Good Carder
Overview of EMV Contactless APDUs
EMV contactless transactions enable secure, proximity-based payments using NFC technology, adhering to ISO/IEC 14443 standards for communication between the Proximity Coupling Device (PCD, e.g., terminal) and Proximity Integrated Circuit Card (PICC, e.g., card or mobile device). Unlike contact-based EMV, which uses physical chip insertion and starts with an Answer To Reset (ATR), contactless begins with RF polling, anti-collision, and UID selection, without an ATR. APDUs (Application Protocol Data Units) are the core communication units, formatted similarly to contact EMV but optimized for speed: fewer round trips, data minimization, and often with Le (expected response length) set to 0. Transactions must complete quickly (typically <500 ms), supporting low-value payments without Cardholder Verification Method (CVM) like PIN.
Contactless uses scheme-specific kernels (e.g., EMVCo Book C-2 for Mastercard, C-3 for Visa) rather than a unified kernel, and emphasizes online authorization for higher values. Data is BER-TLV encoded (Tag-Length-Value), with responses including status words (SW1-SW2, e.g., 9000 for success).
Key Differences from Contact-Based EMV APDUs
- Initiation: Contactless uses PPSE (Proximity Payment System Environment, "2PAY.SYS.DDF01") instead of PSE ("1PAY.SYS.DDF01") to list AIDs (Application Identifiers). No ATR; starts with ISO 14443 polling.
- Flow Simplifications: Streamlined for speed; omits steps like explicit PIN in low-value modes (e.g., Visa qVSDC skips GENERATE AC). Supports legacy modes (e.g., MagStripe emulation with dynamic CVV).
- CVM and Risk: Often "No CVM" for low amounts; online PIN for high-value. Terminal Transaction Qualifiers (TTQ, 9F66) flag contactless specifics like CDCVM (Consumer Device CVM).
- Kernels and AIDs: Network-specific kernels (e.g., C-2 Mastercard, C-3 Visa); AIDs same as contact but prioritized in PPSE. Highest-priority AID selected automatically.
- Cryptograms: Similar (ARQC for online, TC for offline approve), but often generated early; ARPC (issuer response) may be ignored to avoid re-taps.
- Interface: RF field (up to 4 cm); no mixing with contact data. Vulnerabilities include relay attacks and weak replay prevention.
Typical Contactless Transaction Flow
The flow is kernel-driven, focusing on selection, initiation, data read, authentication, CVM/risk, and cryptogram. Steps:
- Detection/Activation: Terminal polls (REQA/REQB), anti-collision, selects PICC.
- PPSE Selection: Get list of AIDs/priorities.
- AID Selection: Choose debit/credit AID; get PDOL (9F38).
- GET PROCESSING OPTIONS (GPO): Send PDOL data (e.g., amount); get AIP (82, capabilities) and AFL (94, file locators).
- READ RECORD: Fetch data per AFL (e.g., PAN at 5A, expiry at 5F24).
- Offline Data Authentication (optional): SDA/DDA/CDA.
- CVM/Risk Assessment: Check limits; no CVM for low-value.
- GENERATE AC: Request cryptogram (ARQC/TC/AAC); get 9F26 (cryptogram), 9F27 (info), 9F36 (ATC), 9F10 (IAD).
- Online Authorization (if needed): Send to issuer; optional second GEN AC for TC/AAC.
For ATMs: Tap initiates, cryptogram generated; PIN after (online only). Re-tap may be required for security.
Detailed APDU Examples
Examples in hex; C-APDU from terminal, R-APDU from card. Based on common schemes (e.g., Visa/Mastercard); actual values vary by card/kernel. SW1-SW2: 9000 = success, 6A82 = not found.
1. SELECT PPSE ("2PAY.SYS.DDF01")
- C-APDU: 00 A4 04 00 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 00
- CLA: 00, INS: A4 (SELECT), P1: 04 (by name), P2: 00 (first), Lc: 0E, Data: PPSE ASCII hex, Le: 00.
- Typical R-APDU: 6F [Len] 84 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 A5 [Len] BF0C [Len] 61 [Len] 4F [AID] ... 90 00
- FCI with AID templates (tag 61), priorities (87).
2. SELECT AID (e.g., Visa Debit: A0000000031010)
- C-APDU: 00 A4 04 00 07 A0 00 00 00 03 10 10 00
- Data: AID.
- Typical R-APDU: 6F [Len] 84 07 A0 00 00 00 03 10 10 A5 [Len] 50 [App Label] 9F38 [PDOL] ... 90 00
- Includes PDOL for GPO data requirements.
3. GET PROCESSING OPTIONS (GPO)
- C-APDU: 80 A8 00 00 [Lc] 83 [PDOL Len] [PDOL Data, e.g., 9F02 (amount)] 00
- Example (empty PDOL): 80 A8 00 00 02 83 00 00
- Typical R-APDU: 77/80 [Len] 82 [AIP] 94 [AFL] ... 90 00
- AIP: Capabilities; AFL: Files to read.
4. READ RECORD (e.g., Record 1, SFI from AFL, say 0C)
- C-APDU: 00 B2 01 0C 00
- P1: Record, P2: (SFI << 3) | 4.
- Typical R-APDU: 70 [Len] 5A [PAN] 5F24 [Expiry] ... 90 00
5. COMPUTE CRYPTOGRAPHIC CHECKSUM (Mastercard MagStripe Mode)
- C-APDU: 80 2A 8E 80 [Lc] [UDOL Data] 00
- Typical R-APDU: 77 [Len] 9F61 [CVC3] 9F62 [Track1 Bits] 9F36 [ATC] 90 00
6. GENERATE APPLICATION CRYPTOGRAM (GEN AC)
- C-APDU: 80 AE [P1, e.g., 80 for ARQC] 00 [Lc] [CDOL Data] 00
- Example: 80 AE 80 00 [Lc] [Data] 00
- Typical R-APDU: 77/80 [Len] 9F27 [CID] 9F10 [IAD] 9F26 [Cryptogram] 9F36 [ATC] 90 00
- Cryptogram types: ARQC (online request), TC (approve), AAC (decline).
For qVSDC (Visa quick mode), GEN AC may be omitted. In ATM contexts, cryptogram amount often 0 if unknown at generation. Refer to EMVCo specs for full variations.
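Added example, not part of the original post: a BER-TLV decoder for the R-APDU layouts listed above, written for terminal test logs or trace review, that masks the PAN (tag 5A) before the decoded fields are stored. The function names, the first-six/last-four masking policy and the sample bytes are assumptions made for this example.

```python
# Added example, not code from the original post. Sample bytes are constructed;
# 4111111111111111 is a widely used test PAN, not a real account.
SAMPLE_READ_RECORD = "70 10 5A 08 41 11 11 11 11 11 11 11 5F 24 03 30 12 31 90 00"

def parse_tlv(buf):
    """Parse BER-TLV into (tag, value) pairs; constructed tags hold a list."""
    out, i = [], 0
    try:
        while i < len(buf):
            start, first = i, buf[i]
            i += 1
            if first & 0x1F == 0x1F:          # multi-byte tag (e.g. 5F24, 9F38)
                while buf[i] & 0x80:
                    i += 1
                i += 1
            tag = buf[start:i].hex().upper()
            length, i = buf[i], i + 1
            if length & 0x80:                 # long form: low 7 bits = byte count
                n = length & 0x7F
                length, i = int.from_bytes(buf[i:i + n], "big"), i + n
            if i + length > len(buf):
                raise IndexError
            value, i = buf[i:i + length], i + length
            out.append((tag, parse_tlv(value) if first & 0x20 else value))
    except IndexError:
        raise ValueError("truncated TLV") from None
    return out

def decode_rapdu(hexstr, sensitive=("5A",)):
    """Return (status word, flat {tag: hex}) with sensitive tags masked."""
    b = bytes.fromhex(hexstr)
    if len(b) < 2:
        raise ValueError("R-APDU needs at least SW1 SW2")
    flat = {}
    def walk(items):
        for tag, val in items:
            if isinstance(val, list):         # constructed template (70, 6F, A5...)
                walk(val)
            elif tag in sensitive:
                d = val.hex().upper().rstrip("F")   # drop odd-length PAN padding
                flat[tag] = d[:6] + "*" * max(len(d) - 10, 0) + d[-4:]
            else:
                flat[tag] = val.hex().upper()
    walk(parse_tlv(b[:-2]))
    return b[-2:].hex().upper(), flat

if __name__ == "__main__":
    print(decode_rapdu(SAMPLE_READ_RECORD))
```

A truncated or malformed response raises `ValueError` instead of yielding partial fields, so a log pipeline can reject it rather than store undecoded card data.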