aws-sdk-paymentcryptographydata 1.25.0 → 1.26.0

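--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 4ec1b71b5702eec1bce99e2879709a9837c586d9184c6a53a83087d9fb9ba10e
- data.tar.gz: b15450c42d748338df72b6911fe175f7c6686bdab971a8b74934f04206eb26b4
+ metadata.gz: 1cee51842de4f9812872cf67ca217fb988c34615c188f62fa3729519f3bf1fe5
+ data.tar.gz: f34fd2c582c47642ba205dd75025d702810537628ddc752a946593996890213a
  SHA512:
- metadata.gz: d8e96b21ac3ec4b1834bc0cda07389d2db481510fc2d737578101aaf53e2182c2e0831fdfcdcc025165f561eae289e5c53ffef77055bc24bc93313fa0e615911
- data.tar.gz: d2a1154ce033fc7d7c8ba8659bc6c981f689186adf7eb75b62776643030abf55d41f372569747eb5d68e59c518b754d18169874588bafd56cd791c51a24ccf26
+ metadata.gz: f375a68479f99dacda79e012106a115b94c0c7923834f570cd240b617b134c1b694430e76a8dba737af87c4431487cf49caaf2e68c84e98d86575b174466d7d8
+ data.tar.gz: d178f47a8b714d683ef5e68644f363209799bcc3245b13b3b367d7577eaf7a279ca354019f0d5577d20750b85f9fe70af70cbc1c965db298baf23f8d7f8702c8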
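--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,11 @@
  Unreleased Changes
  ------------------
 
+ 1.26.0 (2024-10-21)
+ ------------------
+
+ * Feature - Adding new API to generate authenticated scripts for EMV pin change use cases.
+
  1.25.0 (2024-10-18)
  ------------------
 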
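--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 1.25.0
+ 1.26.0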
@@ -452,8 +452,8 @@ module Aws::PaymentCryptographyData
452
452
  # more information, see [Decrypt data][1] in the *Amazon Web Services
453
453
  # Payment Cryptography User Guide*.
454
454
  #
455
- # You can use an encryption key generated within Amazon Web Services
456
- # Payment Cryptography, or you can import your own encryption key by
455
+ # You can use an decryption key generated within Amazon Web Services
456
+ # Payment Cryptography, or you can import your own decryption key by
457
457
  # calling [ImportKey][2]. For this operation, the key must have
458
458
  # `KeyModesOfUse` set to `Decrypt`. In asymmetric decryption, Amazon Web
459
459
  # Services Payment Cryptography decrypts the ciphertext using the
@@ -462,6 +462,17 @@ module Aws::PaymentCryptographyData
462
462
  # can export the public component of the asymmetric key pair by calling
463
463
  # [GetPublicCertificate][3].
464
464
  #
465
+ # This operation also supports dynamic keys, allowing you to pass a
466
+ # dynamic decryption key as a TR-31 WrappedKeyBlock. This can be used
467
+ # when key material is frequently rotated, such as during every card
468
+ # transaction, and there is need to avoid importing short-lived keys
469
+ # into Amazon Web Services Payment Cryptography. To decrypt using
470
+ # dynamic keys, the `keyARN` is the Key Encryption Key (KEK) of the
471
+ # TR-31 wrapped decryption key material. The incoming wrapped key shall
472
+ # have a key purpose of D0 with a mode of use of B or D. For more
473
+ # information, see [Using Dynamic Keys][4] in the *Amazon Web Services
474
+ # Payment Cryptography User Guide*.
475
+ #
465
476
  # For symmetric and DUKPT decryption, Amazon Web Services Payment
466
477
  # Cryptography supports `TDES` and `AES` algorithms. For EMV decryption,
467
478
  # Amazon Web Services Payment Cryptography supports `TDES` algorithms.
@@ -474,8 +485,8 @@ module Aws::PaymentCryptographyData
474
485
  # size unless padding is enabled.
475
486
  #
476
487
  # For information about valid keys for this operation, see
477
- # [Understanding key attributes][4] and [Key types for specific data
478
- # operations][5] in the *Amazon Web Services Payment Cryptography User
488
+ # [Understanding key attributes][5] and [Key types for specific data
489
+ # operations][6] in the *Amazon Web Services Payment Cryptography User
479
490
  # Guide*.
480
491
  #
481
492
  # **Cross-account use**: This operation can't be used across different
@@ -494,8 +505,9 @@ module Aws::PaymentCryptographyData
494
505
  # [1]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/decrypt-data.html
495
506
  # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html
496
507
  # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html
497
- # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
498
- # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
508
+ # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html
509
+ # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
510
+ # [6]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
499
511
  #
500
512
  # @option params [required, String] :key_identifier
501
513
  # The `keyARN` of the encryption key that Amazon Web Services Payment
@@ -581,11 +593,24 @@ module Aws::PaymentCryptographyData
581
593
  #
582
594
  # You can generate an encryption key within Amazon Web Services Payment
583
595
  # Cryptography by calling [CreateKey][2]. You can import your own
584
- # encryption key by calling [ImportKey][3]. For this operation, the key
585
- # must have `KeyModesOfUse` set to `Encrypt`. In asymmetric encryption,
586
- # plaintext is encrypted using public component. You can import the
587
- # public component of an asymmetric key pair created outside Amazon Web
588
- # Services Payment Cryptography by calling [ImportKey][3].
596
+ # encryption key by calling [ImportKey][3].
597
+ #
598
+ # For this operation, the key must have `KeyModesOfUse` set to
599
+ # `Encrypt`. In asymmetric encryption, plaintext is encrypted using
600
+ # public component. You can import the public component of an asymmetric
601
+ # key pair created outside Amazon Web Services Payment Cryptography by
602
+ # calling [ImportKey][3].
603
+ #
604
+ # This operation also supports dynamic keys, allowing you to pass a
605
+ # dynamic encryption key as a TR-31 WrappedKeyBlock. This can be used
606
+ # when key material is frequently rotated, such as during every card
607
+ # transaction, and there is need to avoid importing short-lived keys
608
+ # into Amazon Web Services Payment Cryptography. To encrypt using
609
+ # dynamic keys, the `keyARN` is the Key Encryption Key (KEK) of the
610
+ # TR-31 wrapped encryption key material. The incoming wrapped key shall
611
+ # have a key purpose of D0 with a mode of use of B or D. For more
612
+ # information, see [Using Dynamic Keys][4] in the *Amazon Web Services
613
+ # Payment Cryptography User Guide*.
589
614
  #
590
615
  # For symmetric and DUKPT encryption, Amazon Web Services Payment
591
616
  # Cryptography supports `TDES` and `AES` algorithms. For EMV encryption,
@@ -605,8 +630,8 @@ module Aws::PaymentCryptographyData
605
630
  # your account with `KeyModesOfUse` set to `DeriveKey`.
606
631
  #
607
632
  # For information about valid keys for this operation, see
608
- # [Understanding key attributes][4] and [Key types for specific data
609
- # operations][5] in the *Amazon Web Services Payment Cryptography User
633
+ # [Understanding key attributes][5] and [Key types for specific data
634
+ # operations][6] in the *Amazon Web Services Payment Cryptography User
610
635
  # Guide*.
611
636
  #
612
637
  # **Cross-account use**: This operation can't be used across different
@@ -616,7 +641,7 @@ module Aws::PaymentCryptographyData
616
641
  #
617
642
  # * DecryptData
618
643
  #
619
- # * [GetPublicCertificate][6]
644
+ # * [GetPublicCertificate][7]
620
645
  #
621
646
  # * [ImportKey][3]
622
647
  #
@@ -627,9 +652,10 @@ module Aws::PaymentCryptographyData
627
652
  # [1]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/encrypt-data.html
628
653
  # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html
629
654
  # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html
630
- # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
631
- # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
632
- # [6]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html
655
+ # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html
656
+ # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
657
+ # [6]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
658
+ # [7]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html
633
659
  #
634
660
  # @option params [required, String] :key_identifier
635
661
  # The `keyARN` of the encryption key that Amazon Web Services Payment
@@ -906,7 +932,7 @@ module Aws::PaymentCryptographyData
906
932
  # session_key_derivation_mode: "EMV_COMMON_SESSION_KEY", # required, accepts EMV_COMMON_SESSION_KEY, EMV2000, AMEX, MASTERCARD_SESSION_KEY, VISA
907
933
  # session_key_derivation_value: { # required
908
934
  # application_cryptogram: "ApplicationCryptogramType",
909
- # application_transaction_counter: "HexLengthBetween2And4",
935
+ # application_transaction_counter: "HexLengthEquals4",
910
936
  # },
911
937
  # },
912
938
  # dukpt_iso_9797_algorithm_1: {
@@ -943,6 +969,173 @@ module Aws::PaymentCryptographyData
943
969
  req.send_request(options)
944
970
  end
945
971
 
972
+ # Generates an issuer script mac for EMV payment cards that use offline
973
+ # PINs as the cardholder verification method (CVM).
974
+ #
975
+ # This operation generates an authenticated issuer script response by
976
+ # appending the incoming message data (APDU command) with the target
977
+ # encrypted PIN block in ISO2 format. The command structure and method
978
+ # to send the issuer script update to the card is not defined by this
979
+ # operation and is typically determined by the applicable payment card
980
+ # scheme.
981
+ #
982
+ # The primary inputs to this operation include the incoming new
983
+ # encrypted pinblock, PIN encryption key (PEK), issuer master key (IMK),
984
+ # primary account number (PAN), and the payment card derivation method.
985
+ #
986
+ # The operation uses two issuer master keys - secure messaging for
987
+ # confidentiality (IMK-SMC) and secure messaging for integrity
988
+ # (IMK-SMI). The SMC key is used to internally derive a key to secure
989
+ # the pin, while SMI key is used to internally derive a key to
990
+ # authenticate the script reponse as per the [EMV 4.4 - Book 2 -
991
+ # Security and Key Management][1] specification.
992
+ #
993
+ # This operation supports Amex, EMV2000, EMVCommon, Mastercard and Visa
994
+ # derivation methods, each requiring specific input parameters. Users
995
+ # must follow the specific derivation method and input parameters
996
+ # defined by the respective payment card scheme.
997
+ #
998
+ # <note markdown="1"> Use GenerateMac operation when sending a script update to an EMV card
999
+ # that does not involve PIN change. When assigning IAM permissions, it
1000
+ # is important to understand that EncryptData using EMV keys and
1001
+ # GenerateMac perform similar functions to this command.
1002
+ #
1003
+ # </note>
1004
+ #
1005
+ # **Cross-account use**: This operation can't be used across different
1006
+ # Amazon Web Services accounts.
1007
+ #
1008
+ # **Related operations:**
1009
+ #
1010
+ # * EncryptData
1011
+ #
1012
+ # * GenerateMac
1013
+ #
1014
+ #
1015
+ #
1016
+ # [1]: https://www.emvco.com/specifications/
1017
+ #
1018
+ # @option params [required, String] :new_pin_pek_identifier
1019
+ # The `keyARN` of the PEK protecting the incoming new encrypted PIN
1020
+ # block.
1021
+ #
1022
+ # @option params [required, String] :new_encrypted_pin_block
1023
+ # The incoming new encrypted PIN block data for offline pin change on an
1024
+ # EMV card.
1025
+ #
1026
+ # @option params [required, String] :pin_block_format
1027
+ # The PIN encoding format of the incoming new encrypted PIN block as
1028
+ # specified in ISO 9564.
1029
+ #
1030
+ # @option params [required, String] :secure_messaging_integrity_key_identifier
1031
+ # The `keyARN` of the issuer master key (IMK-SMI) used to authenticate
1032
+ # the issuer script response.
1033
+ #
1034
+ # @option params [required, String] :secure_messaging_confidentiality_key_identifier
1035
+ # The `keyARN` of the issuer master key (IMK-SMC) used to protect the
1036
+ # PIN block data in the issuer script response.
1037
+ #
1038
+ # @option params [required, String] :message_data
1039
+ # The message data is the APDU command from the card reader or terminal.
1040
+ # The target encrypted PIN block, after translation to ISO2 format, is
1041
+ # appended to this message data to generate an issuer script response.
1042
+ #
1043
+ # @option params [required, Types::DerivationMethodAttributes] :derivation_method_attributes
1044
+ # The attributes and data values to derive payment card specific
1045
+ # confidentiality and integrity keys.
1046
+ #
1047
+ # @return [Types::GenerateMacEmvPinChangeOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1048
+ #
1049
+ # * {Types::GenerateMacEmvPinChangeOutput#new_pin_pek_arn #new_pin_pek_arn} => String
1050
+ # * {Types::GenerateMacEmvPinChangeOutput#secure_messaging_integrity_key_arn #secure_messaging_integrity_key_arn} => String
1051
+ # * {Types::GenerateMacEmvPinChangeOutput#secure_messaging_confidentiality_key_arn #secure_messaging_confidentiality_key_arn} => String
1052
+ # * {Types::GenerateMacEmvPinChangeOutput#mac #mac} => String
1053
+ # * {Types::GenerateMacEmvPinChangeOutput#encrypted_pin_block #encrypted_pin_block} => String
1054
+ # * {Types::GenerateMacEmvPinChangeOutput#new_pin_pek_key_check_value #new_pin_pek_key_check_value} => String
1055
+ # * {Types::GenerateMacEmvPinChangeOutput#secure_messaging_integrity_key_check_value #secure_messaging_integrity_key_check_value} => String
1056
+ # * {Types::GenerateMacEmvPinChangeOutput#secure_messaging_confidentiality_key_check_value #secure_messaging_confidentiality_key_check_value} => String
1057
+ # * {Types::GenerateMacEmvPinChangeOutput#visa_amex_derivation_outputs #visa_amex_derivation_outputs} => Types::VisaAmexDerivationOutputs
1058
+ #
1059
+ # @example Request syntax with placeholder values
1060
+ #
1061
+ # resp = client.generate_mac_emv_pin_change({
1062
+ # new_pin_pek_identifier: "KeyArnOrKeyAliasType", # required
1063
+ # new_encrypted_pin_block: "PinBlockLengthEquals16", # required
1064
+ # pin_block_format: "ISO_FORMAT_0", # required, accepts ISO_FORMAT_0, ISO_FORMAT_1, ISO_FORMAT_3
1065
+ # secure_messaging_integrity_key_identifier: "KeyArnOrKeyAliasType", # required
1066
+ # secure_messaging_confidentiality_key_identifier: "KeyArnOrKeyAliasType", # required
1067
+ # message_data: "CommandMessageDataType", # required
1068
+ # derivation_method_attributes: { # required
1069
+ # emv_common: {
1070
+ # major_key_derivation_mode: "EMV_OPTION_A", # required, accepts EMV_OPTION_A, EMV_OPTION_B
1071
+ # primary_account_number: "PrimaryAccountNumberType", # required
1072
+ # pan_sequence_number: "NumberLengthEquals2", # required
1073
+ # application_cryptogram: "ApplicationCryptogramType", # required
1074
+ # mode: "ECB", # required, accepts ECB, CBC
1075
+ # pin_block_padding_type: "NO_PADDING", # required, accepts NO_PADDING, ISO_IEC_7816_4
1076
+ # pin_block_length_position: "NONE", # required, accepts NONE, FRONT_OF_PIN_BLOCK
1077
+ # },
1078
+ # amex: {
1079
+ # major_key_derivation_mode: "EMV_OPTION_A", # required, accepts EMV_OPTION_A, EMV_OPTION_B
1080
+ # primary_account_number: "PrimaryAccountNumberType", # required
1081
+ # pan_sequence_number: "NumberLengthEquals2", # required
1082
+ # application_transaction_counter: "HexLengthEquals4", # required
1083
+ # authorization_request_key_identifier: "KeyArnOrKeyAliasType", # required
1084
+ # current_pin_attributes: {
1085
+ # current_pin_pek_identifier: "KeyArnOrKeyAliasType", # required
1086
+ # current_encrypted_pin_block: "PinBlockLengthEquals16", # required
1087
+ # },
1088
+ # },
1089
+ # visa: {
1090
+ # major_key_derivation_mode: "EMV_OPTION_A", # required, accepts EMV_OPTION_A, EMV_OPTION_B
1091
+ # primary_account_number: "PrimaryAccountNumberType", # required
1092
+ # pan_sequence_number: "NumberLengthEquals2", # required
1093
+ # application_transaction_counter: "HexLengthEquals4", # required
1094
+ # authorization_request_key_identifier: "KeyArnOrKeyAliasType", # required
1095
+ # current_pin_attributes: {
1096
+ # current_pin_pek_identifier: "KeyArnOrKeyAliasType", # required
1097
+ # current_encrypted_pin_block: "PinBlockLengthEquals16", # required
1098
+ # },
1099
+ # },
1100
+ # emv_2000: {
1101
+ # major_key_derivation_mode: "EMV_OPTION_A", # required, accepts EMV_OPTION_A, EMV_OPTION_B
1102
+ # primary_account_number: "PrimaryAccountNumberType", # required
1103
+ # pan_sequence_number: "NumberLengthEquals2", # required
1104
+ # application_transaction_counter: "HexLengthEquals4", # required
1105
+ # },
1106
+ # mastercard: {
1107
+ # major_key_derivation_mode: "EMV_OPTION_A", # required, accepts EMV_OPTION_A, EMV_OPTION_B
1108
+ # primary_account_number: "PrimaryAccountNumberType", # required
1109
+ # pan_sequence_number: "NumberLengthEquals2", # required
1110
+ # application_cryptogram: "ApplicationCryptogramType", # required
1111
+ # },
1112
+ # },
1113
+ # })
1114
+ #
1115
+ # @example Response structure
1116
+ #
1117
+ # resp.new_pin_pek_arn #=> String
1118
+ # resp.secure_messaging_integrity_key_arn #=> String
1119
+ # resp.secure_messaging_confidentiality_key_arn #=> String
1120
+ # resp.mac #=> String
1121
+ # resp.encrypted_pin_block #=> String
1122
+ # resp.new_pin_pek_key_check_value #=> String
1123
+ # resp.secure_messaging_integrity_key_check_value #=> String
1124
+ # resp.secure_messaging_confidentiality_key_check_value #=> String
1125
+ # resp.visa_amex_derivation_outputs.authorization_request_key_arn #=> String
1126
+ # resp.visa_amex_derivation_outputs.authorization_request_key_check_value #=> String
1127
+ # resp.visa_amex_derivation_outputs.current_pin_pek_arn #=> String
1128
+ # resp.visa_amex_derivation_outputs.current_pin_pek_key_check_value #=> String
1129
+ #
1130
+ # @see http://docs.aws.amazon.com/goto/WebAPI/payment-cryptography-data-2022-02-03/GenerateMacEmvPinChange AWS API Documentation
1131
+ #
1132
+ # @overload generate_mac_emv_pin_change(params = {})
1133
+ # @param [Hash] params ({})
1134
+ def generate_mac_emv_pin_change(params = {}, options = {})
1135
+ req = build_request(:generate_mac_emv_pin_change, params)
1136
+ req.send_request(options)
1137
+ end
1138
+
946
1139
  # Generates pin-related data such as PIN, PIN Verification Value (PVV),
947
1140
  # PIN Block, and PIN Offset during new card issuance or reissuance. For
948
1141
  # more information, see [Generate PIN data][1] in the *Amazon Web
@@ -1086,6 +1279,17 @@ module Aws::PaymentCryptographyData
1086
1279
  # this operation must be in a compatible key state with `KeyModesOfUse`
1087
1280
  # set to `Encrypt`.
1088
1281
  #
1282
+ # This operation also supports dynamic keys, allowing you to pass a
1283
+ # dynamic encryption key as a TR-31 WrappedKeyBlock. This can be used
1284
+ # when key material is frequently rotated, such as during every card
1285
+ # transaction, and there is need to avoid importing short-lived keys
1286
+ # into Amazon Web Services Payment Cryptography. To re-encrypt using
1287
+ # dynamic keys, the `keyARN` is the Key Encryption Key (KEK) of the
1288
+ # TR-31 wrapped encryption key material. The incoming wrapped key shall
1289
+ # have a key purpose of D0 with a mode of use of B or D. For more
1290
+ # information, see [Using Dynamic Keys][3] in the *Amazon Web Services
1291
+ # Payment Cryptography User Guide*.
1292
+ #
1089
1293
  # For symmetric and DUKPT encryption, Amazon Web Services Payment
1090
1294
  # Cryptography supports `TDES` and `AES` algorithms. To encrypt using
1091
1295
  # DUKPT, a DUKPT key must already exist within your account with
@@ -1093,8 +1297,8 @@ module Aws::PaymentCryptographyData
1093
1297
  # calling [CreateKey][1].
1094
1298
  #
1095
1299
  # For information about valid keys for this operation, see
1096
- # [Understanding key attributes][3] and [Key types for specific data
1097
- # operations][4] in the *Amazon Web Services Payment Cryptography User
1300
+ # [Understanding key attributes][4] and [Key types for specific data
1301
+ # operations][5] in the *Amazon Web Services Payment Cryptography User
1098
1302
  # Guide*.
1099
1303
  #
1100
1304
  # **Cross-account use**: This operation can't be used across different
@@ -1106,7 +1310,7 @@ module Aws::PaymentCryptographyData
1106
1310
  #
1107
1311
  # * EncryptData
1108
1312
  #
1109
- # * [GetPublicCertificate][5]
1313
+ # * [GetPublicCertificate][6]
1110
1314
  #
1111
1315
  # * [ImportKey][2]
1112
1316
  #
@@ -1114,9 +1318,10 @@ module Aws::PaymentCryptographyData
1114
1318
  #
1115
1319
  # [1]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html
1116
1320
  # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html
1117
- # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
1118
- # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
1119
- # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html
1321
+ # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html
1322
+ # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
1323
+ # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
1324
+ # [6]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html
1120
1325
  #
1121
1326
  # @option params [required, String] :incoming_key_identifier
1122
1327
  # The `keyARN` of the encryption key of incoming ciphertext data.
@@ -1231,6 +1436,16 @@ module Aws::PaymentCryptographyData
1231
1436
  # Cryptography supports `TDES` and `AES` key derivation type for DUKPT
1232
1437
  # translations.
1233
1438
  #
1439
+ # This operation also supports dynamic keys, allowing you to pass a
1440
+ # dynamic PEK as a TR-31 WrappedKeyBlock. This can be used when key
1441
+ # material is frequently rotated, such as during every card transaction,
1442
+ # and there is need to avoid importing short-lived keys into Amazon Web
1443
+ # Services Payment Cryptography. To translate PIN block using dynamic
1444
+ # keys, the `keyARN` is the Key Encryption Key (KEK) of the TR-31
1445
+ # wrapped PEK. The incoming wrapped key shall have a key purpose of P0
1446
+ # with a mode of use of B or D. For more information, see [Using Dynamic
1447
+ # Keys][2] in the *Amazon Web Services Payment Cryptography User Guide*.
1448
+ #
1234
1449
  # The allowed combinations of PIN block format translations are guided
1235
1450
  # by PCI. It is important to note that not all encrypted PIN block
1236
1451
  # formats (example, format 1) require PAN (Primary Account Number) as
@@ -1239,8 +1454,8 @@ module Aws::PaymentCryptographyData
1239
1454
  # not require a PAN for generation.
1240
1455
  #
1241
1456
  # For information about valid keys for this operation, see
1242
- # [Understanding key attributes][2] and [Key types for specific data
1243
- # operations][3] in the *Amazon Web Services Payment Cryptography User
1457
+ # [Understanding key attributes][3] and [Key types for specific data
1458
+ # operations][4] in the *Amazon Web Services Payment Cryptography User
1244
1459
  # Guide*.
1245
1460
  #
1246
1461
  # <note markdown="1"> Amazon Web Services Payment Cryptography currently supports ISO PIN
@@ -1261,8 +1476,9 @@ module Aws::PaymentCryptographyData
1261
1476
  #
1262
1477
  #
1263
1478
  # [1]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/translate-pin-data.html
1264
- # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
1265
- # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
1479
+ # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html
1480
+ # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
1481
+ # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
1266
1482
  #
1267
1483
  # @option params [required, String] :incoming_key_identifier
1268
1484
  # The `keyARN` of the encryption key under which incoming PIN block data
@@ -1468,18 +1684,18 @@ module Aws::PaymentCryptographyData
1468
1684
  # emv_common: {
1469
1685
  # primary_account_number: "PrimaryAccountNumberType", # required
1470
1686
  # pan_sequence_number: "NumberLengthEquals2", # required
1471
- # application_transaction_counter: "HexLengthBetween2And4", # required
1687
+ # application_transaction_counter: "HexLengthEquals4", # required
1472
1688
  # },
1473
1689
  # mastercard: {
1474
1690
  # primary_account_number: "PrimaryAccountNumberType", # required
1475
1691
  # pan_sequence_number: "NumberLengthEquals2", # required
1476
- # application_transaction_counter: "HexLengthBetween2And4", # required
1692
+ # application_transaction_counter: "HexLengthEquals4", # required
1477
1693
  # unpredictable_number: "HexLengthBetween2And8", # required
1478
1694
  # },
1479
1695
  # emv_2000: {
1480
1696
  # primary_account_number: "PrimaryAccountNumberType", # required
1481
1697
  # pan_sequence_number: "NumberLengthEquals2", # required
1482
- # application_transaction_counter: "HexLengthBetween2And4", # required
1698
+ # application_transaction_counter: "HexLengthEquals4", # required
1483
1699
  # },
1484
1700
  # amex: {
1485
1701
  # primary_account_number: "PrimaryAccountNumberType", # required
@@ -1702,7 +1918,7 @@ module Aws::PaymentCryptographyData
1702
1918
  # session_key_derivation_mode: "EMV_COMMON_SESSION_KEY", # required, accepts EMV_COMMON_SESSION_KEY, EMV2000, AMEX, MASTERCARD_SESSION_KEY, VISA
1703
1919
  # session_key_derivation_value: { # required
1704
1920
  # application_cryptogram: "ApplicationCryptogramType",
1705
- # application_transaction_counter: "HexLengthBetween2And4",
1921
+ # application_transaction_counter: "HexLengthEquals4",
1706
1922
  # },
1707
1923
  # },
1708
1924
  # dukpt_iso_9797_algorithm_1: {
@@ -1874,7 +2090,7 @@ module Aws::PaymentCryptographyData
1874
2090
  tracer: tracer
1875
2091
  )
1876
2092
  context[:gem_name] = 'aws-sdk-paymentcryptographydata'
1877
- context[:gem_version] = '1.25.0'
2093
+ context[:gem_version] = '1.26.0'
1878
2094
  Seahorse::Client::Request.new(handlers, context)
1879
2095
  end
1880
2096
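Review bot: The `application_transaction_counter` placeholder changes from `HexLengthBetween2And4` to `HexLengthEquals4` in the examples at new lines 935, 1687–1698 and 1921, which suggests the accepted length was narrowed, yet the 1.26.0 changelog entry lists only the new API. If the shape definition (not visible in this section) enforces that, callers passing a shorter ATC would be rejected after the upgrade, so the entry deserves a line such as `* Feature - application_transaction_counter now requires exactly 4 hex characters.` In the new `generate_mac_emv_pin_change` comment, the IAM note says EncryptData with EMV keys and GenerateMac perform similar functions but leaves the consequence to the reader; a sentence like `# Review permissions for EncryptData and GenerateMac on the same IMK keys together with this operation.` would make it actionable. Smaller fixes in the added comments: `an decryption key`, `script reponse`, and the `@see` link uses `http://` where the other references use `https://`.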