DSB n°324: Updates to C-4 - Comment period 22 May 2026

Draft EMV® Specification Bulletin No. 324 First Edition April 2026 Update to Kernel C-4 This Draft Specification Bulletin describes proposed changes to the EMV® Contactless Specifications for Payment Systems Book C-4 Version 2.11. It is posted to allow feedback before final publication. Please submit any comments you may have via the EMVCo website at www.emvco.com by May 22, 2026. Applicability This Draft Spec Bulletin applies to: • EMV® Contactless Specifications for Payment Systems, Book C-4 Kernel 4 Specification, Version 2.11, June 2023 Related Documents • None Description This specification bulletin contains updates, clarifications and corrections to Book C-4, Kernel 4 Specification. Details of changes Updates to the specification are listed as: [1.] Uplift all references of EMV 4.3 to EMV 4.4. [2.] Removal of reference for PCI-CPoC for Terminal & mPOS architecture. [3.] Correct reference to Mobile CVM support. [4.] Correct flow in Figure 2-1: Transaction Flow Overview. [5.] Update reference for Cryptogram Version Number to include new values. [6.] Update reference for Terminal Type - Modified to clarify usage. [7.] Change “Reader offline” to “Reader is Unable to go online”. [8.] Update section to only refer to mPOS-C or mPOS-CSP terminals. [9.] Removal of SDA Support. [10.] Add clarity for PIN TVR settings. [11.] Typographical correction of mPOS-CPS to mPOS-CSP. [12.] Remove reference to DES for Application Cryptogram generation. [13.] Increase size of Application Public Key Certificate. [14.] Correct wording on data sent to card post online processing. [15.] Returned description of ans to previous value. Additionally, there have been some corrections to minor errors and additional clarifications. Text to be deleted is highlighted in yellow © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 1 Text added is highlighted in blue © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 2 Update [1]: Update references for EMV 4.3 to EMV 4.4 Section: 1.4 Reference Material, and throughout the document. Original: [EMV 4.3] EMV® Integrated Circuit Card Specifications for Payment Systems, Version 4.3, November 2011, including: [EMV 4.3 Book 1] EMV Integrated Circuit Card Specifications for Payment Systems, Book 1, Application Independent ICC to Terminal Interface Requirements [EMV 4.3 Book 2] EMV Integrated Circuit Card Specifications for Payment Systems, Book 2, Security and Key Management [EMV 4.3 Book 3] EMV Integrated Circuit Card Specifications for Payment Systems, Book 3, Application Specification [EMV 4.3 Book 4] EMV Integrated Circuit Card Specifications for Payment Systems, Book 4, Cardholder, Attendant, and Acquirer Interface Requirements Changed: [EMV 4.4] [EMV 4. 4 Book 1] [EMV 4. 4 Book 2] [EMV 4. 4 Book 3] [EMV 4. 4 Book 4] EMV® Integrated Circuit Card Specifications for Payment Systems, Version 4.4, October 2022, including: EMV Integrated Circuit Card Specifications for Payment Systems, Book 1, Application Independent ICC to Terminal Interface Requirements EMV Integrated Circuit Card Specifications for Payment Systems, Book 2, Security and Key Management EMV Integrated Circuit Card Specifications for Payment Systems, Book 3, Application Specification EMV Integrated Circuit Card Specifications for Payment Systems, Book 4, Cardholder, Attendant, and Acquirer Interface Requirements © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 3 Update [2]: Removal of reference for PCI-PCoC for mPOS Architectures Section: 1.6 mPOS Architectures Original: ASP (Accessory, Software PIN ) C Contactless COTS device and accessory1 COTS supporting SPoC device Accessory Accessory COTS device supporting N/A N/A COTS CPoC device CSP Contactless, Software PIN COTS device supporting COTS N/A CPoC and SPoC 2 device COTS device Notes: 1 If an accessory device is being used, it will provide a contact and contactless interface. 2 The mPOS-CSP architecture is mentioned in this document for completeness. However, at the time of writing, this architecture is prohibited by [PCI-CPoC]. Therefore, solutions using this architecture can only be deployed after obtaining prior approval. Permission may be granted, based on bespoke functional and security approvals, and will state any restrictions applicable to the deployment, such as number, geographic or duration. Changed: ASP (Accessory, Software PIN ) C Contactless COTS device and accessory1 COTS supporting SPoC device Accessory Accessory COTS device supporting N/A N/A COTS CPoC device CSP Contactless, Software PIN COTS device supporting COTS N/A CPoC and SPoC device COTS device © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 4 Notes: 1 If an accessory device is being used, it will provide a contact and contactless interface. