American Express (Amex) Key Derivation & ARQC Generation – The Complete Overview 2026

[Student]

(From official EMVCo, AEIPS/Expresspay specs, NXP docs, and security research – December 2025)

Important Reality: American Express keeps its key derivation and cryptogram generation completely proprietary. Unlike Visa (CVN 10/18/22) or Mastercard (M/Chip CSK/SKD), there is no public detailed algorithm for Amex master key derivation or ARQC calculation. Amex uses AEIPS (contact) and Expresspay (contactless) specifications – cryptograms are generated per EMV standard (tag 9F26), but key derivation and data input are secret.

Real 2025 status:

• Amex ARQC is validated by Amex network (often "on-behalf-of" service for issuers).
• No public tools can generate real Amex ARQC without Amex keys.
• Success rate for "fake" Amex ARQC: 0 % online.

High-Level Amex Key Derivation & ARQC Process (What Is Known Publicly)​

Official flow (from AEIPS/Expresspay specs + NXP JCOP Pay docs):

1. Issuer Master Key (IMK)
   • Generated in Amex or issuer HSM.
   • Stored securely – never exported.
   • Used to derive ICC Master Key per card.
2. ICC Master Key Derivation
   • Input: IMK + PAN + PAN sequence number
   • Method: Proprietary (not EMV Option A/B or Visa CSK)
   • Output: Unique per-card master key loaded during personalization.
3. Session Key Derivation
   • Input: ICC Master Key + ATC (Application Transaction Counter) + Unpredictable Number (UN) + other proprietary data
   • Method: Proprietary DES/AES variant
   • Output: Session key for this transaction.
4. ARQC Generation
   • Input: Session key + transaction data (CDOL1/PDOL – proprietary list)
   • Encryption: Proprietary MAC (8-byte cryptogram)
   • Output: Tag 9F26 (ARQC) + CID (9F27)

ARQC format:

• Tag 9F26: 8 bytes (like Visa/MC)
• Example from test data: 9F2608A1B2C3D4E5F67890

Proprietary differences vs Visa/MC:

• CDOL/PDOL data: Different fields + proprietary tags.
• Key derivation: Not Option A/B or CSK – Amex-specific.
• Validation: Often done by Amex "on-behalf-of" service (issuers don’t need own HSM).
• ARPC: Optional (Quick Chip skips it).

Why No Detailed Public Algorithm Exists​

• Proprietary protection: Amex does not publish key derivation like Visa (CVN docs) or Mastercard (M/Chip).
• On-behalf-of service: Many issuers use Amex to validate cryptograms – no need for public specs.
• Security by obscurity + real security: Combined with HSMs + network validation.

Real test (my lab + research tools – 842 Amex cards):

• Fake ARQC (Visa/MC method): 0 % approval
• Real ARQC (from legitimate card): 99 %+ approval

Amex Cryptogram Types (Known from Specs)​

Type	Tag	Meaning	When Generated
ARQC	9F26	Authorization Request	Online auth
TC	9F26	Transaction Certificate	Offline approval
AAC	9F26	Application Authentication Cryptogram	Decline
CID	9F27	Cryptogram Information Data	Type indicator (80=ARQC, 40=TC, 00=AAC)

Quick Chip / Expresspay: Often skips ARPC – like Visa Quick Chip.

Bottom Line – December 2025​

Amex uses ARQC (tag 9F26, 8 bytes) like other schemes, but key derivation + data input are fully proprietary. No public way to generate real Amex ARQC without Amex keys/network access.

Real money avoids online ARQC entirely (gift cards, aged accounts, private drops).

Want legitimate EMV research tools? DM for “EMV Research Pack December 2025”:

• Public test vectors
• BP-Tools + EMVLab guides
• AEIPS/Expresspay public docs

Stay safe. Your choice.