PT-2021-04: AAC/ARQC cryptogram confusion
Visa Tokenisation Service (VTS), MasterCard Tokenisation Service (MDES)
Severity level: Medium
AAC/ARQC cryptogram confusion
Access Vector: Remote
Base Score: 4.9
When an AAC cryptogram is requested, it can be substituted and presented to the tokeniser as an ARQC cryptogram. Moreover, when the mobile phone declines a transaction due to risk management, some mobile wallets provide the AAC cryptogram and ATC, which can be used to authorise transactions. This means that a stolen UN/cryptogram/ATC combination can be used to make purchases.
Vendor notification date: October 2021
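
An added example (not code from this advisory or from either tokenisation service) of host-side checks relevant to this finding: it compares the cryptogram type claimed in the CID (tag 9F27) with the type recorded in the CVR inside the IAD (tag 9F10), and rejects a reused ATC. The IAD/CVR layout, the function names and the per-token `seen_atcs` store are assumptions, and the sample chip data is constructed.

```python
"""Added example: issuer-side consistency checks on EMV chip data."""
AC_TYPES = {0b00: "AAC", 0b01: "TC", 0b10: "ARQC", 0b11: "RFU"}
REQUIRED = ("9F26", "9F27", "9F10", "9F36")  # AC, CID, IAD, ATC

def parse_tlv(data: bytes) -> dict:
    """Parse a flat run of primitive BER-TLV objects with short-form lengths."""
    out, i = {}, 0
    while i < len(data):
        tag_len = 2 if data[i] & 0x1F == 0x1F else 1
        if i + tag_len >= len(data):
            raise ValueError(f"truncated TLV at offset {i}")
        tag, length = data[i:i + tag_len].hex().upper(), data[i + tag_len]
        start = i + tag_len + 1
        if length > 0x7F or start + length > len(data):
            raise ValueError(f"malformed TLV at offset {i}")
        out[tag] = data[start:start + length]
        i = start + length
    return out

def check_authorisation(chip_data: bytes, seen_atcs: set) -> list:
    """Return reasons to decline; an empty list means the checks passed."""
    tlv = parse_tlv(chip_data)
    missing = [t for t in REQUIRED if t not in tlv]
    if missing or len(tlv["9F27"]) != 1 or len(tlv["9F10"]) < 5:
        return ["missing or short chip data"]
    claimed = AC_TYPES[tlv["9F27"][0] >> 6]  # CID bits 8-7
    # ASSUMPTION: IAD is len|DKI|CVN|CVR and bits 6-5 of the second CVR byte
    # record the first GENERATE AC result; the real layout is scheme-specific.
    recorded = AC_TYPES[(tlv["9F10"][4] >> 4) & 0b11]
    findings = []
    if claimed != "ARQC":
        findings.append(f"CID says {claimed}, not ARQC")
    if claimed != recorded:
        findings.append(f"CID says {claimed} but CVR records {recorded}")
    atc = int.from_bytes(tlv["9F36"], "big")
    if atc in seen_atcs:  # seen_atcs: hypothetical per-token store of used ATCs
        findings.append(f"ATC {atc} already used")
    seen_atcs.add(atc)
    return findings

def sample(cid: int, cvr_byte2: int, atc: int) -> bytes:
    """Constructed chip data; the cryptogram bytes are placeholders."""
    return bytes.fromhex("9F2608" + "11" * 8 + f"9F2701{cid:02X}"
                         + f"9F100706010A03{cvr_byte2:02X}0000"
                         + f"9F3602{atc:04X}")

if __name__ == "__main__":
    seen = set()
    print(check_authorisation(sample(0x80, 0xA0, 42), seen))  # consistent ARQC
    print(check_authorisation(sample(0x80, 0x80, 43), seen))  # AAC relabelled
    print(check_authorisation(sample(0x80, 0xA0, 42), seen))  # ATC seen before
```

The CID/CVR comparison is only meaningful where the CVR is covered by the cryptogram calculation, which depends on the scheme's cryptogram version.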