# Network specific functions
**Topics**
+ [Visa specific functions](use-cases-issuers.networkfunctions.visa.md)
+ [Mastercard specific functions](use-cases-issuers.networkfunctions.mastercard.md)
+ [American Express specific functions](use-cases-issuers.networkfunctions.amex.md)
+ [JCB specific functions](use-cases-issuers.networkfunctions.jcb.md)
# Visa specific functions
**Topics**
+ [ARQC - CVN18/CVN22](#use-cases-issuers.networkfunctions.visa.cvn18)
+ [ARQC - CVN10](#use-cases-issuers.networkfunctions.visa.cvn10)
+ [3DS CAVV V7](#use-cases-issuers.networkfunctions.visa.cavv-v7)
+ [dCVV (Dynamic Card Verification Value) - CVN17](#use-cases-issuers.networkfunctions.visa.dcvv)
## ARQC - CVN18/CVN22
CVN18 and CVN22 utilize the [CSK method](use-cases-issuers.generalfunctions.arqc.md) of key derivation. The exact transaction data varies between these two methods - please see the scheme documentation for details on constructing the transaction data field.
## ARQC - CVN10
CVN10 is an older Visa method for EMV transactions that uses per card key derivation rather than session (per transaction) derivation and also uses a different payload. For information on the payload contents, please contact the scheme for details.
### Create key
```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{DeriveKey=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"CVN10"},{"Key":"CARD_BIN","Value":"12345678"}]'
```
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
```
{
"Key": {
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk",
"KeyAttributes": {
"KeyUsage": "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS",
"KeyClass": "SYMMETRIC_KEY",
"KeyAlgorithm": "TDES_2KEY",
"KeyModesOfUse": {
"Encrypt": false,
"Decrypt": false,
"Wrap": false,
"Unwrap": false,
"Generate": false,
"Sign": false,
"Verify": false,
"DeriveKey": true,
"NoRestrictions": false
}
},
"KeyCheckValue": "08D7B4",
"KeyCheckValueAlgorithm": "ANSI_X9_24",
"Enabled": true,
"Exportable": true,
"KeyState": "CREATE_COMPLETE",
"KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
"CreateTimestamp": "2024-03-07T06:41:46.648000-07:00",
"UsageStartTimestamp": "2024-03-07T06:41:46.626000-07:00"
}
}
```
Take note of the `KeyArn` that represents the key, for example *arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk*. You need that in the next step.
### Validate the ARQC
**Example**
In this example, we will validate an ARQC generated using Visa CVN10.
If AWS Payment Cryptography is able to validate the ARQC, an http/200 is returned. If the arqc is not validated, it will return a http/400 response.
```
$ aws payment-cryptography-data verify-auth-request-cryptogram --auth-request-cryptogram D791093C8A921769 \
--key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk \
--major-key-derivation-mode EMV_OPTION_A \
--transaction-data 00000000170000000000000008400080008000084016051700000000093800000B03011203000000 \
--session-key-derivation-attributes='{"Visa":{"PanSequenceNumber":"01" \
,"PrimaryAccountNumber":"9137631040001422"}}'
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk",
"KeyCheckValue": "08D7B4"
}
```
## 3DS CAVV V7
For Visa Secure (3DS) transactions, a CAVV (Cardholder Authentication Verification Value) is generated by the issuer Access Control Server (ACS). The CAVV is evidence that cardholder authentication occurred, is unique for each authentication transaction and is provided by the acquirer in the authorization message. CAVV v7 binds additional data about the transaction to the approval including elements such as merchant name, purchase amount and purchase date. In this way, it is effectively a cryptographic hash of the transaction payload.
Cryptographically, CAVV V7 utilizes the CVV algorithm but the inputs have all been changed/repurposed. Please consult appropriate third party/Visa documentation on how to produce the inputs to generate a CAVV V7 payload.