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 5 Update [3]: Correct reference to Mobile CVM support Section: 2.1.5 Contactless Mobile Transaction Original: 2.1.5 Contactless Mobile Transaction When a transaction is performed as Contactless Mobile the reader may prompt for an action to be performed on the Mobile device by exiting the transaction with a Try Again Outcome. A Contactless Mobile: • Follows the Contactless EMV Mode of Operation requirements as per section 4.3.7. • May support Mobile CVM (typically, a four-digit code stored in the Card, entered by the user via the phone device keypad and verified by the Card). Changed: 2.1.5 Contactless Mobile Transaction When a transaction is performed as Contactless Mobile the reader may prompt for an action to be performed on the Mobile device by exiting the transaction with a Try Again Outcome. A Contactless Mobile: • Follows the Contactless EMV Mode of Operation requirements as per section 4.3.7. • May support Mobile CVM as per section 2.1.5.1. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 6 Update [4]: Correct flow in Figure 2-1: Transaction Flow Overview. Section: 2.2 Contactless Transaction Processing Correct the order of the flow for Figure 2-1. Original: © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 7 Changed: © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 8 Update [5]: Update reference for Cryptogram Version Number to include new values Section: 2.3 Contactless Transaction Configurations Original: Table 2-2: Contactless Transaction Combinations Contactless Terminal Configuration EMV Mode supported Partial Online with delayed authorisation (Not applicable for mPOS-C, mPOS-CSP) Card Supports either EMV Mode only or Card Supports Both Mag-Stripe and EMV Modes The EMV transaction flow is performed until 1st Card Action Analysis is completed. Offline Data Authentication is mandatory. A card that supports EMV Mode will present a CDOL for Cryptogram Version '01'. An online authorisation is performed at a later time. EMV Mode supported Offline (Not applicable for mPOS-C, mPOS-CSP) An offline transaction is performed, if offline is allowed by Issuer configuration settings and Card Risk Management. Offline Data Authentication is mandatory. A card that supports EMV Mode will present a CDOL for Cryptogram Version ‘01’. EMV Mode The EMV transaction flow is performed until 1st Card Action supported Analysis is completed. Partial Online with immediate authorization A Card that supports Expresspay EMV Mode will present a CDOL for Cryptogram Version ‘01’. After going online, the transaction result will be based on the Issuer authorization response. In case of mPOS-C or CSP, if an online connection is not possible prior to the transaction, then the transaction shall not be started. Changed: Table 2-2: Contactless Transaction Combinations © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 9 Contactless Terminal Configuration EMV Mode supported Partial Online with delayed authorisation (Not applicable for mPOS-C, mPOS-CSP) Card Supports either EMV Mode only or Card Supports Both Mag-Stripe and EMV Modes The EMV transaction flow is performed until 1st Card Action Analysis is completed. Offline Data Authentication is mandatory. A card that supports EMV Mode will present a CDOL for Cryptogram Version '01', ‘32’ or ‘33’. An online authorisation is performed at a later time. EMV Mode supported Offline (Not applicable for mPOS-C, mPOS-CSP) An offline transaction is performed, if offline is allowed by Issuer configuration settings and Card Risk Management. Offline Data Authentication is mandatory. A card that supports EMV Mode will present a CDOL for Cryptogram Version ‘01’, ‘32’ or ‘33’. EMV supported Mode Partial Online with immediate authorization The EMV transaction flow is performed until 1st Card Action Analysis is completed. A Card that supports Expresspay EMV Mode will present a CDOL for Cryptogram Version ‘01’, ‘32’ or ‘33’. After going online, the transaction result will be based on the Issuer authorization response. In case of mPOS-C or CSP, if an online connection is not possible prior to the transaction, then the transaction shall not be started. