82
Application Interchange ProfileIndicates the capabilities of the card application: which authentication methods (SDA/DDA/CDA) it supports, whether cardholder verification and issuer authentication are supported, and whether terminal risk management must be performed. Returned by the card in the GET PROCESSING OPTIONS response.
Tag 82 is the card's own statement of what it can do. The terminal receives it in the response to GET PROCESSING OPTIONS — the command that opens the transaction once an application has been selected — and almost every decision that follows is shaped by the two bytes it carries: which offline data authentication method to attempt, whether cardholder verification is on the table, and whether terminal risk management has to run.
Where it shows up trips up more integrations than what it means. In a Format 2 response the card returns template 77 and the AIP arrives properly wrapped as tag 82. In a Format 1 response the card returns template 80, and the AIP is simply the first two bytes of that template's value, followed immediately by the Application File Locator — with no tag 82 present anywhere in the data. A parser that searches for the literal tag finds nothing and reports a missing AIP on a completely conformant card.
Reading it is straightforward once you know that, in contact EMV, all of the meaning lives in byte 1. Bit 7 declares SDA, bit 6 declares DDA and bit 1 declares CDA; bit 5 says cardholder verification is supported; bit 4 tells the terminal that risk management is to be performed; bit 3 announces issuer authentication; bit 2 covers on-device cardholder verification. Byte 2 is reserved.
The important nuance is that the card is declaring capability, not intent. A card whose AIP advertises CDA is not promising that CDA will run — only that it could. The method actually performed is the intersection of what the card offers here and what the terminal supports, which is where most AIP debugging ends up: if you expected dynamic authentication and the transaction quietly performed static authentication instead, decode the AIP first, because the answer is usually that bit 6 is simply off.
The value 3900 is a good one to recognise on sight: DDA and CDA supported, cardholder verification supported, and terminal risk management to be performed. One caveat worth carrying into any decoder you write — byte 2 is RFU for contact EMV, but certain contactless kernels do give its bits meaning, so decoding byte 2 without first establishing the kernel produces confident nonsense.
Properties
| Tag | 82 |
|---|---|
| Name | Application Interchange Profile |
| Format | Binary |
| Length | 2 bytes |
| Source | Card (ICC) |
| Templates | 77, 80 |
| Books | Book 3 |
Bit-by-bit breakdown
| Byte | Bit | Meaning |
|---|---|---|
| 1 | 8 | RFU (Reserved for Future Use) RFU |
| 1 | 7 | SDA (Static Data Authentication) supported |
| 1 | 6 | DDA (Dynamic Data Authentication) supported |
| 1 | 5 | Cardholder verification is supported |
| 1 | 4 | Terminal risk management is to be performed |
| 1 | 3 | Issuer authentication is supported |
| 1 | 2 | On-device cardholder verification (CDCVM) is supported |
| 1 | 1 | CDA (Combined DDA/AC generation) supported |
| 2 | 8 | RFU (Reserved for Future Use) RFU |
| 2 | 7 | RFU (Reserved for Future Use) RFU |
| 2 | 6 | RFU (Reserved for Future Use) RFU |
| 2 | 5 | RFU (Reserved for Future Use) RFU |
| 2 | 4 | RFU (Reserved for Future Use) RFU |
| 2 | 3 | RFU (Reserved for Future Use) RFU |
| 2 | 2 | RFU (Reserved for Future Use) RFU |
| 2 | 1 | RFU (Reserved for Future Use) RFU |
Decoded example
Example value: 3900
- B1·b6DDA (Dynamic Data Authentication) supported
- B1·b5Cardholder verification is supported
- B1·b4Terminal risk management is to be performed
- B1·b1CDA (Combined DDA/AC generation) supported
Interactive decoder
Paste a hex value for this tag to decode it in your browser. Nothing is sent anywhere.
- B1·b6DDA (Dynamic Data Authentication) supported
- B1·b5Cardholder verification is supported
- B1·b4Terminal risk management is to be performed
- B1·b1CDA (Combined DDA/AC generation) supported
Frequently asked questions
- What is EMV tag 82?
- Tag 82 is the Application Interchange Profile (AIP), a 2-byte field the card returns in the GET PROCESSING OPTIONS response. It declares the card application capabilities: which offline data authentication methods are supported (SDA, DDA, CDA), whether cardholder verification and issuer authentication are supported, whether on-device CVM is supported, and whether the terminal must perform risk management.
- What does AIP mean in EMV?
- AIP stands for Application Interchange Profile. It is the card telling the terminal what the selected application can do, before any authentication or cardholder verification takes place. It expresses capability, not intent — the function actually performed depends on what both the card and the terminal support.
- Why can I not find tag 82 in the GPO response?
- Because the card most likely answered with a Format 1 response. In Format 1 the card returns template 80 and the AIP is the first two bytes of its value, followed by the Application File Locator, with no tag 82 in the data. Only a Format 2 response (template 77) carries the AIP explicitly tagged as 82.
- What does AIP value 3900 mean?
- Decoding 3900 sets four bits in byte 1: DDA supported, cardholder verification supported, terminal risk management is to be performed, and CDA supported. Byte 2 is 00 and is reserved in contact EMV. Paste the value into the decoder on this page to see the bits resolved one by one.
Sources
- EMV 4.4 Book 3, Annex C1 (Application Interchange Profile) (page pending verification)
Receive site updates
Subscribe to receive site updates directly to your email
We won't send spam. You can unsubscribe at any time.