Good Carder
Overview of ARQC and ARPC
In EMV (Europay, Mastercard, and Visa) chip card transactions, Authorization Request Cryptogram (ARQC) and Authorization Response Cryptogram (ARPC) are cryptographic values used for secure online authorization. Both are part of the EMV standard to authenticate parties and ensure data integrity, preventing fraud like skimming or replay attacks. They rely on symmetric cryptography (e.g., 3DES or AES) with shared keys between the card and issuer. ARQC initiates the online process from the card, while ARPC responds from the issuer, forming a mutual authentication loop in online transactions.
Key Comparison
The table below summarizes the main differences and similarities between ARQC and ARPC:

| Aspect | ARQC (Authorization Request Cryptogram) | ARPC (Authorization Response Cryptogram) |
|---|---|---|
| Purpose | Requests online authorization from the issuer; authenticates the card and transaction data. | Responds to ARQC; authenticates the issuer and the authorization decision (approve/decline). |
| Generated By | EMV chip card (during transaction at terminal). | Card issuer (host system or HSM after validating ARQC). |
| When Generated | During the first GENERATE AC command (initiated by terminal after GET PROCESSING OPTIONS). | After issuer validates ARQC and decides on authorization (approve/decline). |
| Input Data | Transaction details from CDOL1 (e.g., amount, date, terminal country, unpredictable number, ATC). | ARQC (often XORed with ARC), Authorization Response Code (ARC), or Card Status Update (CSU). |
| Length | Typically 8 bytes. | 4 or 8 bytes (depending on method; e.g., Method 1: 8 bytes, Method 2: 4 bytes). |
| Validated By | Issuer (recomputes and compares). | Card (recomputes and compares during second GENERATE AC or EXTERNAL AUTHENTICATE). |
| Cryptographic Algorithm | Symmetric (e.g., 3DES in CBC mode, AES); uses session key derived from master key, PAN, and ATC. | Same as ARQC; often uses the same session key but over response data. |
| EMV Tag | 9F26 (in request APDU). | Included in response (e.g., ISO 8583 field 91), forwarded to card. |
| Contactless Considerations | Generated early for speed; card may not validate ARPC to avoid re-taps. | Often omitted in contactless (e.g., qVSDC) for faster processing; terminal decides outcome. |
| Outcome on Validation | If valid, issuer approves/declines and may generate ARPC. | If valid, card generates TC (approve) or AAC (decline); else, transaction fails. |
Similarities
- Security Role: Both are Message Authentication Codes (MACs) ensuring authenticity and integrity in online EMV flows.
- Cryptographic Basis: Use session keys derived from a master key, PAN, and ATC; dynamic elements like ATC prevent reuse.
- Dependency: ARPC is generated only if ARQC is valid; they form a chain in mutual authentication.
- Transmission: Sent via APDUs (ARQC from card to terminal, ARPC from issuer to card via terminal).
In summary, ARQC drives the request phase for card authentication, while ARPC secures the response for issuer authentication, together enabling robust online EMV transactions. For scheme-specific details (e.g., Visa vs. Mastercard), variations in methods or algorithms may apply.
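
The request/response loop described above, seen from the issuer's side, as an added example that is not part of the original post: it models ARQC validation, rejection of a replayed ATC, and an ARPC in the Method 1 shape (ARQC XOR zero-padded ARC). Truncated HMAC-SHA256 stands in for the 3DES/AES key derivation and MAC, and every name, key and transaction value is constructed for illustration.

```python
import hashlib
import hmac

def session_key(master_key: bytes, pan: str, atc: int) -> bytes:
    # Stand-in derivation from master key, PAN and ATC (assumption: HMAC-SHA256,
    # not the 3DES/AES derivation a real scheme specifies).
    return hmac.new(master_key, pan.encode() + atc.to_bytes(2, "big"), hashlib.sha256).digest()

def mac8(key: bytes, data: bytes) -> bytes:
    # Stand-in 8-byte MAC (truncated HMAC-SHA256).
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def card_arqc(master_key, pan, atc, txn_data):
    # Card side: cryptogram over the transaction data and the ATC.
    return mac8(session_key(master_key, pan, atc), txn_data + atc.to_bytes(2, "big"))

def arpc_for(sk, arqc, arc):
    # Method 1 shape: ARQC XOR (ARC zero-padded to 8 bytes), then keyed transform.
    block = bytes(a ^ b for a, b in zip(arqc, arc.ljust(8, b"\x00")))
    return mac8(sk, block)

class Issuer:
    def __init__(self, master_key):
        self.master_key = master_key
        self.last_atc = {}  # PAN -> highest ATC already accepted

    def authorize(self, pan, atc, txn_data, arqc, arc=b"00"):
        sk = session_key(self.master_key, pan, atc)
        expected = mac8(sk, txn_data + atc.to_bytes(2, "big"))
        if not hmac.compare_digest(expected, arqc):   # constant-time compare
            return ("decline", "bad_arqc", None)
        if atc <= self.last_atc.get(pan, -1):         # valid MAC but stale counter
            return ("decline", "replayed_atc", None)
        self.last_atc[pan] = atc
        return ("approve", "ok", arpc_for(sk, arqc, arc))

def card_accepts_arpc(master_key, pan, atc, arqc, arc, arpc):
    # Card side: recompute the ARPC and compare before trusting the decision.
    return hmac.compare_digest(arpc_for(session_key(master_key, pan, atc), arqc, arc), arpc)
```

The ATC check runs only after the cryptogram verifies, so a replayed message is logged as `replayed_atc` rather than being indistinguishable from a forged one.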