What is ARQC
Steps for ARQC Generation
There are four basic steps to ARQC generation:
- Card Key Derivation
- Session Key Derivation
- Preparation of Input Data in ARQC Calculation
- Encryption/ Hashing (the final step that gives the ARQC)
Exact details vary from one chip program to another!
Step 1 and 2: Card and Session Key Derivation
When a card is out in the field, it already contains Issuer Master Key. But to create an ARQC for a particular transaction, two new keys are required: the first key is called Card Key and the second key is called Session Key. Each EMV scheme (such as M/Chip and Visa) has its own algorithm for generation of the card key and/ or the session key. Some of these algorithms are standardized and part of the EMV specification while some others are proprietary with the vendor.
The Card Key is unique to the card and the Session Key is unique to the transaction. It's Session Key which is used for the final encryption in step 4.
Step 3: Data Preparation
In parallel to the key derivation as described above, an important step
of ARQC generation is “preparation of input data”, mentioned as point #3
in the list above. Once again, which EMV tags are concatenated to
prepare this input data is EMV scheme specific.
Step 4: ARQC Generation
Finally, once the Session Key and Input Data are ready, the Input Data is encrypted using the Session Key to give the ARQC.