Generate Mac Emv Pin Change
paymentcryptographydataplane_generate_mac_emv_pin_change | R Documentation |
Generates an issuer script MAC for EMV payment cards that use offline PINs as the cardholder verification method (CVM)
Description
Generates an issuer script MAC for EMV payment cards that use offline PINs as the cardholder verification method (CVM).
This operation generates an authenticated issuer script response by appending the incoming message data (APDU command) with the target encrypted PIN block in ISO2 format. The command structure and method to send the issuer script update to the card is not defined by this operation and is typically determined by the applicable payment card scheme.
The primary inputs to this operation include the incoming new encrypted PIN block, PIN encryption key (PEK), issuer master key (IMK), primary account number (PAN), and the payment card derivation method.
The operation uses two issuer master keys: secure messaging for confidentiality (IMK-SMC) and secure messaging for integrity (IMK-SMI). The SMC key is used to internally derive a key to secure the PIN, while the SMI key is used to internally derive a key to authenticate the script response as per the EMV 4.4 - Book 2 - Security and Key Management specification.
This operation supports Amex, EMV2000, EMVCommon, Mastercard and Visa derivation methods, each requiring specific input parameters. Users must follow the specific derivation method and input parameters defined by the respective payment card scheme.
Use the generate_mac operation when sending a script update to an EMV card that does not involve PIN change. When assigning IAM permissions, it is important to understand that encrypt_data using EMV keys and generate_mac perform similar functions to this command.
Cross-account use: This operation can't be used across different Amazon Web Services accounts.
Related operations:
- encrypt_data
- generate_mac
Usage
paymentcryptographydataplane_generate_mac_emv_pin_change(
  NewPinPekIdentifier, NewEncryptedPinBlock, PinBlockFormat,
  SecureMessagingIntegrityKeyIdentifier,
  SecureMessagingConfidentialityKeyIdentifier, MessageData,
  DerivationMethodAttributes)
Arguments
NewPinPekIdentifier
[required] The keyARN of the PEK protecting the incoming new encrypted PIN block.
NewEncryptedPinBlock
[required] The incoming new encrypted PIN block data for offline PIN change on an EMV card.
PinBlockFormat
[required] The PIN encoding format of the incoming new encrypted PIN block as specified in ISO 9564.
SecureMessagingIntegrityKeyIdentifier
[required] The keyARN of the issuer master key (IMK-SMI) used to authenticate the issuer script response.
SecureMessagingConfidentialityKeyIdentifier
[required] The keyARN of the issuer master key (IMK-SMC) used to protect the PIN block data in the issuer script response.
MessageData
[required] The message data is the APDU command from the card reader or terminal. The target encrypted PIN block, after translation to ISO2 format, is appended to this message data to generate an issuer script response.
DerivationMethodAttributes
[required] The attributes and data values to derive payment card specific confidentiality and integrity keys.
Value
A list with the following syntax:
list(
  NewPinPekArn = "string",
  SecureMessagingIntegrityKeyArn = "string",
  SecureMessagingConfidentialityKeyArn = "string",
  Mac = "string",
  EncryptedPinBlock = "string",
  NewPinPekKeyCheckValue = "string",
  SecureMessagingIntegrityKeyCheckValue = "string",
  SecureMessagingConfidentialityKeyCheckValue = "string",
  VisaAmexDerivationOutputs = list(
    AuthorizationRequestKeyArn = "string",
    AuthorizationRequestKeyCheckValue = "string",
    CurrentPinPekArn = "string",
    CurrentPinPekKeyCheckValue = "string"
  )
)
Request syntax
svc$generate_mac_emv_pin_change(
  NewPinPekIdentifier = "string",
  NewEncryptedPinBlock = "string",
  PinBlockFormat = "ISO_FORMAT_0"|"ISO_FORMAT_1"|"ISO_FORMAT_3",
  SecureMessagingIntegrityKeyIdentifier = "string",
  SecureMessagingConfidentialityKeyIdentifier = "string",
  MessageData = "string",
  DerivationMethodAttributes = list(
    EmvCommon = list(
      MajorKeyDerivationMode = "EMV_OPTION_A"|"EMV_OPTION_B",
      PrimaryAccountNumber = "string",
      PanSequenceNumber = "string",
      ApplicationCryptogram = "string",
      Mode = "ECB"|"CBC",
      PinBlockPaddingType = "NO_PADDING"|"ISO_IEC_7816_4",
      PinBlockLengthPosition = "NONE"|"FRONT_OF_PIN_BLOCK"
    ),
    Amex = list(
      MajorKeyDerivationMode = "EMV_OPTION_A"|"EMV_OPTION_B",
      PrimaryAccountNumber = "string",
      PanSequenceNumber = "string",
      ApplicationTransactionCounter = "string",
      AuthorizationRequestKeyIdentifier = "string",
      CurrentPinAttributes = list(
        CurrentPinPekIdentifier = "string",
        CurrentEncryptedPinBlock = "string"
      )
    ),
    Visa = list(
      MajorKeyDerivationMode = "EMV_OPTION_A"|"EMV_OPTION_B",
      PrimaryAccountNumber = "string",
      PanSequenceNumber = "string",
      ApplicationTransactionCounter = "string",
      AuthorizationRequestKeyIdentifier = "string",
      CurrentPinAttributes = list(
        CurrentPinPekIdentifier = "string",
        CurrentEncryptedPinBlock = "string"
      )
    ),
    Emv2000 = list(
      MajorKeyDerivationMode = "EMV_OPTION_A"|"EMV_OPTION_B",
      PrimaryAccountNumber = "string",
      PanSequenceNumber = "string",
      ApplicationTransactionCounter = "string"
    ),
    Mastercard = list(
      MajorKeyDerivationMode = "EMV_OPTION_A"|"EMV_OPTION_B",
      PrimaryAccountNumber = "string",
      PanSequenceNumber = "string",
      ApplicationCryptogram = "string"
    )
  )
)
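A worked request for the EmvCommon derivation method, added here as an example and not taken from the paws documentation. The helper names (build_emv_common_request, kcv_mismatches, send_pin_change) are hypothetical, the PAN and PSN length checks are assumptions, and the Mode and padding values are illustrative choices from the enumerations above. It also compares the key check values in the response with the values recorded when the keys were created, so that a script built with the wrong PEK or IMK is rejected before it reaches the card.

```r
# Build and validate a request for the EmvCommon derivation method.
build_emv_common_request <- function(pek_arn, smi_arn, smc_arn, pin_block,
                                     apdu, pan, psn, cryptogram,
                                     pin_block_format = "ISO_FORMAT_0") {
  is_hex <- function(x) grepl("^([0-9A-Fa-f]{2})+$", x)
  stopifnot(
    pin_block_format %in% c("ISO_FORMAT_0", "ISO_FORMAT_1", "ISO_FORMAT_3"),
    is_hex(pin_block), is_hex(apdu), is_hex(cryptogram),
    grepl("^[0-9]{12,19}$", pan),  # assumption: PAN is 12-19 decimal digits
    grepl("^[0-9]{2}$", psn)       # assumption: PSN is two decimal digits
  )
  list(
    NewPinPekIdentifier = pek_arn,
    NewEncryptedPinBlock = pin_block,
    PinBlockFormat = pin_block_format,
    SecureMessagingIntegrityKeyIdentifier = smi_arn,
    SecureMessagingConfidentialityKeyIdentifier = smc_arn,
    MessageData = apdu,
    # Mode and padding are illustrative; the card scheme dictates them.
    DerivationMethodAttributes = list(EmvCommon = list(
      MajorKeyDerivationMode = "EMV_OPTION_A",
      PrimaryAccountNumber = pan,
      PanSequenceNumber = psn,
      ApplicationCryptogram = cryptogram,
      Mode = "CBC",
      PinBlockPaddingType = "ISO_IEC_7816_4",
      PinBlockLengthPosition = "FRONT_OF_PIN_BLOCK"
    ))
  )
}

# Response KCV fields that differ from the values recorded at key creation.
kcv_mismatches <- function(resp, expected) {
  ok <- vapply(names(expected),
               function(f) identical(resp[[f]], expected[[f]]), logical(1))
  names(expected)[!ok]
}

# Send the request (needs AWS credentials and real key ARNs) and refuse to
# return the script data if an unexpected key was used.
send_pin_change <- function(req, expected_kcv) {
  svc <- paws::paymentcryptographydataplane()
  resp <- do.call(svc$generate_mac_emv_pin_change, req)
  bad <- kcv_mismatches(resp, expected_kcv)
  if (length(bad) > 0) stop("unexpected key check value: ", toString(bad))
  resp[c("Mac", "EncryptedPinBlock")]
}
```

Pass expected_kcv as a named character vector keyed by the response fields to check, for example NewPinPekKeyCheckValue, SecureMessagingIntegrityKeyCheckValue and SecureMessagingConfidentialityKeyCheckValue.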