Same IMK-AC key in an EMV chip card with two AIDs?

Question

In an EMV chip card with two AIDs, it is correct to use different IMK-AC keys for each AID or the same IMK-AC key for both AIDs?

I'm asking this question because we are having problems validating the ARQC for an EMV chip card. The ARQC validation is success only when the card is using one AID, and the ARQC validation is failing when the card is using the other AID. We have tested this several times and have the same result. My theory is the IMK-AC used to issue the AIDs are different, but I don't know if that makes sense?

Is there any way to know the IMK-AC KCV in an AID EMV chip card?

Also, In the TVR (terminal verification result) for the transactions are:

• ARQC Success: 8000048000 (Online PIN entered ON)
• ARQC Failing: 8000008000 (Online PIN entered OFF) I don't know if the TVR could affect in any way the ARQC validation?

I'll appreciate any help on this issue.

Thanks!

Answer 1

Two different applications and hence two different card numbers, correct ?

While you personalize, IMK AC will not be sent to card, it is a key derived from the IMK-AC, diversified with pan and card sequence number, called Unique derivation key sent to the card, and hence both cards will have two UDKs even though the IMK-AC is same.

Since AID is different, ensure the ARPC verification is appropriate for the Cryptogram Verification Number. You can get this from 9F10(Issuer Application Data). The value in TVR do not matter for ARQC validation, but what received from the terminal should be used for verification since it was used for generation by the chip.

You can add some logs from terminal, host and HSM here ( after masking sensitive data if performed using a live card ).