HSM KitHSM Kit
English

Mastercard Dynamic CVC3: EMV Verification & ATC

Payment Security# Mastercard# CVC3# EMV# Dynamic CVV
Last Updated: May 21, 20265 min readBy HSM Kit Team
Need to calculate this now?
Use our free online Mastercard CVC3 Calculator tool.

Mastercard Dynamic CVC3 is a card verification value that changes with every transaction, providing stronger security than static CVV codes. This guide explains how CVC3 works in EMV contactless and chip transactions.

What is Dynamic CVC3?

Dynamic CVC3 (Card Verification Code 3) is Mastercard's implementation of dynamic card verification. Unlike the static CVV printed on a card, CVC3 is generated fresh for each transaction using cryptographic keys stored in the card's chip.

This makes stolen CVC3 values useless for future transactions — a significant security improvement over static CVV/CVC.

How EMV Dynamic Verification Works

EMV chip cards use a challenge-response mechanism for dynamic verification:

  1. Terminal sends a challenge: The POS terminal generates an Unpredictable Number (UN)
  2. Card computes the response: The chip uses its secret key, the ATC, and the UN to generate CVC3
  3. Terminal forwards the result: The CVC3 is included in the authorization message
  4. Issuer verifies: The issuer's HSM recalculates CVC3 using the same inputs and compares

Key Components

  • Application Transaction Counter (ATC): A counter in the chip that increments with each transaction. It ensures each transaction produces a different CVC3 even if other inputs are the same.
  • Unpredictable Number (UN): A random or pseudo-random value generated by the terminal to prevent replay attacks.
  • Card Key: A secret key derived from the Issuer Master Key (IMK), unique to each card.

CVC3 Calculation Process

Inputs

  • ATC: 2-byte counter (0x0000 to 0xFFFF)
  • Unpredictable Number: 4 bytes generated by the terminal
  • Track 2 Data: Contains PAN, expiry, and service code
  • Card Key: Derived from IMK using PAN

Algorithm Steps

Step 1: Derive the Card Key

The card-specific key is derived from the Issuer Master Key:

Card Key = DerivedKey(IMK, PAN)

This uses the standard EMV key derivation method, which typically involves 3DES encryption with the PAN as diversification data.

Step 2: Construct the Data Block

Concatenate ATC, Unpredictable Number, and relevant Track 2 data:

Data Block = ATC || UN || Track2_Data

The Track 2 data typically includes the PAN (without the check digit), expiry, and service code.

Step 3: Compute CVC3

Encrypt the data block with the card key:

CVC3 = Encrypt(Card_Key, Data_Block)

The result is processed through decimalization to extract a numeric CVC3 value (typically 5 digits for contactless).

Step 4: Truncate to 5 Digits

The CVC3 is truncated to 5 decimal digits for inclusion in the transaction message.

ATC (Application Transaction Counter)

The ATC is a critical component of dynamic CVC3:

  • Size: 2 bytes (16 bits), allowing 65,536 unique values
  • Increment: Increases by 1 with each transaction
  • Persistence: Stored in the chip's non-volatile memory
  • Overflow: When ATC reaches 0xFFFF, the card may be blocked

ATC Security Role

The ATC ensures that even if:

  • The same card is used at the same terminal
  • The terminal generates the same Unpredictable Number (unlikely)
  • The same Track 2 data is present

...the CVC3 will still be different because the ATC has changed.

Unpredictable Number

The Unpredictable Number (UN) adds another layer of randomness:

  • Generated by the POS terminal
  • Must be unpredictable to prevent pre-computation attacks
  • Typically 4 bytes (32 bits)
  • Included in the authorization message for issuer verification

UN Generation

Good UN generation uses:

  • Cryptographic random number generators
  • Hardware RNG in the terminal
  • Combination of timestamp and random seed

Track Data in CVC3

The Track 2 equivalent data provides card-specific information:

Track 2 Data = PAN || Separator || Expiry || Service Code || Discretionary Data

For CVC3 calculation, typically only parts of this data are used:

  • PAN (without check digit)
  • Expiry date
  • Service code

Practical Transaction Flow

Contactless Payment

  1. Customer taps card on contactless reader
  2. Terminal generates Unpredictable Number
  3. Terminal sends GET PROCESSING OPTIONS command to card
  4. Card increments ATC
  5. Terminal sends COMPUTE CVC3 command with UN
  6. Card computes CVC3 using ATC, UN, and Track 2 data
  7. Card returns CVC3 and ATC
  8. Terminal includes CVC3, ATC, and UN in authorization message
  9. Acquirer forwards to Mastercard network
  10. Issuer HSM verifies CVC3

Chip (Contact) Payment

The process is similar for contact chip transactions, but:

  • The terminal communicates via the chip contact interface
  • Additional EMV commands may be involved
  • The CVC3 may be part of a larger cryptogram (ARQC)

Security Analysis

Why CVC3 is Secure

  1. Dynamic: Changes with every transaction
  2. Key-dependent: Requires the card's secret key to compute
  3. Multi-factor: Combines ATC, UN, and card data
  4. Replay-resistant: Stolen CVC3 values cannot be reused

Limitations

  1. Card-side only: Security depends on the chip's key not being extracted
  2. ATC exhaustion: After 65,536 transactions, the card may need replacement
  3. Terminal trust: The Unpredictable Number must be truly unpredictable

CVC3 vs Other Verification Methods

MethodDynamic?DigitsCard TypeUse Case
CVV1No3Magnetic stripeCard present
CVV2No3PrintedCard not present
CVC3Yes5Chip/contactlessDynamic verification
iCVVNo3ChipStatic chip verification

Try It Yourself

Use our Mastercard CVC3 tools to understand and verify dynamic card verification:

All calculations run in your browser — your card keys never leave your device.

Related Tool
Mastercard CVC3 Calculator