UnionPay QuickPass — EMVCo Kernel 7
How the UnionPay contactless kernel processes a tap: the TTQ/CTQ qualifiers it exchanges, Fast DDA (fDDA) offline authentication, and the CVM decision the kernel makes from the card's response — grounded in EMVCo Book C-7 v2.11.
What is Kernel 7?
Kernel 7 is the EMVCo contactless kernel used by UnionPay QuickPass. Like the other Book C kernels it runs after Entry Point selects the application, but it differs from the Visa (Kernel 3) and Mastercard (Kernel 2) kernels in three ways that matter when you decode its data: it reuses the tags 9F66 (TTQ) and 9F6C (CTQ) with a different bit layout, it authenticates the card with Fast DDA rather than SDA/DDA/CDA, and it carries a few UnionPay-specific data elements.
Transaction flow
The kernel checks the PDOL and TTQ, drives the card through GET PROCESSING OPTIONS, authenticates with fDDA, resolves cardholder verification from the card's CTQ, and finishes with an Outcome.
How a UnionPay QuickPass (Kernel 7) contactless tap is processed: the kernel checks the PDOL/TTQ, drives the card through GPO, authenticates it with Fast DDA, and resolves CVM from the card's CTQ before reaching an Outcome.
1Kernel Activation
Entry Point → K7
Entry Point selects the UnionPay application (RID A000000333) and activates Kernel 7, passing the FCI — which must contain a PDOL — over to the kernel.
Fast DDA (fDDA)
Kernel 7 performs only Fast Dynamic Data Authentication — there is no SDA, DDA, or CDA path. An fDDA-capable card returns Card Authentication Related Data (9F69) whose byte 1 is the fDDA version: only version 01 is supported, and a card reporting 00 is treated as a verification failure.
The dynamic signature covers data from both sides. During pre-processing the card requests, via the PDOL, the data it wants signed — typically:
9F66 TTQ9F37 Unpredictable Number9F02 Amount, Authorised5F2A Transaction Currency CodeThe kernel passes those in the GPO command; the card signs them and returns the signature in the GPO response. The kernel verifies it once the last record is read.
Cardholder verification — the CTQ decision
The kernel determines the CVM by examining the Card Transaction Qualifiers (9F6C) the card returns. The decision is evaluated top-down — the first matching branch wins:
- Online PIN — if CTQ byte 1 bit 8 (Online PIN requested) is set and the reader supports Online PIN → Outcome CVM = Online PIN.
- Consumer Device CVM — else if CTQ byte 2 bit 8 (CDCVM performed) is set: if Card Authentication Related Data (
9F69) bytes 6–7 match CTQ bytes 1–2 → Confirmation Code Verified; otherwise (or for an ARQC without 9F69) the kernel goes online with Confirmation Code Verified, else declines. - Signature — else if CTQ byte 1 bit 7 (Signature requested) is set and the reader supports signature (TTQ byte 1 bit 2) → Obtain Signature.
- No CVM — else if the reader requires a CVM it sets Decline Required by Reader; otherwise CVM = N/A.
If the card returns no CTQ at all, the kernel falls back to its own reader capabilities: signature if supported, else Online PIN if only CDCVM + Online PIN are supported, else a declined Outcome.
TTQ & CTQ — Kernel 7 bit layout
The same tags mean different things here than on Visa. Decode live with the TTQ Decoder and CTQ Decoder (select the UnionPay (K7) kernel).
TTQ — Terminal Transaction Qualifiers (9F66, 4 bytes)
| Byte | Bit | Meaning |
|---|---|---|
| 1 | 7 | Full transaction flow on contactless interface supported |
| 1 | 6 | EMV mode supported |
| 1 | 5 | Full transaction flow on contact interface supported |
| 1 | 4 | Offline-only terminal |
| 1 | 3 | Online PIN supported |
| 1 | 2 | Signature supported |
| 1 | 1 | Offline data authentication for online authorisation supported |
| 2 | 8 | Request online cryptogram |
| 2 | 7 | CVM requested |
| 3 | 7 | Consumer device CVM supported |
| 4 | 8 | fDDA v1.0 supported |
Note byte 4 bit 8 — on Visa the entire 4th byte is RFU, so a Visa decoder silently drops the fDDA flag.
CTQ — Card Transaction Qualifiers (9F6C, 2 bytes)
| Byte | Bit | Meaning |
|---|---|---|
| 1 | 8 | Request Online PIN |
| 1 | 7 | Request Signature |
| 1 | 6 | Go online if offline data authentication fails (online-capable terminal) |
| 1 | 5 | Terminate if offline data authentication fails (standard debit/credit terminal) |
| 1 | 4 | Go online if application expired |
| 2 | 8 | Consumer device CVM performed (set to 0 by compliant cards) |
UnionPay-specific data elements
Decode any of these in the EMV TLV Decoder — try the UnionPay Tap (K7) example.
| Tag | Name | Notes |
|---|---|---|
9F69 | Card Authentication Related Data | fDDA: byte 1 = version (01), then the dynamic signature. |
9F5D | Available Offline Spending Amount | BCD amount; GET DATA-retrievable when personalised. |
9F63 | Product Identification Information | UnionPay meaning of 9F63 (Visa uses the tag as PUNATC). |
9F24 | Payment Account Reference (PAR) | 29-char alphanumeric, links tokens to the funding PAN. |
9F25 | Last 4 Digits of PAN | Tokenised-credential support. |
9F19 | Token Requestor ID | Identifies the token requestor. |
Online / clearing data set
For online and offline-approved transactions the kernel assembles a standard set of data elements (Book C-7 Annex C): 9F02, 9F03, 9F26, 82, 5A, 5F34, 9F36, 9F27, 9F10, 9F33, 9F1A, 95, 57, 5F2A, 9A, 9C. Notably the kernel sets the TVR (95) to all zero — risk management lives in the card, not the reader.
See also: POS Terminal EMV Config (UnionPay / contactless) · EMV Tag Reference