When foreign issue VISA cards in Wallet stopped working for Apple Pay In-App Suica and PASMO recharge on August 5, the first people to howl in pain were Apple Pay PASMO users who suddenly couldn’t recharge with their Chase Sapphire VISA cards. Chase Sapphire users earned 3x travel points with a PASMO recharge, long time resident Suica users migrated to PASMO when JR East and VISA shut down 3x travel points in May 2021 when VISA finally signed with Apple Pay in Japan.
After confirming that my Wells Fargo Signature VISA stopped working for Apple Pay Suica recharge, I contacted Mobile Suica support. The official line: “There should be no problem with foreign issue cards, contact the card issuer.” My next stop was Wells Fargo card services support, official line: “There should be no problem with your VISA, contact the merchant.” Entirely expected of course but Wells Fargo confirm that Mobile Suica transaction attempts were not even showing on the Wells Fago system. They said it seems to be a ‘communications issue’ which meant something is not right on the VISA payment network merchant transaction authorization side. Everything was stopping there.
An Android Suica user confirmed the same non-JP VISA problem with Google Pay Suica recharge so it was larger issue than just Apple Pay. I contacted IT journalist Junya Suzuki who focuses on mobile payments. His first thought was something was going on with the VISA Japan payment network merchant acquirer side. For reference, the merchant acquirer handles transaction authorization from the merchant side, ‘this transaction is clear to send to the card issuer.’ The issuer then clears the transaction with the customer account, ‘this customer is good to pay for this charge.’
Merchant acquirer relations are very secretive, nobody knows who is the merchant acquirer is for Mobile Suica, Mobile PASMO and Mobile ICOCA though everybody is pretty sure it is the SMBC Group who are the banking group for all things VISA in Japan. Maybe they were tightening online transaction security…or something else. Suzuki san checked his sources and had this to say:
An acquirer made the decision stopping handling cards issued in other countries…In addition, that means JRE doesn’t know what’s happening on this problem.
In a his Japanese article he described JR East as a ‘victim’ of a situation forced by VISA, their hands are clearly tied. VISA payment network and their merchant acquirer are highly selective. For example: foreign issue VISA works fine for Apple Pay in-app purchases with the Starsbucks app, but not in-app purchase with JR East for Suica recharge. If foreign VISA cards were insecure, VISA would be stopping all In-App and online transactions, but they are not. This means the ‘security concerns’ excuse doesn’t wash, it’s a ruse for something else.
Security and Apple Pay Enhanced Fraud Prevention
It’s helpful to examine the impact of phishing and other security attacks targeting NTT Docomo, Line Pay, PayPay and other QR code mobile payment service users in late 2020, and JR East online service users (Mobile Suica, JRE POINT, Eki-Net and VIEW card) in early 2022. Security responses were varied and vague. Companies like to say they value customer security but hardly provide details of what they’re doing about it. Security details hashed out between the card brands, merchant acquirers and merchants are secret non-disclosure territory.
Japanese credit card issuers responded by upgrading to EMV 3-D Secure v2 (3-D stands for three domains: the merchant acquirer domain, the issuer domain, and the interoperability domain), for non-digital wallet browser and mobile app payments. EMV 3-D Secure is the EMV e-commerce browser and app authentication tokenization specification with the card brands using their own naming and implementing merchant support in their respective payment networks.
In addition to adding 3-D Secure v2 in their Mobile Suica and Eki-Net apps, JR East has beefed up security to fight Mobile Suica phishing attacks with tighter monitoring of Suica App recharge with the app registered credit card…not Wallet In-App recharge. It’s important to understand this key point:
- 3-D Secure has nothing to do with Apple Pay and Google Pay, they and all other digital wallets like Samsung Pay, Huawei Pay, etc., do not use it. They have their own tokenization scheme. This is a common online misconception. Japanese issue VISA (and everything else), foreign issue Mastercard and Amex cards work for Apple Pay Suica • PASMO • ICOCA recharge without problems, without 3-D Secure.