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 10 Section: A.1 Data Elements Original: Cryptogram Proprietary data element Card b 8 Version Number indicating the version of the TC, AAC/ARQC algorithm used by the application. Changed: Cryptogram Proprietary data element Card b 8 Version Number indicating the version of the TC, AAC/ARQC algorithm used by the application. Issuer 1 Specific Value = '01' or '02' Data element held within for this CDOL. Transmitted in the specification Issuer Application Data. Issuer 1 Specific Value = '01', ‘32’ or ‘33’ for this specification Data element held within CDOL. Transmitted in the Issuer Application Data. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 11 Update [6]: Update reference for Terminal Type - Modified to clarify usage. Section: 2.3 Contactless Transaction Configurations Original: Note that the Terminal Type – Modified value is transient and valid only for the purpose of determining whether contactless EMV mode is supported by both the Terminal and the Card for the current transaction being processed. Changed: Note that the Terminal Type – Modified value is transient and valid for the purpose of determining whether contactless EMV mode is supported by both the Terminal and the Card for the current transaction being processed. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 12 Update [7]: Change “Reader offline” to “Reader is Unable to go online” Section: 4.3.1 Pre-PDOL Processing Original: If the reader is an offline-only reader (i.e. if the Terminal Type is 'x3' or 'x6') or the reader can determine that it is currently unable to go online for authorisation, (excluding mPOS-C, mPOS-CSP), then it will set Enhanced Contactless Reader Capabilities Byte 3 Bit 8 to 1b, ‘Terminal is offline only’. Changed: If the reader is an offline-only (i.e. if the Terminal Type is 'x3' or 'x6') or the reader can determine that it is currently unable to go online for authorisation, (excluding mPOS-C, mPOS-CSP), then it will set Enhanced Contactless Reader Capabilities Byte 3 Bit 8 to 1b, ‘Reader is Unable to go online’. Requirements: 4.3.1.3 Original: If the reader is an offline-only reader (Reader type 'x3' or 'x6') or the reader has determined that it is unable to go online, then the reader shall set Enhanced Contactless Reader Capabilities Byte 3 Bit 8 to 1b, ‘Reader is Offline Only’ Changed: If the reader is an offline-only reader (Reader type 'x3' or 'x6') or the reader has determined that it is unable to go online, then the reader shall set Enhanced Contactless Reader Capabilities Byte 3 Bit 8 to 1b, ‘Reader is Unable to go online’. Section: 4.3.4 Enhanced Contactless Reader Capabilities Original: Table 4-4: Enhanced Contactless Reader Capabilities - Tag ‘9F6E’ Terminal Capabilities Byte 1 b8 b7 b6 b5 b4 b3 b2 b1 Meaning x1 1 = Contact mode supported1 0 0 = Contactless Mag-Stripe Mode not supported © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 13 02 0 = Contactless EMV full online mode not supported (full online mode is a legacy feature and is no longer supported) 1 1 = Contactless EMV partial online mode supported 1 1 = Contactless Mobile Supported x 1 = Try Another Interface after a decline. 0 RFU 0 RFU Terminal CVM Capabilities Byte 2 b8 b7 b6 b5 b4 b3 b2 b1 Meaning x 1 = Mobile CVM supported x 1 = Online PIN supported x 1 = Signature x 1 = Plaintext Offline PIN 0 RFU 0 RFU 0 RFU 0 RFU Transaction Capabilities Byte 3 b8 b7 b6 b5 b4 b3 b2 b1 Meaning x 1 = Reader is offline only Changed: Table 4-4: Enhanced Contactless Reader Capabilities - Tag ‘9F6E’ Terminal Capabilities Byte 1 b8 b7 b6 b5 b4 b3 b2 b1 Meaning x1 1 = Contact mode supported1 0 0 = Contactless Mag-Stripe Mode not supported 02 0 = Contactless EMV full online mode not supported © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 14 (full online mode is a legacy feature and is no longer supported) 1 1 = Contactless EMV partial online mode supported 1 1 = Contactless Mobile Supported x 1 = Try Another Interface after a decline. 