EMV Transaction (ARQC/ARPC) Service (CSNBEAC and CSNEEAC)
The EMV Transaction (ARQC/ARPC) Service simplifies EMV Authorization Request Cryptogram (ARQC) and Authorization Response Cryptogram (ARPC) transaction processing. An ARQC is generated by the EMV card upon request from the point-of-sale terminal to obtain authorization for payment. The ARQC is forwarded across the payment network to the issuer for verification. After the issuer has verified the ARQC, the issuer generates an ARPC (the response). The ARPC is sent back through the payment network to the point-of-sale terminal to authorize the transaction.
The service supports these actions:
- Verifying the Authorization Request Cryptogram (ARQC).
- Generating the Authorization Response Cryptogram (ARPC).
- Both verifying the ARQC and generating the ARPC.
The service supports these key derivation schemes:
- Visa
- MasterCard
- EMV
The callable service name for AMODE(64) invocation is CSNEEAC.
Format
CALL CSNBEAC(
return_code,
reason_code,
exit_data_length,
exit_data,
rule_array_count,
rule_array,
issuer_master_key_identifier_length,
issuer_master_key_identifier,
issuer_ARPC_master_key_identifier_length,
issuer_ARPC_master_key_identifier,
pan_length,
pan,
pan_seq_number,
cryptogram_info_length,
cryptogram_info,
atc,
arc,
arqc,
arpc,
unpredictable_number,
reserved1_length,
reserved1,
reserved2_length,
reserved2)
Parameters
- return_code
  Direction: Output. Type: Integer.
  The return code specifies the general result of the callable service. ICSF and cryptographic coprocessor return and reason codes lists the return codes.
- reason_code
  Direction: Output. Type: Integer.
  The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes assigned to it that indicate specific processing problems. ICSF and cryptographic coprocessor return and reason codes lists the reason codes.
- exit_data_length
  Direction: Input/Output. Type: Integer.
  The length of the data that is passed to the installation exit. The data is identified in the exit_data parameter.
- exit_data
  Direction: Input/Output. Type: String.
  The data that is passed to the installation exit.
- rule_array_count
  Direction: Input. Type: Integer.
  The number of keywords you supplied in the rule_array parameter. The minimum value is 3 and the maximum value is 4.
- rule_array
  Direction: Input. Type: String.
  Keywords that provide control information to the callable service. The keywords must be in contiguous storage with each of the keywords left-justified in its own 8-byte location and padded on the right with blanks.
  Table 1. Rule array keywords for EMV Transaction (ARQC/ARPC) Service
  Keyword | Meaning |
  ---|---|
  Algorithm (Required) | |
  TDES | Specifies the use of Triple-DES. |
  Action (One required) | |
  VERARQC | Specifies to verify the input Authorization Request Cryptogram. |
  GENARPC | Specifies to generate the Authorization Response Cryptogram from the input Authorization Request Cryptogram and Authorization Response Code (ARC). |
  VERGEN | Specifies to both verify the Authorization Request Cryptogram and generate the Authorization Response Cryptogram. |
  Key mode (One required). Defines the key derivation mechanism. | |
  VISA | Specifies to use the Visa Cryptogram Version 10 key derivation. The card’s master key for application cryptograms is used as the session key (the keys are the same for each session). See Visa specification, Appendix D2. Padding is with binary zeroes until the length is a multiple of 8 bytes. |
  MC | Specifies to use the MasterCard M/CHIP 2.1 key derivation. The ATC and an unpredictable number are 3DES encrypted with the card’s master key. The card’s master key is used when generating the ARPC. EMV padding rules apply. |
  EMV | Specifies to use the session key derivation as described in EMV Integrated Circuit Card Specification for Payment Systems Version 4.2 (EMV4.2) Book 2, Annex A1.3. Use this key mode for Visa Cryptogram Version 14 and MasterCard M/CHIP 4. EMV padding rules apply. |
  Control flag (Optional) | |
  APPANSEQ | Specifies to append the PAN sequence number when the card specific master key is derived. See the descriptions of pan and pan_seq_number. The default is not to append the PAN sequence number. |
  Branch Factor (One optional, valid only with key mode EMV). The branching factor is to be used in EMV session key derivation. | |
  TDESEMV2 | Specifies a branch factor of 2 for a height of 16. This is the default. |
  TDESEMV4 | Specifies a branch factor of 4 for a height of 8. |
- issuer_master_key_identifier_length
  Direction: Input. Type: Integer.
  Specifies the length of the issuer_master_key_identifier parameter in bytes. The value must be 64.
- issuer_master_key_identifier
  Direction: Input/Output. Type: String.
  A 64-byte DES key identifier (either an internal token or key label) for the issuer master key for Application Cryptograms (AC). The issuer master key is the DES key from which the card-specific keys are derived; the session keys for application cryptograms are in turn derived from the card-specific keys.
  When using the key mode of VISA or EMV, this key is used for both the verification of the ARQC (VERARQC and VERGEN) and the generation of the ARPC (GENARPC and VERGEN).
  When using the key mode of MC, this key is used only for the verification of the ARQC (VERARQC and VERGEN). The issuer_ARPC_master_key_identifier must supply the ARPC generation key (GENARPC and VERGEN).
  If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.
  Table 2. EMV Transaction (ARQC/ARPC) Service: Key requirements
  Key mode keyword | Key type | Subtype | Key usage attributes |
  ---|---|---|---|
  VISA | DKYGENKY | DKYL0 | Must specify a MAC key will be derived (keyword DMAC). |
  MC | DKYGENKY | DKYL1 | Must specify a MAC key will be derived (keyword DMAC). |
  EMV | DKYGENKY | DKYL0 | Must specify a MAC key will be derived (keyword DMAC). |
  Note: For MasterCard M/Chip 2.1, you need the issuer master key in two versions: one of each subtype (DKYL1 and DKYL0). If action VERARQC or VERGEN is specified, this key must be the subtype DKYL1 and is used to derive the session key for ARQC verification. The key to be used for ARPC generation (GENARPC and VERGEN) must be specified in the issuer_ARPC_master_key_identifier input parameter.
- issuer_ARPC_master_key_identifier_length
  Direction: Input. Type: Integer.
  This parameter specifies the length of the issuer_ARPC_master_key_identifier parameter in bytes. When the key mode keyword MC is specified, the value must be 64. Otherwise, the value must be zero.
- issuer_ARPC_master_key_identifier
  Direction: Input/Output. Type: String.
  The 64-byte CCA DES key identifier (either an internal token or key label) for the issuer master key for Application Response Cryptograms (ARPC) when using the MC key mode. The issuer ARPC master key is the DES key from which a session key for ARPC generation is derived.
  This parameter is used only when the action is GENARPC or VERGEN and the key mode is MC. In that case, this key is the issuer master key from which the key for ARPC generation is derived.
  If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.
  Key Type Requirements: The key type must be DKYGENKY, the subtype must be DKYL0, and the key usage must specify that a MAC key will be derived (keyword DMAC).
  Note: For MasterCard M/Chip 2.1, you need the issuer master key in two versions: one of each subtype (DKYL1 and DKYL0). If the action GENARPC or VERGEN is specified, this key must be the subtype DKYL0 and is used to derive the session key for ARPC generation. The key to be used for ARQC verification (VERARQC and VERGEN) must be specified in the issuer_master_key_identifier input parameter.
- pan_length
  Direction: Input. Type: Integer.
  Length in bytes of the pan parameter. The value must be 10.
- pan
  Direction: Input. Type: String.
  The 10-byte EMV card’s Primary Account Number. The data must be in compressed numeric format and right justified in a 10-byte field, padded to the left with zeroes. For example, PAN 1234567890 must be provided as x'00000000001234567890'.
  This data is used in combination with the PAN sequence number to derive the card’s master key. The exact set of rules is described in EMV Integrated Circuit Card Specification for Payment Systems Version 4.2 (EMV4.2) Book 2, Annex A1.4.
- pan_seq_number
  Direction: Input. Type: String.
  The 1-byte sequence number of the EMV card’s Primary Account Number. If the APPANSEQ control flag rule array keyword was specified, this PAN sequence number is used in combination with the PAN to derive the card’s master key. The exact set of rules is described in EMV Integrated Circuit Card Specification for Payment Systems Version 4.2 (EMV4.2) Book 2, Annex A1.4.
- cryptogram_info_length
  Direction: Input. Type: Integer.
  The length of the cryptogram information supplied in the cryptogram_info parameter. This value must be between 1 and 252 inclusive.
- cryptogram_info
  Direction: Input. Type: String.
  The cryptogram information on which the ARQC is generated. The data must not be padded.
  The cryptogram information is padded as follows:
  Key derivation mechanism | Padding |
  ---|---|
  VISA | Visa ICC Card’s Specification V1.4.0, Appendix D2 and D3 |
  MC, EMV | EMV, Book 2, Annex A1.2 |
- atc
  Direction: Input. Type: String.
  The 2-byte application transaction counter that is used for session key derivation. See the key mode rules for more information on session key derivation.
  This parameter must be 2 bytes.
  Note: The first byte is the high-order byte and the second byte is the low-order byte.
- arc
  Direction: Input. Type: String.
  The 2-byte authorization response code that must be used for generating the ARPC. Only used if action GENARPC or VERGEN is specified.
  This parameter must be 2 bytes.
  Note: The first byte is the high-order byte and the second byte is the low-order byte.
- arqc
  Direction: Input. Type: String.
  The 8-byte authorization request cryptogram received from the payment card.
  This parameter must be 8 bytes.
- arpc
  Direction: Output. Type: String.
  The 8-byte authorization response cryptogram to be sent back to the payment card. The ARPC is obtained by enciphering the ARQC XOR-ed with the ARC (see also EMV, Book 2, 8.2).
  This parameter must be 8 bytes.
- unpredictable_number
  Direction: Input. Type: String.
  The 4-byte unpredictable number used in the MasterCard M/Chip 2.1 session key derivation scheme.
  The data in this field will not be reformatted by the API before use.
  This parameter must be 4 bytes.
- reserved1_length
  Direction: Input. Type: Integer.
  Length in bytes of the reserved1 parameter. The value must be 0.
- reserved1
  Direction: Input. Type: String.
  This field is ignored.
- reserved2_length
  Direction: Input. Type: Integer.
  Length in bytes of the reserved2 parameter. The value must be 0.
- reserved2
  Direction: Input. Type: String.
  This field is ignored.
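
The following is an added example, not part of the IBM documentation: it shows how a caller might marshal and pre-check two of the inputs described above before invoking CSNBEAC, namely the blank-padded rule_array and the packed 10-byte pan. The helper names and EAC_* codes are hypothetical; the checks encode only the rules stated on this page.

```c
#include <ctype.h>
#include <string.h>

/* Added example: helper names and EAC_* codes are hypothetical, not ICSF's. */
enum { EAC_OK = 0, EAC_BAD_COUNT, EAC_BAD_KEYWORD, EAC_BAD_COMBO, EAC_BAD_PAN };

/* Keyword groups from Table 1: 0=algorithm, 1=action, 2=key mode,
   3=control flag, 4=branch factor. */
static const struct { const char *kw; int group; } KW[] = {
    {"TDES", 0}, {"VERARQC", 1}, {"GENARPC", 1}, {"VERGEN", 1},
    {"VISA", 2}, {"MC", 2}, {"EMV", 2}, {"APPANSEQ", 3},
    {"TDESEMV2", 4}, {"TDESEMV4", 4}};

/* Fill rule_array: contiguous 8-byte slots, left-justified, blank-padded
   (out holds 8*count bytes). Reports the required ARPC key identifier length. */
int eac_build_rule_array(const char *const *kws, int count,
                         unsigned char *out, int *arpc_key_len)
{
    int seen[5] = {0}, is_emv = 0, is_mc = 0;
    if (count < 3 || count > 4) return EAC_BAD_COUNT;
    memset(out, ' ', 8 * (size_t)count);
    for (int i = 0; i < count; i++) {
        size_t k = 0, n = sizeof KW / sizeof KW[0];
        while (k < n && strcmp(kws[i], KW[k].kw) != 0) k++;
        if (k == n) return EAC_BAD_KEYWORD;
        if (seen[KW[k].group]++) return EAC_BAD_COMBO;  /* one per group */
        is_emv |= !strcmp(kws[i], "EMV"); is_mc |= !strcmp(kws[i], "MC");
        memcpy(out + 8 * i, kws[i], strlen(kws[i]));
    }
    if (!seen[0] || !seen[1] || !seen[2]) return EAC_BAD_COMBO; /* required */
    if (seen[4] && !is_emv) return EAC_BAD_COMBO; /* branch factor: EMV only */
    *arpc_key_len = is_mc ? 64 : 0;  /* 64 with key mode MC, otherwise zero */
    return EAC_OK;
}

/* Pack a decimal PAN into the 10-byte pan field: compressed numeric (two
   digits per byte), right-justified, padded on the left with zeroes. */
int eac_pack_pan(const char *digits, unsigned char pan[10])
{
    size_t len = strlen(digits);
    if (len == 0 || len > 20) return EAC_BAD_PAN;
    memset(pan, 0, 10);
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)digits[len - 1 - i];
        if (!isdigit(c)) return EAC_BAD_PAN;
        pan[9 - i / 2] |= (unsigned char)((c - '0') << (i % 2 ? 4 : 0));
    }
    return EAC_OK;
}
```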
Usage notes
SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS.
Cryptographic services used by EMV Transaction (ARQC/ARPC) Service
- CSNBKTB - Key Token Build
- CSNBDKG - Diversified Key Generate
- CSNBMGN - MAC Generate
- CSNBMVR - MAC Verify
The caller does not require authorization to each of these services, only to the EMV Transaction (ARQC/ARPC) Service. Additionally, the caller must have the required access control points enabled.
Access control points
- Diversified Key Generate - TDES-ENC
- Diversified Key Generate - SESS-XOR
- Diversified Key Generate - TDESEMV2/TDESEMV4
- MAC Generate
- MAC Verify
Required hardware
This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.
Server | Required cryptographic hardware | Restrictions |
---|---|---|
IBM System z9 EC, IBM System z9 BC | Crypto Express2 Coprocessor | |
IBM System z10 EC, IBM System z10 BC | Crypto Express2 Coprocessor, Crypto Express3 Coprocessor | |
IBM zEnterprise 196, IBM zEnterprise 114 | Crypto Express3 Coprocessor | |
IBM zEnterprise EC12, IBM zEnterprise BC12 | Crypto Express3 Coprocessor, Crypto Express4 CCA Coprocessor | |
IBM z13, IBM z13s | Crypto Express5 CCA Coprocessor | |