Domestic security issues do not apply to inbound visitors adding and using Suica cards in Apple Wallet. They do not use Suica App or have a Mobile Suica account. And yet VISA seems to be using domestic security problems to block foreign issue cards for Apple Pay In-App recharge.
The tokenization that Apple Pay, Google Pay, Samsung Pay and similar digital wallets use is highly secure, some say more secure than EMV 3-D Secure tokenization. Despite this, Apple has been making some changes to Apple Pay to enhance security for online and in-app purchases, at the behest of VISA. Apple Pay quietly launched Enhanced Fraud Protection in April 2022 when Apple Cash switched from Discover to VISA. The updated Apple Pay and Privacy text added a new section:
For cards with certain enhanced fraud prevention, when you attempt an online or in-app transaction, your device will evaluate information about your Apple ID, device, and location if you have enabled Location Services for Wallet, in order to develop on-device fraud prevention assessments. The output of the on-device fraud prevention assessments, but not the underlying data, will be sent to Apple and combined with information Apple knows about your device and account to develop Apple Pay transaction fraud prevention assessments. These transaction fraud prevention assessments may be shared with your payment network, together with a shipping address identifier and IP address if available, in order to prevent fraud at the time of transaction. The shipping address identifier differs per payment network and may be used to confirm whether shipping addresses for different transactions using a particular card on your device are the same in a way that does not reveal the underlying address. You can check whether a card has this enhanced fraud prevention at any time by going to the back of your payment credential in Wallet. To prevent the sharing of fraud prevention assessments with your payment network, you can select another card.Apple Pay & Privacy
This means that Apple Pay ‘might’ share iPhone/Apple Watch location information when making online or in-app purchases. So far VISA cards are the only ones that have Enhanced Fraud Protection but it doesn’t seem to apply to all VISA issue cards and it’s hard to tell which VISA cards use it.
Does enhanced fraud prevention have anything to do with Apple Pay Suica and PASMO recharge not working for foreign issue VISA? The short answer is no, but it’s a background development to be aware of because: 1) it’s limited to online and in-app purchases, 2) VISA is pushing for ‘fraud prevention assessments’ so they could obtain device location information and more. Only after VISA started pushing this agenda did we start having recharge issues with Apple Pay In-App payments.
The VISA open loop power play
So we circle back to foreign issue VISA use in Japan again. Why are cards cleared for Apple Pay, cards that worked fine up until August, not working? The timing is perfect when you also consider that VISA is heavily promoting ‘VISA Touch’ EMV contactless and open loop transit in Japan as a challenge to the home grown FeliCa based Transit IC card system. It’s very convenient for VISA Touch open loop marketing purposes when Apple Pay Suica and PASMO are kneecapped as easy payment and transit options for inbound visitors.
VISA has a history of not playing nice with Japanese stored value cards on mobile and not playing nice with Apple Pay. Japanese issue VISA cards didn’t work for Apple Pay in-app purchases and Suica recharge until May 2021, VISA waited 5 years to ‘resolve’ that issue. VISA cards still do not work with Mobile WAON and Mobile nanaco on Android and Apple Pay, they likely never will. My take is that VISA is not happy with people using VISA cards like an ATM to move money into stored value prepaid cards for making payments, earning points, etc., that are not VISA.
VISA has played hardball with Apple Pay in the Japanese market before, they are doing so again. Perhaps they refuse to be an ATM-like recharge backend for Japanese e-money cards…unless they also get ATM-like lending rate transaction fees. They certainly will use the opportunity to promote open loop VISA Touch and Stera Transit at the expense of Mobile Suica market and mindshare. The real question: is VISA making their own market opportunity here? I say they are not playing fair, as monopolies often do.
Examining VISA’s moves in the Japanese market proves one thing: payment network issues are never simple or solved quickly because they often come down to market politics. VISA has never played nice with Apple Pay in Japan since the very beginning, they continue to do so. At the very least we can mark this down as another skirmish in the ongoing digital payment turf wars.
This post was originally posted 2022-08-08 and has been updated to reflect a changing situation. The post date reflects the latest major update.