Issuing focuses on issuing payment cards and provisioning mobile payment tokens. The following sections cover these issuing topics:
- PIN and offset generation
- EMV key generation and derivation
- Mobile payment token issuance
- CVV generation
PIN and offset generation
For both PIN generation methods described in this section, the issuing bank associates PINs with an algorithm based on a 3DES encryption key, referred to as a PIN Verification Key (PVK). A PIN, generated based on the customer’s account or card number and the PIN Verification Key, is called the natural PIN.
In the past, issuers did not allow customers to select their PIN. Instead, the bank would send the natural PIN to customers in the mail and force them to use the designated PIN. Now, most banks allow customers to select their own PIN. To do this, the issuer sends the PIN Verification Key, the customer account number, and the chosen PIN to an HSM, which compares the natural PIN against the customer-selected PIN and determines the difference. The difference is referred to as the PIN Verification Value for the VISA PVV method and the offset for the IBM 3624 method.
VISA PVV
The VISA PVV algorithm performs a multiple encipherment of a value, called the transformed security parameter (TSP), and an extraction of a 4-digit PVV from the ciphertext.
You can use the GVWW Excrypt command to generate a random VISA Working Key for use in the VISA Network.
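The two non-cryptographic steps of the VISA PVV method, building the TSP and extracting the 4-digit PVV from the ciphertext, are shown below as an added example that is not Futurex code. The function names are hypothetical, the PAN and ciphertext are constructed samples, and the encipherment of the TSP under the PVK is assumed to happen inside the HSM and is not reproduced here.

```python
import re

def build_tsp(pan: str, pvki: int, pin: str) -> str:
    """TSP = 11 rightmost PAN digits (check digit excluded) + PVKI + 4 leftmost PIN digits."""
    if not (pan.isascii() and pan.isdigit() and len(pan) >= 12):
        raise ValueError("PAN must contain at least 12 decimal digits")
    if not (pin.isascii() and pin.isdigit() and len(pin) >= 4):
        raise ValueError("PIN must contain at least 4 decimal digits")
    if not 0 <= pvki <= 9:
        raise ValueError("PVKI must be a single decimal digit")
    return pan[-12:-1] + str(pvki) + pin[:4]

def extract_pvv(ciphertext_hex: str) -> str:
    """Pick the PVV out of the 8-byte ciphertext of the TSP.

    Pass 1 scans left to right and keeps decimal digits only.
    Pass 2 runs only if pass 1 found fewer than four digits: it rescans
    and maps A-F to 0-5 until four digits are collected.
    """
    ct = ciphertext_hex.upper()
    if not re.fullmatch(r"[0-9A-F]{16}", ct):
        raise ValueError("ciphertext must be 16 hex characters (one 8-byte block)")
    digits = [c for c in ct if c in "0123456789"]
    if len(digits) < 4:
        digits += [str(int(c, 16) - 10) for c in ct if c in "ABCDEF"]
    return "".join(digits[:4])

if __name__ == "__main__":
    # Constructed sample values, not real card data or real HSM output.
    tsp = build_tsp("4000001234567899", 1, "1234")
    print("TSP sent for encipherment:", tsp)
    print("PVV (digits available):   ", extract_pvv("A1F3C9E07B2D4F68"))
    print("PVV (second pass needed): ", extract_pvv("AB1CDEF2ABCDEFAB"))
```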
IBM 3624 (Offsets)
The IBM 3624 algorithm generates an n-digit PIN based on account or person-related validation data. The assigned PIN length parameter specifies the length of the generated PIN.
You can use the GOFF Excrypt command to generate a PIN Offset for use in the IBM 3624 Network.
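The IBM 3624 steps that follow the encryption of the validation data are sketched below as an added example that is not Futurex code. The function names, the sample ciphertext, and the use of the default decimalization table are assumptions, the offset is assumed to have the same length as the PIN, and the encryption under the PVK is assumed to happen inside the HSM.

```python
import hmac

DEFAULT_DEC_TABLE = "0123456789012345"  # maps hex digits 0-F to decimal digits

def natural_pin(ciphertext_hex: str, pin_length: int,
                dec_table: str = DEFAULT_DEC_TABLE) -> str:
    """Decimalize the encrypted validation data and keep the leftmost n digits."""
    if len(dec_table) != 16 or not (dec_table.isascii() and dec_table.isdigit()):
        raise ValueError("decimalization table must be 16 decimal digits")
    if len(ciphertext_hex) != 16:
        raise ValueError("ciphertext must be 16 hex characters (one 8-byte block)")
    if not 4 <= pin_length <= 16:
        raise ValueError("assigned PIN length must be between 4 and 16")
    decimalized = "".join(dec_table[int(c, 16)] for c in ciphertext_hex)
    return decimalized[:pin_length]

def generate_offset(natural: str, chosen: str) -> str:
    """Offset = customer-selected PIN minus natural PIN, digit by digit, modulo 10."""
    if len(natural) != len(chosen) or not (chosen.isascii() and chosen.isdigit()):
        raise ValueError("chosen PIN must be decimal and match the natural PIN length")
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen, natural))

def verify_pin(entered: str, ciphertext_hex: str, offset: str,
               dec_table: str = DEFAULT_DEC_TABLE) -> bool:
    """Recompute natural PIN + offset (mod 10 per digit) and compare in constant time."""
    nat = natural_pin(ciphertext_hex, len(offset), dec_table)
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(entered, expected)

if __name__ == "__main__":
    ct = "3F7C220100CA8AB3"  # constructed sample, not real HSM output
    nat = natural_pin(ct, 4)
    off = generate_offset(nat, "1234")
    print("natural PIN:", nat, "offset:", off)
    print("correct PIN accepted:", verify_pin("1234", ct, off))
    print("wrong PIN accepted:  ", verify_pin("1235", ct, off))
```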
Common PIN and offset generation commands
This section contains PIN and offset generation commands for Excrypt, Standard, and International command sets:
Excrypt
| Command | Description |
|---|---|
| GNOF | Generate New Offset |
| GOFC | Generate Offset of Clear PIN |
| GOFF | Generate PIN offset value |
| GPIN | Generate PIN (Diebold Method) |
| GPIN | Generate PIN (IBM 3624 Method) |
| GPIN | Generate PIN (Visa Method) |
Standard
| Command | Description |
|---|---|
| 34 | Generate Clear PIN and Offset |
| 386 | Generate MAC (DUKPT) |
| 38C | Derive DUKPT Initial PIN Encryption Key |
| 3D | Generate IBM 3624 Offset |
| 3FA | Generate PIN and PVV |
International
| Command | Description |
|---|---|
| BK | Generate IBM 3624 PIN Offset |
| DE | Generate IBM PIN Offset |
| DG | Generate Visa PIN Verification Value (PVV) |
| EE | Derive PIN using the IBM Method |
| FW | Generate Visa PIN Verification Value (of a customer-selected PIN) |
| JA | Generate Random PIN |
EMV key generation and derivation
Europay, Mastercard, and Visa created EMV, a payment method based on a technical standard for smart payment cards and for the payment terminals and ATMs that can accept them.
EMV cards are smart cards, also called chip cards, which store their data on integrated circuit chips (ICCs), in addition to magnetic stripes for backward compatibility. These include cards that you physically insert (or dip) into a reader and contactless cards that can be read over a short distance using near-field communication technology.
Payment cards that comply with the EMV standard are often called chip and PIN or chip and signature cards, depending on the authentication methods employed by the card issuer, such as a personal identification number (PIN) or digital signature.
Outside the United States, the chip and PIN process is more common. It requires a secret four-digit PIN code known only by the cardholder to validate the EMV payment, making it significantly more secure. In the U.S., companies have opted for issuing chip and signature cards, weighing the risk of fraudulent transactions against the desire to make the purchasing process as seamless as possible for consumers.
Common EMV key generation and derivation commands
This section contains EMV key generation and derivation commands for Excrypt, Standard, and International command sets:
Excrypt
| Command | Description |
|---|---|
| EMVG | Generate Master Key |
| EMVK | Derive Key from Vendor Master Key and Derivation Data |
| EMVM | Generate/Verify MAC |
| GCIV | Generate a CVC IV |
| GDAC | Generate a Data Authentication Code (DAC) |
| GDCV | Generate DCVC3 |
| GEMC | Generate EMV ICC Certificate |
| GEMQ | Generate EMV Issuer CSR |
| GIDN | Generate an ICC dynamic number (IDN) |
| GOPC | Generate Offset and EMV PIN Change |
| GVDC | Generate a Dynamic CVV |
| OFPC | Perform EMV PIN Change Using Offset |
| SSAD | Sign Static Authentication Data with Issuer Private Key |
Standard
| Command | Description |
|---|---|
| 352 | EMV Message Authentication Code (MAC) Generation |
| 354 | Generate Smart Card Master Key |
| 368 | Create Limited Use Key (LUK) |
International
| Command | Description |
|---|---|
| KE | Generate an EMV Issuer CSR |
| KI | Derive ICC key and encrypt under KEK |
| KO | Generate an EMV ICC certificate and sign with issuer private key |
| KU | Generate Secure Message with Integrity and optional Confidentiality |
Mobile payment token issuance
The pay brands (such as Google Pay, Apple Pay, Samsung Pay, and so on) govern mobile payment tokens. To issue mobile payment tokens to a device, the card issuer (such as Wells Fargo, Chase, Bank of America, and so on) must have a relationship with the particular pay brand to which it plans to issue the mobile payment token. Each pay brand has specific data structures and encryption methods required to communicate a token to a device, so the card issuer must support those methods for it to work.
Common mobile payment token issuance commands
This section contains mobile payment token issuance commands for the Excrypt command set:
Excrypt
| Command | Description |
|---|---|
| GHMC | Generate HCE Mobile Cryptogram |
| GHMD | Generate HCE Magstripe Verification Value |
| GHMK | Generate HCE Mobile Keys |
The Standard and International command sets do not support mobile payment token issuance.
Card Verification Value generation
A Card Verification Value (CVV) is similar to a PIN, except it is not a secret value. A CVV is generated based on a Card Verification Key (CVK): the CVK is the base key, and the CVV is based on that key and the customer account or card number.
Originally, CVV validated that a user had the original card and not a cloned card.
CVV generation and verification are available, but not translation, because the CVV is not encrypted between the hops.
Common CVV generation commands
This section contains CVV generation commands for Excrypt, Standard, and International command sets:
Excrypt
| Command | Description |
|---|---|
| CAAV | Calculate Account holder Authentication Value |
| GCAV | Generate CAVV |
| GCAV | Generate American Express (Amex) CSC Value |
| GCVC | Generate CVC and CVC2 |
| GCVV | Generate CVV/CVC Value |
| GDDC | Generate Discover dynamic CVV |
| GVDC | Generate dynamic CVV |
| GIDN | Generate ICC dynamic number (IDN) |
Standard
| Command | Description |
|---|---|
| 35B | Generate American Express (Amex) CSC Value |
| 5D | Generate Card Verification Value (CVV) |
International
| Command | Description |
|---|---|
| CW | Generate Visa Card Verification Value (CVV) |
| RY | Generate Random CSCK |
| RY (Mode 3) | Generate Card Security Codes for CSCK |