VISA blocking foreign issue cards for select Japanese in-app and online payments

Apple, Apple Pay PASMO, Apple Pay Suica, Apple Wallet, Help Desk, Mobile and Contactless Payments

Notice: latest situation updates here

SoftBank Payments network chart

When foreign issue VISA cards in Wallet stopped working for Apple Pay in-app Suica and PASMO recharge on August 5, the first people to howl in pain were Apple Pay PASMO users who suddenly couldn’t recharge with their Chase Sapphire VISA cards. Chase Sapphire still codes for 3x travel points with a PASMO recharge and long time resident Suica users migrated to PASMO when JR East and VISA shut down 3x travel points in May 2021.

I confirmed that recharge with my Wells Fargo Signature VISA wasn’t working and contacted Mobile Suica support. The official line: there should be no problem with foreign issue cards, contact the card issuer. I then contacted Wells Fargo card services support, official line: there should be no problem with your VISA, contact the merchant. Entirely expected of course but I did confirm that Mobile Suica transaction attempts were not even showing on the Wells Fago system. They said it seems to be a ‘communications issue’… code word for: something’s not right on the merchant transaction authorization side.

I suspected a larger issue than just Apple Pay and an Android Suica user confirmed the same non-JP VISA problem with Google Pay Suica. I also alerted IT journalist Junya Suzuki who focuses on mobile payments. His first thought was something might be going on with the VISA Japan merchant acquirer side of the payment network. For reference, the merchant acquirer handles transaction authorization from the merchant side, ‘this transaction is clear to send to the card issuer.’ The issuer then clears the transaction with the customer account, ‘this customer is good to pay for this charge.’

Merchant acquirer relations are very secretive, nobody knows who is the merchant acquirer is for Mobile Suica/Mobile PASMO though I suspect it is SMBC Group who are the goto banking group for VISA Japan. Maybe they were tightening online transaction security…or something else, everything was clear as mud though he did say this:

An acquirer made the decision stopping handling cards issued in other countries… Another guy suggests Apple or such acquirer may face money laundering issue by registering Apple Pay with pre-paid Visa cards or such…In addition, that means JRE doesn’t know what’s happening on this problem.

In a later article he described JR East as a ‘victim’ of a situation forced by VISA, their hands are clearly tied. VISA payment network and their merchant acquirer are highly selective as well. For example: foreign issue VISA works fine for Apple Pay in-app purchases with Japanese apps like Starbucks, but not in-app purchase with JR East for Suica recharge. This means any and all ‘security concerns’ excuses don’t wash, they’re just a ruse.

Security and Apple Pay Enhanced Fraud Prevention
It’s helpful to examine the impact of phishing attacks targeting NTT Docomo, Line Pay, PayPay and other QR code mobile payment service users in late 2020, and JR East online service users (Mobile Suica, JRE POINT, Eki-Net and VIEW card) in early 2022. Phishing attack responses were varied and vague. Companies like to say they value customer security but are short detailing what they’re doing because details hashed out with the card brands and merchant acquirers are secret non-disclosure territory.

Japanese credit card issuers responded by upgrading to EMV 3-D Secure v2 (3-D stands for three domains: merchant/acquirer domain, the issuer domain, and the interoperability domain), for non-digital wallet browser and mobile app payments. EMV 3-D Secure is the EMV e-commerce browser and app authentication tokenization specification with the card brands using their own naming and implementing merchant support in their respective payment networks.

On the merchant side JR East has beefed up security to fight Mobile Suica phishing attacks with tighter monitoring of Suica App recharge with the app registered credit card (not Wallet app recharge). However it’s important to understand 3 key points:

  • These security measures only apply to the target of phishing attackers: Japanese credit card users who have a registered Suica, a Mobile Suica account and use Suica App recharge.
  • Japanese issue VISA cards work for Suica recharge without any problems.
  • 3D Secure compatibility issues have nothing to do with Apple Pay and Google Pay, they don’t use it. This is a common misconception on social media sites.

These are domestic issues that do not apply to inbound visitors using unregistered Suica cards in Wallet without Suica App or a Mobile Suica account. And yet VISA is blocking their foreign issue cards for recharge.

