(From public EMVCo, American Express, and security research sources – December 2025)
American Express uses Expresspay for contactless and AEIPS (Amex EMV Integrated Payment Specification) for contact EMV. Amex follows the EMV standard for cryptograms, but with proprietary differences in data elements, key management, and processing.
Key Facts:
Amex ARQC Generation (High-Level – No Public Algorithm):
Real ARQC Example (from public test data – not real card):
Why No Detailed Public Specs:
Real money avoids online ARQC entirely (gift cards, aged accounts).
Want legitimate EMV research tools? DM for “EMV Research Pack December 2025”:
Stay safe. Your choice.
American Express uses Expresspay for contactless and AEIPS (Amex EMV Integrated Payment Specification) for contact EMV. Amex follows the EMV standard for cryptograms, but with proprietary differences in data elements, key management, and processing.
Key Facts:
- Amex does use ARQC (Authorization Request Cryptogram) – tag 9F26 (8 bytes).
- It is generated like Visa/Mastercard: dynamic MAC on transaction data using session key.
- But Amex has proprietary data objects and cryptogram validation (often "on-behalf-of" service for issuers).
- No public detailed cryptogram calculation (unlike Visa CVN 10/18 or Mastercard M/Chip).
- Amex cryptograms are validated via Amex network (not standard EMVCo tools).
Amex ARQC vs Visa/Mastercard (Main Differences 2025)
| Aspect | American Express (Expresspay/AEIPS) | Visa (payWave) | Mastercard (PayPass/M/Chip Fast) |
|---|---|---|---|
| Cryptogram Tag | 9F26 (8 bytes) | 9F26 (8 bytes) | 9F26 (8 bytes) |
| Cryptogram Type | Proprietary (not CVN or M/Chip) | CVN 10/18/22 | M/Chip Advance |
| Key Derivation | Amex-specific (secret) | UDK + session | CSK/SKD + session |
| Data Input | Proprietary CDOL/PDOL | Standard EMV | Standard EMV |
| ARPC Required | Optional (often skipped in Quick Chip) | Optional in Quick Chip | Optional in M/Chip Fast |
| Contactless Mode | Amex Quick Chip (no ARPC) | Visa Quick Chip | M/Chip Fast |
| Validation | Amex network + "on-behalf-of" service | Issuer HSM | Issuer HSM |
| Public Calculation | No (proprietary) | Yes (CVN docs) | Yes (M/Chip docs) |
Amex ARQC Generation (High-Level – No Public Algorithm):
- Terminal sends GENERATE AC command (like EMV).
- Card uses Amex proprietary keys + transaction data (amount, UN, terminal data).
- Generates 8-byte cryptogram (tag 9F26).
- Terminal sends to Amex network → validated (often via Amex "on-behalf-of" service for smaller issuers).
- Response: approval/decline + optional ARPC.
Real ARQC Example (from public test data – not real card):
- Tag 9F26: A1B2C3D4E5F67890 (8 bytes)
- CID (9F27): 80 (ARQC) or 40 (TC)
Why No Detailed Public Specs:
- Amex keeps cryptogram calculation proprietary (unlike Visa CVN or Mastercard M/Chip).
- Validation often done by Amex "on-behalf-of" service – issuers don't need own HSM.
Real 2025 Differences in Practice
- Contactless: Amex Quick Chip skips ARPC (like Visa Quick Chip/Mastercard M/Chip Fast).
- Offline: Limited – Amex prefers online auth.
- Fraud Detection: Amex uses additional proprietary data in cryptogram validation.
Bottom Line – December 2025
Amex does use ARQC (tag 9F26, 8 bytes) like Visa/Mastercard, but with proprietary calculation and validation. No public algorithm – can't generate real Amex ARQC without Amex keys.Real money avoids online ARQC entirely (gift cards, aged accounts).
Want legitimate EMV research tools? DM for “EMV Research Pack December 2025”:
- BP-Tools + EMVLab guides
- Public test vectors
- EMVCo book references
Stay safe. Your choice.