0 RFU 0 RFU Terminal CVM Capabilities Byte 2 b8 b7 b6 b5 b4 b3 b2 b1 Meaning x 1 = Mobile CVM supported x 1 = Online PIN supported x 1 = Signature x 1 = Plaintext Offline PIN 0 RFU 0 RFU 0 RFU 0 RFU Transaction Capabilities Byte 3 b8 b7 b6 b5 b4 b3 b2 b1 Meaning x 1 = Reader is unable to go online (e.g. offline only) © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 15 Update [8]: Update section to only refer to mPOS-C or mPOS-CSP terminals. Section: 4.3.1 Pre-PDOL Processing Original: For Online Only Terminal (for example mPOS-C or mPOS-CSP terminal), if the terminal can determine that it is currently Unable to go Online for authorization, then the kernel returns control to Entry Point, passing a Final Outcome of End Transaction. Changed: For mPOS-C or mPOS-CSP terminal types, if the terminal can determine that it is currently Unable to go Online for authorization, then the kernel returns control to Entry Point, passing a Final Outcome of End Transaction. Requirements: 4.3.1.4 Original: If the reader is an Online Only reader, (e.g. mPOS-C or mPOS-CSP), and Unable to go Online then the terminal shall decline the transaction, returning control to Entry Point as defined in Error! Reference source not found.. Changed: If the reader is an mPOS-C or mPOS-CSP, and Unable to go Online then the terminal shall decline the transaction, returning control to Entry Point as defined in Error! Reference source not found.. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 16 Update [9]: Removal of SDA Support Table 5 2: Application Interchange Profile (AIP) Original: Table 5-2: Application Interchange Profile (AIP) AIP Byte 1 (Leftmost) b8 b7 b6 b5 b4 b3 b2 b1 Meaning 0 RFU (Reserved for future use) x 1b = SDA supported 0b = SDA not supported Changed: Table 5-2: Application Interchange Profile (AIP) AIP Byte 1 (Leftmost) b8 b7 b6 b5 b4 b3 b2 b1 Meaning 0 RFU (Reserved for future use) 0 0b = SDA not supported © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 17 Section: 6.1 Overview Original: All Contactless readers must support the following two forms of Offline Data Authentication, as described in the [EMV 4.3] specifications: • SDA • CDA The enablement of Offline Data Authentication must be configurable for deployment. Requirements – Offline Data Authentication 6.1.1. All Readers shall support Static Data Authentication. Changed: All Contactless readers must support the following Offline Data Authentication mechanism, as described in the [EMV 4.4] specifications: • CDA The enablement of Offline Data Authentication must be configurable for deployment. Requirements – Offline Data Authentication 6.1.1. [Requirement Removed] Section: 6.2 Processing Requirements © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 18 Original: If the reader has Offline Data Authentication enabled, then Offline Data Authentication must be performed as described in [EMV 4.3 Book 2], sections 5 and 6, and [EMV 4.3 Book 3], section 10.3. The reader determines whether the card should be authenticated using either SDA or CDA based on the card’s ability to support these methods, as indicated in the AIP. The Offline Data Authentication methods enabled by the reader are identified in Terminal Capabilities (Tag '9F33'). Changed: If the reader has Offline Data Authentication enabled, then Offline Data Authentication must be performed as described in [EMV 4.4 Book 2], sections 5 and 6, and [EMV 4.4 Book 3], section 10.3. The reader determines whether the card should be authenticated using CDA based on the card’s ability to support this method, as indicated in the AIP. The Offline Data Authentication methods enabled by the reader are identified in Terminal Capabilities (Tag '9F33'). Section: 6.2.2 Single ODA Method Supported © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 19 Original: 6.2.2 Single ODA Method Supported If CDA is the only Offline Data Authentication method supported by the card and enabled by the reader, then the reader shall authenticate the card using CDA. If SDA is the only Offline Data Authentication method supported by the card and enabled by the reader, then the reader shall authenticate the card using SDA. Requirements – Offline Data Authentication When Card Supports a Single Method 6.2.2.1 If a card indicates support of only CDA method, and the following conditions are true: • ODA is required • Reader has CDA enabled then the reader performs CDA. 6.2.2.2 If a card indicates support of only SDA method, and the following conditions are true: • ODA is required • Reader has SDA enabled then the reader performs SDA. 6.2.3 Multiple ODA Methods Supported If more than one Offline Data Authentication method is supported by the card and enabled by the reader, then CDA takes priority over SDA. Requirements – Offline Data Authentication Priority 6.2.3.1 If a card indicates support of both SDA and CDA methods, and the following conditions are true: • ODA is required • Reader has both SDA and CDA enabled then the reader performs CDA. