Papa Carder
Overview of EMV Cryptogram Types
EMV (Europay, Mastercard, and Visa) is the global standard for chip-based payment cards, and it uses cryptograms to protect each transaction. An application cryptogram is a Message Authentication Code (MAC) computed with a symmetric algorithm (3DES, with AES in the newer specifications) under a key that only the card and its issuer hold; RSA signatures are used separately for offline data authentication (SDA/DDA/CDA), which proves the card's static data or the card itself is genuine without contacting the issuer. Together they authenticate the card, the transaction data, and the issuer's response, so a cloned card without the key cannot produce a valid cryptogram and a captured one cannot be replayed against a fresh transaction. Cryptograms therefore fall into two areas: transaction authorization (approve, decline, or go online) and offline data authentication.

The core cryptogram types are generated by the card or the issuer during different phases of a transaction. They are computed with a session key derived from the card's master key and the Application Transaction Counter (ATC), over transaction-specific inputs such as amount, date, and terminal data. The card's decision on the transaction (approve offline, decline, or request online authorization) determines which type of cryptogram it produces.
Main EMV Cryptogram Types
EMV cryptograms are collectively called Application Cryptograms (AC); the card reports which type it produced in the Cryptogram Information Data (tag 9F27) returned alongside the cryptogram. The primary types are:
- ARQC (Authorization Request Cryptogram): Generated by the card to request online authorization from the issuer. It authenticates the card and the transaction data, ensuring their integrity and origin. The terminal forwards the ARQC to the issuer in the authorization request. The minimum input set is the amount authorized, amount other, terminal country code, Terminal Verification Results (TVR), transaction currency code, transaction date, transaction type, and the terminal's unpredictable number, plus the card's own AIP and ATC. The issuer recomputes the MAC with the card's key and compares; a match confirms the card is genuine and the transaction data were not altered in transit.
- ARPC (Authorization Response Cryptogram): Generated by the issuer in response to a valid ARQC, over the ARQC and the Authorization Response Code (ARC). It authenticates the issuer's approval or decline back to the card, so a terminal or intermediary cannot forge an approval or alter the response. The card verifies the ARPC (via EXTERNAL AUTHENTICATE or the second GENERATE AC) before it trusts the decision or applies any issuer scripts.
- TC (Transaction Certificate): Generated by the card when it approves a transaction, either offline in the first GENERATE AC or in the second GENERATE AC after the issuer's online approval has been verified. It is the card's proof that the transaction was completed and is kept by the acquirer for clearing and dispute handling.
- AAC (Application Authentication Cryptogram): Generated by the card when it declines, either on its own offline risk parameters (e.g., offline spending limits or counters exceeded) or after an online decline. No further authorization follows.
- AAR (Application Authorization Referral): Defined in EMV 3.1.1 and removed from EMV 4.x, where its CID value is reserved for future use. It let the card request a referral (e.g., voice authorization) when it wanted issuer input but not full online processing.
Comparison of EMV Cryptogram Types
| Cryptogram Type | Generated By | Purpose | Scenario | CID (9F27) High Bits, Hex |
|---|---|---|---|---|
| ARQC | Card | Request online authorization; authenticate card and transaction | Online transactions | 80 |
| ARPC | Issuer | Respond to ARQC; authenticate issuer's decision | Online response | N/A (not card-generated; carried in Issuer Authentication Data, tag 91) |
| TC | Card | Confirm approval; provide transaction proof | Offline approval, or second GENERATE AC after online approval | 40 |
| AAC | Card | Indicate decline | Offline decline, or after online decline | 00 |
| AAR | Card | Request referral for further authorization | Referral needed (EMV 3.1.1 only) | C0 (RFU in EMV 4.x) |
Generation and Validation Process
The terminal builds the cryptogram input from the Card Risk Management Data Object Lists (CDOL1 for the first GENERATE AC, CDOL2 for the second), which list the terminal data the card needs, such as transaction currency code (5F2A), Terminal Verification Results (95), and unpredictable number (9F37). The card adds its own data, notably the Application Interchange Profile (82) and the ATC (9F36), before computing the MAC. A typical online flow:
- The terminal sends GENERATE AC with the CDOL1 data; the card decides and returns the CID plus the cryptogram (an ARQC if it wants to go online).
- The card derives a session key from its ICC master key and the current ATC, then computes the cryptogram as a MAC over the CDOL1 data, AIP, ATC and, depending on the issuer's cryptogram version, the Issuer Application Data.
- The issuer recomputes and validates the ARQC, then returns an ARPC together with the ARC in the authorization response.
- The terminal passes the ARPC to the card (EXTERNAL AUTHENTICATE or the second GENERATE AC with CDOL2 data); the card verifies it and returns a TC or an AAC as the final cryptogram.
- For offline transactions, the card returns a TC or AAC directly in the first GENERATE AC.
In contactless EMV (ISO/IEC 14443) the same cryptograms are used, usually in a single GENERATE AC because the card may leave the field before the response arrives; issuer scripts carried in the response are protected separately by secure messaging. Tools like AWS Payment Cryptography or EMV cryptogram calculators can generate and verify these values for testing.
For full details, refer to EMVCo specifications (e.g., EMV 4.3 Book 2: Security and Key Management).
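As an added example (not code from the original post), the following Go program models both sides of the exchange described above with the standard library's crypto/des: the EMV common session key derivation from an ICC master key and the ATC, the ISO/IEC 9797-1 Algorithm 3 (Retail) MAC over the CDOL1 data, AIP and ATC that yields the ARQC, the issuer's ARPC Method 1 response, and the card's verification of it. The master key, AIP and CDOL1 values are constructed demo data, not taken from any real card; the function names are this example's own, and it assumes a cryptogram version with no Issuer Application Data in the MAC input (real issuers fix the exact inputs and ARPC method by CVN).

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Constructed demo inputs, not real card data: 16-byte ICC master key, AIP (82), and the
// CDOL1 values a terminal sends in GENERATE AC, in EMV Book 2 section 8.1 order: Amount
// Authorised, Amount Other, Terminal Country Code, TVR, Currency Code, Date, Type, UN.
var (
	demoMK    = mustHex("0123456789ABCDEFFEDCBA9876543210")
	demoAIP   = mustHex("1900")
	demoCDOL1 = mustHex("000000001000" + "000000000000" + "0840" + "0000000000" +
		"0840" + "240115" + "00" + "1A2B3C4D")
)

func mustHex(s string) []byte {
	b, _ := hex.DecodeString(s)
	return b
}

// cidType decodes bits 8-7 of Cryptogram Information Data (tag 9F27); the low bits carry
// advice/reason codes and are ignored here. 0xC0 was AAR in EMV 3.1.1 and is RFU in 4.x.
func cidType(cid byte) string {
	return []string{"AAC", "TC", "ARQC", "AAR/RFU"}[cid>>6]
}

// tdesBlock encrypts one 8-byte block with two-key triple DES (K1 K2 K1).
func tdesBlock(key16, in []byte) []byte {
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	out := make([]byte, 8)
	c.Encrypt(out, in)
	return out
}

// sessionKey is the EMV common session key derivation (Book 2 Annex A1.3):
// SK = 3DES(MK)[ATC || F0 || 00*5] || 3DES(MK)[ATC || 0F || 00*5].
func sessionKey(mk []byte, atc uint16) []byte {
	var a [2]byte
	binary.BigEndian.PutUint16(a[:], atc)
	l := []byte{a[0], a[1], 0xF0, 0, 0, 0, 0, 0}
	r := []byte{a[0], a[1], 0x0F, 0, 0, 0, 0, 0}
	return append(tdesBlock(mk, l), tdesBlock(mk, r)...)
}

// retailMAC is ISO/IEC 9797-1 MAC Algorithm 3 with DES and padding method 2 (Book 2 Annex
// A1.2): pad 80 00.., CBC-chain single DES under K_L, then decrypt with K_R, re-encrypt with K_L.
func retailMAC(sk, data []byte) []byte {
	padded := append(append([]byte{}, data...), 0x80)
	padded = append(padded, make([]byte, (8-len(padded)%8)%8)...)
	kl, _ := des.NewCipher(sk[:8])
	kr, _ := des.NewCipher(sk[8:])
	h, blk := make([]byte, 8), make([]byte, 8)
	for i := 0; i < len(padded); i += 8 {
		for j := range blk {
			blk[j] = h[j] ^ padded[i+j]
		}
		kl.Encrypt(h, blk)
	}
	kr.Decrypt(blk, h)
	kl.Encrypt(h, blk)
	return h
}

// generateAC is the card side of GENERATE AC: the 8-byte cryptogram over CDOL1 data || AIP ||
// ATC || IAD. ARQC, TC and AAC use the same MAC; only the CID returned with it differs.
func generateAC(sk, cdol1, aip []byte, atc uint16, iad []byte) []byte {
	var a [2]byte
	binary.BigEndian.PutUint16(a[:], atc)
	data := append(append(append(append([]byte{}, cdol1...), aip...), a[:]...), iad...)
	return retailMAC(sk, data)
}

// arpcMethod1 is the issuer's response cryptogram (Book 2 section 8.2.1, Method 1):
// 3DES(SK)[ARQC XOR (ARC || 00*6)], ARC being the 2-byte Authorisation Response Code.
func arpcMethod1(sk, arqc []byte, arc [2]byte) []byte {
	x := append([]byte{}, arqc...)
	x[0], x[1] = x[0]^arc[0], x[1]^arc[1]
	return tdesBlock(sk, x)
}

// verifyARPC is what the card does on EXTERNAL AUTHENTICATE: recompute the ARPC and
// compare in constant time, so a forged or modified issuer response is rejected.
func verifyARPC(sk, arqc []byte, arc [2]byte, arpc []byte) bool {
	return subtle.ConstantTimeCompare(arpcMethod1(sk, arqc, arc), arpc) == 1
}

func main() {
	atc := uint16(1)
	sk := sessionKey(demoMK, atc)
	ac := generateAC(sk, demoCDOL1, demoAIP, atc, nil)
	arc := [2]byte{'0', '0'} // ARC "00": approved
	arpc := arpcMethod1(sk, ac, arc)
	fmt.Printf("CID 80 = %s, ARQC %X, ARPC %X, card accepts: %v\n",
		cidType(0x80), ac, arpc, verifyARPC(sk, ac, arc, arpc))
}
```

Changing any CDOL1 byte (the amount, say) or the ATC changes the ARQC, which is why a captured cryptogram cannot be replayed; flipping the ARC in the response makes verifyARPC fail, which is the check that stops a terminal from turning a decline into an approval.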