Updates in June 2017: For more details on updates to EMVLab, including HTTPS and better handling of 3-byte and unknown tags, see my blog post.

This application derives session keys from the card master key, following the algorithm described in EMV 4.1, Book 2, Part III, Annex A1.3. Given the input to the disconnected card reader and the internal configuration of the card, it then uses the derived session key to generate authentication codes following the Chip Authentication Program (CAP) specification.

Session key derivation

(e.g. '0123456789ABCDEF0123456789ABCDEF')

(e.g. '00B4')

Card configuration

Input from customer
Reference Amount

“xxxx” is replaced by the ATC

http://www.emvlab.org/ – the one stop site for banking techies – © 2009–2017

This site is run by members of the Information Security Group at University College London.

EMV® is a registered trademark of EMVCo LLC. This site and its operators are not affiliated or associated with or endorsed by EMVCo. All other trademarks and registered trademarks are the property of their respective owners.