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 20 Changed: 6.2.2 Single ODA Method Supported If CDA is the only Offline Data Authentication method supported by the card and enabled by the reader, then the reader shall authenticate the card using CDA. Requirements – Offline Data Authentication When Card Supports a Single Method 6.2.2.1 If a card indicates support of only CDA method, and the following conditions are true: • ODA is required • Reader has CDA enabled then the reader performs CDA. 6.2.2.2 [Requirement Removed] 6.2.3 [Section Removed] Requirements – [Requirement Removed] 6.2.3.1 [Requirement Removed] 6.2.4 Scheme Certification Authority Public Keys In order that Offline Data Authentication can be performed by a reader, the reader must be configured with the necessary Certification Authority Public Keys (CAPK). Requirements – Offline Data Authentication Keys The terminal shall be able to hold a minimum of six Certification Authority Public Keys per AID. 6.2.5 [Section Removed] Requirements – [Requirement Removed] 6.2.5.1 [Requirement Removed] 6.2.5.2 [Requirement Removed] © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 21 Update [10]: Add clarity for PIN TVR settings Section: 8.2.3.2 Online PIN CVM (not applicable for mPOS-C) Original: The online PIN shall be entered after 1st Card Action Analysis, once the card processing is complete and the card can be removed from the reader. Following PIN entry, the reader proceeds to online authorisation as described in Section 12, Online Processing (online PIN transactions require online authorisation). Changed: The online PIN shall be entered after 1st Card Action Analysis, once the card processing is complete and the card can be removed from the reader. Following PIN entry, the reader proceeds to online authorisation as described in Section 12, Online Processing (online PIN transactions require online authorisation). Note: if PIN entry is bypassed or the PIN Pad is determined to be malfunctioning after the GENERATE AC command has been issued, then the Terminal must not update the TVR (i.e. Byte 3 Bit 4 or Bit 5 respectively) at this point of the transaction, since updating the TVR after the GENERATE AC would invalidate the Application Cryptogram generated by the Card. In this case, the Terminal shall continue online processing without the PIN block in the authorization request as described in Section 12, Online Processing. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 22 Update [11]: Typographical correction of mPOS-CPS to mPOS-CSP Section: 11.1 Overview Original: The purpose of Card Action Analysis is to allow the card to perform a number of predefined risk management tests and use the results of these tests to decide upon an appropriate action. These tests are carried out on the details of this transaction and the outcome of previous transactions. They determine if positive online authorisation is required for this transaction to be completed, whether the transaction can be completed with local offline authorisation (not supported by mPOS-C, mPOS-CPS) or whether the transaction should be declined offline. Changed: The purpose of Card Action Analysis is to allow the card to perform a number of predefined risk management tests and use the results of these tests to decide upon an appropriate action. These tests are carried out on the details of this transaction and the outcome of previous transactions. They determine if positive online authorisation is required for this transaction to be completed, whether the transaction can be completed with local offline authorisation (not supported by mPOS-C, mPOS-CSP) or whether the transaction should be declined offline. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 23 Update [12]: Remove reference to DES for Application Cryptogram generation. Section: 11.2 Processing Requirements Original: The reader is not involved in 1st Card Action Analysis, however it is triggered by the reader issuing the GENERATE AC command to the card, and the reader is informed of the result of this process in the response data returned by the card. The card generates the AC using application data and a secret DES key (the AC DEA Keys) stored on the card. (When CDA is being performed, the card will also create a dynamic signature that includes the TC or ARQC.) Changed: The reader is not involved in 1st Card Action Analysis, however it is triggered by the reader issuing the GENERATE AC command to the card, and the reader is informed of the result of this process in the response data returned by the card. The card generates the AC using application data and a secret key stored on the card. (When CDA is being performed, the card will also create a dynamic signature that includes the TC or ARQC.) © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 24 Update [13]: Increase size of Application Public Key Certificate Section: A.1 Data Elements Original: Application Public Application Public Key Card b Key Certificate Certificate used during CDA. '9F46' var. up to 128 Changed: Application Public Application Public Key Card b Key Certificate Certificate used during CDA. '9F46' var. up to 247 Used for CDA. Used for CDA. