AWS Security ChangesHomeSearch

AWS payment-cryptography documentation change

Service: payment-cryptography · 2025-11-22 · Documentation medium

File: payment-cryptography/latest/userguide/generate-mac.md

Summary

Expanded supported MAC algorithms to include ISO 9797-1 Algorithm 1 and 3 in the Generate MAC API documentation.

Security assessment

The update enhances documentation for cryptographic features but does not indicate a security fix.

Diff

diff --git a/payment-cryptography/latest/userguide/generate-mac.md b/payment-cryptography/latest/userguide/generate-mac.md
index db07bc9ec..aa64ccba5 100644
--- a//payment-cryptography/latest/userguide/generate-mac.md
+++ b//payment-cryptography/latest/userguide/generate-mac.md
@@ -7 +7 @@
-Generate MAC API is used to authenticate card-related data, such as track data from a card magnetic stripe, by using known data values to generate a MAC (Message Authentication Code) for data validation between sending and receiving parties. The data used to generate MAC includes message data, secret MAC encryption key and MAC algorithm to generate a unique MAC value for transmission. The receiving party of the MAC will use the same MAC message data, MAC encryption key, and algorithm to reproduce another MAC value for comparison and data authentication. Even if one character of the message changes or the MAC key used for verification is not identical, the resulting MAC value is different. The API supports DUPKT MAC, HMAC and EMV MAC encryption keys for this operation.
+Generate MAC API is used to authenticate card-related data, such as track data from a card magnetic stripe, by using known data values to generate a MAC (Message Authentication Code) for data validation between sending and receiving parties. The data used to generate MAC includes message data, secret MAC encryption key and MAC algorithm to generate a unique MAC value for transmission. The receiving party of the MAC will use the same MAC message data, MAC encryption key, and algorithm to reproduce another MAC value for comparison and data authentication. Even if one character of the message changes or the MAC key used for verification is not identical, the resulting MAC value is different. The API supports ISO 9797-1 Algorithm 1 and ISO 9797-1 Algorithm 3 MAC (using a static MAC key and a derived DUKPT key), HMAC and EMV MAC encryption keys for this operation.
@@ -16,2 +16 @@ In this example, we will generate a HMAC (Hash-Based Message Authentication Code
-        --message-data "3b313038383439303031303733393431353d32343038323236303030373030303f33" \ 
-        --generation-attributes Algorithm=HMAC_SHA256
+        --message-data "3b313038383439303031303733393431353d32343038323236303030373030303f33"