EMV Transaction (ARQC/ARPC) Service (CSNBEAC and CSNEEAC)

The EMV Transaction (ARQC/ARPC) Service simplifies EMV Authorization Request Cryptogram (ARQC) and Authorization Response Cryptogram (ARPC) transaction processing. An ARQC is generated by the EMV card upon request from the point-of-sale terminal to obtain authorization for payment. The ARQC is forwarded across the payment network to the issuer for verification. After the issuer has verified the ARQC, the issuer generates an ARPC (the response). The ARPC is sent back through the payment network to the point-of-sale terminal to authorize the transaction.

The EMV Transaction (ARQC/ARPC) Service performs the following EMV functions:
  • Verifying the Authorization Request Cryptogram (ARQC).
  • Generating the Authorization Response Cryptogram (ARPC).
  • Both verifying the ARQC and generating the ARPC.

This service can be used in the following specific brand modes:
  • Visa
  • MasterCard
  • EMV

The callable service name for AMODE(64) invocation is CSNEEAC.

Format

CALL CSNBEAC(
             return_code,
             reason_code,
             exit_data_length,
             exit_data,
             rule_array_count,
             rule_array,
             issuer_master_key_identifier_length,
             issuer_master_key_identifier,
             issuer_ARPC_master_key_identifier_length,
             issuer_ARPC_master_key_identifier,
             pan_length,
             pan,
             pan_seq_number,
             cryptogram_info_length,
             cryptogram_info,
             atc,
             arc,
             arqc,
             arpc,
             unpredictable_number,
             reserved1_length,
             reserved1,
             reserved2_length,
             reserved2)

Parameters

return_code
Direction Type
Output Integer

The return code specifies the general result of the callable service. "ICSF and cryptographic coprocessor return and reason codes" lists the return codes.

reason_code
Direction Type
Output Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes assigned to it that indicate specific processing problems. "ICSF and cryptographic coprocessor return and reason codes" lists the reason codes.

exit_data_length
Direction Type
Input/Output Integer

The length of the data that is passed to the installation exit. The data is identified in the exit_data parameter.

exit_data
Direction Type
Input/Output String

The data that is passed to the installation exit.

rule_array_count
Direction Type
Input Integer

The number of keywords you supplied in the rule_array parameter. The minimum value is 3 and the maximum value is 4.

rule_array
Direction Type
Input String

Keywords that provide control information to the callable service. The keywords must be in contiguous storage with each of the keywords left-justified in its own 8-byte location and padded on the right with blanks.

Table 1. Rule array keywords for EMV Transaction (ARQC/ARPC) Service

Keyword - Meaning

Algorithm (Required)
  • TDES - Specifies the use of Triple-DES.

Action (One required)
  • VERARQC - Specifies to verify the input Authorization Request Cryptogram.
  • GENARPC - Specifies to generate the Authorization Response Cryptogram from the input Authorization Request Cryptogram and Authorization Response Code (ARC).
  • VERGEN - Specifies to both verify the Authorization Request Cryptogram and generate the Authorization Response Cryptogram.

Key mode (One required). Defines the key derivation mechanism.
  • VISA - Specifies to use the Visa Cryptogram Version 10 key derivation. The card's master key for application cryptograms is used as the session key (the keys are the same for each session). See Visa specification, Appendix D2. Padding is with binary zeroes until the length is a multiple of 8 bytes.
  • MC - Specifies to use the MasterCard M/CHIP 2.1 key derivation. The ATC and an unpredictable number are 3DES-encrypted with the card's master key. The card's master key is used when generating the ARPC. EMV padding rules apply.
  • EMV - Specifies to use the session key derivation as described in EMV Integrated Circuit Card Specification for Payment Systems Version 4.2 (EMV4.2) Book 2, Annex A1.3. Use this key mode for Visa Cryptogram Version 14 and MasterCard M/CHIP 4. EMV padding rules apply.

Control flag (Optional)
  • APPANSEQ - Specifies to append the PAN sequence number when the card-specific master key is derived. See the descriptions of pan and pan_seq_number. The default is not to append the PAN sequence number.

Branch Factor (One optional, valid only with key mode EMV). The branching factor is to be used in EMV session key derivation.
  • TDESEMV2 - Specifies a branch factor of 2 for a height of 16. This is the default.
  • TDESEMV4 - Specifies a branch factor of 4 for a height of 8.

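
The following C helper is an added example, not IBM code: it lays out rule_array in 8-byte blank-padded slots and rejects keyword combinations that Table 1 does not allow, before any call to CSNBEAC is made. The function name, the group identifiers, and the negative return codes are assumptions made for this illustration.

```c
#include <string.h>

/* Keyword groups from Table 1. The group ids are local to this example. */
enum { ALG, ACTION, KEYMODE, FLAG, BRANCH, NGROUPS };
static const struct { const char *kw; int group; } KEYWORDS[] = {
    {"TDES", ALG},
    {"VERARQC", ACTION}, {"GENARPC", ACTION}, {"VERGEN", ACTION},
    {"VISA", KEYMODE}, {"MC", KEYMODE}, {"EMV", KEYMODE},
    {"APPANSEQ", FLAG},
    {"TDESEMV2", BRANCH}, {"TDESEMV4", BRANCH},
};

/* Build rule_array into out (8 bytes per keyword, left justified, padded
 * with the blank of the compile-time character set).
 * Returns rule_array_count on success, or a negative code (hypothetical):
 *   -1 unknown keyword         -2 two keywords from the same group
 *   -3 required group missing  -4 branch factor without key mode EMV
 *   -5 count outside 3..4, the range stated on this page
 * out may be partially written when an error is returned. */
int build_rule_array(const char *const kws[], int n, char *out)
{
    int seen[NGROUPS] = {0};
    int emv = 0;

    if (n < 3 || n > 4) return -5;
    for (int i = 0; i < n; i++) {
        int g = -1;
        for (size_t k = 0; k < sizeof KEYWORDS / sizeof KEYWORDS[0]; k++)
            if (strcmp(kws[i], KEYWORDS[k].kw) == 0) g = KEYWORDS[k].group;
        if (g < 0) return -1;          /* also rejects anything over 8 chars */
        if (seen[g]++) return -2;
        if (strcmp(kws[i], "EMV") == 0) emv = 1;
        memset(out + 8 * i, ' ', 8);
        memcpy(out + 8 * i, kws[i], strlen(kws[i]));
    }
    if (!seen[ALG] || !seen[ACTION] || !seen[KEYMODE]) return -3;
    if (seen[BRANCH] && !emv) return -4;
    return n;
}
```
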
issuer_master_key_identifier_length
Direction Type
Input Integer

Specifies the length of the issuer_master_key_identifier parameter in bytes. The value must be 64.

issuer_master_key_identifier
Direction Type
Input/Output String

A 64-byte DES key identifier (either an internal token or key label) for the issuer master key for Application Cryptograms (AC). The issuer master key is the DES key from which the card-specific keys are derived; the session keys for application cryptograms are in turn derived from the card-specific keys.

When using the key mode of VISA or EMV, this key is used for both the verification of the ARQC (VERARQC and VERGEN) and the generation of the ARPC (GENARPC and VERGEN).

When using the key mode of MC, this key is used only for the verification of the ARQC (VERARQC and VERGEN). The issuer_ARPC_master_key_identifier must supply the ARPC generation key (GENARPC and VERGEN).

If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.

Table 2. EMV Transaction (ARQC/ARPC) Service: Key requirements

Key mode keyword  Key type  Subtype  Key usage attributes
VISA              DKYGENKY  DKYL0    Must specify that a MAC key will be derived (keyword DMAC).
MC                DKYGENKY  DKYL1    Must specify that a MAC key will be derived (keyword DMAC).
EMV               DKYGENKY  DKYL0    Must specify that a MAC key will be derived (keyword DMAC).

Note: For MasterCard M/Chip 2.1, you need the issuer master key in two versions: one of each subtype (DKYL1 and DKYL0). If action VERARQC or VERGEN is specified, this key must be the subtype DKYL1 and is used to derive the session key for ARQC verification. The key to be used for ARPC generation (GENARPC and VERGEN) must be specified in the issuer_ARPC_master_key_identifier input parameter.

issuer_ARPC_master_key_identifier_length
Direction Type
Input Integer

This parameter specifies the length of the issuer_ARPC_master_key_identifier parameter in bytes. When the key mode keyword MC is specified, the value must be 64. Otherwise, the value must be zero.

issuer_ARPC_master_key_identifier
Direction Type
Input/Output String

The 64-byte CCA DES key identifier (either an internal token or key label) for the issuer master key for Application Response Cryptograms (ARPC) when using the MC key mode. The issuer ARPC master key is the DES key from which a session key for ARPC generation is derived.

This parameter is used only when the action is GENARPC or VERGEN and the key mode is MC. In that case, this key is the issuer master key from which the key for ARPC generation is derived.

If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.

Key Type Requirements: The key type must be DKYGENKY, the subtype must be DKYL0, and the key usage must specify that a MAC key will be derived (keyword DMAC).

Note: For MasterCard M/Chip 2.1, you need the issuer master key in two versions: one of each subtype (DKYL1 and DKYL0). If the action GENARPC or VERGEN is specified, this key must be the subtype DKYL0 and is used to derive the session key for ARPC generation. The key to be used for ARQC verification (VERARQC and VERGEN) must be specified in the issuer_master_key_identifier input parameter.

pan_length
Direction Type
Input Integer

Length in bytes of the pan parameter. The value must be 10.

pan
Direction Type
Input String

The 10-byte EMV card's Primary Account Number. The data must be in compressed numeric format and right justified in a 10-byte field, padded to the left with zeroes. For example, PAN 1234567890 must be provided as x'00000000001234567890'.

This data is used in combination with the PAN sequence number to derive the card’s master key. The exact set of rules is described in EMV Integrated Circuit Card Specification for Payment Systems Version 4.2 (EMV4.2) Book 2, Annex A1.4.

pan_seq_number
Direction Type
Input String

The 1-byte sequence number of the EMV card’s Primary Account Number. If the APPANSEQ control flag rule array keyword was specified, this PAN sequence number is used in combination with the PAN to derive the card’s master key. The exact set of rules is described in EMV Integrated Circuit Card Specification for Payment Systems Version 4.2 (EMV4.2) Book 2, Annex A1.4.

cryptogram_info_length
Direction Type
Input Integer

The length of the cryptogram information supplied in the cryptogram_info parameter. This value must be between 1 and 252 inclusive.

cryptogram_info
Direction Type
Input String

The cryptogram information on which the ARQC is generated. The data must not be padded.

The cryptogram information is padded as follows:

Key derivation mechanism  Padding
VISA                      Visa ICC Card's Specification V1.4.0, Appendix D2 and D3
MC, EMV                   EMV, Book 2, Annex A1.2

atc
Direction Type
Input String

The 2-byte application transaction counter that is used for session key derivation. See the key mode rules for more information on session key derivation.

This parameter must be 2 bytes.

Note: The first byte is the high-order byte and the second byte is the low-order byte.

arc
Direction Type
Input String

The 2-byte authorization response code that must be used for generating the ARPC. It is used only if action GENARPC or VERGEN is specified.

This parameter must be 2 bytes.

Note: The first byte is the high-order byte and the second byte is the low-order byte.

arqc
Direction Type
Input String

The 8-byte authorization request cryptogram received from the payment card.

This parameter must be 8 bytes.

arpc
Direction Type
Output String

The 8-byte authorization response cryptogram to be sent back to the payment card. The ARPC is obtained by enciphering the ARQC XOR-ed with the ARC (see also EMV, Book 2, 8.2).

This parameter must be 8 bytes.

unpredictable_number
Direction Type
Input String

The 4-byte unpredictable number used in the MasterCard M/Chip 2.1 session key derivation scheme.

The data in this field will not be reformatted by the API before use.

This parameter must be 4 bytes.

reserved1_length
Direction Type
Input Integer

Length in bytes of the reserved1 parameter. The value must be 0.

reserved1
Direction Type
Input String

This field is ignored.

reserved2_length
Direction Type
Input Integer

Length in bytes of the reserved2 parameter. The value must be 0.

reserved2
Direction Type
Input String

This field is ignored.
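
The parameter rules above for pan, atc, and the length fields can be checked before the call. The C helpers below are an added example, not IBM code: they pack a decimal PAN into the 10-byte compressed numeric field, store the ATC high-order byte first, and check the fixed and conditional lengths. All function names and the rule numbers returned by check_lengths are assumptions made for this illustration.

```c
#include <string.h>

/* Pack a decimal PAN into the 10-byte compressed numeric field: two digits
 * per byte, right justified, zero filled on the left. Returns 0, or -1 if
 * the string is empty, longer than the field's 20 digits, or not numeric
 * (out may be partially written in that case). */
int pack_pan(const char *digits, unsigned char out[10])
{
    size_t n = strlen(digits);
    if (n == 0 || n > 20) return -1;
    memset(out, 0, 10);
    for (size_t i = 0; i < n; i++) {          /* i counts from the last digit */
        char c = digits[n - 1 - i];
        if (c < '0' || c > '9') return -1;
        unsigned char d = (unsigned char)(c - '0');
        out[9 - i / 2] |= (unsigned char)((i % 2) ? d << 4 : d);
    }
    return 0;
}

/* Store the application transaction counter high-order byte first. */
void put_atc(unsigned counter, unsigned char out[2])
{
    out[0] = (unsigned char)((counter >> 8) & 0xFF);
    out[1] = (unsigned char)(counter & 0xFF);
}

/* Check the fixed and conditional lengths stated in the parameter list.
 * key_mode is the key mode keyword ("VISA", "MC" or "EMV").
 * Returns 0 when all hold, otherwise the number of the first failed rule:
 *   1 issuer_master_key_identifier_length must be 64
 *   2 issuer_ARPC_master_key_identifier_length: 64 for MC, otherwise 0
 *   3 pan_length must be 10
 *   4 cryptogram_info_length must be 1..252
 *   5 reserved1_length and reserved2_length must be 0 */
int check_lengths(const char *key_mode, int imk_len, int arpc_imk_len,
                  int pan_len, int cinfo_len, int res1_len, int res2_len)
{
    int want_arpc = strcmp(key_mode, "MC") == 0 ? 64 : 0;
    if (imk_len != 64) return 1;
    if (arpc_imk_len != want_arpc) return 2;
    if (pan_len != 10) return 3;
    if (cinfo_len < 1 || cinfo_len > 252) return 4;
    if (res1_len != 0 || res2_len != 0) return 5;
    return 0;
}
```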

Usage notes

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS.

Cryptographic services used by EMV Transaction (ARQC/ARPC) Service

The following CCA cryptographic services are used by EMV Transaction (ARQC/ARPC) Service:
  • CSNBKTB - Key Token Build
  • CSNBDKG - Diversified Key Generate
  • CSNBMGN - MAC Generate
  • CSNBMVR - MAC Verify

The caller does not require authorization to each of these services, only to the EMV Transaction (ARQC/ARPC) Service. Additionally, the caller must have the required access control points enabled.

Access control points

The following access control points must be enabled to use the EMV Transaction (ARQC/ARPC) Service:
  • Diversified Key Generate - TDES-ENC
  • Diversified Key Generate - SESS-XOR
  • Diversified Key Generate - TDESEMV2/TDESEMV4
  • MAC Generate
  • MAC Verify

Required hardware

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 3. EMV Transaction (ARQC/ARPC) Service required hardware

Server                                      Required cryptographic hardware                               Restrictions
IBM System z9 EC, IBM System z9 BC          Crypto Express2 Coprocessor
IBM System z10 EC, IBM System z10 BC        Crypto Express2 Coprocessor, Crypto Express3 Coprocessor
IBM zEnterprise 196, IBM zEnterprise 114    Crypto Express3 Coprocessor
IBM zEnterprise EC12, IBM zEnterprise BC12  Crypto Express3 Coprocessor, Crypto Express4 CCA Coprocessor
IBM z13, IBM z13s                           Crypto Express5 CCA Coprocessor