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 25 Update [14]: Correct wording on data sent to card post online processing. Section: A.1 Data Elements Original: Authorisation Response Cryptogram (ARPC) Issuer Authentication Data A cryptogram generated by the Issuer Host System during an online transaction Issuer Issuer data transmitted to card for online Issuer authentication. Issuer b 64 — b 64-128 '91' 8 A cryptogram generated by the Issuer Host System and included in the Issuer Authentication Data to be returned to the reader and sent to the chip card in the response to an online transaction. Refer to Issuer Authentication Data in this table. var. up to 16 The Issuer Authentication Data consists of the following data: • First 8 bytes = ARPC • Last 2 bytes = Authorisation Response Code This data is transmitted to the card by the reader in the EXTERNAL AUTHENTICATE command. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 26 Changed: Authorisation Response Cryptogram (ARPC) Issuer Authentication Data A cryptogram generated by the Issuer Host System during an online transaction Issuer Issuer data provided for Authorisation Response. Issuer b 64 — b 64-128 '91' 8 A cryptogram generated by the Issuer Host System and included in the Issuer Authentication Data to be returned to the reader. Refer to Issuer Authentication Data in this table. var. up to 16 The Issuer Authentication Data consists of the following data: • First 8 bytes = ARPC • Last 2 bytes = Authorisation Response Code Authorisation Response Code used for transaction outcome. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 27 Update [15]: Returned description of ans to previous value. Annex D Glossary Original: ans , as defined in [EMV 4.3 Book 4], Annex B Changed: ans Alphanumeric Special characters, as defined in [EMV 4.4 Book 4], Annex B © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 28 Legal Notice Unless the user has an applicable separate agreement with EMVCo or with the applicable payment system, any and all uses of these Specifications is subject to the terms and conditions of the EMVCo Terms of Use agreement available at www.emvco.com and the following supplemental terms and conditions. The license granted in the EMVCo Terms of Use specifically excludes (a) the right to disclose, distribute or publicly display these Specifications or otherwise make these Specifications available to any third party, and (b) the right to make, use, sell, offer for sale, or import any software or hardware that practices, in whole or in part, these Specifications. Further, EMVCo does not grant any right to use the Kernel Specifications to develop contactless payment applications designed for use on a Card (or components of such applications). As used in these supplemental terms and conditions, the term “Card” means a proximity integrated circuit card or other device containing an integrated circuit chip designed to facilitate contactless payment transactions. Additionally, a Card may include a contact interface and/or magnetic stripe used to facilitate payment transactions. To use the Specifications to develop contactless payment applications designed for use on a Card (or components of such applications), please contact the applicable payment system. To use the Specifications to develop or manufacture products, or in any other manner not provided in the EMVCo Terms of Use, please contact EMVCo. These Specifications are provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in these Specifications. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AS TO THESE SPECIFICATIONS. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to the Specifications. EMVCo undertakes no responsibility to determine whether any implementation of these Specifications may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of these Specifications should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, the Specifications may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement these Specifications is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with these Specifications. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 29