Skip to main content

How to Simplify EMV Cryptography for More Efficient Testing

Steve Gilde December 6, 2024
pos-and-card
How to Simplify EMV Cryptography for More Efficient Testing
11:45

 

In the first installment of this two-part blog series, Navigating the EMV Testing and Certification Process, we explore the critical role that EMV cryptography plays in enhancing the security of retail (card-present) payment transactions. 

Over the past 25 years, EMV Chip technology has truly transformed the payment processing landscape, with over 14 billion EMV cards currently in circulation, 95% of global in-store transactions are now chip-enabled. The net result has been a significant reduction in card-present (counterfeit) fraud – up to 90% in some markets. 

In the first blog, we also reviewed several significant challenges associated with supporting the EMV chip technology. The ongoing effort to achieve and maintain compliance with the EMVCo standards, including testing and certification can be complex, time-consuming, and expensive. Some of the specific issues impacting these efforts include:  

  • The EMVCo specifications continue to evolve with changing market conditions. 
  • Each participating network has its own set of testing and certification requirements. 
  • Regional variations in the EMV standards must also be analyzed and addressed. 
  • Staying compliant with the EMV specifications requires frequent testing. 
  • Experienced EMV resources can be difficult to find and expensive to hire. 

Working within the parameters established by EMVco often results in extended project cycles, missed delivery dates, cost overruns, and the delayed rollout of new revenue-generating initiatives. In the very dynamic payment industry that we operate in today, where consumers demand speed and convenience above all else, these delays can put any organization at a competitive disadvantage. 

The most frustrating aspect of the entire testing and certification process for many organizations is the amount of time simply spent waiting. Waiting for test windows to open up, waiting for a response after a test, and waiting for guidance on how to correct an error before moving on to the next step in the process.  

One specific area that can cause significant waiting times in the EMV testing and certification process is dealing with its complex cryptography. 

 

Understanding EMV Cryptography 

As we have noted, sophisticated cryptography is at the core of how EMV chip cards ensure the integrity of retail payment transactions and protect against counterfeit fraud. 

These cryptographic operations rely on the manipulation of specific data elements, or EMV tags, that are used to generate a unique Authorization Request Cryptogram (ARQC) for each transaction and validate the corresponding Authorization Response Cryptogram (ARPC) response from the card issuer. 

The process works like this: 

  1. During an EMV transaction (either contact or contactless) the chip card generates an ARQC that includes data from the card, terminal, and transaction itself (i.e., unique, location-specific data that cannot be replicated or duplicated). 

  2. The ARQC is sent from the point of sale to the acquirer and across the appropriate payment network rails to the card issuer for verification. 

  3. If the card issuer verifies the ARQC as authentic, it generates the ARPC and sends the appropriate response back through the network to the point of sale, and the transaction is authorized (assuming the cardholder has the necessary funds in his or her account). 

However, correctly calculating the ARQC and ARPC can be a challenging task. Every data element must be correctly selected, assembled, and processed to generate the unique ARQC cryptogram or the transaction will fail. 

 

Minimum EMV Tags Required for Cryptogram Generation 

To generate a valid EMV ARQC, the following tags represent the baseline data required, as defined by the EMVCo specifications

  • Tag 5F2A: Transaction Currency Code 
  • Tag 82: Application Interchange Profile (AIP) 
  • Tag 95: Terminal Verification Results 
  • Tag 9A: Transaction Date 
  • Tag 9C: Transaction Type 
  • Tag 9F02: Authorized Amount (Numeric) 
  • Tag 9F03: Secondary Amount (e.g., cashback) 
  • Tag 9F10: Issuer Application Data (IAD) 
  • Tag 9F1A: Terminal Country Code 
  • Tag 9F26: Application Cryptogram 
  • Tag 9F27: Cryptogram Information Data 
  • Tag 9F36: Application Transaction Counter (ATC) 
  • Tag 9F37: Unpredictable Number (UPN) 
  • Tag 5F34: PAN Sequence Number (sometimes optional) 

While these are the minimum requirements established by EMVCo, each card brand and payment network can - and does - impose its own set of global and regional variations on this baseline calculation. The result is a complicated matrix of complex requirements that is one of the primary causes of long delay in testing and lengthy certification time frames. 

Many organizations, especially those responsible for acquiring transactions at the point of sale, do not have easy access to an issuer test system to validate that they are correctly formatting and generating the ARQC. They must schedule time and wait for limited access to scarce test resources before they can even run their test.  

And even after they run their tests, they may face more delays in getting the test results and then even longer delays in getting guidance on how to correct errors if their tests have failed. 

Designed to simplify and streamline payment testing operations, Paragon’s Web FASTest platform includes support for both the acquirer (sending) and issuer (receiving) components for dozens of ISO and non-ISO message specifications, including EMV contact and contactless transactions. 

Web FASTest includes a powerful and flexible Cryptography Calculator that helps streamline EMV testing efforts and minimize wait times and delays. 

Web FASTest, and the Cryptography Calculator in particular, put users in total control of the EMV testing process, saving time, reducing errors, and ensuring compliance with EMVCo and card brand requirements. 

 

Using the Web FASTest Cryptography Calculator 

Navigating the complexities of EMV cryptography can be challenging, especially for resources who do not already have in-depth knowledge of how the technology works. The Web FASTest platform correctly formats and processes both the ARQC and ARPC cryptograms for international and regional card brands and networks.  

Web FASTest also contains the Cryptography Calculator that can be used for detailed exploratory testing and troubleshooting. 

Following is a high-level overview of how easy it is to access and work with the Cryptography Calculator in Web FASTest via the simple, browser-based user interface: 

  1. Access the Calculator
    1. Users navigate to the Cryptography Calculators from the main Web FASTest menu and select EMV Cryptogram Calculator from the dropdown menu.
    2. Any resources who use the Cryptography Calculators regularly can “Pin” this location to their workspace for speedy access at any time.

  2. Select Card Issuer Specification and Key Derivation Method
    1. Specify the card issuer (e.g., Visa, Mastercard, AmEx) and the session key derivation method.
    2. Web FASTest includes the various key derivation methods that are supported by the issuer specifications.

  3. Input The Session Key Information
    1. The user can enter session keys directly or use the Derive Session Keys feature to calculate them dynamically by providing key components like the Application PAN and PAN Sequence Number.

  4. Choose the Output Type
    1. Select the cryptogram output type:
      1. ARQC for transaction requests.
      2. ARPC for transaction responses.
      3. Other outputs, including PIN or Message Authentication Cryptogram (MAC), are also supported.

  5. Add ICC Elements
    1. Enter the required EMV tags in the ICC Elements field. The Wizard feature of the calculator offers guided setup instructions that help ensure tag strings are correctly formatted.

  6. Executing and Reviewing Results
    1. Click “Calculate” to generate the desired cryptogram. Any errors or missing data are immediately flagged for easy correction.
    2. Valid input produces the correct output values, such as the session key, ARQC, or other requested data.

 

Solving Real-World Testing Challenges 

Consider the scenario where a transaction acquirer needs to verify that their device or application is correctly calculating the ARQC for a new transaction type. 

With the Paragon Web FASTest solution, they simply set up the sending side of the transaction in their application and fire it off to the Virtual Host feature, which knows how to correctly respond to the incoming request message according to the specification being used. 

  • If the ARQC is correctly formatted and calculated, Web FASTest will provide the correct ARPC response according to the selected specification. 
  • If the ARQC is not correct, the ARPC will not be generated and Web FASTest will immediately respond with an error message indicating what went wrong. 

The acquirer can make the necessary corrections and retest – no need to schedule or book test time and then wait for a response to come back later. Web FASTest and the Virtual Host are available 24/7 and ready for testing, anytime and from anywhere. 

In the event that the acquirer resources still have problems getting the ARQC to process correctly, they can use the Web FASTest Cryptography Calculator to perform detailed analysis and troubleshooting until they get their transaction corrected. 

This approach highlights the significant value that the Paragon tools provide as they streamline the EMV testing process to save users time, effort, and expense. 

New call-to-action

 

Key Benefits of Web FASTest and the Cryptography Calculator 

The Web FASTest platform is more than just a testing tool - it is a strategic asset that addresses several pain points associated with financial message testing, including contact and contactless EMV processing, and provides significant benefits, including: 

  • Availability: The robust set of testing capabilities is always available and ready for testing 24x7x365. 
  • Accessibility: A simple, browser-based interface can be accessed from anywhere and customized according to the specific function any individual user needs to perform. 
  • Accuracy: Correctly formatted messages, including scheme-specific cryptography components like ARQC and ARPC cryptograms, are easily generated and validated, minimizing errors and re-work. 
  • Efficiency: Shared access to test data, cards, results, and reports, as well as flexible automation options, help to significantly increase resource productivity. 
  • Flexibility: A wide variety of industry-standard message specifications – including both Acquirer and Issuer processing - are supported out of the box. 

 

Simplifying EMV Testing, One Transaction at a Time 

The success of EMV chip technology as a deterrent against card-present fraud is clearly evident. No payment industry participant with any size or scale – either issuer or acquirer – can afford to operate without it. 

However, adopting, supporting, and maintaining the EMVCo standards requires significant time, effort, and resources, especially when it comes to testing and certification. In this environment, the right testing tools can make a significant difference.  

Paragon’s Web FASTest platform, with enhanced features and capabilities such as its EMV Cryptography Calculator, simplifies, streamlines, and automates payment testing operations, enabling any payment industry participant to minimize the ongoing overhead of compliance and maximize the productivity of its operations in order to focus on growth and innovation. 

No matter if you are a card issuer, acquirer, retailer, payment processor, or terminal vendor, Web FASTest has been designed to provide each client with the features, functionality, and flexibility they require to take total control of their payment testing environment. 

Interested in learning more about how Paragon can help your organization maximize the productivity of its payment testing operations by delivering advanced capabilities like the EMV Cryptography Calculator?  

Request a consultation today. Our team of industry experts is standing by to help!  

Request a Consultation

Related posts

Payments Testing - January 10, 2025
POS Testing: Why Automated Regression Testing is Essential in Retail
Clyde Van Blarcum Author at Paragon
Payments Testing - December 12, 2024
Why Fleet Card Payments Need EMV Chip Technology & Testing Tools
Clyde Van Blarcum Author at Paragon
Payments Testing - December 3, 2024
Improving the Agility of Legacy Payment Systems
Paragon Application Systems Author at Paragon