

**This documentation is for Version 1 of the Amazon CLI only.**

We announced the upcoming end-of-support for the Amazon CLI version 1. We recommend that you migrate to the Amazon CLI version 2. For dates, additional details, and information on how to migrate, see the [announcement](https://amazonaws-china.com/blogs/developer/cli-v1-maintenance-mode-announcement/). For documentation related to Version 2 of the Amazon CLI, see the [Version 2 User Guide](https://docs.amazonaws.cn/cli/latest/userguide/).

# Amazon Payment Cryptography Data Plane examples using Amazon CLI
<a name="cli_payment-cryptography-data_code_examples"></a>

The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Amazon Payment Cryptography Data Plane.

*Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.

Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.

**Topics**
+ [Actions](#actions)

## Actions
<a name="actions"></a>

### `decrypt-data`
<a name="payment-cryptography-data_DecryptData_cli_topic"></a>

The following code example shows how to use `decrypt-data`.

**Amazon CLI**  
**To decrypt ciphertext**  
The following `decrypt-data` example decrypts ciphertext data using a symmetric key. For this operation, the key must have `KeyModesOfUse` set to `Decrypt` and `KeyUsage` set to `TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY`.  

```
aws payment-cryptography-data decrypt-data \
    --key-identifier {{arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h}} \
    --cipher-text {{33612AB9D6929C3A828EB6030082B2BD}} \
    --decryption-attributes '{{Symmetric={Mode=CBC}}}'
```
Output:  

```
{
    "KeyArn": "arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h",
    "KeyCheckValue": "71D7AE",
    "PlainText": "31323334313233343132333431323334"
}
```
For more information, see [Decrypt data](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/decrypt-data.html) in the *Amazon Payment Cryptography User Guide*.  
+  For API details, see [DecryptData](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/payment-cryptography-data/decrypt-data.html) in *Amazon CLI Command Reference*. 

### `encrypt-data`
<a name="payment-cryptography-data_EncryptData_cli_topic"></a>

The following code example shows how to use `encrypt-data`.

**Amazon CLI**  
**To encrypt data**  
The following `encrypt-data` example encrypts plaintext data using a symmetric key. For this operation, the key must have `KeyModesOfUse` set to `Encrypt` and `KeyUsage` set to `TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY`.  

```
aws payment-cryptography-data encrypt-data \
    --key-identifier {{arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h}} \
    --plain-text {{31323334313233343132333431323334}} \
    --encryption-attributes '{{Symmetric={Mode=CBC}}}'
```
Output:  

```
{
    "KeyArn": "arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h",
    "KeyCheckValue": "71D7AE",
    "CipherText": "33612AB9D6929C3A828EB6030082B2BD"
}
```
For more information, see [Encrypt data](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/encrypt-data.html) in the *Amazon Payment Cryptography User Guide*.  
+  For API details, see [EncryptData](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/payment-cryptography-data/encrypt-data.html) in *Amazon CLI Command Reference*. 

### `generate-card-validation-data`
<a name="payment-cryptography-data_GenerateCardValidationData_cli_topic"></a>

The following code example shows how to use `generate-card-validation-data`.

**Amazon CLI**  
**To generate a CVV**  
The following `generate-card-validation-data` example generates a CVV/CVV2.  

```
aws payment-cryptography-data generate-card-validation-data \
    --key-identifier {{arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h}} \
    --primary-account-number=171234567890123 \
    --generation-attributes {{CardVerificationValue2={CardExpiryDate=0123}}}
```
Output:  

```
{
    "KeyArn": "arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h",
    "KeyCheckValue": "CADDA1",
    "ValidationData": "801"
}
```
For more information, see [Generate card data](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/generate-card-data.html) in the *Amazon Payment Cryptography User Guide*.  
+  For API details, see [GenerateCardValidationData](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/payment-cryptography-data/generate-card-validation-data.html) in *Amazon CLI Command Reference*. 

### `generate-mac`
<a name="payment-cryptography-data_GenerateMac_cli_topic"></a>

The following code example shows how to use `generate-mac`.

**Amazon CLI**  
**To generate a MAC**  
The following `generate-card-validation-data` example generates a Hash-Based Message Authentication Code (HMAC) for card data authentication using the algorithm HMAC\_SHA256 and an HMAC encryption key. The key must have `KeyUsage` set to `TR31_M7_HMAC_KEY` and `KeyModesOfUse` to `Generate`.  

```
aws payment-cryptography-data generate-mac \
    --key-identifier {{arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h}} \
    --message-data {{"3b313038383439303031303733393431353d32343038323236303030373030303f33"}} \
    --generation-attributes {{Algorithm=HMAC_SHA256}}
```
Output:  

```
{
    "KeyArn": "arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h,
    "KeyCheckValue": "2976E7",
    "Mac": "ED87F26E961C6D0DDB78DA5038AA2BDDEA0DCE03E5B5E96BDDD494F4A7AA470C"
}
```
For more information, see [Generate MAC](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/generate-mac.html) in the *Amazon Payment Cryptography User Guide*.  
+  For API details, see [GenerateMac](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/payment-cryptography-data/generate-mac.html) in *Amazon CLI Command Reference*. 

