Sunday, January 15, 2012

What is ARQC?

Each EMV transaction request is supposed to contain ARQC, which is a cryptogram generated from the transaction data. In the context of EMV, a cryptogram can be thought of as a digital signature on the financial transaction. A valid, verifiable cryptogram tells you two things:

  • the financial message originated from the source that it claims to be from
  • the contents of the message have not been altered 

There are two cryptograms used in EMV: ARQC (Authorisation Request Cryptogram) and ARPC (Authorisation Response Cryptogram). The first one, ARQC, is generated by the card (after taking some values from the terminal), and hence it's part of a request message. The second one, ARPC, is generated by the issuer and hence it's part of a response message.

Steps for ARQC Generation

There are four basic steps to ARQC generation:
  1. Card Key Derivation 
  2. Session Key Derivation 
  3. Preparation of Input Data in ARQC Calculation
  4. Encryption/ Hashing (the final step that gives the ARQC)
Restating the above list, the first step is to derive the card key and then use the card key to derive a session key. In parallel, we need to prepare some data and then encrypt that data with the session key derived in the previous step.

Exact details vary from one chip program to another!

Step 1 and 2: Card and Session Key Derivation

When a card is out in the field, it already contains Issuer Master Key. But to create an ARQC for a particular transaction, two new keys are required: the first key is called Card Key and the second key is called Session Key. Each EMV scheme (such as M/Chip and Visa) has its own algorithm for generation of the card key and/ or the session key. Some of these algorithms are standardized and part of the EMV specification while some others are proprietary with the vendor.

The Card Key is unique to the card and the Session Key is unique to the transaction. It's Session Key which is used for the final encryption in step 4.

Step 3: Data Preparation

In parallel to the key derivation as described above, an important step of ARQC generation is “preparation of input data”, mentioned as point #3 in the list above. Once again, which EMV tags are concatenated to prepare this input data is EMV scheme specific.

Step 4: ARQC Generation 

Finally, once the Session Key and Input Data are ready, the Input Data is encrypted using the Session Key to give the ARQC.

25 comments:

  1. Could you please to understand with the help of example?

    ReplyDelete
  2. The exact algorithms depend on the card scheme. For example, Visa might have a different procedure as compared to Mastercard. I'll check what details are available as open standard (in the form of EMV) and post back. Thanks for asking!

    ReplyDelete
    Replies
    1. Hello Sir i am from TURKEY and need to ask somethings about EMV my mail is here kendagasan@gmail.com and skype name is kendagasan i need to finish my project if you please help me about this matter i will be thankful sir.

      Delete
    2. salam muhammad how you doiing , hope you fine
      please i need to talk you in pravite if you write me at that email please please

      my email is amexleder@gmail.com
      thx alot man iam waitting your email thx

      Delete
  3. Thanks useful and in simple words. :) Great!

    ReplyDelete
  4. Informative blog. Thanks for sharing :-)

    ReplyDelete
  5. thanks for sharing. good information

    ReplyDelete
  6. Really helpful as simple :) Thanks Ali bhai

    ReplyDelete
  7. Hello. Thanks for the information provided.
    I wanna ask you about something that has happened these days.

    I am sending a AMEX EMV transaction to ATS(AMEX TEST SYSTEM), but it's complaining to have an incorrect application cryptogram. So I need a way to recalculated to confirm that is good or bad. I know that ARQC is based on some input data from the terminal that are compared to the CDOL from the card.

    How can i recalculate the ARQC?

    If you have any hints about it, please let me know.

    Have a nice day.

    ReplyDelete
    Replies
    1. Hello Carlos
      AMEX uses its GNSWeb simulator usually has an inbuilt tool to cal ARQC so you need to know the tlv from terminal and input it into the tool along with card number and pan seq num the basic tags required for arqc calc are:
      9f02-terminal
      9f03-terminal
      9f1a-terminal
      95-terminal
      5f2a-terminal
      9a-terminal
      9c-terminal
      9f37-terminal

      82-icc
      9f36-icc
      9f10-cvr bytes from ICC

      Also apart from this you have to update the card details with emv crypto keys also known as IMK so all in all there are 3 keys in amex sim crypto keys(for chip card) mac keys(for mac) and intergrity keys(for pin)

      Delete
  8. Hi Carlos Emilio Mejía Martínez,

    I have a diagnose system I maybe able to determine what exactly is the issue, forward the software to me at
    willimadam70@gmail.com

    Kind Regards,

    W. Adam

    ReplyDelete
  9. Need help...how can contact u in private...any private message... Like jabber skipe etc.

    ReplyDelete
  10. How can i recalculate the ARQC?
    For visa or mastercard....?
    Exist any way to do that?
    Pls give more details about that arqc certificates

    Best regards

    ReplyDelete
    Replies
    1. hii tell me if you need to know about arqc

      Delete
  11. how do i gen or decode extract arcq from real card

    ReplyDelete
  12. You cannot calculate ARQC, as the master key of the card will be in secured layer, and unique for every transaction,
    You need the following data:
    master key
    PAN, PAN sq no, ATC, Terminal data, card data, and above all algorithm and key parity,
    somewhat if you get master key, and record a card session
    you may calculate.

    ReplyDelete
  13. This comment has been removed by the author.

    ReplyDelete
  14. Hello guys,

    Hope you're fine.

    I'm facing that issue with the ARQC :

    The ARQC is not valid because the data transmitted to the Simulator by our POS Terminal is not the same as the data used by the card to calculate the ARQC.

    When analyzing our logs, I noticed that the ARQC has been calculated by the card with 5F2A = 0180 and our Terminal sent 5F2A = 0840 to the Simulator/Issuer.

    The Acquirer/Terminal must pass DE55 tags unaltered to the issuer.

    Please note that our country code is 0180 and currency code 0840.

    As our POS vendor seems not to know where to start, can you please assist us in telling me which parameter should be corrected to sort this out ?

    Regards,

    ReplyDelete
  15. Hi Christian, try using what the card is using since you only have control of the terminal parameters.

    ReplyDelete
  16. Is it mandatory that the ARQC be displayed on the credit card receipt?

    ReplyDelete
    Replies
    1. I don't think so. This might help: https://cayan.com/developers/knowledge-base/faqs/what-requirements-exist-for-printing-receipts

      Delete
    2. Muhammad - this was very helpful. We are also confirming with our credit card processor and Point of Sale vendor.

      Delete
  17. is there any document for the ARQC calculation of MASTERCARD and VISA.

    ReplyDelete