Generate a new AES-256 session key for every secure-data request.
The AES key must be no smaller than 256 bits.
Keep the original AES session key on the cardholder device or secure client application.
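The three rules above, enforced on the client side, as an added example that is not part of the original page. `SessionKeyStore`, `check_key` and the local request id are hypothetical names, and the sketch assumes the key is held in process memory until the request is finished.

```python
import secrets

MIN_KEY_BITS = 256  # the page's minimum AES key size


def check_key(key: bytes) -> bytes:
    """Reject any key shorter than 256 bits (e.g. AES-128 or AES-192 keys)."""
    bits = len(key) * 8
    if bits < MIN_KEY_BITS:
        raise ValueError(f"AES session key is {bits} bits; need >= {MIN_KEY_BITS}")
    return key


class SessionKeyStore:
    """Holds session keys in client memory only, one per secure-data request."""

    def __init__(self):
        # request_id -> key bytes; never written to disk, logs or the wire
        self._keys = {}

    def new_request(self) -> str:
        """Create a fresh CSPRNG key for one request and return its local id."""
        request_id = secrets.token_hex(16)  # hypothetical local handle
        key = secrets.token_bytes(MIN_KEY_BITS // 8)
        self._keys[request_id] = bytearray(check_key(key))
        return request_id

    def key_for(self, request_id: str) -> bytes:
        """Return the original key for this request; it stays on the client."""
        return bytes(self._keys[request_id])

    def discard(self, request_id: str) -> None:
        """Best-effort overwrite, then drop the key once the request is done."""
        key = self._keys.pop(request_id)
        for i in range(len(key)):
            key[i] = 0


if __name__ == "__main__":
    store = SessionKeyStore()
    first, second = store.new_request(), store.new_request()
    # Each request has its own 256-bit key.
    print(len(store.key_for(first)) * 8, store.key_for(first) != store.key_for(second))
    store.discard(first)
```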