### `generate-pin-data`
<a name="payment-cryptography-data_GeneratePinData_cli_topic"></a>

The following code example shows how to use `generate-pin-data`.

**Amazon CLI**  
**To generate a PIN**  
The following `generate-card-validation-data` example generate a new random PIN using the Visa PIN scheme.  

```
aws payment-cryptography-data generate-pin-data \
    --generation-key-identifier {{arn:aws:payment-cryptography:us-east-2:111122223333:key/37y2tsl45p5zjbh2}} \
    --encryption-key-identifier {{arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt}} \
    --primary-account-number {{171234567890123}} \
    --pin-block-format {{ISO_FORMAT_0}} \
    --generation-attributes {{VisaPin={PinVerificationKeyIndex=1}}}
```
Output:  

```
{
    "GenerationKeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/37y2tsl45p5zjbh2",
    "GenerationKeyCheckValue": "7F2363",
    "EncryptionKeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt",
    "EncryptionKeyCheckValue": "7CC9E2",
    "EncryptedPinBlock": "AC17DC148BDA645E",
    "PinData": {
        "VerificationValue": "5507"
    }
}
```
For more information, see [Generate PIN data](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/generate-pin-data.html) in the *Amazon Payment Cryptography User Guide*.  
+  For API details, see [GeneratePinData](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/payment-cryptography-data/generate-pin-data.html) in *Amazon CLI Command Reference*. 

### `re-encrypt-data`
<a name="payment-cryptography-data_ReEncryptData_cli_topic"></a>

The following code example shows how to use `re-encrypt-data`.

**Amazon CLI**  
**To re-encrypt data with a different key**  
The following `re-encrypt-data` example decrypts cipher text that was encrypted using an AES symmetric key and re-encrypts it using a Derived Unique Key Per Transaction (DUKPT) key.  

```
aws payment-cryptography-data re-encrypt-data \
    --incoming-key-identifier {{arn:aws:payment-cryptography:us-west-2:111122223333:key/hyvv7ymboitd4vfy}} \
    --outgoing-key-identifier {{arn:aws:payment-cryptography:us-west-2:111122223333:key/jl6ythkcvzesbxen}} \
    --cipher-text {{4D2B0BDBA192D5AEFEAA5B3EC28E4A65383C313FFA25140101560F75FE1B99F27192A90980AB9334}} \
    --incoming-encryption-attributes {{"Dukpt={Mode=ECB,KeySerialNumber=0123456789111111}"}} \
    --outgoing-encryption-attributes '{{{"Symmetric": {"Mode": "ECB"}}}}'
```
Output:  

```
{
    "CipherText": "F94959DA30EEFF0C035483C6067667CF6796E3C1AD28C2B61F9CFEB772A8DD41C0D6822931E0D3B1",
    "KeyArn": "arn:aws:payment-cryptography:us-west-2:111122223333:key/jl6ythkcvzesbxen",
    "KeyCheckValue": "2E8CD9"
}
```
For more information, see [Encrypt and decrypt data](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops.encryptdecrypt.html) in the *Amazon Payment Cryptography User Guide*.  
+  For API details, see [ReEncryptData](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/payment-cryptography-data/re-encrypt-data.html) in *Amazon CLI Command Reference*. 

### `translate-pin-data`
<a name="payment-cryptography-data_TranslatePinData_cli_topic"></a>

The following code example shows how to use `translate-pin-data`.

**Amazon CLI**  
**To translate PIN data**  
The following `translate-pin-data` example translates a PIN from PEK TDES encryption using ISO 0 PIN block to an AES ISO 4 PIN Block using the DUKPT algorithm.  

```
aws payment-cryptography-data translate-pin-data \
    --encrypted-pin-block {{"AC17DC148BDA645E"}} \
    --incoming-translation-attributes=IsoFormat0='{PrimaryAccountNumber=171234567890123}' \
    --incoming-key-identifier {{arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt}} \
    --outgoing-key-identifier {{arn:aws:payment-cryptography:us-east-2:111122223333:key/4pmyquwjs3yj4vwe}} \
    --outgoing-translation-attributes IsoFormat4="{PrimaryAccountNumber=171234567890123}" \
    --outgoing-dukpt-attributes KeySerialNumber="FFFF9876543210E00008"
```
Output:  

```
{
    "PinBlock": "1F4209C670E49F83E75CC72E81B787D9",
    "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt
    "KeyCheckValue": "7CC9E2"
}
```
For more information, see [Translate PIN data](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/translate-pin-data.html) in the *Amazon Payment Cryptography User Guide*.  
+  For API details, see [TranslatePinData](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/payment-cryptography-data/translate-pin-data.html) in *Amazon CLI Command Reference*. 

### `verify-auth-request-cryptogram`
<a name="payment-cryptography-data_VerifyAuthRequestCryptogram_cli_topic"></a>

The following code example shows how to use `verify-auth-request-cryptogram`.