### Create the key
```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_C0_CARD_VERIFICATION_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{Generate=true,Verify=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"CAVV-V7"},{"Key":"CARD_BIN","Value":"12345678"}]'
```
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
```
{
"Key": {
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/dnaeyrjgdjjtw6dk",
"KeyAttributes": {
"KeyUsage": "TR31_C0_CARD_VERIFICATION_KEY",
"KeyClass": "SYMMETRIC_KEY",
"KeyAlgorithm": "TDES_2KEY",
"KeyModesOfUse": {
"Encrypt": false,
"Decrypt": false,
"Wrap": false,
"Unwrap": false,
"Generate": true,
"Sign": false,
"Verify": true,
"DeriveKey": false,
"NoRestrictions": false
}
},
"KeyCheckValue": "F3FB13",
"KeyCheckValueAlgorithm": "ANSI_X9_24",
"Enabled": true,
"Exportable": true,
"KeyState": "CREATE_COMPLETE",
"KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
"CreateTimestamp": "2023-06-05T06:41:46.648000-07:00",
"UsageStartTimestamp": "2023-06-05T06:41:46.626000-07:00"
}
}
```
Take note of the `KeyArn` that represents the key, for example *arn:aws:payment-cryptography:us-east-2:111122223333:key/dnaeyrjgdjjtw6dk*. You need that in the next step.
### Generate a CAVV V7
**Example**
In this example, we will generate a CAVV V7 for a given transactions with inputs as specified in the specifications. Note that for this algorithm, fields may be re-used/re-purposed, so it should not be assumed that the field labels match the inputs.
For all available parameters see [CardVerificationValue1](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_CardVerificationValue1.html) in the API reference guide.
```
$ aws payment-cryptography-data generate-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/dnaeyrjgdjjtw6dk --primary-account-number=171234567890123 --generation-attributes CardVerificationValue1='{CardExpiryDate=9431,ServiceCode=431}'
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/dnaeyrjgdjjtw6dk",
"KeyCheckValue": "F3FB13",
"ValidationData": "491"
}
```
### Validate CAVV V7
**Example**
For validation, the inputs are CVK, the computed input values and the CAVV provided during the transaction to validate.
For all available parameters see, [CardVerificationValue1](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_CardVerificationValue1.html) in the API reference guide.
CAVV is not a user entered value (like CVV2) but is calculated by the issuer ACS. Consideration should be given to whether it should always validate when provided.
```
$ aws payment-cryptography-data verify-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/dnaeyrjgdjjtw6dk --primary-account-number=171234567890123 --verification-attributes CardVerificationValue1='{CardExpiryDate=9431,ServiceCode=431} --validation-data 491
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/dnaeyrjgdjjtw6dk",
"KeyCheckValue": "F3FB13",
"ValidationData": "491"
}
```
## dCVV (Dynamic Card Verification Value) - CVN17
dCVV (dynamic Card Verification Value) is a Visa-specific dynamic cryptogram used for contactless EMV transactions. It is known as early EMV and it provides enhanced security by generating a unique verification value for each transaction. The dCVV uses inputs including the Primary Account Number (PAN), PAN Sequence Number (PSN), Application Transaction Counter (ATC), unpredictable number, and track data. It is still used in some places, but has mostly been replaced by other algorithms like CVN18.
For all available parameters see [DynamicCardVerificationValue](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_DynamicCardVerificationValue.html) in the API reference guide.
### Create key
```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{Generate=true,Verify=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"DCVV"},{"Key":"CARD_BIN","Value":"12345678"}]'
```
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
```
{
"Key": {
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/mw7dn3qxvkfh8ztc",
"KeyAttributes": {
"KeyUsage": "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS",
"KeyClass": "SYMMETRIC_KEY",
"KeyAlgorithm": "TDES_2KEY",
"KeyModesOfUse": {
"Encrypt": false,
"Decrypt": false,
"Wrap": false,
"Unwrap": false,
"Generate": true,
"Sign": false,
"Verify": true,
"DeriveKey": false,
"NoRestrictions": false
}
},
"KeyCheckValue": "A8E4D2",
"KeyCheckValueAlgorithm": "ANSI_X9_24",
"Enabled": true,
"Exportable": true,
"KeyState": "CREATE_COMPLETE",
"KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
"CreateTimestamp": "2025-02-02T11:45:30.648000-08:00",
"UsageStartTimestamp": "2025-02-02T11:45:30.626000-08:00"
}
}
```
Take note of the `KeyArn` that represents the key, for example *arn:aws:payment-cryptography:us-east-2:111122223333:key/mw7dn3qxvkfh8ztc*. You need that in the next step.
### Generate a dCVV
**Example**
In this example, we will generate a dCVV for a contactless EMV transaction. The inputs include the PAN, PAN Sequence Number, Application Transaction Counter, unpredictable number, and track data.
```
$ aws payment-cryptography-data generate-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/mw7dn3qxvkfh8ztc \
--primary-account-number=5111112627662122 \
--generation-attributes DynamicCardVerificationValue='{ApplicationTransactionCounter=01,PanSequenceNumber=00,TrackData=12345,UnpredictableNumber=123}' \
--validation-data-length 5
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/mw7dn3qxvkfh8ztc",
"KeyCheckValue": "A8E4D2",
"ValidationData": "36667"
}
```
### Validate dCVV
**Example**
In this example, we will validate a dCVV provided during a transaction. The same inputs used for generation must be provided for validation.
If AWS Payment Cryptography is able to validate, an http/200 is returned. If the value is not validated, it will return a http/400 response.
```
$ aws payment-cryptography-data verify-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/mw7dn3qxvkfh8ztc \
--primary-account-number=5111112627662122 \
--validation-data=36667 \
--verification-attributes DynamicCardVerificationValue='{ApplicationTransactionCounter=01,PanSequenceNumber=00,TrackData=12345,UnpredictableNumber=123}'
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/mw7dn3qxvkfh8ztc",
"KeyCheckValue": "A8E4D2"
}
```
# Mastercard specific functions
**Topics**
+ [DCVC3](#use-cases-issuers.networkfunctions.mastercard.dcvc)
+ [ARQC - CVN14/CVN15](#use-cases-issuers.networkfunctions.mastercard.cvn14)
+ [ARQC - CVN12/CVN13](#use-cases-issuers.networkfunctions.mastercard.cvn12)
+ [3DS SPA2 AAV](#use-cases-issuers.networkfunctions.mastercard.spa2aav)
## DCVC3
DCVC3 predates EMV CSK and Mastercard CVN12 schemes and represents another approach for utilizing dynamic keys. It is sometimes repurposed for other use cases as well. In this scheme, the inputs are PAN, PSN, Track1/Track2 data, an unpredictable number and transaction counter (ATC).
### Create key
```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{DeriveKey=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"DCVC3"},{"Key":"CARD_BIN","Value":"12345678"}]'
```
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
```
{
"Key": {
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/hrh6qgbi3sk4y3wq",
"KeyAttributes": {
"KeyUsage": "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS",
"KeyClass": "SYMMETRIC_KEY",
"KeyAlgorithm": "TDES_2KEY",
"KeyModesOfUse": {
"Encrypt": false,
"Decrypt": false,
"Wrap": false,
"Unwrap": false,
"Generate": false,
"Sign": false,
"Verify": false,
"DeriveKey": true,
"NoRestrictions": false
}
},
"KeyCheckValue": "08D7B4",
"KeyCheckValueAlgorithm": "ANSI_X9_24",
"Enabled": true,
"Exportable": true,
"KeyState": "CREATE_COMPLETE",
"KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
"CreateTimestamp": "2024-03-07T06:41:46.648000-07:00",
"UsageStartTimestamp": "2024-03-07T06:41:46.626000-07:00"
}
}
```
Take note of the `KeyArn` that represents the key, for example *arn:aws:payment-cryptography:us-east-2:111122223333:key/hrh6qgbi3sk4y3wq*. You need that in the next step.
### Generate a DCVC3
**Example**
Although DCVC3 is typically generated by a chip card, it can also be manually generated such as in this example
```
$ aws payment-cryptography-data generate-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk --primary-account-number=5413123456784808 --generation-attributes DynamicCardVerificationCode='{ApplicationTransactionCounter=0000,TrackData=5241060000000069D13052020000000000003F,PanSequenceNumber=00,UnpredictableNumber=00000000}''
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk",
"KeyCheckValue": "08D7B4",
"ValidationData": "865"
}
```
### Validate the DCVC3
**Example**
In this example, we will validate an DCVC3. Note that ATC should be provided as a hex number for instance a counter of 11 should be represented as 000B. The service expects a 3 digit DCVC3, so if you have stored a 4(or 5) digit value, simply truncate the left characters until you have 3 digits (for instance 15321 should result in validation-data value of 321).
If AWS Payment Cryptography is able to validate, an http/200 is returned. If the value is not validated, it will return a http/400 response.
```
$ aws payment-cryptography-data verify-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk --primary-account-number=5413123456784808 --verification-attributes DynamicCardVerificationCode='{ApplicationTransactionCounter=000B,TrackData=5241060000000069D13052020000000000003F,PanSequenceNumber=00,UnpredictableNumber=00000001}' --validation-data 398
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk",
"KeyCheckValue": "08D7B4"
}
```
## ARQC - CVN14/CVN15
CVN14 and CVN15 utilize the [EMV CSK method](use-cases-issuers.generalfunctions.arqc.md) of key derivation. The exact transaction data varies between these two methods - please see the scheme documentation for details on constructing the transaction data field.
## ARQC - CVN12/CVN13
CVN12 and CVN13 are older Mastercard-specific method for EMV transactions that incorporates an unpredictable number into the per-transaction derivation and also uses a different payload. For information on the payload contents, please contact the scheme.
### Create key
```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{DeriveKey=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"CVN12"},{"Key":"CARD_BIN","Value":"12345678"}]'
```
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
```
{
"Key": {
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk",
"KeyAttributes": {
"KeyUsage": "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS",
"KeyClass": "SYMMETRIC_KEY",
"KeyAlgorithm": "TDES_2KEY",
"KeyModesOfUse": {
"Encrypt": false,
"Decrypt": false,
"Wrap": false,
"Unwrap": false,
"Generate": false,
"Sign": false,
"Verify": false,
"DeriveKey": true,
"NoRestrictions": false
}
},
"KeyCheckValue": "08D7B4",
"KeyCheckValueAlgorithm": "ANSI_X9_24",
"Enabled": true,
"Exportable": true,
"KeyState": "CREATE_COMPLETE",
"KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
"CreateTimestamp": "2024-03-07T06:41:46.648000-07:00",
"UsageStartTimestamp": "2024-03-07T06:41:46.626000-07:00"
}
}
```
Take note of the `KeyArn` that represents the key, for example *arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk*. You need that in the next step.
### Validate the ARQC
**Example**
In this example, we will validate an ARQC generated using Mastercard CVN12.
If AWS Payment Cryptography is able to validate the ARQC, an http/200 is returned. If the arqc is not validated, it will return a http/400 response.
```
$ aws payment-cryptography-data verify-auth-request-cryptogram --auth-request-cryptogram 31BE5D49F14A5F01 \
--key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk \
--major-key-derivation-mode EMV_OPTION_A \
--transaction-data 00000000170000000000000008400080008000084016051700000000093800000B1F2201030000000000000000000000000000000000000000000000000000008000000000000000 \
--session-key-derivation-attributes='{"MastercardSessionKey":{"ApplicationTransactionCounter":"000B","PanSequenceNumber":"01","PrimaryAccountNumber":"5413123456784808","UnpredictableNumber":"00000001"}}'
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk",
"KeyCheckValue": "08D7B4"
}
```
## 3DS SPA2 AAV
SPA2(Secure Payment Application) AAV (Account Authentication Value) is used for Mastercard 3DS transactions (also known as Mastercard Idenity Check). It provides cryptographic authentication for e-commerce transactions using HMAC-based MAC generation. The AAV is generated using transaction-specific data and a shared secret key.
### Create key
```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=HMAC_SHA256,KeyUsage=TR31_M7_HMAC_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{Generate=true,Verify=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"SPA2_AAV"},{"Key":"CARD_BIN","Value":"12345678"}]'
```
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
```
{
"Key": {
"KeyArn": "arn:aws:payment-cryptography:us-west-2:111122223333:key/q5vjtshsg67cz5gn",
"KeyAttributes": {
"KeyUsage": "TR31_M7_HMAC_KEY",
"KeyClass": "SYMMETRIC_KEY",
"KeyAlgorithm": "HMAC_SHA256",
"KeyModesOfUse": {
"Encrypt": false,
"Decrypt": false,
"Wrap": false,
"Unwrap": false,
"Generate": true,
"Sign": false,
"Verify": true,
"DeriveKey": false,
"NoRestrictions": false
}
},
"KeyCheckValue": "C661F9",
"KeyCheckValueAlgorithm": "HMAC",
"Enabled": true,
"Exportable": true,
"KeyState": "CREATE_COMPLETE",
"KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
"CreateTimestamp": "2024-03-07T06:41:46.648000-07:00",
"UsageStartTimestamp": "2024-03-07T06:41:46.626000-07:00"
}
}
```
Take note of the `KeyArn` that represents the key, for example *arn:aws:payment-cryptography:us-west-2:111122223333:key/q5vjtshsg67cz5gn*. You need that in the next step.
### Generate SPA2 AAV
**Example**
In this example, we will generate the Issuer Authentication Value (IAV) component of the SPA2 AAV using HMAC MAC generation. The message data contains the transaction-specific information that will be authenticated. The format of the message data should follow Mastercard's SPA2 specifications and is not covered in this example.
Please review your Mastercard specifications for the formatting to insert the IAV into the AAV value.
```
$ aws payment-cryptography-data generate-mac --key-identifier arn:aws:payment-cryptography:us-west-2:111122223333:key/q5vjtshsg67cz5gn --message-data "2226400099919520FFFFd8b448be65694fe7b42f836bad396e9d" --generation-attributes Algorithm=HMAC --region us-west-2
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-west-2:111122223333:key/q5vjtshsg67cz5gn",
"KeyCheckValue": "C661F9",
"Mac": "6FB2405E9D8A4C1F7B173F73ADD1A6DC358531CAB0E9994FC5B62012ADDE91FC"
}
```
### Verify SPA2 AAV
**Example**
In this example, we will verify an SPA2 AAV. The same message data and MAC value are provided for verification.
If AWS Payment Cryptography is able to validate the MAC, an http/200 is returned. If the MAC is not validated, it will return a http/400 response.
```
$ aws payment-cryptography-data verify-mac --key-identifier arn:aws:payment-cryptography:us-west-2:111122223333:key/q5vjtshsg67cz5gn --message-data "2226400099919520FFFFd8b448be65694fe7b42f836bad396e9d" --mac "6FB2405E9D8A4C1F7B173F73ADD1A6DC358531CAB0E9994FC5B62012ADDE91FC" --verification-attributes Algorithm=HMAC --region us-west-2
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-west-2:111122223333:key/q5vjtshsg67cz5gn",
"KeyCheckValue": "C661F9"
}
```
# American Express specific functions
**Topics**
+ [CSC1](#use-cases-issuers.networkfunctions.amex.csc)
+ [CSC2](#use-cases-issuers.networkfunctions.amex.csc2)
+ [iCSC](#use-cases-issuers.networkfunctions.amex.csc3)
+ [3DS AEVV](#use-cases-issuers.networkfunctions.amex.3dsaevv)
## CSC1
CSC Version 1 is also known as the Classic CSC Algorithm. The service can provide it as a 3,4 or 5 digit number.
For all available parameters see [AmexCardSecurityCodeVersion1](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_AmexCardSecurityCodeVersion1.html) in the API reference guide.
### Create key
```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_C0_CARD_VERIFICATION_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{Generate=true,Verify=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"CSC1"},{"Key":"CARD_BIN","Value":"12345678"}]'
```
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
```
{
"Key": {
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/esh6hn7pxdtttzgq",
"KeyAttributes": {
"KeyUsage": "TR31_C0_CARD_VERIFICATION_KEY",
"KeyClass": "SYMMETRIC_KEY",
"KeyAlgorithm": "TDES_2KEY",
"KeyModesOfUse": {
"Encrypt": false,
"Decrypt": false,
"Wrap": false,
"Unwrap": false,
"Generate": true,
"Sign": false,
"Verify": true,
"DeriveKey": false,
"NoRestrictions": false
}
},
"KeyCheckValue": "8B5077",
"KeyCheckValueAlgorithm": "ANSI_X9_24",
"Enabled": true,
"Exportable": true,
"KeyState": "CREATE_COMPLETE",
"KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
"CreateTimestamp": "2023-06-05T06:41:46.648000-07:00",
"UsageStartTimestamp": "2023-06-05T06:41:46.626000-07:00"
}
}
```
Take note of the `KeyArn` that represents the key, for example *arn:aws:payment-cryptography:us-east-2:111122223333:key/esh6hn7pxdtttzgq*. You need that in the next step.
### Generate a CSC1
**Example**
```
$ aws payment-cryptography-data generate-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/esh6hn7pxdtttzgq --primary-account-number=344131234567848 --generation-attributes AmexCardSecurityCodeVersion1='{CardExpiryDate=1224}' --validation-data-length 4
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/esh6hn7pxdtttzgq",
"KeyCheckValue": "8B5077",
"ValidationData": "3938"
}
```
### Validate the CSC1
**Example**
In this example, we will validate a CSC1.
If AWS Payment Cryptography is able to validate, an http/200 is returned. If the value is not validated, it will return a http/400 response.
```
$ aws payment-cryptography-data verify-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/esh6hn7pxdtttzgq --primary-account-number=344131234567848 --verification-attributes AmexCardSecurityCodeVersion1='{CardExpiryDate=1224}'' --validation-data 3938
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/esh6hn7pxdtttzgq",
"KeyCheckValue": "8B5077"
}
```
## CSC2
CSC Version 2 is also known as the Enhanced CSC Algorithm. The service can provide it as a 3,4 or 5 digit number. The service code for CSC2 is typically 000.
For all available parameters see [AmexCardSecurityCodeVersion2](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_AmexCardSecurityCodeVersion2.html) in the API reference guide.
### Create key
```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_C0_CARD_VERIFICATION_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{Generate=true,Verify=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"CSC2"},{"Key":"CARD_BIN","Value":"12345678"}]'
```
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
```
{
"Key": {
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/erlm445qvunmvoda",
"KeyAttributes": {
"KeyUsage": "TR31_C0_CARD_VERIFICATION_KEY",
"KeyClass": "SYMMETRIC_KEY",
"KeyAlgorithm": "TDES_2KEY",
"KeyModesOfUse": {
"Encrypt": false,
"Decrypt": false,
"Wrap": false,
"Unwrap": false,
"Generate": true,
"Sign": false,
"Verify": true,
"DeriveKey": false,
"NoRestrictions": false
}
},
"KeyCheckValue": "BF1077",
"KeyCheckValueAlgorithm": "ANSI_X9_24",
"Enabled": true,
"Exportable": true,
"KeyState": "CREATE_COMPLETE",
"KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
"CreateTimestamp": "2023-06-05T06:41:46.648000-07:00",
"UsageStartTimestamp": "2023-06-05T06:41:46.626000-07:00"
}
}
```
Take note of the `KeyArn` that represents the key, for example *arn:aws:payment-cryptography:us-east-2:111122223333:key/erlm445qvunmvoda*. You need that in the next step.
### Generate a CSC2
In this example, we will generate a CSC2 with a length of 4. CSC can be generated with a length of 3,4 or 5. For American Express, PANs should be 15 digits and start with 34 or 37. Expiration date is typically formatted as YYMM. Service code may vary - review your manual but typical values are 000, 201 or 702
**Example**
```
$ aws payment-cryptography-data generate-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/erlm445qvunmvoda --primary-account-number=344131234567848 --generation-attributes AmexCardSecurityCodeVersion2='{CardExpiryDate=2412,ServiceCode=000}' --validation-data-length 4
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/erlm445qvunmvoda",
"KeyCheckValue": "BF1077",
"ValidationData": "3982"
}
```
### Validate the CSC2
**Example**
In this example, we will validate a CSC2.
If AWS Payment Cryptography is able to validate, an http/200 is returned. If the value is not validated, it will return a http/400 response.
```
$ aws payment-cryptography-data verify-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/erlm445qvunmvoda --primary-account-number=344131234567848 --verification-attributes AmexCardSecurityCodeVersion2='{CardExpiryDate=2412,ServiceCode=000}' --validation-data 3982
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/erlm445qvunmvoda",
"KeyCheckValue": "BF1077"
}
```
## iCSC
iCSC is also known as a static CSC Algorithm and is calculated using CSC Version 2. The service can provide it as a 3,4 or 5 digit number.
Use service code 999 to calculate iCSC for a contact card. Use service code 702 to calculate iCSC for a contactless card.
For all available parameters see [AmexCardSecurityCodeVersion2](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_AmexCardSecurityCodeVersion2.html) in the API reference guide.
### Create key
```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_C0_CARD_VERIFICATION_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{Generate=true,Verify=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"CSC1"},{"Key":"CARD_BIN","Value":"12345678"}]'
```
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
```
{
"Key": {
"KeyArn": "arn:aws:payment-cryptography:us-east-1:111122223333:key/7vrybrbvjcvwtunv",
"KeyAttributes": {
"KeyUsage": "TR31_C0_CARD_VERIFICATION_KEY"
"KeyAlgorithm": "TDES_2KEY",
"KeyClass": "SYMMETRIC_KEY",
"KeyModesOfUse": {
"Decrypt": false,
"DeriveKey": false,
"Encrypt": false,
"Generate": true,
"NoRestrictions": false,
"Sign": false,
"Unwrap": false,
"Verify": true,
"Wrap": false
},
},
"KeyCheckValue": "7121C7",
"KeyCheckValueAlgorithm": "ANSI_X9_24",
"Enabled": true,
"Exportable": true,
"KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
"KeyState": "CREATE_COMPLETE",
"CreateTimestamp": "2025-01-29T09:19:21.209000-05:00",
"UsageStartTimestamp": "2025-01-29T09:19:21.192000-05:00"
}
}
```
Take note of the `KeyArn` that represents the key, for example *arn:aws:payment-cryptography:us-east-1:111122223333:key/7vrybrbvjcvwtunv*. You need that in the next step.
### Generate a iCSC
In this example, we will generate a iCSC with a length of 4, for a contactless card using service code 702. CSC can be generated with a length of 3,4 or 5. For American Express, PANs should be 15 digits and start with 34 or 37.
**Example**
```
$ aws payment-cryptography-data generate-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-1:111122223333:key/7vrybrbvjcvwtunv --primary-account-number=344131234567848 --generation-attributes AmexCardSecurityCodeVersion2='{CardExpiryDate=1224,ServiceCode=702}' --validation-data-length 4
```
```
{
"KeyArn": arn:aws:payment-cryptography:us-east-1:111122223333:key/7vrybrbvjcvwtunv,
"KeyCheckValue": 7121C7,
"ValidationData": "2365"
}
```
### Validate the iCSC
**Example**
In this example, we will validate a iCSC.
If AWS Payment Cryptography is able to validate, an http/200 is returned. If the value is not validated, it will return a http/400 response.
```
$ aws payment-cryptography-data verify-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-1:111122223333:key/7vrybrbvjcvwtunv --primary-account-number=344131234567848 --verification-attributes AmexCardSecurityCodeVersion2='{CardExpiryDate=1224,ServiceCode=702}' --validation-data 2365
```
```
{
"KeyArn": arn:aws:payment-cryptography:us-east-1:111122223333:key/7vrybrbvjcvwtunv,
"KeyCheckValue": 7121C7
}
```
## 3DS AEVV
3DS AEVV (3-D Secure Account Verification Value) is used for American Express 3-D Secure authentication. It uses the same algorithm as CSC2 but with different input parameters. The expiration date field should be populated with an unpredictable (random) number, and the service code consists of the AEVV Authentication Results Code (1 digit) plus the Second Factor Authentication Code (2 digits). The output length should be 3-digits.
For all available parameters see [AmexCardSecurityCodeVersion2](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_AmexCardSecurityCodeVersion2.html) in the API reference guide.
### Create key
```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_C0_CARD_VERIFICATION_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{Generate=true,Verify=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"3DS_AEVV"},{"Key":"CARD_BIN","Value":"12345678"}]'
```
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
```
{
"Key": {
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/kw8djn5qxvfh3ztm",
"KeyAttributes": {
"KeyUsage": "TR31_C0_CARD_VERIFICATION_KEY"
"KeyAlgorithm": "TDES_2KEY",
"KeyClass": "SYMMETRIC_KEY",
"KeyModesOfUse": {
"Decrypt": false,
"DeriveKey": false,
"Encrypt": false,
"Generate": true,
"NoRestrictions": false,
"Sign": false,
"Unwrap": false,
"Verify": true,
"Wrap": false
},
},
"KeyCheckValue": "8F3A21",
"KeyCheckValueAlgorithm": "ANSI_X9_24",
"Enabled": true,
"Exportable": true,
"KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
"KeyState": "CREATE_COMPLETE",
"CreateTimestamp": "2025-02-02T10:30:15.209000-05:00",
"UsageStartTimestamp": "2025-02-02T10:30:15.192000-05:00"
}
}
```
Take note of the `KeyArn` that represents the key, for example *arn:aws:payment-cryptography:us-east-2:111122223333:key/kw8djn5qxvfh3ztm*. You need that in the next step.
