Online EMV Transaction
The main method of confirming the authenticity of the card in an online transaction is online card authentication. It rests on the card generating an ARQC (Authorization Request Cryptogram) for each payment transaction. Let's take a closer look at this process.
Cryptogram generation and verification are based on Triple DES (3DES). The issuer and the card share a secret key, MKac (Application Cryptogram Master Key), which is unique to the card; the issuer does not store one key per card but derives MKac from an issuer master key and the card's PAN when it is needed. At the start of the transaction the card derives an SKac (Application Cryptogram Session Key) from MKac; in the EMV common session key method the derivation input is the card's ATC (Application Transaction Counter), so every transaction uses a fresh session key. The card then generates the 8-byte ARQC as a MAC under SKac over the transaction data: the terminal data it requested through CDOL1 (amount, terminal country code, TVR, currency, date, transaction type, unpredictable number) together with card data such as the AIP, the ATC and the CVR.
During the transaction the ARQC generated by the card is sent to the issuing bank, which verifies it against a cryptogram it computes on its own: the issuer derives the same session key and, from the transaction data received in the authorization request, calculates its own ARQC. If the issuer's ARQC and the card's ARQC match, the card is genuine. The comparison is normally done inside the issuer's HSM, where MKac lives. Note that a matching ARQC proves only that the card holds MKac and that the transaction data were not altered in transit; whether to approve the transaction is still a separate decision based on the issuer's risk checks.
Next, using a similar algorithm, the issuer generates an ARPC (Authorization Response Cryptogram) from the received ARQC and its response data (such as the Authorization Response Code) and sends it back to the card, via the terminal, in the authorization response. Once the card has verified the incoming ARPC, mutual authentication of the card and the issuer is complete: the issuer knows it is talking to the genuine card, and the card knows the response came from the real issuer and not from the terminal.
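The exchange described above, as an added example that is not part of the original page and not any scheme's reference code. It follows the EMV Common Core Definitions style: session key derivation from MKac and the ATC, ISO/IEC 9797-1 Algorithm 3 (the retail MAC) with 0x80 padding for the ARQC, and ARPC Method 1 for the response cryptogram. The key, ATC and CDOL1-style transaction data are constructed values; real schemes define variants (different session key derivation or padding, identified by the cryptogram version number in the Issuer Application Data), DES key parity is not adjusted here because it does not affect the result, and in production the issuer side runs inside an HSM.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// tripleKey expands a 16-byte two-key 3DES key into the 24-byte K1||K2||K1
// form that Go's crypto/des expects.
func tripleKey(k16 []byte) []byte {
	return append(append([]byte{}, k16...), k16[:8]...)
}

// DeriveSessionKey implements the EMV common session key derivation: the two
// halves of SKac are the 3DES encryptions under MKac of ATC||F0||00*5 and
// ATC||0F||00*5. DES parity bits are left as they fall (they do not change
// the encryption result).
func DeriveSessionKey(mk, atc []byte) ([]byte, error) {
	if len(mk) != 16 || len(atc) != 2 {
		return nil, errors.New("need a 16-byte MK and a 2-byte ATC")
	}
	ck, err := des.NewTripleDESCipher(tripleKey(mk))
	if err != nil {
		return nil, err
	}
	sk := make([]byte, 16)
	ck.Encrypt(sk[:8], []byte{atc[0], atc[1], 0xF0, 0, 0, 0, 0, 0})
	ck.Encrypt(sk[8:], []byte{atc[0], atc[1], 0x0F, 0, 0, 0, 0, 0})
	return sk, nil
}

// RetailMAC computes ISO/IEC 9797-1 Algorithm 3 with padding method 2:
// append 0x80, zero-fill to a block boundary, single-DES CBC-MAC under the
// left key, then decrypt the result under the right key and re-encrypt under
// the left key. The full 8-byte output is the application cryptogram.
func RetailMAC(sk, data []byte) ([]byte, error) {
	if len(sk) != 16 {
		return nil, errors.New("need a 16-byte session key")
	}
	kl, err := des.NewCipher(sk[:8])
	if err != nil {
		return nil, err
	}
	kr, err := des.NewCipher(sk[8:])
	if err != nil {
		return nil, err
	}
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%8 != 0 {
		msg = append(msg, 0)
	}
	state, blk := make([]byte, 8), make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		for j := range blk {
			blk[j] = state[j] ^ msg[i+j]
		}
		kl.Encrypt(state, blk)
	}
	kr.Decrypt(blk, state)
	kl.Encrypt(state, blk)
	return state, nil
}

// GenerateARQC is the card side: derive SKac for this ATC and MAC the transaction data.
func GenerateARQC(mkac, atc, txData []byte) ([]byte, error) {
	sk, err := DeriveSessionKey(mkac, atc)
	if err != nil {
		return nil, err
	}
	return RetailMAC(sk, txData)
}

// VerifyARQC is the issuer side: recompute the cryptogram from the issuer's own
// copy of MKac and the transaction data received in the authorization request,
// and compare in constant time.
func VerifyARQC(mkac, atc, txData, received []byte) (bool, error) {
	expected, err := GenerateARQC(mkac, atc, txData)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(expected, received) == 1, nil
}

// GenerateARPC implements ARPC Method 1: 3DES under SKac of ARQC XOR (ARC||00*6),
// where ARC is the 2-character Authorization Response Code from the response.
func GenerateARPC(mkac, atc, arqc, arc []byte) ([]byte, error) {
	if len(arqc) != 8 || len(arc) != 2 {
		return nil, errors.New("need an 8-byte ARQC and a 2-byte ARC")
	}
	sk, err := DeriveSessionKey(mkac, atc)
	if err != nil {
		return nil, err
	}
	ck, err := des.NewTripleDESCipher(tripleKey(sk))
	if err != nil {
		return nil, err
	}
	in := append([]byte{}, arqc...)
	in[0] ^= arc[0]
	in[1] ^= arc[1]
	out := make([]byte, 8)
	ck.Encrypt(out, in)
	return out, nil
}

func main() {
	// Constructed values for illustration only (not a real card key or transaction).
	mkac, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	atc, _ := hex.DecodeString("001C")
	// Constructed CDOL1-style input: amount, other amount, terminal country, TVR,
	// currency, date, type, unpredictable number, AIP, ATC, CVR.
	txData, _ := hex.DecodeString("000000001000" + "000000000000" + "0840" + "8000048000" +
		"0840" + "240115" + "00" + "12345678" + "1800" + "001C" + "0A03A00000")

	arqc, _ := GenerateARQC(mkac, atc, txData)  // card -> terminal -> issuer
	ok, _ := VerifyARQC(mkac, atc, txData, arqc) // issuer recomputes and compares
	fmt.Printf("ARQC %X  issuer verification: %v\n", arqc, ok)

	tampered := append([]byte{}, txData...) // change the amount on the way to the issuer
	tampered[5] = 0x99
	ok, _ = VerifyARQC(mkac, atc, tampered, arqc)
	fmt.Printf("verification after tampering with the amount: %v\n", ok)

	arpc, _ := GenerateARPC(mkac, atc, arqc, []byte("00")) // issuer -> card, ARC "00" = approved
	fmt.Printf("ARPC %X\n", arpc)
}
```

The card checks the ARPC by running the same GenerateARPC computation over the ARQC it issued and the ARC it received, so any forged or replayed response fails. Changing the ATC or the ARC changes the cryptogram, which is what makes the pair unusable for a second transaction.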
This is the basic card authentication mechanism used in online transactions. As already mentioned, offline authentication may also be present in an online transaction; to keep things simple, though, offline authentication is described in detail in the context of an offline transaction.
The next security mechanism is the additional EMV data carried in Field / DE 55 of the authorization message, which is transmitted to the issuing bank. Field / DE 55 contains the chip data from the card and the terminal: the cryptogram and the data it was computed over, and the results of the card's and terminal's risk assessment and transaction analysis.
As shown in the image above, Field / DE 55 contains important information, for example the Terminal Verification Results (TVR, tag 95) and the Card Verification Results (CVR, carried inside the Issuer Application Data, tag 9F10), which, together with the rest of the data, help the issuer and the payment system understand how the transaction occurred and provide many additional details for assessing its risk.
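A parser for the Field / DE 55 data discussed above, added here as an example; it is not code from the original page or from any payment scheme. It walks the BER-TLV elements, pulls out the ARQC, the cryptogram type and the TVR, and names the TVR bits that are set (bit names from EMV Book 3). The DE 55 contents are a constructed authorization request; the Issuer Application Data layout (and so the CVR inside it) is scheme-specific and is not decoded.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// TLV is one BER-TLV element as carried in ISO 8583 Field/DE 55.
type TLV struct {
	Tag   string // upper-case hex, e.g. "9F26"
	Value []byte
}

// ParseDE55 walks the BER-TLV contents of Field 55 (one level; constructed
// templates are returned as-is) and returns the elements in order. A malformed
// tag or length is an error: never act on a partially parsed message.
func ParseDE55(data []byte) ([]TLV, error) {
	var out []TLV
	for i := 0; i < len(data); {
		if data[i] == 0x00 || data[i] == 0xFF { // inter-element padding
			i++
			continue
		}
		start := i
		if data[i]&0x1F == 0x1F { // multi-byte tag: more bytes while b8 is set
			i++
			for i < len(data) && data[i]&0x80 != 0 {
				i++
			}
		}
		i++
		if i >= len(data) {
			return nil, errors.New("truncated tag or missing length")
		}
		tag := strings.ToUpper(hex.EncodeToString(data[start:i]))
		l := int(data[i])
		i++
		if l >= 0x80 { // long form: 0x81 or 0x82 followed by the length bytes
			n := l & 0x7F
			if n == 0 || n > 2 || i+n > len(data) {
				return nil, fmt.Errorf("tag %s: bad length encoding", tag)
			}
			l = 0
			for k := 0; k < n; k++ {
				l = l<<8 | int(data[i+k])
			}
			i += n
		}
		if i+l > len(data) {
			return nil, fmt.Errorf("tag %s: value truncated", tag)
		}
		out = append(out, TLV{Tag: tag, Value: data[i : i+l]})
		i += l
	}
	return out, nil
}

// Find returns the value of the first element with the given tag, or nil.
func Find(elems []TLV, tag string) []byte {
	for _, e := range elems {
		if e.Tag == tag {
			return e.Value
		}
	}
	return nil
}

// CryptogramType decodes the two high bits of the Cryptogram Information Data (tag 9F27).
func CryptogramType(cid byte) string {
	switch cid >> 6 {
	case 0:
		return "AAC (declined)"
	case 1:
		return "TC (approved offline)"
	case 2:
		return "ARQC (go online)"
	}
	return "RFU"
}

// tvrBits names the bits of the 5-byte Terminal Verification Results (tag 95);
// index [byte][bit] with bit 0 = b8. Empty strings are RFU.
var tvrBits = [5][8]string{
	{"Offline data authentication was not performed", "SDA failed", "ICC data missing", "Card appears on terminal exception file", "DDA failed", "CDA failed"},
	{"ICC and terminal have different application versions", "Expired application", "Application not yet effective", "Requested service not allowed for card product", "New card"},
	{"Cardholder verification was not successful", "Unrecognised CVM", "PIN Try Limit exceeded", "PIN entry required and PIN pad not present or not working", "PIN entry required, PIN pad present, but PIN was not entered", "Online PIN entered"},
	{"Transaction exceeds floor limit", "Lower consecutive offline limit exceeded", "Upper consecutive offline limit exceeded", "Transaction selected randomly for online processing", "Merchant forced transaction online"},
	{"Default TDOL used", "Issuer authentication failed", "Script processing failed before final GENERATE AC", "Script processing failed after final GENERATE AC"},
}

// DecodeTVR lists the TVR bits that are set, in byte/bit order.
func DecodeTVR(tvr []byte) ([]string, error) {
	if len(tvr) != 5 {
		return nil, fmt.Errorf("TVR must be 5 bytes, got %d", len(tvr))
	}
	var set []string
	for b := 0; b < 5; b++ {
		for bit := 0; bit < 8; bit++ {
			if tvr[b]&(0x80>>uint(bit)) != 0 {
				name := tvrBits[b][bit]
				if name == "" {
					name = fmt.Sprintf("byte %d bit %d (RFU)", b+1, 8-bit)
				}
				set = append(set, name)
			}
		}
	}
	return set, nil
}

func main() {
	// Constructed Field 55 from an authorization request: ARQC, CID, IAD, unpredictable
	// number, ATC, TVR, date, type, amount, currency, AIP, terminal country, CVM results.
	de55, _ := hex.DecodeString("9F2608A1B2C3D4E5F60718" + "9F270180" + "9F100706010A03A00000" +
		"9F370412345678" + "9F3602001C" + "95058000048000" + "9A03240115" + "9C0100" +
		"9F0206000000001000" + "5F2A020840" + "82021800" + "9F1A020840" + "9F3403420300")
	elems, err := ParseDE55(de55)
	if err != nil {
		panic(err)
	}
	for _, e := range elems {
		fmt.Printf("%-4s %X\n", e.Tag, e.Value)
	}
	if cid := Find(elems, "9F27"); len(cid) == 1 {
		fmt.Println("cryptogram type:", CryptogramType(cid[0]))
	}
	if flags, err := DecodeTVR(Find(elems, "95")); err == nil {
		fmt.Println("TVR flags set:", strings.Join(flags, "; "))
	}
}
```

On the constructed message the TVR decodes to "offline data authentication was not performed", "online PIN entered" and "transaction exceeds floor limit", which is exactly the kind of context an issuer's risk engine reads alongside the cryptogram before deciding on the authorization.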