**Amazon CLI**  
**To verify an auth request**  
The following `verify-auth-request-cryptogram` example verifies an Authorization Request Cryptogram (ARQC).  

```
aws payment-cryptography-data verify-auth-request-cryptogram \
    --auth-request-cryptogram {{F6E1BD1E6037FB3E}} \
    --auth-response-attributes '{{{"ArpcMethod1": {"AuthResponseCode": "1111"}}}}' \
    --key-identifier {{arn:aws:payment-cryptography:us-west-2:111122223333:key/pboipdfzd4mdklya}} \
    --major-key-derivation-mode {{"EMV_OPTION_A"}} \
    --session-key-derivation-attributes '{{{"EmvCommon": {"ApplicationTransactionCounter": "1234","PanSequenceNumber": "01","PrimaryAccountNumber": "471234567890123"}}}}' \
    --transaction-data {{"123456789ABCDEF"}}
```
Output:  

```
{
    "AuthResponseValue": "D899B8C6FBF971AA",
    "KeyArn": "arn:aws:payment-cryptography:us-west-2:111122223333:key/pboipdfzd4mdklya",
    "KeyCheckValue": "985792"
}
```
For more information, see [Verify auth request (ARQC) cryptogram](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/data-operations.verifyauthrequestcryptogram.html) in the *Amazon Payment Cryptography User Guide*.  
+  For API details, see [VerifyAuthRequestCryptogram](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/payment-cryptography-data/verify-auth-request-cryptogram.html) in *Amazon CLI Command Reference*. 

### `verify-card-validation-data`
<a name="payment-cryptography-data_VerifyCardValidationData_cli_topic"></a>

The following code example shows how to use `verify-card-validation-data`.

**Amazon CLI**  
**To validate a CVV**  
The following `verify-card-validation-data` example validates a CVV/CVV2 for a PAN.  

```
aws payment-cryptography-data verify-card-validation-data \
    --key-identifier {{arn:aws:payment-cryptography:us-east-2:111122223333:key/tqv5yij6wtxx64pi}} \
    --primary-account-number=171234567890123 \
    --verification-attributes {{CardVerificationValue2={CardExpiryDate=0123}}} \
    --validation-data {{801}}
```
Output:  

```
{
    "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/tqv5yij6wtxx64pi",
    "KeyCheckValue": "CADDA1"
}
```
For more information, see [Verify card data](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/verify-card-data.html) in the *Amazon Payment Cryptography User Guide*.  
+  For API details, see [VerifyCardValidationData](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/payment-cryptography-data/verify-card-validation-data.html) in *Amazon CLI Command Reference*. 

### `verify-mac`
<a name="payment-cryptography-data_VerifyMac_cli_topic"></a>

The following code example shows how to use `verify-mac`.

**Amazon CLI**  
**To verify a MAC**  
The following `verify-mac` example verifies a Hash-Based Message Authentication Code (HMAC) for card data authentication using the algorithm HMAC\_SHA256 and an HMAC encryption key.  

```
aws payment-cryptography-data verify-mac \
    --key-identifier {{arn:aws:payment-cryptography:us-east-2:111122223333:key/qnobl5lghrzunce6}} \
    --message-data {{"3b343038383439303031303733393431353d32343038323236303030373030303f33"}} \
    --verification-attributes='Algorithm=HMAC_SHA256' \
    --mac {{ED87F26E961C6D0DDB78DA5038AA2BDDEA0DCE03E5B5E96BDDD494F4A7AA470C}}
```
Output:  

```
{
    "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/qnobl5lghrzunce6,
    "KeyCheckValue": "2976E7",
}
```
For more information, see [Verify MAC](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/verify-mac.html) in the *Amazon Payment Cryptography User Guide*.  
+  For API details, see [VerifyMac](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/payment-cryptography-data/verify-mac.html) in *Amazon CLI Command Reference*. 

### `verify-pin-data`
<a name="payment-cryptography-data_VerifyPinData_cli_topic"></a>

The following code example shows how to use `verify-pin-data`.

**Amazon CLI**  
**To verify a PIN**  
The following `verify-pin-data` example validates a PIN for a PAN.  

```
aws payment-cryptography-data verify-pin-data \
    --verification-key-identifier {{arn:aws:payment-cryptography:us-east-2:111122223333:key/37y2tsl45p5zjbh2}} \
    --encryption-key-identifier {{arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt}} \
    --primary-account-number {{171234567890123}} \
    --pin-block-format {{ISO_FORMAT_0}} \
    --verification-attributes VisaPin="{PinVerificationKeyIndex=1,VerificationValue=5507}" \
    --encrypted-pin-block {{AC17DC148BDA645E}}
```
Output:  

```
{
    "VerificationKeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/37y2tsl45p5zjbh2",
    "VerificationKeyCheckValue": "7F2363",
    "EncryptionKeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt",
    "EncryptionKeyCheckValue": "7CC9E2",
}
```
For more information, see [Verify PIN data](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/verify-pin-data.html) in the *Amazon Payment Cryptography User Guide*.  
+  For API details, see [VerifyPinData](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/payment-cryptography-data/verify-pin-data.html) in *Amazon CLI Command Reference*. 