GeneratePinData - AWS Payment Cryptography Data Plane
Request SyntaxURI Request ParametersRequest BodyResponse SyntaxResponse ElementsErrorsSee Also

GeneratePinData

Generates pin-related data such as PIN, PIN Verification Value (PVV), PIN Block, and PIN Offset during new card issuance or reissuance. For more information, see Generate PIN data in the AWS Payment Cryptography User Guide.

PIN data is never transmitted in clear to or from AWS Payment Cryptography. This operation generates PIN, PVV, or PIN Offset and then encrypts it using Pin Encryption Key (PEK) to create an EncryptedPinBlock for transmission from AWS Payment Cryptography. This operation uses a separate Pin Verification Key (PVK) for VISA PVV generation.

Using ECDH key exchange, you can receive cardholder selectable PINs into AWS Payment Cryptography. The ECDH derived key protects the incoming PIN block. You can also use it for reveal PIN, wherein the generated PIN block is protected by the ECDH derived key before transmission from AWS Payment Cryptography. For more information on establishing ECDH derived keys, see the Generating keys in the AWS Payment Cryptography User Guide.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the AWS Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different AWS accounts.

Related operations:

Request Syntax

POST /pindata/generate HTTP/1.1
Content-type: application/json

{
   "EncryptionKeyIdentifier": "string",
   "EncryptionWrappedKey": { 
      "KeyCheckValueAlgorithm": "string",
      "WrappedKeyMaterial": { ... }
   },
   "GenerationAttributes": { ... },
   "GenerationKeyIdentifier": "string",
   "PinBlockFormat": "string",
   "PinDataLength": number,
   "PrimaryAccountNumber": "string"
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

EncryptionKeyIdentifier

The keyARN of the PEK that AWS Payment Cryptography uses to encrypt the PIN Block. For ECDH, it is the keyARN of the asymmetric ECC key.

Type: String

Length Constraints: Minimum length of 7. Maximum length of 322.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+

Required: Yes

EncryptionWrappedKey

Parameter information of a WrappedKeyBlock for encryption key exchange.

Type: WrappedKey object

Required: No

GenerationAttributes

The attributes and values to use for PIN, PVV, or PIN Offset generation.

Type: PinGenerationAttributes object

Note: This object is a Union. Only one member of this object can be specified or returned.

Required: Yes

GenerationKeyIdentifier

The keyARN of the PEK that AWS Payment Cryptography uses for pin data generation.

Type: String

Length Constraints: Minimum length of 7. Maximum length of 322.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+

Required: Yes

PinBlockFormat

The PIN encoding format for pin data generation as specified in ISO 9564. AWS Payment Cryptography supports ISO_Format_0 and ISO_Format_3.

The ISO_Format_0 PIN block format is equivalent to the ANSI X9.8, VISA-1, and ECI-1 PIN block formats. It is similar to a VISA-4 PIN block format. It supports a PIN from 4 to 12 digits in length.

The ISO_Format_3 PIN block format is the same as ISO_Format_0 except that the fill digits are random values from 10 to 15.

Type: String

Valid Values: ISO_FORMAT_0 | ISO_FORMAT_3 | ISO_FORMAT_4

Required: Yes

PinDataLength

The length of PIN under generation.

Type: Integer

Valid Range: Minimum value of 4. Maximum value of 12.

Required: No

PrimaryAccountNumber

The Primary Account Number (PAN), a unique identifier for a payment credit or debit card that associates the card with a specific account holder.

Type: String

Length Constraints: Minimum length of 12. Maximum length of 19.

Pattern: [0-9]+

Required: Yes

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "EncryptedPinBlock": "string",
   "EncryptionKeyArn": "string",
   "EncryptionKeyCheckValue": "string",
   "GenerationKeyArn": "string",
   "GenerationKeyCheckValue": "string",
   "PinData": { ... }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

EncryptedPinBlock

The PIN block encrypted under PEK from AWS Payment Cryptography. The encrypted PIN block is a composite of PAN (Primary Account Number) and PIN (Personal Identification Number), generated in accordance with ISO 9564 standard.

Type: String

Length Constraints: Minimum length of 16. Maximum length of 32.

Pattern: [0-9a-fA-F]+

EncryptionKeyArn

The keyARN of the PEK that AWS Payment Cryptography uses for encrypted pin block generation. For ECDH, it is the keyARN of the asymmetric ECC key.

Type: String

Length Constraints: Minimum length of 70. Maximum length of 150.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}

EncryptionKeyCheckValue

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

AWS Payment Cryptography computes the KCV according to the CMAC specification.

Type: String

Length Constraints: Minimum length of 4. Maximum length of 16.

Pattern: [0-9a-fA-F]+

GenerationKeyArn

The keyARN of the pin data generation key that AWS Payment Cryptography uses for PIN, PVV or PIN Offset generation.

Type: String

Length Constraints: Minimum length of 70. Maximum length of 150.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}

GenerationKeyCheckValue

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

AWS Payment Cryptography computes the KCV according to the CMAC specification.

Type: String

Length Constraints: Minimum length of 4. Maximum length of 16.

Pattern: [0-9a-fA-F]+

PinData

The attributes and values AWS Payment Cryptography uses for pin data generation.

Type: PinData object

Note: This object is a Union. Only one member of this object can be specified or returned.

Errors

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 403

InternalServerException

The request processing has failed because of an unknown error, exception, or failure.

HTTP Status Code: 500

ResourceNotFoundException

The request was denied due to an invalid resource error.

HTTP Status Code: 404

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 429

ValidationException

The request was denied due to an invalid request error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: