Like you said, all the PIN blocks are encrypted under the ZPK. Since they do have the ZPK, they can decrypt the PIN block and derive the PIN. Since you've exchanged ZMKs and created a ZPK, they don't need access to your LMKs.
Using Thales only, the batch process is like this:
- A random PIN is generated using JA.
- The PIN block is generated and saved for encoding to the card.
- The PIN is printed to a printer attached to the HSM using the PE command.