Sunday, January 15, 2012

What is ARQC?

Each EMV transaction request is supposed to contain ARQC, which is a cryptogram generated from the transaction data. In the context of EMV, a cryptogram can be thought of as a digital signature on the financial transaction. A valid, verifiable cryptogram tells you two things:

  • the financial message originated from the source that it claims to be from
  • the contents of the message have not been altered 

There are two cryptograms used in EMV: ARQC (Authorisation Request Cryptogram) and ARPC (Authorisation Response Cryptogram). The first one, ARQC, is generated by the card (after taking some values from the terminal), and hence it's part of a request message. The second one, ARPC, is generated by the issuer and hence it's part of a response message.

Steps for ARQC Generation

There are four basic steps to ARQC generation:
  1. Card Key Derivation 
  2. Session Key Derivation 
  3. Preparation of Input Data in ARQC Calculation
  4. Encryption/ Hashing (the final step that gives the ARQC)
Restating the above list, the first step is to derive the card key and then use the card key to derive a session key. In parallel, we need to prepare some data and then encrypt that data with the session key derived in the previous step.

Exact details vary from one chip program to another!

Step 1 and 2: Card and Session Key Derivation

When a card is out in the field, it already contains Issuer Master Key. But to create an ARQC for a particular transaction, two new keys are required: the first key is called Card Key and the second key is called Session Key. Each EMV scheme (such as M/Chip and Visa) has its own algorithm for generation of the card key and/ or the session key. Some of these algorithms are standardized and part of the EMV specification while some others are proprietary with the vendor.

The Card Key is unique to the card and the Session Key is unique to the transaction. It's Session Key which is used for the final encryption in step 4.

Step 3: Data Preparation

In parallel to the key derivation as described above, an important step of ARQC generation is “preparation of input data”, mentioned as point #3 in the list above. Once again, which EMV tags are concatenated to prepare this input data is EMV scheme specific.

Step 4: ARQC Generation 

Finally, once the Session Key and Input Data are ready, the Input Data is encrypted using the Session Key to give the ARQC.


  1. Could you please to understand with the help of example?

  2. The exact algorithms depend on the card scheme. For example, Visa might have a different procedure as compared to Mastercard. I'll check what details are available as open standard (in the form of EMV) and post back. Thanks for asking!

    1. Hello Sir i am from TURKEY and need to ask somethings about EMV my mail is here and skype name is kendagasan i need to finish my project if you please help me about this matter i will be thankful sir.

    2. salam muhammad how you doiing , hope you fine
      please i need to talk you in pravite if you write me at that email please please

      my email is
      thx alot man iam waitting your email thx

  3. Thanks useful and in simple words. :) Great!

  4. Informative blog. Thanks for sharing :-)

  5. thanks for sharing. good information

  6. Really helpful as simple :) Thanks Ali bhai

  7. Hello. Thanks for the information provided.
    I wanna ask you about something that has happened these days.

    I am sending a AMEX EMV transaction to ATS(AMEX TEST SYSTEM), but it's complaining to have an incorrect application cryptogram. So I need a way to recalculated to confirm that is good or bad. I know that ARQC is based on some input data from the terminal that are compared to the CDOL from the card.

    How can i recalculate the ARQC?

    If you have any hints about it, please let me know.

    Have a nice day.

    1. Hello Carlos
      AMEX uses its GNSWeb simulator usually has an inbuilt tool to cal ARQC so you need to know the tlv from terminal and input it into the tool along with card number and pan seq num the basic tags required for arqc calc are:

      9f10-cvr bytes from ICC

      Also apart from this you have to update the card details with emv crypto keys also known as IMK so all in all there are 3 keys in amex sim crypto keys(for chip card) mac keys(for mac) and intergrity keys(for pin)

  8. Hi Carlos Emilio Mejía Martínez,

    I have a diagnose system I maybe able to determine what exactly is the issue, forward the software to me at

    Kind Regards,

    W. Adam

  9. Need can contact u in private...any private message... Like jabber skipe etc.

  10. How can i recalculate the ARQC?
    For visa or mastercard....?
    Exist any way to do that?
    Pls give more details about that arqc certificates

    Best regards

    1. hii tell me if you need to know about arqc

  11. how do i gen or decode extract arcq from real card

  12. You cannot calculate ARQC, as the master key of the card will be in secured layer, and unique for every transaction,
    You need the following data:
    master key
    PAN, PAN sq no, ATC, Terminal data, card data, and above all algorithm and key parity,
    somewhat if you get master key, and record a card session
    you may calculate.

  13. Hello guys,

    Hope you're fine.

    I'm facing that issue with the ARQC :

    The ARQC is not valid because the data transmitted to the Simulator by our POS Terminal is not the same as the data used by the card to calculate the ARQC.

    When analyzing our logs, I noticed that the ARQC has been calculated by the card with 5F2A = 0180 and our Terminal sent 5F2A = 0840 to the Simulator/Issuer.

    The Acquirer/Terminal must pass DE55 tags unaltered to the issuer.

    Please note that our country code is 0180 and currency code 0840.

    As our POS vendor seems not to know where to start, can you please assist us in telling me which parameter should be corrected to sort this out ?


  14. Hi Christian, try using what the card is using since you only have control of the terminal parameters.

  15. Is it mandatory that the ARQC be displayed on the credit card receipt?

    1. I don't think so. This might help:

    2. Muhammad - this was very helpful. We are also confirming with our credit card processor and Point of Sale vendor.

  16. is there any document for the ARQC calculation of MASTERCARD and VISA.

  17. Hello, i would like to know about ARPC..which tags make it up and is it mandatory to be checked at the ATM or POS..if yes which EMV doc states it..thanks Mariam

  18. This page was added to help on this topic

  19. Anyone who can explain on how to generate ARQC on a realy card. Here is my email , please help ..

  20. what is mean Bad ARQC. Invalid ARQC limit is unlimited(!), count is 1? any solution?

  21. For other channel transaction I have successfully validated Contactless and contact transaction as like ONUS CARD at VISA channel. when we transacted through to our POS or ATM it has shown invalid ARQC...

    Can you please help me this why this type of error i have got?

  22. How can I generate ARQC code on EMV software