JR East is fighting phishing attacks with stricter Suica App registered credit card use monitoring. Suspicious can lead to Suica being locked by JR East for credit card recharge but cash recharge is always available.

It’s also important to understand that EMV 3-D Secure has nothing to do with Apple Pay, Google Pay, Samsung Pay and similar digital wallets who have their own tokenization. Apple Pay has very high security however, Apple Pay has been making some changes to enhance security for online and in-app purchases. Apple Pay quietly launched Enhanced Fraud Protection in April 2022 when Apple Cash switched from Discover to VISA. The updated Apple Pay and Privacy text added a new section:

For cards with certain enhanced fraud prevention, when you attempt an online or in-app transaction, your device will evaluate information about your Apple ID, device, and location if you have enabled Location Services for Wallet, in order to develop on-device fraud prevention assessments. The output of the on-device fraud prevention assessments, but not the underlying data, will be sent to Apple and combined with information Apple knows about your device and account to develop Apple Pay transaction fraud prevention assessments. These transaction fraud prevention assessments may be shared with your payment network, together with a shipping address identifier and IP address if available, in order to prevent fraud at the time of transaction. The shipping address identifier differs per payment network and may be used to confirm whether shipping addresses for different transactions using a particular card on your device are the same in a way that does not reveal the underlying address. You can check whether a card has this enhanced fraud prevention at any time by going to the back of your payment credential in Wallet. To prevent the sharing of fraud prevention assessments with your payment network, you can select another card.

Apple Pay & Privacy

This means that Apple Pay ‘might’ share iPhone/Apple Watch location information when making online or in-app purchases. So far VISA cards are the only ones that have Enhanced Fraud Protection but it doesn’t seem to apply to all VISA issue cards and it’s impossible to tell which VISA cards use it. My Wells Fargo VISA card for example doesn’t show any sign of enhanced fraud prevention in Wallet app card details.

Does enhanced fraud prevention have anything to do with Apple Pay Suica and PASMO recharge not working for foreign issue VISA? The short answer is no, but it’s a background development to be aware of because: 1) it’s limited to online and in-app purchases, 2) VISA pushed for ‘fraud prevention assessments’ so they could obtain device location information and more. VISA pushing this agenda could be causing issues on the merchant acquirer side.

The VISA open loop power play
So we circle back to foreign issue VISA use in Japan again. Why are cards cleared for Apple Pay, cards that worked fine up until August, not working? The timing is perfect when you also consider that VISA is heavily promoting ‘VISA Touch’ EMV contactless and open loop transit in Japan as a challenge to the home grown FeliCa based Transit IC card system. It’s very convenient for VISA Touch open loop marketing purposes when Apple Pay Suica and PASMO are kneecapped as easy payment and transit options for inbound visitors.

VISA has a history of not playing nice with Japanese stored value cards on mobile and not playing nice with Apple Pay. Japanese issue VISA cards didn’t work for Apple Pay in-app purchases and Suica recharge until May 2021, VISA waited 5 years to ‘resolve’ that issue. VISA cards still do not work with Mobile WAON and Mobile nanaco on Android and Apple Pay, they likely never will. My take is that VISA is not happy with people using VISA cards like an ATM to move money into stored value prepaid cards for making payments, earning points, etc., that are not VISA.

VISA has played hardball with Apple Pay in the Japanese market before, maybe they are doing so again and refuse to be an ATM-like recharge backend for Japanese e-money cards…unless they also get ATM-like lending rate transaction fees. They certainly welcome the opportunity to promote open loop VISA Touch and Stera Transit at the expense of Mobile Suica market and mindshare. The real question: is VISA making their own market opportunity here? I say they are not playing fair, as monopolies do.

Hopefully this can all be fixed so that everything just works again, but I have learned over the years that card brand payment issues are never simple or solved quickly. VISA has never played nice with Apple Pay in Japan since the very beginning. At the very least we can mark this down as another skirmish in the ongoing digital payment turf wars.

Updated 2023-04-21

Published