### Generate a 3DS AEVV
In this example, we will generate a 3DS AEVV with a length of 3. The expiration date field contains an unpredictable (random) number (e.g., 1234), and the service code consists of the AEVV Authentication Results Code (1 digit) plus the Second Factor Authentication Code (2 digits), for example 543 where 5 is the Authentication Results Code and 43 is the Second Factor Authentication Code. For American Express, PANs should be 15 digits and start with 34 or 37.
**Example**
```
$ aws payment-cryptography-data generate-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/kw8djn5qxvfh3ztm --primary-account-number=344131234567848 --generation-attributes AmexCardSecurityCodeVersion2='{CardExpiryDate=1234,ServiceCode=543}' --validation-data-length 3
```
```
{
"KeyArn": arn:aws:payment-cryptography:us-east-2:111122223333:key/kw8djn5qxvfh3ztm,
"KeyCheckValue": 8F3A21,
"ValidationData": "921"
}
```
### Validate the 3DS AEVV
**Example**
In this example, we will validate a 3DS AEVV.
If AWS Payment Cryptography is able to validate, an http/200 is returned. If the value is not validated, it will return a http/400 response.
```
$ aws payment-cryptography-data verify-card-validation-data --key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/kw8djn5qxvfh3ztm --primary-account-number=344131234567848 --verification-attributes AmexCardSecurityCodeVersion2='{CardExpiryDate=1234,ServiceCode=543}' --validation-data 921
```
```
{
"KeyArn": arn:aws:payment-cryptography:us-east-2:111122223333:key/kw8djn5qxvfh3ztm,
"KeyCheckValue": 8F3A21
}
```
# JCB specific functions
**Topics**
+ [ARQC - CVN04](#use-cases-issuers.networkfunctions.jcb.cvn04)
+ [ARQC - CVN01](#use-cases-issuers.networkfunctions.jcb.cvn01)
## ARQC - CVN04
JCB CVN04 utilizes the [CSK method](use-cases-issuers.generalfunctions.arqc.md) of key derivation. Please see the scheme documentation for details on constructing the transaction data field.
## ARQC - CVN01
CVN01 is an older JCB method for EMV transactions that uses per card key derivation rather than session (per transaction) derivation and also uses a different payload. This message is also used by Visa hence the element name has that name even though it's also used for JCB. For information on the payload contents, please contact the scheme documentation.
### Create key
```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{DeriveKey=true}' --tags='[{"Key":"KEY_PURPOSE","Value":"CVN10"},{"Key":"CARD_BIN","Value":"12345678"}]'
```
The response echoes back the request parameters, including an ARN for subsequent calls as well as a Key Check Value (KCV).
```
{
"Key": {
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk",
"KeyAttributes": {
"KeyUsage": "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS",
"KeyClass": "SYMMETRIC_KEY",
"KeyAlgorithm": "TDES_2KEY",
"KeyModesOfUse": {
"Encrypt": false,
"Decrypt": false,
"Wrap": false,
"Unwrap": false,
"Generate": false,
"Sign": false,
"Verify": false,
"DeriveKey": true,
"NoRestrictions": false
}
},
"KeyCheckValue": "08D7B4",
"KeyCheckValueAlgorithm": "ANSI_X9_24",
"Enabled": true,
"Exportable": true,
"KeyState": "CREATE_COMPLETE",
"KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
"CreateTimestamp": "2024-03-07T06:41:46.648000-07:00",
"UsageStartTimestamp": "2024-03-07T06:41:46.626000-07:00"
}
}
```
Take note of the `KeyArn` that represents the key, for example *arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk*. You need that in the next step.
### Validate the ARQC
**Example**
In this example, we will validate an ARQC generated using JCB CVN01. This uses the same options as the Visa method, hence the name of the parameter.
If AWS Payment Cryptography is able to validate the ARQC, an http/200 is returned. If the arqc is not validated, it will return a http/400 response.
```
$ aws payment-cryptography-data verify-auth-request-cryptogram --auth-request-cryptogram D791093C8A921769 \
--key-identifier arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk \
--major-key-derivation-mode EMV_OPTION_A \
--transaction-data 00000000170000000000000008400080008000084016051700000000093800000B03011203000000 \
--session-key-derivation-attributes='{"Visa":{"PanSequenceNumber":"01" \
,"PrimaryAccountNumber":"9137631040001422"}}'
```
```
{
"KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/pw3s6nl62t5ushfk",
"KeyCheckValue": "08D7B4"
}
```