EMV Tag Dictionary

🔑 EMV Keys and Cryptography

Overview

EMV uses a hierarchical key structure with multiple levels of keys for security. Understanding these keys is essential for EMV implementation and L3 certification.

Key Hierarchy

Level 1

Master Keys (Issuer)

AC Master Key (Application Cryptogram Master Key):

Used to derive session keys for ARQC/TC/AAC generation
Stored securely in HSM (Hardware Security Module)
Typically 16 bytes (128-bit) or 24 bytes (192-bit) for 3DES
Never leaves the secure environment

SMC Master Key (Secure Messaging Channel):

Used for secure messaging and issuer script encryption
Protects data confidentiality in issuer scripts

PIN Master Key:

Used for PIN encryption and verification
Separate from application cryptogram keys

Level 2

Card Unique Keys

ICC Master Key (Personalized during card production):

Derived from issuer master key + PAN + PAN Sequence
Unique to each card
Stored in card's secure memory
Used to derive session keys during transactions

Derivation Method (EMV Option A):


ICC_Master_Key = 3DES-ECB(Issuer_Master_Key, PAN || PAN_Seq || Padding)

Level 3

Session Keys (Transaction)

Session Key:

Generated for each transaction
Derived from ICC Master Key + ATC (Application Transaction Counter)
Used once and discarded
Ensures transaction uniqueness

Derivation (Common Method):


Session_Key = 3DES-ECB(ICC_Master_Key, ATC || F0...00)
              XOR 3DES-ECB(ICC_Master_Key, ATC || 0F...FF)

Key Management Best Practices

⚠️ Security Requirements:

Dual Control: Keys must be managed by at least two authorized persons
HSM Storage: Master keys must be stored in FIPS 140-2 Level 3 certified HSMs
Key Ceremony: Key generation and injection require documented procedures
Separation of Duties: No single person should have complete key knowledge
Key Rotation: Regular key rotation policies must be implemented
Audit Trail: All key operations must be logged and auditable

🎓 EMV L3 Certification

What is L3 Certification?

EMV Level 3 (L3) Certification validates that a payment kernel correctly implements EMV specifications for chip card transactions. It's required for terminal manufacturers and payment processors.

Certification Levels

Level 1 (L1) - Physical/Electrical: Tests the physical interface between card and terminal
Level 2 (L2) - Protocol: Tests the communication protocol (T=0, T=1)
Level 3 (L3) - Application: Tests the EMV application logic and transaction flow

L3 Certification Scope

1. Kernel Implementation

EMV Contact (Visa, Mastercard, AMEX, Discover, JCB, UnionPay)
EMV Contactless (qVSDC, M/Chip, ExpressPay, J/Speedy, QuickPass)
Mobile contactless (Apple Pay, Google Pay, Samsung Pay)

2. Transaction Flows

Online authorization (ARQC)
Offline approval (TC - Transaction Certificate)
Offline decline (AAC - Application Authentication Cryptogram)
Referral transactions

3. Cardholder Verification Methods (CVM)

PIN verification (offline and online)
Signature verification
No CVM required (contactless low-value)
Consumer Device CVM (CDCVM) for mobile
Biometric verification

4. Risk Management

Terminal Risk Management (TRM)
Floor limit checking
Random transaction selection
Velocity checking
Exception file processing

5. Data Authentication

Static Data Authentication (SDA)
Dynamic Data Authentication (DDA)
Combined Data Authentication (CDA)
EMV Mode (fDDA for contactless)

6. Cryptogram Generation and Validation

ARQC generation (Authorization Request)
TC generation (Transaction Certificate)
AAC generation (Application Authentication Cryptogram)
ARPC validation (Authorization Response)

Certification Process

Pre-certification Testing:
Internal testing using EMV test cards and scripts
Submit to Test Lab:
Approved EMVCo test labs (e.g., UL, Collis, Fime, Compass Plus)
Test Execution:
Lab runs comprehensive test scenarios (typically 500-2000+ test cases)
Issue Resolution:
Fix any failures and re-test
Letter of Approval (LOA):
Lab issues LOA upon successful completion
Payment Network Approval:
Submit LOA to card schemes (Visa, Mastercard, etc.)

Test Tools and Resources

EMV Test Cards: Cards with known keys and behaviors
Terminal Test Tool (TTT): Simulates card responses
Loopback Testing: Self-contained test environment
EMV Books: Official specifications from EMVCo
Scheme-Specific Guides: Visa ADVT, Mastercard M-TIP

Typical Timeline and Costs

Development Time: 6-18 months for full kernel implementation
Testing Duration: 2-8 weeks at test lab
Lab Costs: $10,000 - $50,000+ per kernel/configuration
Test Cards: $500 - $2,000 per scheme set
Maintenance: Re-certification required for spec updates

📖 Quick Reference Guide

Most Common Tags

9F02 Amount, Authorised

9F03 Amount, Other

9F26 Application Cryptogram (ARQC/TC/AAC)

9F27 Cryptogram Information Data (CID)

9F36 Application Transaction Counter (ATC)

5A Application PAN

5F24 Application Expiration Date

5F34 Application PAN Sequence Number

95 Terminal Verification Results (TVR)

9B Transaction Status Information (TSI)

Tag Format Guide

Format	Description	Example
n	Numeric (BCD format)	Amount: 000000001000 = $10.00
cn	Compressed Numeric	PAN: 1234567890123456
an	Alphanumeric (ASCII)	Cardholder Name: "JOHN DOE"
b	Binary	TVR: 0000000000 (5 bytes)
var	Variable length	Uses TLV encoding

Cryptogram Types (Tag 9F27 - CID)

CID Value	Type	Description
`00`	AAC	Application Authentication Cryptogram (Decline)
`40`	TC	Transaction Certificate (Offline Approved)
`80`	ARQC	Authorization Request Cryptogram (Online)
`90`	ARQC	ARQC with proprietary authentication

📊 EMV Tag Dictionary

Transaction Data

Card Data

Terminal Data

Cryptographic Data

Issuer Data

Risk Management