Mastercard specific functions
DCVC3
DCVC3 predates EMV CSK and Mastercard CVN12 schemes and represents another approach for utilizing dynamic keys. It is sometimes repurposed for other use cases as well. In this scheme, the inputs are PAN, PSN, Track1/Track2 data, an unpredictable number and transaction counter (ATC).
Create key
$aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{DeriveKey=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"DCVC3"},{"Key":"CARD_BIN","Value":"12345678"}]'
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
{ "Key": { "KeyArn": "arn:aws:payment-cryptography:us-east-2::key/hrh6qgbi3sk4y3wq", "KeyAttributes": { "KeyUsage": "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "KeyClass": "SYMMETRIC_KEY", "KeyAlgorithm": "TDES_2KEY", "KeyModesOfUse": { "Encrypt": false, "Decrypt": false, "Wrap": false, "Unwrap": false, "Generate": false, "Sign": false, "Verify": false, "DeriveKey": true, "NoRestrictions": false } }, "KeyCheckValue": "08D7B4", "KeyCheckValueAlgorithm": "ANSI_X9_24", "Enabled": true, "Exportable": true, "KeyState": "CREATE_COMPLETE", "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY", "CreateTimestamp": "2024-03-07T06:41:46.648000-07:00", "UsageStartTimestamp": "2024-03-07T06:41:46.626000-07:00" } }
Take note of the KeyArn that represents the key, for example arn:aws:payment-cryptography:us-east-2::key/hrh6qgbi3sk4y3wq. You need that in the next step.
Generate a DCVC3
Although DCVC3 may be generated by a chip card, it can also be manually generated such as in this example
$aws payment-cryptography-data generate-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2::key/pw3s6nl62t5ushfk --primary-account-number=5413123456784808 --generation-attributes DynamicCardVerificationCode='{ApplicationTransactionCounter=0000,TrackData=5241060000000069D13052020000000000003F,PanSequenceNumber=00,UnpredictableNumber=00000000}''
{ "KeyArn": "arn:aws:payment-cryptography:us-east-2::key/pw3s6nl62t5ushfk", "KeyCheckValue": "08D7B4", "ValidationData": "865" }
Validate the DCVC3
In this example, we will validate an DCVC3. Note that ATC should be provided as a hex number for instance a counter of 11 should be represented as 000B. The service expects a 3 digit DCVC3, so if you have stored a 4(or 5) digit value, simply truncate the left characters until you have 3 digits (for instance 15321 should result in validation-data value of 321).
If AWS Payment Cryptography is able to validate, an http/200 is returned. If the value is not validated, it will return a http/400 response.
$aws payment-cryptography-data verify-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2::key/pw3s6nl62t5ushfk --primary-account-number=5413123456784808 --verification-attributes DynamicCardVerificationCode='{ApplicationTransactionCounter=000B,TrackData=5241060000000069D13052020000000000003F,PanSequenceNumber=00,UnpredictableNumber=00000001}' --validation-data 398
{ "KeyArn": "arn:aws:payment-cryptography:us-east-2::key/pw3s6nl62t5ushfk", "KeyCheckValue": "08D7B4" }
ARQC - CVN14/CVN15
CVN14 and CVN15 utilize the EMV CSK method of key derivation. The exact transaction data varies between these two methods - please see the scheme documentation for details on constructing the transaction data field.
ARQC - CVN12/CVN13
CVN12 and CVN13 are older Mastercard-specific method for EMV transactions that incorporates an unpredictable number into the per-transaction derivation and also uses a different payload. For information on the payload contents, please contact the scheme.
Create key
$aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{DeriveKey=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"CVN12"},{"Key":"CARD_BIN","Value":"12345678"}]'
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
{ "Key": { "KeyArn": "arn:aws:payment-cryptography:us-east-2::key/pw3s6nl62t5ushfk", "KeyAttributes": { "KeyUsage": "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "KeyClass": "SYMMETRIC_KEY", "KeyAlgorithm": "TDES_2KEY", "KeyModesOfUse": { "Encrypt": false, "Decrypt": false, "Wrap": false, "Unwrap": false, "Generate": false, "Sign": false, "Verify": false, "DeriveKey": true, "NoRestrictions": false } }, "KeyCheckValue": "08D7B4", "KeyCheckValueAlgorithm": "ANSI_X9_24", "Enabled": true, "Exportable": true, "KeyState": "CREATE_COMPLETE", "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY", "CreateTimestamp": "2024-03-07T06:41:46.648000-07:00", "UsageStartTimestamp": "2024-03-07T06:41:46.626000-07:00" } }
Take note of the KeyArn that represents the key, for example arn:aws:payment-cryptography:us-east-2::key/pw3s6nl62t5ushfk. You need that in the next step.
Validate the ARQC
In this example, we will validate an ARQC generated using Mastercard CVN12.
If AWS Payment Cryptography is able to validate the ARQC, an http/200 is returned. If the arqc is not validated, it will return a http/400 response.
$aws payment-cryptography-data verify-auth-request-cryptogram --auth-request-cryptogram 31BE5D49F14A5F01 \ --key-identifier arn:aws:payment-cryptography:us-east-2::key/pw3s6nl62t5ushfk \ --major-key-derivation-mode EMV_OPTION_A \ --transaction-data 0000000015000000000000000840000000000008402312120197695905 \ --session-key-derivation-attributes='{"Mastercard":{"PanSequenceNumber":"01" \ ,"PrimaryAccountNumber":"9137631040001422","ApplicationTransactionCounter":"000B","UnpredictableNumber":"34343434"}}'
{ "KeyArn": "arn:aws:payment-cryptography:us-east-2::key/pw3s6nl62t5ushfk", "KeyCheckValue": "08D7B4" }
