Sunday, January 15, 2012

What is ARQC?

Each EMV transaction request is supposed to contain an ARQC, which is a cryptogram generated from the transaction data. In the context of EMV, a cryptogram can be thought of as a digital signature on the financial transaction. A valid, verifiable cryptogram tells you two things:

  • the financial message originated from the source that it claims to be from
  • the contents of the message have not been altered 

There are two cryptograms used in EMV: ARQC (Authorisation Request Cryptogram) and ARPC (Authorisation Response Cryptogram). The first one, ARQC, is generated by the card (after taking some values from the terminal), and hence it's part of a request message. The second one, ARPC, is generated by the issuer and hence it's part of a response message.

Steps for ARQC Generation

There are four basic steps to ARQC generation:
  1. Card Key Derivation
  2. Session Key Derivation
  3. Preparation of Input Data in ARQC Calculation
  4. Encryption/Hashing (the final step that gives the ARQC)

Restating the above list, the first step is to derive the card key and then use the card key to derive a session key. In parallel, we need to prepare some data and then encrypt that data with the session key derived in the previous step.

Exact details vary from one chip program to another!

Steps 1 and 2: Card and Session Key Derivation

When a card is out in the field, it already contains the Issuer Master Key. But to create an ARQC for a particular transaction, two new keys are required: the first key is called the Card Key and the second key is called the Session Key. Each EMV scheme (such as M/Chip and Visa) has its own algorithm for generation of the card key and/or the session key. Some of these algorithms are standardized and part of the EMV specification, while others are proprietary to the vendor.

The Card Key is unique to the card and the Session Key is unique to the transaction. It is the Session Key that is used for the final encryption in step 4.

Step 3: Data Preparation

In parallel to the key derivation as described above, an important step of ARQC generation is “preparation of input data”, mentioned as point #3 in the list above. Once again, which EMV tags are concatenated to prepare this input data is EMV scheme specific.

Step 4: ARQC Generation 

Finally, once the Session Key and Input Data are ready, the Input Data is encrypted using the Session Key to give the ARQC.
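The four steps above, carried through in working code as an added example that is not from this blog. Since the post notes that the exact details vary by scheme, the example fixes one concrete set of choices, all taken from the EMV specification itself: the EMV Book 2 "Option A" card key derivation (PAN and PAN Sequence Number diversifying the Issuer Master Key), the EMV 4.x common session key derivation (diversified by the Application Transaction Counter, ATC), and ISO/IEC 9797-1 padding method 2 with MAC Algorithm 3 for the final step, which is what the specification actually means by "encryption" of the input data: a DES-based MAC that yields the 8-byte ARQC. The issuer master key, PAN, PSN, ATC and transaction data are constructed test values, the function names are my own, and the odd-parity adjustment of derived keys is omitted because DES ignores parity bits. The issuer-side check is included because that is where the two properties listed at the top of the post (origin and integrity) are actually enforced.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// tdesEncrypt: one 8-byte block under a 16-byte two-key Triple DES key (K1,K2,K1).
func tdesEncrypt(key16, block []byte) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// Step 1, card key derivation (EMV Book 2 Option A): Y = rightmost 16 digits of
// PAN||PSN as packed BCD; card key = TDES(IMK, Y) || TDES(IMK, Y xor FF..FF).
func deriveCardKey(imk []byte, pan, psn string) []byte {
	y := pan + psn
	if len(y) > 16 {
		y = y[len(y)-16:]
	}
	for len(y) < 16 {
		y = "0" + y
	}
	yb, err := hex.DecodeString(y) // decimal digits are valid hex nibbles
	if err != nil {
		panic(err)
	}
	inv := make([]byte, 8)
	for i := range yb {
		inv[i] = yb[i] ^ 0xFF
	}
	return append(tdesEncrypt(imk, yb), tdesEncrypt(imk, inv)...)
}

// Step 2, session key derivation (EMV 4.x common session key): encrypt the
// diversifiers ATC||F0||00.. and ATC||0F||00.. under the card key.
func deriveSessionKey(cardKey []byte, atc uint16) []byte {
	var dl, dr [8]byte
	binary.BigEndian.PutUint16(dl[:], atc)
	binary.BigEndian.PutUint16(dr[:], atc)
	dl[2], dr[2] = 0xF0, 0x0F
	return append(tdesEncrypt(cardKey, dl[:]), tdesEncrypt(cardKey, dr[:])...)
}

// pad80: ISO/IEC 9797-1 padding method 2, a 0x80 byte then zeros to a multiple of 8.
func pad80(data []byte) []byte {
	out := append(append([]byte{}, data...), 0x80)
	for len(out)%8 != 0 {
		out = append(out, 0x00)
	}
	return out
}

// Step 4, ISO/IEC 9797-1 MAC Algorithm 3: DES CBC-MAC under the left key half, then
// decrypt the last block under the right half and re-encrypt under the left.
func macAlg3(key16, data []byte) []byte {
	kl, errL := des.NewCipher(key16[:8])
	kr, errR := des.NewCipher(key16[8:])
	if errL != nil || errR != nil {
		panic("session key must be 16 bytes")
	}
	p, h := pad80(data), make([]byte, 8)
	for i := 0; i < len(p); i += 8 {
		for j := range h {
			h[j] ^= p[i+j]
		}
		kl.Encrypt(h, h)
	}
	kr.Decrypt(h, h)
	kl.Encrypt(h, h)
	return h
}

// generateARQC chains the four steps; txData is the scheme-specific tag concatenation of Step 3.
func generateARQC(imk []byte, pan, psn string, atc uint16, txData []byte) []byte {
	return macAlg3(deriveSessionKey(deriveCardKey(imk, pan, psn), atc), txData)
}

// verifyARQC is the issuer-side check: recompute from the shared IMK, compare in constant time.
func verifyARQC(imk []byte, pan, psn string, atc uint16, txData, arqc []byte) bool {
	return subtle.ConstantTimeCompare(generateARQC(imk, pan, psn, atc, txData), arqc) == 1
}

func main() {
	// Constructed sample values (test IMK, test PAN/PSN, ATC 1) and a data string in the usual
	// order: amount, other amount, terminal country, TVR, currency, date, type, UN, AIP, ATC, CVR.
	imk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	txData, _ := hex.DecodeString("0000000010000000000000000826000000000008261201150 01A2B3C4D18000001A00003220000")
	arqc := generateARQC(imk, "5412345678901234", "00", 1, txData)
	fmt.Printf("ARQC: %X\n", arqc)
	fmt.Println("issuer verifies:", verifyARQC(imk, "5412345678901234", "00", 1, txData, arqc))
}
```

Two things the code makes visible that the prose does not: the issuer stores no per-card key at all, it re-derives the card key and session key from the Issuer Master Key, the PAN/PSN and the ATC carried in the request, so the ATC in the message must be the one the card actually used; and because the ARQC is a MAC rather than a reversible encryption, the issuer verifies it by recomputation and comparison, which is why constant-time comparison belongs in the verifier.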

Thursday, January 12, 2012

EMV Versions

EMV got standardized in 1995. The first widely used version was EMV 3.0, published in 1996, which is why it's popularly known as EMV '96. Some modifications to the standard were done in 1998, giving us EMV 3.1.1.

Another version came out in Dec 2000. Though the formal name was EMV 4.0, it became popularly known as EMV 2000. Finally, another version came out as EMV 4.1 in June 2007, which fortunately didn't get its name altered.

Minor improvements to EMV 4.1 resulted in EMV 4.2 in Jun 2008, and further in EMV 4.3 which was published very recently in Nov 2011.

Tuesday, January 10, 2012

EMV Schemes

There are various EMV schemes out there. The term, EMV scheme, is normally used to refer to a concrete implementation of the EMV specification by a vendor. Another common term for the same is "chip card program."

The most famous EMV schemes or chip programs are VSDC (Visa Smart Debit and Credit) by Visa and M/Chip by Mastercard. Other EMV schemes with good market penetration are AEIPS by American Express (AMEX), JCB (Japan Card Bureau), etc.

While a chip card can be identified at the terminal by reading the "Application Identifier" (AID) on the chip, an online transaction message based on ISO-8583 doesn't contain the AID.

Sunday, January 8, 2012

What is EMV?

EMV stands for Europay, Mastercard and Visa. It's the underlying technical standard which defines the Chip and PIN program. The standard defines the characteristics and behaviour of the card, the terminal (POS, ATMs as well as transactions carried over the Internet) and the issuer.

All cards which are compliant with the EMV standard carry a chip (unlike the old cards which just had a magnetic stripe at their back) and usually require a PIN to authorize a transaction.

EMV is supposed to be secure.[1] It safeguards customers and banks against various types of fraud that are possible with old-style magnetic stripe cards as well as PIN-less transactions. Plain old magnetic stripe cards are extremely easy to duplicate; not so with EMV-based cards.

Unlike ISO-8583 (and other ISO standards), EMV is freely available in the form of 4 books.[2]

Future posts on this blog will dive into the details of the EMV standard. Most of the information presented here will be based on several years of practice in the field as well as freely available information on the Internet.

Please feel free to post your questions about the topic!

[1] It's said that Chip and PIN has been hacked.