z/OS Cryptographic Services ICSF Application Programmer's Guide


Usage Notes

SA22-7522-16

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

To verify a MAC in one call, specify the ONLY keyword as the segmenting rule keyword in the rule_array parameter. To verify it in two or more calls, specify FIRST for the first input block, MIDDLE for each intermediate block (if any), and LAST for the last block.

For a given text string, the MAC resulting from the verification process is the same regardless of how the text is segmented, or how it was segmented when the original MAC was generated.
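The following C routine is an added example, not code from the ICSF library or this guide. It plans the sequence of segmenting rule keywords for a text of a given length while honoring the FIRST/MIDDLE/LAST length restrictions listed for the zSeries 900 routing case in Table 152. The helper name plan_mac_segments, the struct, and the reading of "4K" as 4096 bytes are assumptions. Pass a chunk smaller than 4096 to leave room for padding on the final call.

```c
#include <stddef.h>
#include <string.h>

#define SEG_LIMIT 4096u   /* assumed value of the "4K" limit in Table 152 */
#define BLOCK     8u      /* FIRST/MIDDLE lengths must be multiples of 8 */

/* One planned call: the segmenting rule keyword plus the slice of text. */
struct mac_segment {
    char   rule[9];       /* ONLY, FIRST, MIDDLE or LAST */
    size_t offset;
    size_t length;
};

/* Hypothetical helper: split total bytes into calls of at most chunk bytes.
 * Returns the number of segments written, or -1 if chunk breaks the
 * restrictions or out[] is too small. */
int plan_mac_segments(size_t total, size_t chunk,
                      struct mac_segment *out, int max_out)
{
    int n = 0;
    size_t off = 0;

    if (chunk == 0 || chunk > SEG_LIMIT || chunk % BLOCK != 0 || max_out < 1)
        return -1;

    if (total <= chunk) {               /* whole text fits in one call */
        strcpy(out[0].rule, "ONLY");
        out[0].offset = 0;
        out[0].length = total;
        return 1;
    }
    /* Emit FIRST/MIDDLE while more than one chunk remains, so LAST is
     * never empty and never longer than chunk. */
    while (total - off > chunk) {
        if (n >= max_out - 1)
            return -1;                  /* keep one slot for LAST */
        strcpy(out[n].rule, n == 0 ? "FIRST" : "MIDDLE");
        out[n].offset = off;
        out[n].length = chunk;
        off += chunk;
        n++;
    }
    strcpy(out[n].rule, "LAST");
    out[n].offset = off;
    out[n].length = total - off;
    return n + 1;
}
```

Each planned segment corresponds to one call to the service, with the same key and the rule keyword shown; because the MAC is independent of segmentation, any valid chunk size yields the same verification result.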

CCF Systems only: To use a MAC generation key or a DATA key, the NOCV enablement keys must be present in the CKDS. Using either a MAC generation key or a DATA key instead of a MAC verify key in this service substantially increases the path length for verifying the MAC.

The MAC Verify access control point controls the function of this service.

The following table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 152. MAC verify required hardware

Server: IBM eServer zSeries 900
Required cryptographic hardware: Cryptographic Coprocessor Feature
Restrictions: ICSF routes the request to a PCI Cryptographic Coprocessor if the control vector in the supplied key identifier cannot be processed on the Cryptographic Coprocessor Feature. The request must meet the following restrictions:
  • The MAC Process Rule is X9.19OPT or EMVMACD.
  • The MAC key is a valid double-length MAC generate key.
  • The text_length on the final call (ONLY or LAST) cannot be greater than 4K including padding.
  • The text_length must be less than or equal to 4K bytes for the FIRST and MIDDLE keywords, and the text length must be a multiple of 8 bytes.
TDES-MAC not supported.

Server: IBM eServer zSeries 990, IBM eServer zSeries 890
Required cryptographic hardware: PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor
Restrictions: TDES-MAC not supported.

Server: IBM System z9 EC, IBM System z9 BC
Required cryptographic hardware: Crypto Express2 Coprocessor





Copyright IBM Corporation 1990, 2014