

# Acquiring and payment facilitators
<a name="use-cases-acquirers"></a>

Acquirers, PSPs and Payment Facilitators typically have a different set of cryptographic requirements than issuers. Common use cases include: 

**Data Decryption**  <a name="use-cases-acquirers.decryptdata"></a>
Data (especially PAN data) may be encrypted by a payment terminal and need to be decrypted by the backend. [Decrypt Data](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_DecryptData.html) and Encrypt Data support a variety of methods, including TDES, AES and DUKPT derivation techniques. The AWS Payment Cryptography service itself is also PCI P2PE compliant and is registered as a PCI P2PE decryption component. 

**TranslatePin**  <a name="use-cases-acquirers.translatepin"></a>
To maintain PCI PIN compliance, acquiring systems shall not have cardholder PINs in the clear after they have been entered on a secure device. Therefore, to pass the PIN onward from the terminal to a downstream system (such as a payment network or issuer), it must be re-encrypted using a different key than the one the payment terminal used. [Translate Pin](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_TranslatePinData.html) accomplishes that by converting an encrypted PIN from one key to another securely within the service. Using this command, PINs can be converted between various key schemes such as TDES, AES and DUKPT derivation, and between PIN block formats such as ISO-0, ISO-3 and ISO-4. 

**VerifyMac**  <a name="use-cases-acquirers.verifymac"></a>
Data from a payment terminal may be MACed to ensure that it hasn't been modified in transit. [Verify Mac](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_VerifyMac.html) and GenerateMac support a variety of techniques using symmetric keys, including TDES, AES and DUKPT derivation, for use with ISO-9797-1 algorithm 1, ISO-9797-1 algorithm 3 (Retail MAC) and CMAC. 

**Topics**
+ [Using Dynamic Keys](use-cases-acquirers-dynamickeys.md)

# Using Dynamic Keys
<a name="use-cases-acquirers-dynamickeys"></a>

Dynamic Keys allow one-time or limited-use keys to be used for cryptographic operations such as [`EncryptData`](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_EncryptData.html). This flow can be used when the key material rotates frequently (such as on every card transaction) and there is a desire to avoid importing the key material into the service. Short-lived keys may be used as part of [softPOS/Mpoc](terminology.md#terms.mpoc) or other solutions. 

**Note**  
This can be used in lieu of the typical AWS Payment Cryptography flow, where cryptographic keys are created in or imported into the service and then referenced by a key alias or key ARN. 

The following operations support Dynamic Keys:
+ EncryptData
+ DecryptData
+ ReEncryptData
+ TranslatePin

## Decrypting Data
<a name="use-case-acquirers-dynamickeys.examples.decryptdata"></a>

The following example shows using Dynamic Keys with the decrypt-data command. The key identifier in this case is the wrapping key (KEK) that secures the decryption key, which is provided in the wrapped-key parameter as a TR-31 key block. To be used with the decrypt-data command, the wrapped key must have key usage D0 with a mode of use of B or D. 

**Example**  

```
$ aws payment-cryptography-data decrypt-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/ov6icy4ryas4zcza --cipher-text 1234123412341234123412341234123A --decryption-attributes 'Symmetric={Mode=CBC,InitializationVector=1234123412341234}'   --wrapped-key WrappedKeyMaterial={"Tr31KeyBlock"="D0112D0TN00E0000B05A6E82D7FC68B95C84306634B0000DA4701BE9BCA318B3A30A400B059FD4A8DE19924A9D3EE459F24FDE680F8E4A40"}
```

```
{
   "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/ov6icy4ryas4zcza",
   "KeyCheckValue": "0A3674",
   "PlainText": "2E138A746A0032023BEF5B85BA5060BA"
}
```

## Translating a pin
<a name="use-case-acquirers-dynamickeys.examples.translatepin"></a>

The following example shows using Dynamic Keys with the translate-pin-data command to translate from a dynamic key to a semi-static acquirer working key (AWK). The incoming key identifier in this case is the wrapping key (KEK) that protects the dynamic PIN encryption key (PEK), which is provided as a TR-31 key block. The wrapped key must have key usage `P0` with a mode of use of B or D. The outgoing key identifier is a key of type `TR31_P0_PIN_ENCRYPTION_KEY` with key modes of use Encrypt=true,Wrap=true. 

**Example**  

```
$ aws payment-cryptography-data translate-pin-data --encrypted-pin-block "C7005A4C0FA23E02" --incoming-translation-attributes=IsoFormat0='{PrimaryAccountNumber=171234567890123}' --incoming-key-identifier alias/PARTNER1_KEK  --outgoing-key-identifier alias/ACQUIRER_AWK_PEK --outgoing-translation-attributes IsoFormat0="{PrimaryAccountNumber=171234567890123}"  --incoming-wrapped-key WrappedKeyMaterial={"Tr31KeyBlock"="D0112P0TB00S0000EB5D8E63076313162B04245C8CE351C956EA4A16CC32EB3FB61DE3FC75C751734B773F5B645943A854C65740738B8304"}
```

```
{
   "PinBlock": "2E66192BDA390C6F",
   "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/ov6icy4ryas4zcza",
   "KeyCheckValue": "0A3674"
}
```
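Both examples above pass the dynamic key as a TR-31 key block whose header must carry the right key usage (D0 for decrypt-data, P0 for translate-pin-data) and mode of use. The following Python snippet is an added example, not AWS Payment Cryptography code or AWS CLI output: it parses the standard 16-character TR-31 / ANSI X9.143 header of the two key blocks shown on this page and reports any field that conflicts with those requirements before the block is sent to the service. It assumes the standard header layout and the per-version MAC lengths (4 bytes for versions A and C, 8 for B, 16 for D), handles only blocks without optional blocks, and the function names `parse_tr31`, `check_dynamic_key` and `is_valid_tr31` are this example's own. Note that the decrypt-data sample block on this page encodes mode of use N, so the check reports that field for review; the translate-pin-data sample (usage P0, mode B) passes cleanly.

```python
"""Parse and sanity-check TR-31 key blocks before using them as Dynamic Keys.

Added example, not AWS Payment Cryptography code. Assumes the standard
16-character TR-31 / ANSI X9.143 header layout and the MAC lengths defined
per key block version (A/C: 4 bytes, B: 8 bytes, D: 16 bytes).
"""
from dataclasses import dataclass
from typing import List

# Key usage the wrapped (dynamic) key must carry for each command on the page.
REQUIRED_USAGE = {
    "decrypt-data": "D0",        # data encryption key
    "translate-pin-data": "P0",  # PIN encryption key
}
# Mode of use the page requires for the wrapped key:
# B = both encrypt and decrypt, D = decrypt only.
ALLOWED_MODES = {"B", "D"}
# Standard TR-31 algorithm identifiers.
ALGORITHMS = {"A": "AES", "T": "TDES", "D": "DES", "H": "HMAC", "R": "RSA", "E": "Elliptic curve"}
# MAC length in hex characters, by key block version ID.
MAC_HEX_LEN = {"A": 8, "B": 16, "C": 8, "D": 32}

# Sample key blocks copied from the page's two CLI examples.
DECRYPT_SAMPLE = ("D0112D0TN00E0000B05A6E82D7FC68B95C84306634B0000DA4701BE9BCA318B3"
                  "A30A400B059FD4A8DE19924A9D3EE459F24FDE680F8E4A40")
PIN_SAMPLE = ("D0112P0TB00S0000EB5D8E63076313162B04245C8CE351C956EA4A16CC32EB3F"
              "B61DE3FC75C751734B773F5B645943A854C65740738B8304")


@dataclass(frozen=True)
class Tr31KeyBlock:
    version: str
    block_length: int
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_block_count: int
    encrypted_key_hex: str
    mac_hex: str


def parse_tr31(key_block: str) -> Tr31KeyBlock:
    """Split a TR-31 key block into header fields, encrypted key data and MAC."""
    if len(key_block) < 16:
        raise ValueError("key block is shorter than the 16-character header")
    version = key_block[0]
    if version not in MAC_HEX_LEN:
        raise ValueError(f"unknown key block version ID {version!r}")
    declared = int(key_block[1:5])           # 4-digit decimal total length
    if declared != len(key_block):
        raise ValueError(f"header declares length {declared}, got {len(key_block)}")
    opt_count = int(key_block[12:14])        # number of optional blocks
    if opt_count != 0:
        raise ValueError("optional blocks are not handled by this parser")
    mac_len = MAC_HEX_LEN[version]
    body = key_block[16:]                    # everything after the header
    if len(body) <= mac_len:
        raise ValueError("key block has no room for encrypted key data")
    return Tr31KeyBlock(
        version=version,
        block_length=declared,
        key_usage=key_block[5:7],
        algorithm=key_block[7],
        mode_of_use=key_block[8],
        key_version=key_block[9:11],
        exportability=key_block[11],
        optional_block_count=opt_count,
        encrypted_key_hex=body[:-mac_len],
        mac_hex=body[-mac_len:],
    )


def is_valid_tr31(key_block: str) -> bool:
    """True when the block parses structurally; False on any header defect."""
    try:
        parse_tr31(key_block)
        return True
    except ValueError:
        return False


def check_dynamic_key(key_block: str, command: str) -> List[str]:
    """Return header findings that conflict with the page's rules for `command`."""
    if command not in REQUIRED_USAGE:
        raise ValueError(f"unsupported command {command!r}")
    kb = parse_tr31(key_block)
    findings = []
    if kb.key_usage != REQUIRED_USAGE[command]:
        findings.append(f"key usage {kb.key_usage} but {command} needs {REQUIRED_USAGE[command]}")
    if kb.mode_of_use not in ALLOWED_MODES:
        findings.append(f"mode of use {kb.mode_of_use} is not one of {sorted(ALLOWED_MODES)}")
    if kb.algorithm not in ("A", "T"):   # page lists TDES and AES only
        findings.append(f"algorithm {kb.algorithm} is not AES or TDES")
    return findings


if __name__ == "__main__":
    for command, block in (("decrypt-data", DECRYPT_SAMPLE), ("translate-pin-data", PIN_SAMPLE)):
        kb = parse_tr31(block)
        print(f"{command}: usage={kb.key_usage} alg={ALGORITHMS.get(kb.algorithm)} "
              f"mode={kb.mode_of_use} export={kb.exportability} findings={check_dynamic_key(block, command)}")
```

Running the file prints the parsed fields and findings for both sample blocks. In a real pipeline the check runs on every incoming key block, and a block with findings is rejected or alerted on rather than forwarded to the API, which keeps malformed or mis-purposed key material from ever reaching the decrypt or PIN-translate call.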