Here is a comprehensive, in-depth explanation of EMV cryptogram detection, covering every major aspect: cryptographic construction, session key derivation, data elements, differences between brands (Visa vs Mastercard vs Amex vs others), detection methods at every level of the payment chain, modern enhancements (AES, CDA, relay attack resistance), and real-world attack vectors that cryptogram checks are designed to stop.
1. What the Cryptogram Actually Protects Against
The EMV cryptogram (ARQC/TC/AAC in tag 9F26) simultaneously proves four things in a single 8- or 16-byte value:
- Card authenticity – only a card possessing the correct symmetric keys can produce a valid cryptogram.
- Data integrity – the amount, currency, date, unpredictable number, etc., are exactly the same as what the card saw.
- Liveness/freshness – because the unpredictable number (UN) from the terminal and the ATC are included.
- Card decision – whether the card wants the transaction to go online (ARQC), be approved offline (TC), or declined (AAC).
2. Detailed Session Key Derivation (How the Card and Issuer Arrive at the Same Key)
Modern cards use one of two methods:
A. Common Legacy Method (3DES, still dominant in 2025)
- Card has a unique 16-byte (double-length) master key (UDK = Unique DES Key) per card, derived from issuer master key + PAN + PAN sequence number.
- During transaction, two session keys are derived from the ATC using 3DES-based diversification:
  - SK_AC (Session Key for Application Cryptogram) = 3DES(UDK, ATC || 0xF0… ) ⊕ 3DES(UDK, ATC || 0x0F… )
  - SK_MAC (sometimes used for other MACs)
- Result: 16-byte (double-length) 3DES session key unique per transaction.
B. Modern AES Method (Visa AES, Mastercard M/Chip Advance with AES, UnionPay, etc.)
- Issuer master key is an AES-128 or AES-256 key.
- Session key = AES-CMAC(IMK-AC, ATC || 0x00… || 0x80 0x00…)
- Usually produces 16-byte AES session key even if master key is 128-bit.
Both methods guarantee that the issuer can re-derive exactly the same session key using only data that travels in the authorization message (PAN, ATC, etc.).
3. Exact Data That Goes Into the Cryptogram Calculation
The card builds an array called the AC Session Data (different per brand, but very similar).
Visa (VISA Contact & Visa payWave – VSDC / qVSDC)
Data concatenated before MAC (simplified): [Method] || [ATC] || [Cryptogram Version Number] || [Amount Authorized] || [Amount Other] || [Terminal Country Code] || [TVR] || [Transaction Currency Code] || [Transaction Date] || [Transaction Type] || [Unpredictable Number] || [IAD (optional padding)]
MAC algorithm: 3DES (legacy) or AES-CMAC (newer cards).
Mastercard (M/Chip Advance, Contact & Contactless)
Uses Common Core Definitions (CCD) compliant data: [ATC] || [Cryptogram Version] || [Amount Auth] || [Amount Other] || [Country Code] || [Currency Code] || [Date] || [UN] || [TVR] || [Transaction Type] || [Padding 0x00 if needed]
MAC algorithm: 3DES or AES-CMAC depending on profile.
4. Cryptogram Types in Detail
| CID (9F27) | Meaning | When Issued | Issuer Expected Action |
|---|---|---|---|
| 80 | ARQC | Card wants online authorization | Must go online and verify cryptogram |
| 40 | TC | Offline approval | Transaction approved without issuer check |
| 00 | AAC | Card declines (limit exceeded, expired, etc.) | Transaction must be declined |
| 10 | AAR (Application Advisory) | Rare, usually for referral | Usually decline |
5. Cryptogram Detection and Validation at Every Layer
| Layer | Checks Performed | What It Catches |
|---|---|---|
| Terminal / POS | • 9F26 present? • CID = 80 when online expected? • ATC > previous ATC? • CVN (Cryptogram Version Number) supported? | Obvious fakes, replay of old PDOL data, stripped cards |
| Acquirer / Gateway | Same as terminal + sometimes basic format checks + ATC database per PAN | Organized replay attacks across many terminals |
| Network (VisaNet, Banknet, etc.) | Minimal checks, just routing | Almost none |
| Issuer Host (HISO/ACS) | Full cryptographic verification: 1. Re-derive session key 2. Rebuild exact same data string 3. Compute MAC 4. Compare with 9F26 | Fake cards, pre-play, relay, data manipulation, yes-cards |
Only the issuer host can perform the real, unbreakable check.
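The terminal and acquirer rows of the table above can be expressed as a screening step that runs before the issuer's cryptographic check. The following Python is an added example, not code from the original page: it parses the chip data TLVs and applies the presence, length, CID and ATC checks. The function names, the flat-TLV assumption, the use of tags 9F36 (ATC) and the top-two-bit CID mask from the EMV specification, and the sample bytes are assumptions made for illustration.

```python
CID_TYPES = {0x80: "ARQC", 0x40: "TC", 0x00: "AAC"}  # from the CID (9F27) table

def parse_tlv(data):
    """Parse a flat BER-TLV buffer of primitive EMV tags into {TAG_HEX: value}."""
    out, i = {}, 0
    while i < len(data):
        start, i = i, i + 1
        if data[start] & 0x1F == 0x1F:             # multi-byte tag, e.g. 9F26
            while i < len(data) and data[i] & 0x80:
                i += 1
            i += 1
        if i >= len(data):
            raise ValueError("truncated tag or length")
        tag = data[start:i].hex().upper()
        length, i = data[i], i + 1
        if length & 0x80:                           # long-form length
            n = length & 0x7F
            if n == 0 or i + n > len(data):
                raise ValueError("bad length field")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("value of %s runs past buffer" % tag)
        out[tag], i = data[i:i + length], i + length
    return out

def screen(field55, last_atc=None):
    """Return reasons to reject before the issuer MAC check; [] means forward."""
    try:
        tlv = parse_tlv(field55)
    except ValueError as exc:
        return ["malformed chip data: %s" % exc]
    reasons = []
    ac, cid, atc = tlv.get("9F26"), tlv.get("9F27"), tlv.get("9F36")
    if ac is None:
        reasons.append("9F26 missing")
    elif len(ac) not in (8, 16):                    # truncated cryptogram
        reasons.append("9F26 is %d bytes" % len(ac))
    if cid is None or len(cid) != 1:
        reasons.append("9F27 missing or malformed")
    elif CID_TYPES.get(cid[0] & 0xC0) != "ARQC":    # type is in the top two bits
        reasons.append("CID %02X is not ARQC" % cid[0])
    if atc is None or len(atc) != 2:
        reasons.append("9F36 missing or malformed")
    elif last_atc is not None and int.from_bytes(atc, "big") <= last_atc:
        reasons.append("ATC not above last seen value")
    return reasons

# Constructed samples: 9F26 (cryptogram), 9F27 (CID = 80), 9F36 (ATC = 0x0042)
GOOD = bytes.fromhex("9F2608" "1122334455667788" "9F270180" "9F3602" "0042")
TRUNCATED = bytes.fromhex("9F2604" "11223344" "9F270180" "9F3602" "0042")
```

An empty list from `screen` only means the message is well-formed enough to forward; whether the cryptogram is genuine is still decided by the issuer's MAC recomputation.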
6. Modern Enhancements That Make Attacks Harder
| Feature | Year Introduced | What It Prevents |
|---|---|---|
| Combined DDA/AC (CDA) | ~2007 (contactless) | Man-in-the-middle on contactless (card signs the cryptogram with static RSA key) |
| Dynamic Data Authentication (DDA) fallback check | Always | Ensures card has private key even if offline |
| AES cryptograms | ~2015–2020 | Much harder brute-force or key-recovery attacks |
| Strict ATC checking + velocity | Ongoing | Pre-play attacks (record 10 000 ARQCs and try to reuse) |
| Online-only CAM | Mastercard 2020+ | Forces online cryptogram even for low-value contactless |
| Transaction timestamp checks | Some issuers | Relay attacks that introduce large delays |
7. Real-World Attacks That Cryptogram Checks Stopped
| Attack Name | Year(s) | How It Worked | How Cryptogram Verification Stopped It |
|---|---|---|---|
| Pre-play attack | 2010–2014 | Record many ARQC/ARPC pairs from real card, later replay suitable one | Issuer recomputes cryptogram — replayed one never matches current UN + amount |
| Yes-card | 2009–2012 | Card always returns TC offline regardless of PIN/amount | Terminals started forcing online for high amounts + CDA |
| Wedge/relay attack | Ongoing | Real card in victim’s pocket approves relayed transaction | CDA + strict timing + online CAM largely defeats it |
| Mag-stripe fallback fraud | 2015–2020 | Chip blocked → force mag-stripe | Regions disabled fallback entirely |
| Truncated ARQC attack | 2011 | Send only first 4 bytes of ARQC | Terminals began requiring full 8 bytes |
8. Practical Example of a Failed Cryptogram (What the Issuer Sees)
```
Received ARQC: 1122334455667788
Issuer recomputes using correct key → expected: AABBCCDDEEFF0011
→ Mismatch → Response code 05 (Do not honour) or A1 (cryptogram error)
```
No human ever sees this — it is fully automated and happens in <200 ms.
Conclusion
EMV cryptogram detection is the single strongest anti-fraud mechanism in modern payments. When implemented correctly (especially full issuer verification + CDA for contactless), it makes card-present counterfeit fraud essentially impossible without physically stealing the card and PIN or performing a real-time relay attack (which is extremely hard at scale).
Even in 2025, after 25+ years of attacks, no practical break of correctly implemented EMV cryptogram verification exists when the transaction actually reaches the issuer for online verification. This is why liability shift rules place the liability on whoever did not support proper chip cryptograms.