User manual

Copyright © 2011, Unitech America Inc. All rights reserved.
MS246 User Manual
<NAK> (fail)
Activation Data: 8 or 16 bytes, structured as <Challenge 1 Response> <Session ID>.
Challenge 1 Response: 6 bytes of Challenge 1 random data with 2 bytes of
Authenticated Mode timeout duration. It’s encrypted using the key derived from the
current DUKPT key.
Session ID: Optional 8 bytes Session ID, encrypted using the key derived from the
current DUKPT key.
Deactivate Authenticated Mode Command
This command is used to exit Authenticated Mode. The host needs to send the first 7
bytes of Challenge 2 (from the response of Activate Authenticated Mode command)
and the Increment Flag (0x00 indicates no increment, 0x01 indicates increment of the
KSN) encrypted with the current DUKPT Key exclusive-ORed with <3C3C 3C3C
3C3C 3C3C 3C3C 3C3C 3C3C 3C3C>.
If the device decrypts Challenge 2 successfully, the device will exit Authenticated
Mode. The KSN will increase if the Increment Flag is set to 0x01. If the device
cannot decrypt Challenge 2 successfully, it will stay in Authenticated Mode until a
timeout occurs or the customer swipes a card.
The KSN is incremented every time Authenticated Mode is exited by timeout or
card swipe action. When Authenticated Mode is exited by the Deactivate
Authenticated Mode command, the KSN will increment only when the Increment Flag is
set to 0x01.
Command Structure
Host -> Device:
<STX><S><83h><08h><Deactivation Data><ETX><LRC>
Device -> Host:
<ACK> (success)
<NAK> (fail)
<Deactivation Data>: 8-byte response to Challenge 2. It contains 7 bytes of
Challenge 2 with 1 byte of Increment Flag, encrypted by the specified variant of
the current DUKPT Key.
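
The Deactivate Authenticated Mode frame described above, built on the host side as an added example (not code from the manual or from Unitech). Assumptions not stated on this page: standard ASCII values for STX/ETX/ACK/NAK and the letter S, an LRC that is the XOR of all preceding frame bytes, and a block cipher passed in by the caller as `encrypt_block` because the page does not name the algorithm; `demo_cipher` is a constructed placeholder, not real encryption.

```python
from typing import Callable

STX, ETX, ACK, NAK = 0x02, 0x03, 0x06, 0x15   # ASSUMPTION: standard ASCII codes
VARIANT_MASK = bytes([0x3C]) * 16             # mask given in the manual text

def variant_key(dukpt_key: bytes) -> bytes:
    """Current DUKPT key XORed with the 3C3C...3C mask."""
    if len(dukpt_key) != 16:
        raise ValueError("expected a 16-byte DUKPT key")
    return bytes(k ^ m for k, m in zip(dukpt_key, VARIANT_MASK))

def lrc(data: bytes) -> int:
    """ASSUMPTION: LRC is the XOR of every preceding frame byte."""
    out = 0
    for b in data:
        out ^= b
    return out

def build_deactivate(challenge2: bytes, increment: bool, dukpt_key: bytes,
                     encrypt_block: Callable[[bytes, bytes], bytes]) -> bytes:
    """Frame <STX><S><83h><08h><Deactivation Data><ETX><LRC>."""
    if len(challenge2) < 7:
        raise ValueError("need at least the first 7 bytes of Challenge 2")
    plain = challenge2[:7] + bytes([0x01 if increment else 0x00])
    data = encrypt_block(variant_key(dukpt_key), plain)
    if len(data) != 8:
        raise ValueError("Deactivation Data must be 8 bytes")
    body = bytes([STX, ord("S"), 0x83, 0x08]) + data + bytes([ETX])
    return body + bytes([lrc(body)])

def succeeded(response: bytes) -> bool:
    """True on <ACK>, False on <NAK>; anything else is a protocol error."""
    if response[:1] == bytes([ACK]):
        return True
    if response[:1] == bytes([NAK]):
        return False
    raise ValueError("unexpected response to Deactivate command")

def demo_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed placeholder, NOT a real cipher: XOR block with key[:8]."""
    return bytes(b ^ k for b, k in zip(block, key))

if __name__ == "__main__":
    key = bytes(range(16))                     # constructed sample key
    ch2 = bytes.fromhex("a1a2a3a4a5a6a7a8")    # constructed sample Challenge 2
    print(build_deactivate(ch2, True, key, demo_cipher).hex())
```

A NAK leaves the reader in Authenticated Mode until timeout or card swipe, so the host should treat a `False` result as "still authenticated" rather than retrying blindly.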
Get Reader Status Command
Command Structure
Host -> Device:
<STX><R><83h><ETX><LRC>
Device -> Host: