Comments on: A truly marvellous proof of a transaction

By: Steven J. Murdoch

Steven J. Murdoch — Thu, 17 Sep 2009 11:08:37 +0000

@kendo

An ARQC shows that a chip card was probably used. It doesn’t prove that the genuine card was used (to do that, the ARQC needs to be verified, using the card’s unique derived key — UDK).

There will be an ARQC for a Chip & Signature card, but one of the fields — the issuer application data (IAD) — will state whether the PIN was successfully verified.

By: kendo

kendo — Wed, 16 Sep 2009 16:05:15 +0000

Does the presence of an ARQC categorically prove a Chip and PIN transaction or just that thegenuine card was present. Would there be an ARQC if the transaction was Chip and Signature.

By: Dave

Dave — Wed, 06 May 2009 22:14:39 +0000

Great now I have to go looking through all my receipts, that’s cool

Honestly, I’m surprised more transactions aren’t securely hashed and stored semi-publicly like this. Any word on what the algorithm is — part of an MD5 maybe, or if it’s even a recognized secure algorithm?

By: Hamish

Hamish — Tue, 07 Apr 2009 16:01:39 +0000

Minor point, but at the end of the first paragraph you refer to AQRC – is that meant to be ARQC?

By: Mike Bond

Mike Bond — Mon, 06 Apr 2009 14:18:23 +0000

True, EMV doesn’t have a monopoly on the words “Transaction Certificate”. There’s an argument which says clearly it must be there for a good reason, and its unlikely to be pure invention. But then this surely begs the question… what reason?

Even if we cynically assume that the bank is doing this entirely for their own benefit and they don’t give a damn about customer/merchant disputes, then what purpose does a hex string on its own provide? All I could think is that it helps match up disparate records. But such a field is normally called an ID or UID, not a “certificate”, which implies some crypto going on.

If there’s one thing I’ve learned from 3 years in industry its that the world of electronic payment cannot fit into any one persons head alone… there’s just too many regional variations, dirty hacks, smart ideas, etc etc.

Mike

By: Theo Markettos

Theo Markettos — Mon, 06 Apr 2009 13:04:18 +0000

I'm not convinced this is an EMV transaction certificate at all - I think it's just something relating to the web payment handling system. Here's a video showing the merchant's interface to the Atos SIPS system (the one you used in the airport). Looking at this still for a merchant-entered transaction It gives an authorisation number (6 digits) and a payment certificate (10 digits). Both look decimal, but that could just be chance. This is a Carte Bleue transaction. Meanwhile here's a still showing cancelling a transaction. This has a 12 hex digit transaction certificate. This can't be anything to do with EMV, because the card typically isn't involved in cancellations. Not everything that says 'Transaction certificate' is necessary an EMV TC. It may just be the online certificate received back from Visa/Mastercard/etc when it said the transaction between the merchant system (Atos SIPS) and Visa is OK. You have a point, though, that context-free strings of hex digits are opaque to anyone except the bank, which doesn't help if you wish to dispute a transaction or even understand what's going on.