Back to Blog
meios-de-pagamentocryptogramaemvtokenizaçãofintechadquirencia

Cryptogram: What Really Validates a Card Transaction

I explain what a cryptogram is in the context of EMV and digital wallets, how it's generated, how the issuer validates it, the differences between ARQC and AAV, the impact of the ECI, and common integration errors that affect approval and fraud.

February 20, 20265 min read

In my day-to-day work with payment integrations, I've seen this scenario many times:

We're using a token, so it's secure.

We sent the wallet indicator, so everything's fine.

And when you investigate the drop in approval rates or the increase in fraud... the problem lies in the cryptogram.

Many people implement tokenization, 3DS, wallets, but don't understand what really proves that a transaction is legitimate at the network layer. And that proof, in most cases, is the cryptogram.

Today I'm going to explain what it is, how it works behind the scenes, and why it directly impacts approval, risk, and chargebacks.

What is a Cryptogram?

A cryptogram is a cryptographic value generated dynamically for a specific transaction.

It functions as:

  • Proof of credential ownership
  • Proof of transaction integrity
  • Anti-replay mechanism

If someone intercepts the message and tries to reuse it, it won't work.

Where Does it Come From? (EMV Explained Quickly)

The cryptogram originates within the EMV (Europay, Mastercard, Visa) standard.

EMV is the global standard that defines how chip cards work.

When you insert a physical card into the machine:

  1. The terminal sends commands to the chip
  2. The chip responds via APDU (Application Protocol Data Unit)
  • which is basically the message format for communication with the chip
  1. The chip generates a unique cryptogram for that transaction

This cryptogram is called:

  • ARQC (Authorization Request Cryptogram)

It is validated by the issuer.

If valid → transaction can be authorized If invalid → denied

What About E-commerce?

In traditional e-commerce (card entered manually), there is usually no real EMV cryptogram.

But when we talk about:

  • Apple Pay
  • Google Pay
  • Click to Pay
  • Card brand tokenization

A digital cryptogram does exist.

In this case:

  • It is generated based on keys stored in the Secure Element or secure environment
  • It is sent along with the token (DPAN)
  • The card network validates it before forwarding it to the issuer

Simple Analogy

Think of the card as a safe.

The token is a controlled copy of the key.

The cryptogram is the digital signature that says:

This key was used now, in this specific transaction, for this specific amount.

Without this signature, the system doesn't fully trust it.

Types of Cryptograms You'll Encounter

1. ARQC

Authorization Request Cryptogram Generated for online authorization.

2. TC

Transaction Certificate Generated when the transaction is approved offline.

3. AAC

Application Authentication Cryptogram Indicates offline rejection.

In the digital world, you may also hear about:

  • AAV (Accountholder Authentication Value)
  • Wallet cryptogram

They are not identical to the physical ARQC, but they serve a similar role as cryptographic proof.

How it Works Behind the Scenes

Let's simplify the technical flow:

  1. Transaction data is assembled:
  • amount
  • currency
  • date
  • terminal id
  1. The card (or secure environment) uses:
  • a secret symmetric key
  • transaction counter

  1. It applies a cryptographic algorithm (usually based on 3DES or AES)

  2. Generates the cryptogram

The issuer has the corresponding key.

It recalculates the cryptogram on its side.

If it matches → valid If it doesn't match → fraud or integration error

What Can Go Wrong in Practice?

Here's where the part that few people talk about comes in.

1. Inconsistent Fields

If you change:

  • Amount
  • Currency
  • Security indicators

Without maintaining consistency with what was used to generate the cryptogram, it fails validation.

2. Incorrect ECI

The ECI (Electronic Commerce Indicator) indicates the security level of the transaction.

If the ECI does not match the type of cryptogram sent:

  • You may lose liability shift
  • You may have a downgrade
  • It may increase fraud

3. Incomplete Wallet Integration

I've seen cases:

  • Sending token
  • But ignoring cryptogram
  • Or mapping the wrong field in the acquirer

Result? The transaction basically becomes a common manually entered card.

Real Impact on Business

A well-implemented cryptogram means:

  • Higher approval rate
  • Less fraud
  • Liability shift when applicable
  • Fewer chargebacks

A poorly implemented cryptogram means:

  • Technically "valid" transaction
  • But with high risk
  • And potential financial loss

Difference Between Token and Cryptogram

I always explain it like this:

  • Token replaces the card number
  • Cryptogram proves that the transaction is legitimate

One without the other is an incomplete solution.

What You Should Take Away From This

If you work with payments, understand:

  • Cryptogram is not a technical detail.
  • It is the cryptographic layer that underpins transaction trust.
  • A wallet without the correct cryptogram loses much of its benefit.
  • Poorly mapped integration can destroy approval rates.

Before discussing fraud or conversion rates, we should always review:

Are we correctly sending the cryptogram and the ECI?

If you've never validated this in your integration, it's worth reviewing now.

In the next article I can delve deeper into:

  • How the issuer validates an ARQC
  • Practical difference between ARQC and AAV
  • How the ECI influences liability shift
  • Classic integration errors that drop approval rates

Because in payment methods, security and approval go hand in hand, and the cryptogram is exactly in the middle of that path.