2026/05/20 - Payment Cryptography Data Plane - 1 new1 updated api methods
Changes GenerateAuthRequestCryptogram API launch.
Generates an Authorization Request Cryptogram (ARQC) for an EMV chip payment card authorization. For more information, see Generate auth request cryptogram in the Amazon Web Services Payment Cryptography User Guide.
ARQC generation uses an Issuer Master Key (IMK) for application cryptograms (TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS) to derive a session key, which is then used to generate the cryptogram from the provided transaction data (when applicable). To use this operation, you must first create or import an IMK-AC key by calling CreateKey or ImportKey. The KeyModesOfUse should be set to DeriveKey for the IMK-AC encryption key.
For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.
Cross-account use: This operation supports cross-account use when the key has a resource-based policy that grants access. For more information, see Resource-based policies.
Related operations:
VerifyAuthRequestCryptogram
See also: AWS API Documentation
Request Syntax
client.generate_auth_request_cryptogram(
KeyIdentifier='string',
TransactionData='string',
MajorKeyDerivationMode='EMV_OPTION_A'|'EMV_OPTION_B',
SessionKeyDerivationAttributes={
'EmvCommon': {
'PrimaryAccountNumber': 'string',
'PanSequenceNumber': 'string',
'ApplicationTransactionCounter': 'string'
},
'Mastercard': {
'PrimaryAccountNumber': 'string',
'PanSequenceNumber': 'string',
'ApplicationTransactionCounter': 'string',
'UnpredictableNumber': 'string'
},
'Emv2000': {
'PrimaryAccountNumber': 'string',
'PanSequenceNumber': 'string',
'ApplicationTransactionCounter': 'string'
},
'Amex': {
'PrimaryAccountNumber': 'string',
'PanSequenceNumber': 'string'
},
'Visa': {
'PrimaryAccountNumber': 'string',
'PanSequenceNumber': 'string'
}
}
)
string
[REQUIRED]
The keyARN of the IMK-AC (TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS) that Amazon Web Services Payment Cryptography uses to generate the ARQC.
string
[REQUIRED]
The transaction data that Amazon Web Services Payment Cryptography uses for ARQC generation. The same transaction data is used for ARQC verification by the issuer using VerifyAuthRequestCryptogram.
string
[REQUIRED]
The method to use when deriving the major encryption key for ARQC generation within Amazon Web Services Payment Cryptography.
dict
[REQUIRED]
The attributes and values to use for deriving a session key for ARQC generation within Amazon Web Services Payment Cryptography.
EmvCommon (dict) --
Parameters to derive session key for an Emv common payment card for ARQC verification.
PrimaryAccountNumber (string) -- [REQUIRED]
The Primary Account Number (PAN) of the cardholder. A PAN is a unique identifier for a payment credit or debit card and associates the card to a specific account holder.
PanSequenceNumber (string) -- [REQUIRED]
A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).
ApplicationTransactionCounter (string) -- [REQUIRED]
The transaction counter that is provided by the terminal during transaction processing.
Mastercard (dict) --
Parameters to derive session key for a Mastercard payment card for ARQC verification.
PrimaryAccountNumber (string) -- [REQUIRED]
The Primary Account Number (PAN) of the cardholder. A PAN is a unique identifier for a payment credit or debit card and associates the card to a specific account holder.
PanSequenceNumber (string) -- [REQUIRED]
A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).
ApplicationTransactionCounter (string) -- [REQUIRED]
The transaction counter that is provided by the terminal during transaction processing.
UnpredictableNumber (string) -- [REQUIRED]
A random number generated by the issuer.
Emv2000 (dict) --
Parameters to derive session key for an Emv2000 payment card for ARQC verification.
PrimaryAccountNumber (string) -- [REQUIRED]
The Primary Account Number (PAN) of the cardholder. A PAN is a unique identifier for a payment credit or debit card and associates the card to a specific account holder.
PanSequenceNumber (string) -- [REQUIRED]
A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).
ApplicationTransactionCounter (string) -- [REQUIRED]
The transaction counter that is provided by the terminal during transaction processing.
Amex (dict) --
Parameters to derive session key for an Amex payment card for ARQC verification.
PrimaryAccountNumber (string) -- [REQUIRED]
The Primary Account Number (PAN) of the cardholder. A PAN is a unique identifier for a payment credit or debit card and associates the card to a specific account holder.
PanSequenceNumber (string) -- [REQUIRED]
A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).
Visa (dict) --
Parameters to derive session key for a Visa payment cardfor ARQC verification.
