What is ARQC and how does it work

[chushpan]

What is ARQC?​

ARQC (Authorization Request Cryptogram) is a cryptogram generated by a bank card chip when a transaction is made. It is used to authenticate the card and verify its authenticity during the payment authorization process. ARQC is a key element of the EMV (Europay, MasterCard, Visa) security system, which provides protection against fraud when using cards with a microchip.

How does ARQC work?​

When you make a transaction using a chip card, the following process occurs:

1. Initializing a transaction:
   • The terminal sends a request to the card, providing transaction details (e.g. amount, currency, unique terminal identifier).
2. ARQC generation:
   • The card chip uses a secret cryptographic key (stored in the card's memory) and an encryption algorithm to create ARQC.
   • The input data for generating ARQC includes:
     • Transaction details.
     • Unique card number (PAN).
     • Card validity period.
     • Transaction counter (ATC)
     • Random number (UN - Unpredictable Number) provided by the terminal.
3. ARQC transmission:
   • The ARQC cryptogram is sent along with other data to the bank’s processing center via the terminal.
4. ARQC Check:
   • The issuing bank's processing center verifies the ARQC using the same secret key and encryption algorithm.
   • If the ARQC is confirmed, the transaction is considered legitimate and the bank sends back an ARPC (Authorization Response Cryptogram) to complete authentication.

Why do we need ARQC?​

1. Protection against card counterfeiting:
   • ARQC guarantees that the card is genuine and issued by the issuing bank.
2. Data Security:
   • The use of cryptography makes it impossible to forge ARQC without access to the secret key.
3. EMV Compatibility:
   • ARQC is part of the EMV standard, which is used worldwide to ensure transaction security.

How is ARQC formed?​

The formation of ARQC depends on the algorithm specified in the card specification. The following standards are commonly used:

1. DES/3DES:
   • The most common algorithm for generating ARQC.
   • Triple DES encryption with a secret key is used.
2. AES:
   • Some modern systems use the more secure AES algorithm.

Example of the process:

• Input data (e.g. PAN, amount, ATC) are combined into one line.
• This string is encrypted using a secret key.
• The result of encryption is ARQC.

Example of using ARQC​

Scenario: Payment in a store[​

1. The client inserts the card into the POS terminal.
2. The terminal sends a request to the card, including transaction details.
3. The card chip generates an ARQC and sends it back to the terminal.
4. The terminal transmits ARQC to the bank’s processing center.
5. The bank checks the ARQC and sends a response (ARPC) confirming or rejecting the transaction.

What is ARPC?​

ARPC (Authorization Response Cryptogram) is a cryptogram that the bank sends back to the terminal after checking the ARQC. It confirms that the transaction was successfully authenticated.

Important points​

1. Secret key:
   • The secret key is stored only on the card chip and in the issuing bank’s system.
   • Even if an attacker intercepts the ARQC, he will not be able to decrypt or forge it without the key.
2. Uniqueness of ARQC:
   • Each ARQC is unique for each transaction due to the use of a random number (UN) and a transaction counter (ATC).
3. Defense against attacks:
   • ARQC protects against attacks such as card cloning or data reuse.

Conclusion​

ARQC is an important element of the EMV security system that provides reliable card authentication and transaction protection. It is used in all modern chip payment systems and helps prevent fraud. Understanding how ARQC works is important for payment technology professionals, POS terminal developers, and banking systems developers.

If you have additional questions about ARQC or its application, please ask!