
Key Type Table
Variant: 0 1 2 3 4 5 6 7 8 9 (each variant has G, E and I columns)
LMK Pair | Code | Key types (in the order listed) | Actions (in the order listed)
04-05 | 00 | ZMK, ZMK (Comp), KML | A U A U U A U
06-07 | 01 | ZPK | U A U
14-15 | 02 | PVK, TPK, TMK, CSCK, CVK | U A U U A U
16-17 | 03 | TAK | U A U
18-19 | 04 | DTAB, IPB |
20-21 | 05 | KML, KMLISS, KMX, KMXISS, KMP, KMPISS, KIS,5', KM3L, KM3LISS, KM3X, KM3XISS, KMACS4, KMACS5, KMACACQ, KMACACK | U A U U A U U A U U A U U A U U A U U A U U A U U A U
22-23 | 06 | WWK, KMACUPD, KMACMA, KMACCI, KMACISS, KMSCISS, BKEM, BKAM | U A U U A U U A U U A U U A U
24-25 | 07 | |
26-27 | 08 | ZAK | U A U
28-29 | 09 | BDK, MK-AC, MK-SMI, MK-SMC, MK-DAK, MK-DN, MK-CVC3 | U A U U A U U A U U A U U A U U A U U A U
30-31 | 0A | ZEK | U A U
32-33 | 0B | DEK, TEK | U
34-35 | 0C | RSA-SK, HMAC | U A U
36-37 | 0D | RSA-MAC |
38-39 | 0E | |
Table of actions applied to each specific LMK pair and variant in generic HSM commands
G = Generate. E = Export. I = Import. A = allowed only in Authorise state; U = allowed Unconditionally, i.e. without Authorised state.
Blank = Not allowed.
Decrypt R1 and validate the MACLSAM
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: To decrypt R1 and validate the MACLSAM.
Notes: This command is complementary to the SA command in the Load Acquirer commands that generates the encrypted R1.
Field | Length & Type | Details
COMMAND MESSAGE
Message Header | m A | Subsequently returned to the Host unchanged.
Command Code | 2 A | Value 'U0'.
TPK | 16 H or 1 A + 32 H | The Terminal PIN key encrypted under LMK pair 14-15. A single length TPK will be input as 16 hexadecimal characters. A double length TPK will be input as a U character followed by 32 hexadecimal characters.
R1Length | 1 N | The length of the key R1: '1' : single length; '2' : double length.
R1 | 16 / 32 H | The session key encrypted under the TPK.
DDCEPLength | 1 B | The length in bytes of the DDCEP field. The length is specified in binary and must be in the range 00H to 20H (equivalent to 0 to 32 decimal).
IDISS | 4 B | The Issuer ID.
IDCEP | 6 B | The CEP Card Identifier.
NTCEP | 2 B | The transaction number assigned by the card.
CURRLDA | 3 B | The Currency Indicator.
IDLACQ | 4 B | Load Acquirer ID.
IDLDA | 6 B | The Identifier for the Load Device.
MLDA | 4 B | The Transaction amount.
S1 | 8 B | The CEP Card signature produced by the card during 'Card Initialise for Load'.
HCEP | 10 B | The SHA-1 Hash generated by the CEP card on the Load Transaction data.
HLSAM | 8 B | SHA-1 hash of internally generated RLSAM.
H2LSAM | 8 B | SHA-1 hash of internally generated R2LSAM.
DDCEP | 0 - 32 B | Discretionary Data.
MACLSAM | 4 B | EMV MAC of Transactional data.
End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
Message Trailer | n A | Optional. Maximum length 32 characters.
Field | Length & Type | Details
RESPONSE MESSAGE
Message Header | m A | Returned to the Host unchanged.
Response Code | 2 A | Value 'U1'.
Error Code | 2 N | '00' : No error (MAC validated successfully); '01' : MAC validation failed; '11' : TPK parity error; '70' : Invalid R1Length code; '72' : R1 Parity Error; or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.
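
The U1 layout above as a host-side parser, covering responses that carry no data after the error code (U1 here; U5 and U7 have the same shape). This is an added example, not code from the manual: the function and class names, the 4-character header length and the use of ASCII 0x02/0x03 for STX/ETX are assumptions, and the sample frames in the comments and tests are constructed.

```python
from dataclasses import dataclass
from typing import Optional

STX, ETX = 0x02, 0x03   # ASCII control characters that bracket every message
EM = 0x19               # End Message Delimiter, X'19
HEADER_LEN = 4          # assumption: 'm' is set at installation; 4 is used here

# Error codes this manual lists for U1, plus 68 from the General section.
U1_ERRORS = {
    "00": "No error (MAC validated successfully)",
    "01": "MAC validation failed",
    "11": "TPK parity error",
    "68": "Host command disabled",
    "70": "Invalid R1Length code",
    "72": "R1 Parity Error",
}


@dataclass
class HsmResponse:
    header: str
    response_code: str
    error_code: str
    meaning: str
    trailer: Optional[str]

    @property
    def mac_valid(self) -> bool:
        # Fail closed: only an explicit '00' counts as a validated MAC.
        return self.error_code == "00"


def response_code_for(command_code: str) -> str:
    """U0 -> U1, V8 -> V9, JO -> JP: the pairing shown in the command list."""
    return command_code[0] + chr(ord(command_code[1]) + 1)


def parse_validation_response(frame: bytes, command_code: str,
                              sent_header: str) -> HsmResponse:
    """Parse a framed response such as STX + b'0001U100' + ETX (constructed)."""
    if len(frame) < 2 or frame[0] != STX or frame[-1] != ETX:
        raise ValueError("frame is not bracketed by STX/ETX")
    body = frame[1:-1]
    fixed = HEADER_LEN + 4  # header + 2 A response code + 2 N error code
    if len(body) < fixed:
        raise ValueError("response is shorter than its fixed fields")
    # UnicodeDecodeError is a ValueError, so non-ASCII input is rejected too.
    text = body[:fixed].decode("ascii")
    header = text[:HEADER_LEN]
    code = text[HEADER_LEN:HEADER_LEN + 2]
    error = text[HEADER_LEN + 2:]
    # The header is returned unchanged, so it ties a response to its request.
    if header != sent_header:
        raise ValueError("message header does not match the request")
    if code != response_code_for(command_code):
        raise ValueError("unexpected response code %r" % code)
    if not error.isdigit():
        raise ValueError("error code is not numeric")
    rest = body[fixed:]
    trailer = None
    if rest:
        # U1 has no data fields: anything left must be X'19 plus a trailer.
        if rest[0] != EM:
            raise ValueError("unexpected data after the error code")
        if len(rest) - 1 > 32:
            raise ValueError("message trailer longer than 32 characters")
        trailer = rest[1:].decode("ascii")
    meaning = U1_ERRORS.get(error, "standard error code, see Chapter 4 of [2]")
    return HsmResponse(header, code, error, meaning, trailer)
```
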
Compute HCEP
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Create RCEP and use the SHA-1 algorithm to compute HCEP.
Notes:
Field | Length & Type | Details
COMMAND MESSAGE
Message Header | m A | Subsequently returned to the Host unchanged.
Command Code | 2 A | Value 'U2'.
*KML | 32 H or 1 A + 32 H | Double length KML encrypted under LMK pair 20-21 variant 1.
IDLACQ | 4 B | Load Acquirer ID.
IDLDA | 6 B | The Identifier for the Load Device.
IDISS | 4 B | The Issuer ID.
IDCEP | 6 B | The CEP Card Identifier.
NTCEP | 2 B | The transaction number assigned by the Load Acquirer.
End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
Message Trailer | n A | Optional. Maximum length 32 characters.
Field | Length & Type | Details
RESPONSE MESSAGE
Message Header | m A | Will be returned to the Host unchanged
Response Code | 2 A | Value 'U3'.
Error Code | 2 N | '00' : No error; '10' : KML parity error; or a standard error code, as listed in Chapter 4 of [2].
HCEP | 10 B | SHA hash of input data and RCEP.
End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.
Validate the S1 MAC (Load and Unload)
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the S1 MAC for load and unload transactions.
Notes:
Field | Length & Type | Details
COMMAND MESSAGE
Message Header | m A | Subsequently returned to the Host unchanged.
Command Code | 2 A | Value 'U4'.
*KML | 32 H or 1 A + 32 H | Double length KML encrypted under LMK pair 20-21 variant 1.
IDCEP | 6 B | The CEP Card Identifier. Used to create the *KDL.
NTCEP | 2 B | The transaction number assigned by the Load Acquirer.
TI | 1 B | Transaction Indicator: 0C : load transactions; 0A : unload transactions.
DTHRLDA | 5 B | Transaction date and time.
CURRLDA | 3 B | The Currency Code.
IDLACQ | 4 B | Load Acquirer ID.
IDLDA | 6 B | The Identifier for the Load Device.
MLDA | 4 B | The Transaction amount.
NTLASTLOAD | 2 B | Transaction number of last load.
NTLASTCANCEL | 2 B | Transaction number of last cancel.
CSTATCEP | 2 B | Card Status.
TLfailCEP | 1 B | Tag and length of failed update.
DEXPCEP | 3 B | Expiry date of the card, YYMMDD.
BALCEP | 4 B | Balance of slot prior to completion.
BALmaxCEP | 4 B | Maximum balance of the slot.
PVSCEP | 1 B | PIN verification status.
S1 | 8 B | Signature for verification.
End Message Delimiter | 1 C | Must be present if a message trailer is present. Value X'19.
Message Trailer | n A | Optional. Maximum length 32 characters.
Field | Length & Type | Details
RESPONSE MESSAGE
Message Header | m A | Returned to the Host unchanged.
Response Code | 2 A | Value 'U5'.
Error Code | 2 N | '00' : No error (S1 validated successfully); '01' : S1 validation failed; '10' : KML parity error; '70' : Invalid transaction indicator; or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter | 1 C | Present only if present in the command message. Value X'19.
Message Trailer | n A | Present only if present in the command message. Maximum length 32 characters.
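
The U4 command layout above, turned into a host-side builder that rejects a malformed request before it reaches the HSM. This is an added example, not code from the manual: the function names and the 4-character header length are assumptions, the manual names the letter U only for a double length TPK so any single letter is accepted before the 32 hexadecimal characters of the KML, and the sample values are constructed.

```python
import re

EM = b"\x19"      # End Message Delimiter, X'19
HEADER_LEN = 4    # assumption: 'm' is set at installation; 4 is used here

# (field name, length in bytes), in the order the U4 table lists them.
U4_FIELDS = [
    ("IDCEP", 6), ("NTCEP", 2), ("TI", 1), ("DTHRLDA", 5), ("CURRLDA", 3),
    ("IDLACQ", 4), ("IDLDA", 6), ("MLDA", 4), ("NTLASTLOAD", 2),
    ("NTLASTCANCEL", 2), ("CSTATCEP", 2), ("TLfailCEP", 1), ("DEXPCEP", 3),
    ("BALCEP", 4), ("BALmaxCEP", 4), ("PVSCEP", 1), ("S1", 8),
]
VALID_TI = {0x0C: "load", 0x0A: "unload"}

# Key field forms: 32 H, 1 A + 32 H, or index flag K + three-digit pointer.
KEY_RE = re.compile(r"[0-9A-Fa-f]{32}|[A-Z][0-9A-Fa-f]{32}|K[0-9]{3}")


def check_key_field(key: str) -> str:
    """Return the key field unchanged if it has one of the three forms."""
    if not KEY_RE.fullmatch(key):
        raise ValueError("key must be 32 H, 1 A + 32 H, or K + three digits")
    return key


def build_u4(header: str, kml: str, values: dict, trailer: str = "") -> bytes:
    """Build a U4 message (without STX/ETX, as in the manual's tables)."""
    if len(header) != HEADER_LEN or not header.isascii():
        raise ValueError("header must be %d ASCII characters" % HEADER_LEN)
    unknown = set(values) - {name for name, _ in U4_FIELDS}
    if unknown:
        raise ValueError("unknown field(s): %s" % ", ".join(sorted(unknown)))
    body = bytearray()
    for name, size in U4_FIELDS:
        if name not in values:
            raise ValueError("missing field %s" % name)
        data = values[name]
        if not isinstance(data, (bytes, bytearray)) or len(data) != size:
            raise ValueError("%s must be exactly %d byte(s)" % (name, size))
        body += data
    # U5 reports error '70' for a bad indicator; catch it on the host first.
    if values["TI"][0] not in VALID_TI:
        raise ValueError("TI must be 0C (load) or 0A (unload)")
    msg = header.encode("ascii") + b"U4"
    msg += check_key_field(kml).encode("ascii") + bytes(body)
    if trailer:
        if len(trailer) > 32:
            raise ValueError("message trailer longer than 32 characters")
        msg += EM + trailer.encode("ascii")
    return msg


def sample_values() -> dict:
    """Constructed all-zero field values with TI set to 0C (load)."""
    values = {name: bytes(size) for name, size in U4_FIELDS}
    values["TI"] = b"\x0c"
    return values


if __name__ == "__main__":
    message = build_u4("0001", "K001", sample_values())
    print(len(message), message[:10])
```
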
Validate the S1 MAC (Currency Exchange) Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the S1 MAC for currency exchange transactions.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'U6'.
*KMX 32 H or
1A + 32 H
Double length KMX encrypted under LMK pair 20-21 variant 2.
IDCEP 6 B The CEP Card Identifier. Used to create the *KDX.
NTCEP 2 B The transaction number assigned by the Load Acquirer.
TI 1 B Transaction Indicator: 08 for currency exchange transactions.
DTHRLDA 5 B Transaction date and time.
CURRSOURCE 3 B The Currency Code for the source slot.
IDLACQ 4 B Load Acquirer ID.
IDLDA 6 B The Identifier for the Load Device.
MLDA 4 B The Transaction amount.
NTLASTLOAD 2 B Transaction number of last load.
NTLASTCANCEL 2 B Transaction number of last cancel.
CSTATCEP 2 B Card Status.
TLfailCEP 1 B Tag and Length of failed update.
DEXPCEP 3 B Expiry date of the card, YYMMDD.
CURRTARGET 3 B The Currency Code.
BALTARGET 4 B Balance of target slot.
BALmaxTARGET 4 B Maximum balance of the target slot.
BALSOURCE 4 B Balance of source slot.
S1 8 B Signature for verification.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'U7'.
Error Code 2 N '00' : No error (S1 validated successfully) '01' : S1 validation failed '10' : KDX parity error '70' : Invalid transaction indicator
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Generate the S2 MAC (Linked load, declined unlinked load, unload)
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Generate the S2 MAC for Linked Load, Declined Unlinked Load or Unload transactions.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'U8'.
*KML 32 H or 1A + 32 H Double length KML encrypted under LMK pair 20-21 variant 1.
IDCEP 6 B The CEP Card Identifier. Used to create the *KDL.
NTCEP 2 B The transaction number assigned by the Load Acquirer.
Updates Length 2 N Length in bytes of the UPDATESISS field.
CCISS 2 B Completion Code.
TI 1 B Transaction Indicator: 0C : Linked Load or Declined Unlinked Load transactions 0A : unload transactions.
S1 8 B Signature.
BALISS 4 B Balance of card for this currency.
BALmaxISS 4 B Maximum balance of the target slot.
CALPHAISS 3 B Alphanumeric currency code.
UPDATESISS 0 - 24 B Updates to CEP card data.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'U9'.
Error Code 2 N '00' : No error '10' : *KML parity error '70' : Invalid transaction indicator '71' : Invalid Updates Length
or a standard error code, as listed in Chapter 4 of [2].
S2 8 B Generated Signature.
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Generate the S2 MAC (Currency Exchange)
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Generate the S2 MAC for currency exchange transactions.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'V0'.
*KMX 32 H or 1A + 32 H Double length *KMX encrypted under LMK pair 20-21 variant 2.
IDCEP 6 B The CEP Card Identifier. Used to create the *KDX.
NTCEP 2 B The transaction number assigned by the Load Acquirer.
Updates Length 2 N Length in bytes of the UPDATESISS field.
CCISS 2 B Completion Code.
TI 1 B Transaction Indicator: 08 : currency exchange transactions
S1 8 B Signature.
BALISS,TARGET 4 B New Balance of target slot.
BALmaxISS,TARGET 4 B Maximum balance of the target slot.
CALPHAISS, TARGET 3 B Alphanumeric representation of the target currency code.
BALISS,SOURCE 4 B New Balance of the source slot.
UPDATESISS 0 - 24 B Updates to CEP card data.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'V1'.
Error Code 2 N '00' : No error '10' : KML parity error '70' : Invalid transaction indicator '71' : Invalid Updates Length
or a standard error code, as listed in Chapter 4 of [2].
S2 8 B Generated Signature.
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Generate the S2 MAC (Approved Unlinked Load)
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Generate the S2 MAC for unlinked load transactions.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'V2'.
*KML 32 H or 1A + 32 H Double length KML encrypted under LMK pair 20-21 variant 1.
IDCEP 6 B The CEP Card Identifier. Used to create the *KDL.
NTCEP 2 B The transaction number assigned by the Load Acquirer.
Updates Length 2 N Length in bytes of the UPDATESISS field.
CCISS 2 B Completion Code.
TI 1 B Transaction Indicator: 0C : unlinked load transactions.
S1 8 B S1 Signature.
BALISS 4 B Balance of CEP card.
BALmaxISS 4 B Maximum balance of the target slot.
CALPHAISS 3 B Alphanumeric representation of the currency code for this slot.
HLSAM 8 B Left 8 bytes from SHA-1 hash of: IDLACQ,IDLDA,IDISS,IDCEP,NTCEP,RLSAM
UPDATESISS 0 - 24 B Updates to CEP card data.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'V3'.
Error Code 2 N '00' : No error '10' : KML parity error '70' : Invalid transaction indicator '71' : Invalid Updates Length
or a standard error code, as listed in Chapter 4 of [2].
S2 8 B Generated Signature.
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Validate the S3 MAC (Currency Exchange transactions)
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the S3 MAC for currency exchange transactions.
Notes: After a CEP card completes processing, it generates an S3 MAC to prove to the issuer that the currency exchange transaction was completed successfully. The load processor uses this function to verify the S3 MAC.
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'V4'.
*KM3X 32 H or 1A + 32 H Double length KM3X encrypted under LMK pair 20-21 variant 6.
IDCEP 6 B The CEP Card Identifier. Used to create the *KDX.
NTCEP 2 B The transaction number assigned by the Load Acquirer.
CCTRX 2 B Transaction Completion Code.
TI 1 B Transaction Indicator: 08 : currency exchanges.
DTHRLDA 5 B Transaction date and time.
CURRLDA,SOURCE 3 B The Currency Code.
IDLACQ 4 B Load Acquirer ID.
IDLDA 6 B The Identifier for the Load Device.
MLDA 4 B The Transaction amount.
CURRLDA,TARGET 3 B The Currency Code.
BALCEP,TARGET 4 B Balance of slot prior to completion.
BALCEP,SOURCE 4 B Balance of slot prior to completion.
S3 8 B Signature for verification.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'V5'.
Error Code 2 N '00' : No error (S3 validated successfully) '01' : S3 validation failed '10' : KML parity error '70' : Invalid transaction indicator
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Validate the S3 MAC (Load or Unload transactions)
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the S3 MAC for load or unload transactions.
Notes: After a CEP card completes processing, it generates an S3 MAC to prove to the issuer that the load or unload transaction was completed successfully. This function is used by the load processor to verify the S3 MAC.
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'V6'.
*KM3L 32 H or 1A + 32 H Double length *KM3L encrypted under LMK pair 20-21 variant 5.
IDCEP 6 B The CEP Card Identifier. Used to create the *KD3L.
NTCEP 2 B The transaction number assigned by the Load Acquirer.
CCTRX 2 B Transaction Completion Code.
TI 1 B Transaction Indicator: 0C : load transactions 0A : unload transactions.
DTHRLDA 5 B Transaction date and time.
CURRLDA 3 B The Currency Code.
IDLACQ 4 B Load Acquirer ID.
IDLDA 6 B The Identifier for the Load Device.
MLDA 4 B The Transaction amount.
BALCEP 4 B Balance of slot prior to completion.
S3 8 B Signature for verification.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'V7'.
Error Code 2 N '00' : No error (S3 validated successfully) '01' : S3 validation failed '10' : KMX parity error '70' : Invalid transaction indicator
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Validate the H2LSAM
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the H2LSAM, creating a SHA-1 hash over the transaction data and comparing with the input H2LSAM.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'V8'.
IDLACQ 4 B Load Acquirer ID.
IDLDA 6 B The Identifier for the Load Device.
IDISS 4 B The Issuer ID.
IDCEP 6 B The CEP Card Identifier.
NTCEP 2 B The transaction number assigned by the Load Acquirer.
R2LSAM 16 B Random Number.
H2LSAM 8 B Verification code (SHA-1 hash).
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'V9'.
Error Code 2 N '00' : No error (H2LSAM validated successfully) '01' : H2LSAM validation failed '10' : KML parity error '70' : Invalid transaction indicator
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
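As an added example (not part of the manual or of any vendor code), the sketch below assembles the 'V8' command from the field table above, checks every field width before sending, and decodes the 'V9' response. The 4-character header, the raw-byte encoding of 'B' fields, and the hash input order (taken by analogy with the HLSAM definition in the 'V2' command table) are assumptions.

```python
import hashlib
import hmac

# V8 body fields and widths in bytes, in the order the command table lists them.
V8_FIELDS = (("IDLACQ", 4), ("IDLDA", 6), ("IDISS", 4), ("IDCEP", 6),
             ("NTCEP", 2), ("R2LSAM", 16), ("H2LSAM", 8))
HASH_INPUT = ("IDLACQ", "IDLDA", "IDISS", "IDCEP", "NTCEP", "R2LSAM")
END_DELIMITER = b"\x19"   # End Message Delimiter
MAX_TRAILER = 32          # maximum Message Trailer length

# Error codes listed in the V9 response table.
V9_ERRORS = {
    "00": "No error (H2LSAM validated successfully)",
    "01": "H2LSAM validation failed",
    "10": "KML parity error",
    "70": "Invalid transaction indicator",
}


def compute_h2lsam(fields: dict) -> bytes:
    """Left 8 bytes of SHA-1 over the transaction data.

    ASSUMPTION: the input order mirrors the HLSAM definition given for
    command 'V2', with R2LSAM in place of RLSAM.
    """
    data = b"".join(fields[name] for name in HASH_INPUT)
    return hashlib.sha1(data).digest()[:8]


def matches_locally(fields: dict) -> bool:
    """Host-side sanity check; constant-time compare of the two codes."""
    return hmac.compare_digest(compute_h2lsam(fields), fields["H2LSAM"])


def build_v8(header: bytes, fields: dict, trailer: bytes = b"") -> bytes:
    """Serialise a V8 command; reject any field whose width is wrong."""
    body = b""
    for name, width in V8_FIELDS:
        value = fields[name]
        if len(value) != width:
            raise ValueError(f"{name} must be {width} bytes, got {len(value)}")
        body += value
    if len(trailer) > MAX_TRAILER:
        raise ValueError("message trailer exceeds 32 characters")
    message = header + b"V8" + body
    if trailer:
        # The delimiter is mandatory whenever a trailer is present.
        message += END_DELIMITER + trailer
    return message


def parse_v9(response: bytes, header_len: int) -> dict:
    """Split a V9 response into header, error code and optional trailer."""
    rest = response[header_len:]
    if len(rest) < 4 or rest[:2] != b"V9":
        raise ValueError("not a V9 response")
    error = rest[2:4].decode("ascii")
    tail, trailer = rest[4:], b""
    if tail:
        if tail[:1] != END_DELIMITER:
            raise ValueError("unexpected data after error code")
        trailer = tail[1:]
    return {
        "header": response[:header_len],
        "error_code": error,
        "ok": error == "00",
        "meaning": V9_ERRORS.get(error, "standard error code (see Chapter 4 of [2])"),
        "trailer": trailer,
    }


# Constructed sample values, for illustration only.
SAMPLE = {
    "IDLACQ": bytes.fromhex("00000011"),
    "IDLDA": bytes.fromhex("0000000000A1"),
    "IDISS": bytes.fromhex("00000022"),
    "IDCEP": bytes.fromhex("000000001234"),
    "NTCEP": bytes.fromhex("0007"),
    "R2LSAM": bytes(range(16)),
}
SAMPLE["H2LSAM"] = compute_h2lsam(SAMPLE)

if __name__ == "__main__":
    print(build_v8(b"0001", SAMPLE).hex())
    print(parse_v9(b"0001V901", 4)["meaning"])
```

Treat any error code other than '00' as a failed validation; codes outside the four listed here are the standard ones the manual refers to in Chapter 4 of [2].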
Unlinked Load Transaction Request
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Unlinked Load Transaction Request.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'T0'.
S1 8 B The CEP Card MAC produced by the card during 'Card Initialise for Load'.
HCEP 10 B The SHA-1 Hash generated by the CEP card on the Load Transaction data.
TPK 16 H or 1A + 32 H The Terminal PIN key encrypted under LMK pair 14-15.
REFNO 3 B The Transaction Reference Number.
R1Length 1 N The required length of the generated key R1: '1' : single length '2' : double length.
IDISS 4 B The Issuer ID.
IDCEP 6 B The CEP Card Identifier.
NTCEP 2 B The transaction number assigned by the Load Acquirer.
CURRLDA 3 B The Currency Indicator.
IDLACQ 4 B Load Acquirer ID.
IDLDA 6 B The Identifier for the Load Device.
MLDA 4 B The Transaction amount.
DDCEPLength 1 B The length in bytes of the DDCEP field that follows.
DDCEP 0 - 32 B Discretionary Data.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'T1'.
Error Code 2 N '00' : No error '11' : TPK Parity Error
or a standard error code, as listed in Chapter 4 of [2].
(DES)R1 16 / 32 H The generated session key encrypted under the TPK. (Note, if the supplied TPK is double length then this will also be double length.)
(DES)RLSAM 64 H The generated double length key RLSAM and other data CBC encrypted under LMK pair 10-11.
(DES)R2LSAM 64 H The generated double length key R2LSAM and other data CBC encrypted under LMK pair 10-11.
HLSAM 8 B SHA-1 hash of internally generated RLSAM.
H2LSAM 8 B SHA-1 hash of internally generated R2LSAM.
(DES)HCEP 64 H The HCEP, concatenated with REFNO and IDLACQ and CBC encrypted under LMK pair 10-11.
MACLSAM 4 B EMV MAC of Transactional data.
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Release RLSAM
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Release RLSAM.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'T2'.
REFNO 3 B The Transaction Reference Number.
IDLACQ 4 B Load Acquirer ID.
(DES)RLSAM 64 H The generated double length key RLSAM and other data CBC encrypted under LMK pair 10-11.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'T3'.
Error Code 2 N '00' : No error '01' : Validation Error '10' : RLSAM parity error
or a standard error code, as listed in Chapter 4 of [2].
RLSAM 32 H The clear text value of RLSAM returned as 32 HEX characters.
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Release R2LSAM
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Release R2LSAM.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'T4'.
REFNO 3 B The Transaction Reference Number.
IDLACQ 4 B Load Acquirer ID.
(DES)R2LSAM 64 H The generated double length key R2LSAM and other data CBC encrypted under LMK pair 10-11.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'T5'.
Error Code 2 N '00' : No error '01' : Validation Error '10' : R2LSAM parity error
or a standard error code, as listed in Chapter 4 of [2].
R2LSAM 32 H The clear text value of R2LSAM returned as 32 HEX characters.
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Verify RCEP
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Verify RCEP.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'T6'.
REFNO 3 B The Transaction Reference Number.
(DES)HCEP 64 H The HCEP, concatenated with REFNO and IDLACQ and CBC encrypted under LMK pair 10-11.
IDLACQ 4 B Load Acquirer ID.
IDLDA 6 B The Identifier for the Load Device.
IDISS 4 B The Issuer ID.
IDCEP 6 B The CEP Card Identifier.
NTCEP 2 B The transaction number assigned by the Load Acquirer.
RCEP 16 B The 16 Byte value returned by the CEP card following a Credit for Load rejection.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'T7'.
Error Code 2 N '00' : No error '01' : Verification Failure
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Validate S6 MAC
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: To validate an S6 Message Authentication Code (MAC) calculated by a CEP card on a detailed transaction record.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'W0'.
KMP 32 H Master Purchase Key, encrypted under variant 3 of LMK pair 20-21.
ALGP2 1 B Algorithm code for S6 in purchase transactions: must equal X10.
IDCEP 6 B CEP card serial number.
NTCEP 2 B CEP card transaction number.
DEXPPCEP 3 B CEP card expiration date for offline transactions.
TICEP 1 B CEP card transaction indicator.
DTHRPDA 5 B PDA transaction date and time.
CURRPDA 3 B PDA currency.
AMCEP 1 B CEP card authentication method.
RIDPSAM 5 B Registered identity of the entity assigning PSAM Creator IDs.
IDPSAMCREATOR 4 B Identifier for the creator of a PSAM.
IDPSAM 4 B Identifier of a PSAM.
NTPSAM 4 B PSAM transaction number.
MTOTCEP 4 B CEP card total transaction amount.
MPDA 4 B PDA transaction amount.
BALCEP 4 B CEP card slot balance.
S6 8 B Transaction MAC, to be validated.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'W1'.
Error Code 2 N '00' : No error (S6 verification successful) '01' : S6 verification failure '10' : KMP parity error '70' : Invalid ALGP2
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Validate S6 MAC
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: To validate an S6 Message Authentication Code (MAC) calculated by a CEP card on an aggregated transaction.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'W2'.
KMP 32 H Master Purchase Key, encrypted under variant 3 of LMK pair 20-21.
ALGP2 1 B Algorithm code for S6 in purchase transactions: must equal X10.
IDCEP 6 B CEP card serial number.
NTCEP 2 B CEP card transaction number.
MAC Type 1 B MAC type; must equal X01.
CURRPDA 3 B PDA currency.
MTOTAGG 4 B Amount of aggregated transactions in the current record.
NTAGG 2 B Number of aggregated transactions in the current record.
IDBATCH 2 B Identifier of batch containing the aggregated transactions.
RIDPSAM 5 B Registered identity of the entity assigning PSAM Creator IDs.
IDPSAMCREATOR 4 B Identifier for the creator of a PSAM.
IDPSAM 4 B Identifier of a PSAM.
NTPSAM 4 B PSAM transaction number.
S6 8 B Transaction MAC, to be validated.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'W3'.
Error Code 2 N '00' : No error (S6 verification successful) '01' : S6 verification failure '10' : KMP parity error '70' : Invalid ALGP2 '71' : Invalid MAC type
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Validate S6 MAC
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: To validate an S6 Message Authentication Code (MAC) calculated by a CEP card on an Issuer backup total.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code m A Value 'W4'.
KMP 32 H Master Purchase Key, encrypted under variant 3 of LMK pair 20-21.
ALGP2 1 B Algorithm code for S6 in purchase transactions: must equal X10.
IDCEP 6 B CEP card serial number.
NTCEP 2 B CEP card transaction number.
MAC Type 1 B MAC type; must equal X02.
CURRPDA 3 B PDA currency.
MTOToldIB 4 B Signed amount of transactions in the batch for the Issuer.
NToldIB 2 B Signed number of transactions in the batch for the Issuer.
IDBATCH 2 B Identifier of batch containing the aggregated transactions.
RIDPSAM 5 B Registered identity of the entity assigning PSAM Creator IDs.
IDPSAMCREATOR 4 B Identifier for the creator of a PSAM.
IDPSAM 4 B Identifier of a PSAM.
NTPSAM 4 B PSAM transaction number.
S6 8 B Transaction MAC, to be validated.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'W5'.
Error Code 2 N '00' : No error (S6 verification successful) '01' : S6 verification failure '70' : Invalid ALGP2 '71' : Invalid MAC type '10' : KMP parity error
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Validate S5,DLT MAC
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: To validate an S5,DLT Message Authentication Code (MAC), which provides the Issuer with the ability to verify the integrity of a non-CEP transaction.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'W6'.
KIS5 32 H S5 Issuer Key, encrypted under variant 4 of LMK pair 20-21.
ALGKS 1 B Algorithm code for S5 transactions; must equal X01.
NTPSAM 4 B PSAM transaction number.
TIPDA 1 B PDA transaction indicator.
DTHRPDA 5 B PDA transaction date and time.
IDPSAM 4 B Identifier of a PSAM.
MPDA 4 B PDA transaction amount.
DEXPCARD 3 B Card expiry date.
AMCEP 1 B CEP card authentication method.
BALCEP 4 B CEP card slot balance.
RIDPSAM 5 B Registered identity of the entity assigning PSAM Creator IDs.
IDPSAMCREATOR 4 B Identifier for the creator of a PSAM.
NTPSAM 4 B PSAM transaction number.
S5,DLT 8 B Transaction MAC, to be validated.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'W7'.
Error Code 2 N '00' : No error (S5,DLT verification successful) '01' : S5,DLT verification failure '10' : KIS5 parity error '70' : Invalid ALGKS
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Validate S5,ISS MAC
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: To validate an S5,ISS Message Authentication Code (MAC) which provides the Issuer with the ability to verify the integrity of a non-CEP transaction.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'W8'.
KIS5 32 H S5 Issuer Key, encrypted under variant 4 of LMK pair 20-21.
ALGKS 1 B Algorithm code for S5 transactions; must equal X01.
NTPSAM 4 B PSAM transaction number.
MAC Type 1 B MAC type; must equal X01 or X02.
MTOT 4 B MTOToldIB or MTOTAGG.
CURRPDA 3 B PDA currency.
NT 2 B NToldIB or NTAGG.
IDBATCH 2 B Identifier of batch containing the aggregated transactions.
RIDPSAM 5 B Registered identity of the entity assigning PSAM Creator IDs.
IDPSAMCREATOR 4 B Identifier for the creator of a PSAM.
IDPSAM 4 B Identifier of a PSAM.
S5,ISS 8 B Transaction MAC, to be validated.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'W9'.
Error Code 2 N '00' : No error (S5,ISS verification successful) '01' : S5,ISS verification failure '02' : Invalid ALGKS '03' : Invalid MAC type '10' : KIS5 parity error
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Validate the S4 MAC Old Terminals
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the S4 MAC (MAC of the PSAM for a Batch) for old terminals.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'X0'.
*KMACS4 32 H Double length KMACS4 encrypted under LMK pair 20-21 variant 7.
S4 16 H Signature for verification.
IDCAD 4 B Identifier for the CAD.
IDMCARD 4 B Identifier for the MCard.
Collection Number 1 B Collection Number.
MCard Date 1 B Month number as known by the MCard.
MTOTBATCH 4 B Total of all successful payments in the batch.
CURRMCARD 2 B Currency code for the batch.
NTBATCH 2 B Number of payment records in the batch.
NTENQBATCH 2 B Number of successful balance enquiries in the batch.
NTREJBATCH 2 B Total number of invalid records in the batch.
NTFLTBATCH 2 B Number of non-readable ICCs.
NTSFLTBATCH 2 B Number of system faults.
MCard Version 1 B Firmware version of the MCard.
CEXPMCARD 1 B Currency exponent.
Batch Close Date Time 2 B Batch close date and time (may be all zeroes).
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'X1'.
Error Code 2 N '00' : No error (S4 validated successfully) '01' : S4 validation failed '10' : KMAC parity error
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Validate the S4 MAC New Terminals
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the S4 MAC for new terminals.
Notes: This command does not check the contents of the data block over which the MAC is generated. It is the responsibility of the user of the command to ensure the data format is correct.
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'X2'.
*KMACS4 32 H Double length KMACS4 encrypted under LMK pair 20-21 variant 7.
S4 16 H Signature for verification.
IDPSAM 4 B Identifier for a PSAM.
IDBATCH 2 B Identifier for a POS Transaction Batch.
NTBATCH 2 B The number of payment and cancellation transactions in this batch.
Data Length 3 N Length in bytes of the following data block.
Data Block D4 n B Binary data block.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'X3'.
Error Code 2 N '00' : No error (S4 validated successfully) '01' : S4 validation failed '10' : KMAC parity error '70' : Data D4 length error
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
Validate the S5 MAC Old Terminals
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the S5 MAC (MAC of the PSAM for a Batch) for old terminals.
Notes: The MACing process for old terminals has a different pad process than standard.
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'X4'.
*KMACS5 32 H Double length KMACS5 encrypted under LMK pair 20-21 variant 8.
S5 16 H Signature for verification.
IDMCARD 4 B MCard Identifier.
Collection Number 1 B Collection Number.
NTMCARD 4 B MCard Transaction Number.
C.C. 1 B Proprietary Completion Codes.
Card Balance 4 B New Card Balance.
MTOTMCARD 4 B Total Transaction Amount.
CURRMCARD 2 B Currency Code.
CEXPMCARD 1 B Currency Exponent.
IDISS, MCARD 3 B Issuer BIN or zeroes (For reloadable or disposable cards).
IDCARD, MCARD 5 B Card Identifier.
NTIEP 2 B Card Transaction Number.
RFU 1 B Reserved.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'X5'.
Error Code 2 N '00' : No error (S5 validated successfully) '01' : S5 validation failed '10' : KMAC parity error
or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
-
Validate the S5 MAC (MAC of the PSAM for a Transaction) New Terminals
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the S5 MAC for new terminals.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'X6'.
*KMACS5 32 H Double length KMACS5 encrypted under LMK pair 20-21 variant 8.
S5 16 H Signature for verification.
Length of DDCEP 1 B Length of DDCEP field: range 0 to 6.
Record Length 2 B Record Length.
Record Type 1 B Record Type.
IDRECORD 2 B Record number within batch.
RIDPSAM 5 B The RID of the PSAM creator.
IDPSAMCREATOR 4 B The identifier assigned to the PSAM creator by the RIDPSAM owner.
IDPSAM 4 B Identifier for a PSAM.
IDBATCH 2 B Identifier for a POS Transaction Batch.
NTPSAM 4 B PSAM Transaction Number.
MTOTPDA 4 B Net value of transaction.
CURRPDA 3 B Currency of transaction.
IDSCHEME 1 B Reference number assigned to AIDCEP in AID table.
IDISS 4 B Issuer Identifier.
IDCEP 6 B ID of CEP or IEP application.
NTCEP 2 B CEP card transaction number.
S6 8 B Signature from CEP card.
CCPDA 2 B CEPS completion code.
CCPROP 2 B Proprietary completion code.
Slot Balance 4 B Slot balance at end of transaction.
TIPDA 1 B Transaction indicator.
MPDA 4 B Value of last successful increment.
DTHRPDA 5 B Date & Time stamp for transaction.
DEXPCARD 3 B Card expiration date.
ALGKS 1 B Algorithm to calculate S4 & S5.
AMCEP 1 B Authentication Method.
VKPCA, ISS, CEP 1 B Version number of the issuer CA key.
IDREG, ISS 4 B Issuer region ID.
VKPREG, ISS 1 B Version number of the regional CA key.
CSNISS, CEP 3 B Issuer certificate serial number.
LDDCEP 1 B Length of the DDCEP field.
DDCEP n B DDCEP response.
NUMSEG 1 B Number of Segments.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'X7'.
Error Code 2 N '00' : No error (S5 validated successfully); '01' : S5 validation failed; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
-
Validate the S5 Variant MAC (MAC of the PSAM for an Issuer Total) New Terminals
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the S5 Variant MAC for new terminals.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'X8'.
*KMACS5 32 H Double length KMACS5 encrypted under LMK pair 20-21 variant 8.
S5 Variant 16 H Signature for verification.
Length of DDCEP 1 B Length of DDCEP field: range 0 to 16.
Record Length 2 B Record Length.
Record Type 1 B Record Type.
IDRECORD 2 B Record number within batch.
RIDPSAM 5 B The RID of the PSAM creator.
IDPSAMCREATOR 4 B The identifier assigned to the PSAM creator by the RIDPSAM owner.
IDPSAM 4 B Identifier for a PSAM.
IDBATCH 2 B Identifier for a POS Transaction Batch.
NTPSAM 4 B PSAM Transaction Number.
MTOTSIGNED 4 B Net value of record.
CURRPDA 3 B Currency of transaction.
IDSCHEME 1 B Reference number assigned to AIDCEP in AID table.
IDISS 4 B Issuer Identifier.
IDCEP 6 B ID of CEP or IEP application.
NTCEP 2 B CEP card transaction number.
S6 or S6 8 B Signature from CEP card.
NTISS, SIGNED 2 B Number of transactions accounted for in the signed MTOT in this summary.
MTOTNOSIG 4 B Unsigned net value of record.
NTISS, NOSIG 4 B Number of transactions included in unsigned net value.
ALGKS 1 B Algorithm used to calculate S4 and S5 MACs.
LDDCEP 1 B Length of the DDCEP field.
DDCEP n B DDCEP response.
NUMSEG 1 B Number of Segments.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'X9'.
Error Code 2 N '00' : No error (S5 variant validated successfully); '01' : S5 variant validation failed; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
-
Create the Acknowledgement MAC Old Terminals
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Create the Acknowledgement MAC for old terminals.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'Y0'.
*KMACACQ 32 H Double length KMACACQ encrypted under LMK pair 20-21 variant 9.
Rec. IDMCARD 4 B ID of the receiving MCard.
Gen. IDMCARD 4 B ID of the MCard that generated the collection batch.
Coll. No. 1 B Collection Number.
NTBATCH 2 B The total number of purchase and cancellation transactions included in the batch.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'Y1'.
Error Code 2 N '00' : No error; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2].
SAQC 16 H Acknowledgement MAC.
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
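The 'Y0'/'Y1' layout above, as an added example that is not part of the original manual: a host-side builder for the 'Y0' command and a parser for the response layout shared by the commands in this chapter (header, response code, error code, optional MAC, optional X'19 delimiter and trailer). It assumes a 4-character message header, that A, H and N fields are ASCII characters and B fields are raw bytes, and that the MAC field is absent when the error code is not '00'; the function names and sample values are constructed.

```python
EM = b"\x19"  # End Message Delimiter value from the tables (X'19)

def build_y0(header, kmacacq_hex, rec_id, gen_id, coll_no, ntbatch, trailer=""):
    """Assemble a 'Y0' command in the field order of the table above."""
    if len(kmacacq_hex) != 32:
        raise ValueError("*KMACACQ must be 32 hex characters")
    bytes.fromhex(kmacacq_hex)  # raises ValueError on non-hex input
    if len(trailer) > 32:
        raise ValueError("message trailer exceeds 32 characters")
    msg = header.encode("ascii") + b"Y0" + kmacacq_hex.upper().encode("ascii")
    # B fields are taken as raw bytes so no byte order has to be assumed.
    for name, value, size in (("Rec. IDMCARD", rec_id, 4), ("Gen. IDMCARD", gen_id, 4),
                              ("Coll. No.", coll_no, 1), ("NTBATCH", ntbatch, 2)):
        if len(value) != size:
            raise ValueError(f"{name} must be {size} byte(s)")
        msg += value
    if trailer:  # the delimiter must be present whenever a trailer is
        msg += EM + trailer.encode("ascii")
    return msg

def parse_response(raw, header_len, expected_code, mac_len=0):
    """Split a response into header, response code, error code, MAC, trailer."""
    if len(raw) < header_len + 4:
        raise ValueError("response shorter than header + codes")
    header = raw[:header_len].decode("ascii")
    code = raw[header_len:header_len + 2].decode("ascii")
    error = raw[header_len + 2:header_len + 4].decode("ascii")
    rest = raw[header_len + 4:]
    if code != expected_code:
        raise ValueError(f"unexpected response code {code!r}")
    mac = None
    if mac_len and error == "00":  # assumption: MAC field is absent on error
        if len(rest) < mac_len:
            raise ValueError("MAC field truncated")
        mac, rest = rest[:mac_len].decode("ascii"), rest[mac_len:]
        bytes.fromhex(mac)  # the MAC is an H field: hex characters only
    trailer = None
    if rest:
        if rest[:1] != EM or len(rest) - 1 > 32:
            raise ValueError("bad end message delimiter or trailer length")
        trailer = rest[1:].decode("ascii")
    return {"header": header, "error": error, "ok": error == "00",
            "mac": mac, "trailer": trailer}

# Constructed sample values, not real key material or HSM output.
SAMPLE_CMD = build_y0("0001", "0123456789ABCDEF" * 2, bytes.fromhex("00000011"),
                      bytes.fromhex("00000022"), b"\x01", b"\x00\x05", "trl")
SAMPLE_RSP = b"0001Y100" + b"A1B2C3D4E5F60718" + EM + b"trl"
```

For the validation commands ('X5', 'X7', 'X9', 'Y7', 'Z1') call parse_response with mac_len left at 0 and treat any error code other than '00' as a failed check.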
-
Create the Acknowledgement MAC New Terminals
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Create the Acknowledgement MAC for new terminals.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'Y2'.
Mode Flag 1 N Mode Flag: '0' : *KMACACK supplied '1' : No *KMACACK supplied.
*KMACACK 32 H Double length KMACACK encrypted under LMK pair 20-21 variant 9, only supplied if Mode Flag = '0'.
CLA 1 B CLA.
INS 1 B INS.
P1P2 2 B P1P2.
LC 1 B LC.
IDTHREAD 1 B IDTHREAD.
Action Requested 1 B Action Requested.
RIDPSAM 5 B The RID of the PSAM Creator.
IDPSAMCREATOR 4 B The identifier assigned to the PSAM creator by the RIDPSAM owner.
IDPSAM 4 B Identifier for a PSAM.
DATEPSAM 2 B Current month.
IDBATCH 2 B Identifier for a POS Transaction Batch.
NTRECORD 2 B The number of payment records in a batch.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'Y3'.
Error Code 2 N '00' : No error; '10' : KMAC parity error; '70' : Invalid Mode Flag; or a standard error code, as listed in Chapter 4 of [2].
SACK 16 H Acknowledgement MAC.
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
-
Create the Update MAC
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Create the Update MAC.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'Y4'.
*KMACUPD 32 H Double length KMACUPD encrypted under LMK pair 22-23 variant 1.
IDBATCH 2 B Identifier for a POS Transaction Batch.
IDPSAM 4 B PSAM Identifier assigned by the PSAM creator.
CLA 1 B CLA.
INS 1 B INS.
P1P2 2 B P1P2.
LC 1 B LC.
IDTHREAD 1 B IDTHREAD.
Update Number 1 B Update Number.
TAG 2 B Tag identifying data in the update.
LEN 1 B Length of the following data.
Update data n B Update data.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'Y5'.
Error Code 2 N '00' : No error; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2].
SUPD 16 H Update MAC.
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
-
Validate the SADMIN MAC (Administrative MAC of the PSAM)
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the SADMIN MAC.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'Y6'.
SADMIN 16 H Signature for verification.
Length 2 B Length.
Record Type 1 B Record Type.
RIDPSAM 5 B The RID of the PSAM Creator.
IDPSAMCREATOR 4 B The identifier assigned to the PSAM creator by the RIDPSAM owner.
IDPSAM 4 B PSAM Identifier assigned by the PSAM creator.
Administrative Record ID 1 B Operating data table content status.
CNTTABLE 1 B Number of tables whose status is being reported in this record.
Table IDN 1 B Identifies the table being reported.
HASH valueN 8 B Hash value of data in the table.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'Y7'.
Error Code 2 N '00' : No error (SADMIN validated successfully); '01' : SADMIN validation failed; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
-
Create the Merchant Acquirer MAC
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Create the Merchant Acquirer MAC.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'Y8'.
*KMACMA 32 H Double length KMACMA encrypted under LMK pair 22-23 variant 2.
Date & Time 6 B Date and Time.
Function Code 2 B Function Code.
IDSOURCE 4 B IDSOURCE.
CURRCPDA 2 B CURRCPDA, can be all zeroes.
Block 1 9 B Block 1 containing CNTBATCH, CNTACCEPT, IDBATCH, NTBATCH and RESEND.
Block 2 9 B Block 2 containing Amount and Net Reconciliation.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'Y9'.
Error Code 2 N '00' : No error; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2].
SMA 16 H Merchant Acquirer MAC.
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
-
Validate the Card Issuer MAC
Licence HSM8-LIC004 is required.
Authorisation: Not required
Command: Validate the Card Issuer MAC.
Notes:
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'Z0'.
*KMACCI 32 H Double length KMACCI encrypted under LMK pair 22-23 variant 3.
SCI 16 H Signature for Verification.
Date & Time 6 B Date and Time.
Function Code 2 B Function Code.
IDDEST 4 B IDDEST.
Block 1 2 B Block 1, fixed to all zeroes.
Block 2 9 B Block 2 containing CNTBATCH, CNTACCEPT, IDBATCH, NTBATCH and RESEND.
Block 3 9 B Block 3 containing Amount and Net Reconciliation.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response Code 2 A Value 'Z1'.
Error Code 2 N '00' : No error (SCI validated successfully); '01' : SCI validation failed; '10' : KMAC parity error; or a standard error code, as listed in Chapter 4 of [2].
End Message Delimiter 1 C Present only if present in the command message. Value X'19.
Message Trailer n A Present only if present in the command message. Maximum length 32 characters.
-
Generate Issuer RSA Key Set (MasterCard/Europay)
Licence HSM8-LIC002 is required. Licence HSM8-LIC004 is required.
Authorisation: Required
Activity: generate.rsa-sk.host
Command: To generate an Issuer RSA Key Set and return the Public Key in the form of a MasterCard/Europay-format Self-Signed Issuer Public Key Certificate.
Notes: Depending on the key size, this function may take a minute or more to execute. This command may be used with either an odd Public Exponent or a Public Exponent = 2. This command uses the Europay method of generating key pairs.
Field Length & Type Details
COMMAND MESSAGE
Message Header m A Subsequently returned to the Host unchanged.
Command Code 2 A Value 'J0' (J-zero).
Hash Identifier 2 N Identifier of algorithm used to hash data.
Signature Identifier 2 N Identifier of signature algorithm.
Key Length 4 N Modulus length in bits (must be a multiple of 8). Range: '0400' to '2040'.
Data Block 10 B Data block to be included in the Self-Signed Certificate (comprises Certificate Subject ID (5 bytes), Expiry Date (2 bytes) and Certificate Serial Number (3 bytes)).
Issuer Public Key Index 3 B Issuer Public Key Index.
Authentication Data n A Optional; additional data to be included in the MAC calculation (must not include ';').
Delimiter 1 A Delimiter to indicate end of Authentication Data field: Value ';'.
Public Exponent Length 4 N Optional; length in bits of the Public Exponent; must be supplied if Public Exponent present in command message.
Public Exponent n B Optional; if supplied then it must be odd or equal to 2; if not supplied then a default exponent of 65537 is assumed.
End Message Delimiter 1 C Must be present if a message trailer is present. Value X'19.
Message Trailer n A Optional. Maximum length 32 characters.
Field Length & Type Details
RESPONSE MESSAGE
Message Header m A Returned to the Host unchanged.
Response