EMV Cryptograms in NFC: An Explanation

Papa Carder

EMV (Europay, Mastercard, and Visa) cryptograms are cryptographic codes generated during payment transactions to ensure security, authenticity, and integrity. They are a core component of the EMV standard, which governs chip-based payments to prevent fraud like cloning or replay attacks. In the context of NFC (Near Field Communication), which is the wireless technology enabling contactless "tap-to-pay" (based on ISO/IEC 14443), EMV cryptograms function similarly to contact-based EMV but leverage NFC's short-range radio frequency (13.56 MHz) for faster, proximity-limited data exchange. NFC acts as the transport layer, while EMV provides the security protocol, making contactless payments seamless yet secure.

Types of EMV Cryptograms

EMV cryptograms are 8-byte values (typically generated using 3DES or AES with a session key SK_AC derived from a master key and transaction counter ATC). They include:
  • ARQC (Authorization Request Cryptogram): Generated by the card to request online issuer approval; authenticates the card and data.
  • ARPC (Authorization Response Cryptogram): Generated by the issuer in response to a valid ARQC; authenticates the issuer's decision to the card.
  • TC (Transaction Certificate): Generated by the card for offline approvals; confirms successful completion.
  • AAC (Application Authentication Cryptogram): Generated by the card for declines; indicates rejection.

These cryptograms are dynamic (unique per transaction due to elements like ATC and unpredictable numbers), reducing risks compared to static magnetic stripe data.

How EMV Cryptograms Work in NFC

In NFC-enabled EMV transactions:
  1. Initiation: The terminal (reader) activates the card via NFC when tapped. The card responds with its data, including supported applications (e.g., via SELECT AID command).
  2. Risk Assessment: The card and terminal evaluate data (e.g., amount, currency) against risk parameters.
  3. Cryptogram Generation: If online authorization is needed, the card computes an ARQC and sends it, and the issuer responds with an ARPC. For offline transactions, a TC or AAC is generated directly.
  4. Verification and Completion: The card verifies ARPC (if applicable) and finalizes with TC (approve) or AAC (decline).

NFC's role is transmission: It handles half-duplex communication at speeds up to 848 kbps, but EMV ensures the cryptograms are encrypted and unique.

Comparison: EMV (General/Contact) vs. NFC (Contactless EMV)

While "EMV with NFC" is essentially contactless EMV, here's a comparison between traditional contact EMV and NFC-based contactless EMV:

| Aspect | EMV (Contact/Chip-and-PIN) | EMV in NFC (Contactless/Tap-to-Pay) |
|---|---|---|
| Interface | Physical insertion into reader; uses ISO 7816 for wired communication. | Wireless tap via NFC (ISO 14443); no insertion needed. |
| Speed | Slower (1-5 seconds due to insertion/PIN entry). | Faster (<1 second for low-value taps); ideal for high-volume scenarios like transit. |
| Security | Strong (chip encryption, PIN required often); less vulnerable to relay attacks. | Equivalent cryptogram security, but added NFC risks like relay attacks; mitigated by distance bounding. |
| Cryptogram Usage | Full EMV flow (ARQC/ARPC/TC/AAC); supports offline more robustly. | Same cryptograms, but optimized kernels (e.g., EMV Contactless Specs) for speed; often online-focused. |
| Limitations/Risks | Prone to "stuck in POS" issues; higher wear on chips. | Proximity risks (e.g., skimming); legacy modes like MSD vulnerable. |
| Adoption | Standard for secure chips globally; liability shift since 2015 in U.S. | Dominant for mobile wallets; >80% of transactions in many markets by 2026. |

In essence, NFC enhances EMV with contactless convenience, but both rely on the same cryptogram-based security. NFC introduces wireless vulnerabilities, addressed in modern EMV specs.
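
The cryptogram types and the ATC-based uniqueness described above can be checked on the receiving side. The following is an added example, not part of the original post: it parses a GENERATE AC response in EMV Format 1 (tag 0x80) to classify the cryptogram as ARQC, TC or AAC, then applies a simplified issuer-side freshness check on the ATC. The `AtcTracker` class, the card identifier and all sample bytes are assumptions constructed for illustration.

```python
# Added illustration: classify a GENERATE AC response and flag reused ATCs.
# Format 1 layout (tag 0x80): CID (1 byte) | ATC (2) | AC (8) | optional IAD.

# The top two bits of the Cryptogram Information Data select the type.
CID_TYPES = {0b00: "AAC", 0b01: "TC", 0b10: "ARQC", 0b11: "RFU"}


def parse_generate_ac(resp: bytes) -> dict:
    """Split a Format 1 response into its fields, rejecting malformed input."""
    if len(resp) < 2 or resp[0] != 0x80:
        raise ValueError("not a Format 1 (tag 0x80) template")
    length, body = resp[1], resp[2:]
    # 11 mandatory bytes plus an Issuer Application Data field of up to 32.
    if length != len(body) or not 11 <= length <= 43:
        raise ValueError("length byte inconsistent with body")
    return {
        "type": CID_TYPES[body[0] >> 6],
        "atc": int.from_bytes(body[1:3], "big"),
        "cryptogram": body[3:11],
        "iad": body[11:],
    }


class AtcTracker:
    """Hypothetical issuer-side store of the highest ATC seen per card."""

    def __init__(self):
        self._last = {}

    def check(self, card_id: str, atc: int) -> str:
        last = self._last.get(card_id)
        # A counter that does not advance means the cryptogram is not new.
        if last is not None and atc <= last:
            return "replay-suspect"
        self._last[card_id] = atc
        return "fresh"


def assess(tracker: AtcTracker, card_id: str, resp: bytes) -> tuple:
    """Return (cryptogram type, ATC, freshness verdict) for one response."""
    msg = parse_generate_ac(resp)
    return msg["type"], msg["atc"], tracker.check(card_id, msg["atc"])


# Constructed samples: tag/length, CID, ATC, 8-byte cryptogram (not real data).
SAMPLE_ARQC = bytes.fromhex("800B" "80" "0012" "1122334455667788")
SAMPLE_TC = bytes.fromhex("800B" "40" "0013" "8877665544332211")
```

A production issuer would also verify the cryptogram itself under SK_AC and would treat a stale ATC as a signal to investigate rather than an automatic decline, since offline transactions can reach the issuer out of order.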