PrimaryAccountNumber (string) -- [REQUIRED]
The Primary Account Number (PAN) of the cardholder. A PAN is a unique identifier for a payment credit or debit card and associates the card to a specific account holder.
PanSequenceNumber (string) -- [REQUIRED]
A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).
dict
Response Syntax
{
'KeyArn': 'string',
'KeyCheckValue': 'string',
'AuthRequestCryptogram': 'string'
}
Response Structure
(dict) --
KeyArn (string) --
The keyARN of the IMK-AC that Amazon Web Services Payment Cryptography uses for ARQC generation.
KeyCheckValue (string) --
The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.
Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.
AuthRequestCryptogram (string) --
The Authorization Request Cryptogram (ARQC) generated by Amazon Web Services Payment Cryptography using the specified key and transaction data.
{'KekValidationType': {'KekValidationRequest': {'RandomKeyMaxLength': 'BYTES_8 '
'| '
'BYTES_16 '
'| '
'BYTES_24'}}}
Generates a KekValidationRequest or a KekValidationResponse for node-to-node initialization between payment processing nodes using Australian Standard 2805 (AS2805).
During node-to-node initialization, both communicating nodes must validate that they possess the correct Key Encrypting Keys (KEKs) before proceeding with session key exchange. In AS2805, the sending KEK (KEKs) of one node corresponds to the receiving KEK (KEKr) of its partner node. Each node uses its KEK to encrypt and decrypt session keys exchanged between the nodes. A KEK can be created or imported into Amazon Web Services Payment Cryptography using either the CreateKey or ImportKey operations.
To use GenerateAs2805KekValidation to generate a KEK validation request, set KekValidationType to KekValidationRequest. This operation returns both RandomKeySend (KRs) and RandomKeyReceive (KRr) as response values. The partnering node receives the KRs, uses its KEKr to decrypt it, and generates a KRr which is an inverted value of KRs. The node receiving the KRr validates it against its own KRr generated during KEK validation request outside of Amazon Web Services Payment Cryptography.
You can also use this operation to generate a KEK validation response, by setting KekValidationType to KekValidationResponse and providing the incoming KRs. This operation then calculates a KRr. To learn more about more about node-to-node initialization, see Validation of KEK in the Amazon Web Services Payment Cryptography User Guide.
For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.
Cross-account use: This operation supports cross-account use when the key has a resource-based policy that grants access. For more information, see Resource-based policies.
See also: AWS API Documentation
Request Syntax
client.generate_as2805_kek_validation(
KeyIdentifier='string',
KekValidationType={
'KekValidationRequest': {
'DeriveKeyAlgorithm': 'TDES_2KEY'|'TDES_3KEY'|'AES_128'|'AES_192'|'AES_256'|'HMAC_SHA256'|'HMAC_SHA384'|'HMAC_SHA512'|'HMAC_SHA224',
'RandomKeyMaxLength': 'BYTES_8'|'BYTES_16'|'BYTES_24'
},
'KekValidationResponse': {
'RandomKeySend': 'string'
}
},
RandomKeySendVariantMask='VARIANT_MASK_82C0'|'VARIANT_MASK_82'
)
string
[REQUIRED]
The keyARN of sending KEK that Amazon Web Services Payment Cryptography uses for node-to-node initialization
dict
[REQUIRED]
Defines whether to generate a KEK validation request or KEK validation response for node-to-node initialization.
KekValidationRequest (dict) --
Parameter information for generating a KEK validation request during node-to-node initialization.
DeriveKeyAlgorithm (string) -- [REQUIRED]
The key derivation algorithm to use for generating a KEK validation request.
RandomKeyMaxLength (string) --
The maximum length of the random key to generate for a KEK validation request.
KekValidationResponse (dict) --
Parameter information for generating a KEK validation response during node-to-node initialization.
RandomKeySend (string) -- [REQUIRED]
The random key send value received from the initiating node to generate a KEK validation response.
string
[REQUIRED]
The key variant to use for generating a random key for KEK validation during node-to-node initialization.
dict
Response Syntax
{
'KeyArn': 'string',
'KeyCheckValue': 'string',
'RandomKeySend': 'string',
'RandomKeyReceive': 'string'
}
Response Structure
(dict) --
KeyArn (string) --
The keyARN of sending KEK that Amazon Web Services Payment Cryptography validates for node-to-node initialization
KeyCheckValue (string) --
The key check value (KCV) of the sending KEK that Amazon Web Services Payment Cryptography validates for node-to-node initialization.
RandomKeySend (string) --
The random key generated for sending KEK validation.
RandomKeyReceive (string) --
The random key generated for receiving KEK validation. The initiating node sends this key to its partner node for validation.