As part of the certification process, are you asking me to pass my transaction key as a parameter? Doesn't this nullify the entire idea of security if the key used to encrypt the parameters is passed along as a parameter? I'm looking at the Testing Criteria Guide for Card Not Present 3.1 Application on page 7.
The guide that you are looking at was written originally for certification with AIM only. When using AIM, you would always pass in the transaction key. If you are using DPM, the fingerprint and associated fields would take the place of the transaction key. I'll make a note for our certication team to see if we can get the guide updated to reflect that.
