Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys. - AWS Payment Cryptography

Requirement 5: Key generation by AWS Payment Cryptography was assessed as part of our PCI PIN assessment. You can record this in the “Generated by” column of your key table.

Requirement 6: Security controls for keys held in AWS Payment Cryptography were assessed as part of the service’s PCI PIN assessment. Include descriptions of security controls pertaining to key generation within your application and with any other service providers.

Requirement 7: You must have key-generation policy documentation that specifies how keys are generated, and all affected parties must be aware of these procedures and policies. Procedures for key creation using the APC API should include the use of roles with key-creation permissions and approvals for running scripts or other code that creates keys. AWS CloudTrail logs contain all CreateKey events with the date and time, key ARN, and user IDs. HSM serial numbers and logs for access to physical media were assessed as part of the service’s PIN assessment.
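One way to turn the CloudTrail evidence described above into a reviewable audit record, as an added example that is not AWS documentation or service code: the script below filters CloudTrail records for Payment Cryptography CreateKey calls, extracts the date and time, key ARN and calling identity, and flags any call made outside the roles your key-generation policy approves. The `eventSource` value, the `responseElements.key.keyArn` path, the role name `PaymentKeyAdminRole` and all sample records are assumptions constructed for the example; check them against your own trail output before relying on them.

```python
"""Audit CloudTrail CreateKey events for AWS Payment Cryptography.

Added example (not AWS code). Assumptions: the eventSource string,
the responseElements.key.keyArn path, and every sample record below
are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed: roles your key-generation policy permits to create keys.
APPROVED_KEY_CREATION_ROLES = {"PaymentKeyAdminRole"}

# Assumed eventSource value for the service's control-plane API.
PAYMENT_CRYPTO_SOURCE = "payment-cryptography.amazonaws.com"

ACCOUNT = "123456789012"  # constructed example account ID

# Constructed sample trail, reduced to the fields this audit uses.
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # 1: CreateKey by an approved role session (succeeds)
        "eventTime": "2024-05-01T10:15:00Z",
        "eventSource": PAYMENT_CRYPTO_SOURCE, "eventName": "CreateKey",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/PaymentKeyAdminRole/alice"},
        "responseElements": {"key": {"keyArn":
            f"arn:aws:payment-cryptography:us-east-1:{ACCOUNT}:key/EXAMPLEKEY1"}},
    },
    {   # 2: a read call; not key creation, must be ignored
        "eventTime": "2024-05-01T10:16:00Z",
        "eventSource": PAYMENT_CRYPTO_SOURCE, "eventName": "GetKey",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/PaymentKeyAdminRole/alice"},
        "responseElements": None,
    },
    {   # 3: CreateKey by a plain IAM user rather than an approved role
        "eventTime": "2024-05-02T08:00:00Z",
        "eventSource": PAYMENT_CRYPTO_SOURCE, "eventName": "CreateKey",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
        "responseElements": {"key": {"keyArn":
            f"arn:aws:payment-cryptography:us-east-1:{ACCOUNT}:key/EXAMPLEKEY2"}},
    },
    {   # 4: denied CreateKey attempt from an unapproved role (no key ARN)
        "eventTime": "2024-05-02T09:30:00Z",
        "eventSource": PAYMENT_CRYPTO_SOURCE, "eventName": "CreateKey",
        "errorCode": "AccessDeniedException",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/DeveloperRole/carol"},
        "responseElements": None,
    },
]})


def role_from_identity(identity):
    """Return the IAM role name behind an assumed-role session, else None."""
    if identity.get("type") != "AssumedRole":
        return None
    arn = identity.get("arn", "")
    # Session ARNs end in ...:assumed-role/<RoleName>/<SessionName>
    marker = ":assumed-role/"
    if marker not in arn:
        return None
    return arn.split(marker, 1)[1].split("/", 1)[0]


def extract_create_key_events(trail_json):
    """Collect CreateKey calls with time, key ARN, caller and outcome."""
    events = []
    for rec in json.loads(trail_json).get("Records", []):
        if (rec.get("eventSource") != PAYMENT_CRYPTO_SOURCE
                or rec.get("eventName") != "CreateKey"):
            continue
        identity = rec.get("userIdentity", {})
        # Failed calls carry no responseElements, so the key ARN is None.
        key_arn = (rec.get("responseElements") or {}).get("key", {}).get("keyArn")
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "key_arn": key_arn,
            "principal": identity.get("arn"),
            "role": role_from_identity(identity),
            "succeeded": "errorCode" not in rec,
        })
    return events


def find_unapproved(events, approved_roles=APPROVED_KEY_CREATION_ROLES):
    """Return CreateKey events (successful or not) made outside approved roles."""
    return [e for e in events if e["role"] not in approved_roles]


if __name__ == "__main__":
    for e in extract_create_key_events(SAMPLE_TRAIL):
        flag = "" if e["role"] in APPROVED_KEY_CREATION_ROLES else "  <-- review"
        print(e["time"].isoformat(), e["principal"], e["key_arn"], e["succeeded"], flag)
```

Feed it the JSON that CloudTrail writes to S3 (or a `lookup-events` export) instead of `SAMPLE_TRAIL`; the denied attempt in record 4 is kept on purpose, since a failed CreateKey from an unapproved principal is exactly the kind of event an approval procedure should surface.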