Verify CVV2

Mar 15, 2012 at 2:41 AM

I am trying to do what I think should be very straightforward, but for the life of me, I can't seem to figure it out. I assume that I should be using the "CY" command which is meant to allow the verification of either CVV or CVV2 values. When I look at the documentation, I can't seem to tell the HSM that the CVV value after the CVK A/B value is a CVV2. I am coming from the Jones Futurex product which is very straightforward to use.

Mar 15, 2012 at 8:37 AM

I'm replying without looking at the documentation but I remember that a single algorithm generates both CVV and CVV2. If I remember correctly, the difference is in the SVC that's passed as a parameter to the CY command; for CVV, the actual SVC is passed but for CVV2 a fixed value is used (but I can't remember it off the top of my head).

Mar 15, 2012 at 4:46 PM

Boy, I was really afraid the response was just what you said. I was reading in the manual, and I kinda got that impression when reading between the lines.

Mar 15, 2012 at 6:08 PM

Why afraid?

Mar 15, 2012 at 6:40 PM

I have cards that have been issued with CVV2 values calculated with a service code other than "000", which means I can't just pull the Jones HSM out and replace it with a Thales unit.

Mar 15, 2012 at 7:44 PM

You can set the SVC parameter of the Thales command to something other than "000". The CY command will not care about it and generate the appropriate CVV, which in your case is CVV2. The fact that you can use the CY command both for CVV and CVV2 generation does not imply that when you use it for CVV2 generation you must pass "000" as the SVC. In fact, CY does not distinguish between CVV, CVV2 and iCVV generation.

Does that sound right? Is the problem something else that I'm missing?

Mar 15, 2012 at 9:02 PM

I guess my question is this: is the same algorithm used to generate both CVV and CVV2 values? If it is the exact same other than the inputs, I guess I could pass the CVV2 in the "CY" command but not force the service code to "000". Is that what you are suggesting?

Mar 15, 2012 at 10:01 PM

Yes it is. The algorithm is the same for CVV, CVV2 and iCVV. Only the value of SVC changes.
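
The point the thread settles on, as an added example that is not part of the original discussion or the simulator's own code: a Go sketch of the widely documented DES-based card verification value calculation, where one routine serves CVV, CVV2 and iCVV and only the service code input differs. The function names, the test key pair and the card data are constructed for illustration; "000" and "999" are the service codes conventionally used for CVV2 and iCVV.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// dataBlock joins PAN, expiry and service code and zero-pads to 32 digits.
func dataBlock(pan, exp, svc string) string {
	return (pan + exp + svc + "00000000000000000000000000000000")[:32]
}

// decimalize keeps digits 0-9 in order, then appends a-f mapped to 0-5.
func decimalize(h string) string {
	var digits, letters []byte
	for _, c := range []byte(h) {
		if c <= '9' {
			digits = append(digits, c)
		} else {
			letters = append(letters, (c|0x20)-'a'+'0')
		}
	}
	return string(append(digits, letters...))
}

// cardValue is the one routine behind CVV, CVV2 and iCVV.
// cvk is the double-length key as 32 hex digits: CVK A followed by CVK B.
func cardValue(cvk, pan, exp, svc string) string {
	k, _ := hex.DecodeString(cvk)
	a, _ := des.NewCipher(k[:8])
	b, _ := des.NewCipher(k[8:])
	d, _ := hex.DecodeString(dataBlock(pan, exp, svc))
	x, y := d[:8], d[8:]
	a.Encrypt(x, x) // DES-encrypt block 1 under CVK A
	for i := range x {
		x[i] ^= y[i] // XOR with block 2
	}
	a.Encrypt(x, x) // then encrypt A, decrypt B, encrypt A
	b.Decrypt(x, x)
	a.Encrypt(x, x)
	return decimalize(hex.EncodeToString(x))[:3]
}

func main() {
	const cvk = "0123456789ABCDEFFEDCBA9876543210" // constructed test key
	for _, svc := range []string{"101", "000", "999"} {
		fmt.Println(svc, cardValue(cvk, "4123456789012345", "8701", svc))
	}
}
```

Verification is the same calculation followed by a comparison, so a card whose CVV2 was issued with a non-"000" service code verifies as long as the same service code is supplied again.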