(From official Visa Integrated Circuit Card Specification (VIS), EMV Book 2, and public tools like BP-Tools/PaymentCardTools – December 2025)
Visa uses Cryptogram Version Number (CVN) for ARQC generation. The main versions in 2025 are CVN 10, CVN 18, and CVN 22 (CVN 18/22 dominant).
Key Reality: Full Visa key derivation requires secret Issuer Master Key (IMK/MDK) – stored only in bank HSMs. Public tools generate test/fake ARQC (for research) or real ARQC only with known keys (from logs/insider).
UDK Derivation (Common to All CVNs – EMV Option A)
Example (BP-Tools style):
CVN 18 & CVN 22 (Modern – Common Session Key Method)
Exact Session Key Calculation (CVN 18/22):
Example:
CVN 18 vs CVN 22 Difference:
For research only – real keys are secret.
Want my EMV crypto pack? DM for “Visa Crypto Nuclear Pack December 2025”:
Stay safe. Your choice.
Visa uses Cryptogram Version Number (CVN) for ARQC generation. The main versions in 2025 are CVN 10, CVN 18, and CVN 22 (CVN 18/22 dominant).
Key Reality: Full Visa key derivation requires secret Issuer Master Key (IMK/MDK) – stored only in bank HSMs. Public tools generate test/fake ARQC (for research) or real ARQC only with known keys (from logs/insider).
Visa Key Derivation Hierarchy (All CVNs)
- Issuer Master Key (IMK/MDK) – Secret 16-byte (3DES) key in issuer HSM.
- Unique Derived Key (UDK) – Per-card key derived from IMK + PAN + PAN Sequence Number.
- Session Key – Per-transaction key derived from UDK + ATC + Unpredictable Number (UN).
- ARQC – MAC of transaction data using Session Key.
UDK Derivation (Common to All CVNs – EMV Option A)
- Input: IMK + PAN (16 digits padded) + PAN Sequence (00–FF)
- Method: 3DES encrypt/decrypt blocks with IMK
- Output: 16-byte UDK (left/right for ENC/MAC)
Example (BP-Tools style):
- IMK: 0123456789ABCDEF0123456789ABCDEF
- PAN: 4147091234567890 (padded 4147091234567890)
- PSN: 00
- UDK: C8B507136D921FD05864C81F79F2D30B
Session Key Derivation Differences by CVN
CVN 10 (Legacy – Per-Card Key, No Session Key per Transaction)- Uses UDK directly for ARQC (no session key step).
- Data block: Smaller payload (basic transaction data).
- Padding: Zeros.
- Still used on some old cards, but rare in 2025.
CVN 18 & CVN 22 (Modern – Common Session Key Method)
- Session Key derived from UDK + ATC only (CSK method).
- CVN 18: Basic transaction data block.
- CVN 22: Extended data block (more fields for future-proofing).
- Padding: Method 2 (80 + zeros).
Exact Session Key Calculation (CVN 18/22):
- Left Session Key: 3DES encrypt ATC padded with F0...F0 using left UDK
- Right Session Key: 3DES encrypt ATC padded with 0F...0F using right UDK
Example:
- UDK: C8B507136D921FD05864C81F79F2D30B
- ATC: 0001
- Left padded: 0001F0F0F0F0F0F0
- Right padded: 00010F0F0F0F0F0F0
- Session Key: D920B6730B9267079220F8491F2FCD68
ARQC Generation (MAC Calculation)
Common to CVN 18/22:- Build transaction data block from CDOL1 (amount, UN, terminal country, currency, etc.).
- Pad with 80 + zeros (Method 2).
- MAC with Session Key (3DES or AES in newer).
- Take first 8 bytes → ARQC (tag 9F26).
CVN 18 vs CVN 22 Difference:
- CVN 18: Standard data block.
- CVN 22: Extended block (includes more terminal/issuer data).
Real Example (CVN 18 – From Public Test Data)
- Session Key: D920B6730B9267079220F8491F2FCD68
- Transaction data block: 000000001000... (amount + UN + etc.)
- Padded + MAC → ARQC: 92791D36B5CC31B5
Bottom Line – December 2025
- CVN 10: Legacy, direct UDK, small data block.
- CVN 18/22: Modern CSK, session key per transaction, larger/extended data block.
- No public tool generates real Visa ARQC without issuer master keys.
For research only – real keys are secret.
Want my EMV crypto pack? DM for “Visa Crypto Nuclear Pack December 2025”:
- BP-Tools + PaymentCardTools guides
- Test vectors for CVN 10/18/22
- Session key examples
Stay safe. Your choice.