There’s a very interesting section in the Apple Platform Security May 2022 document, in the part covering transit and eMoney cards.
Adding transit and eMoney cards to a family member’s Apple Watch

In iOS 15 and watchOS 8, the organizer of an iCloud family can add transit and eMoney cards to their family members’ Apple Watch devices through their iPhone’s Watch app. When provisioning one of these cards to a family member’s Apple Watch, the watch is required to be nearby and connected to the organizer’s iPhone using Wi-Fi or Bluetooth. Family members are required to have two-factor authentication enabled for their Apple ID for this to occur.

Family members can send a request to add money to a transit or eMoney card from their Apple Watch using iMessage. The content of the message is protected by end-to-end encryption, as described in iMessage security overview. Adding money to a card on a family member’s Apple Watch can be done remotely using a Wi-Fi or cellular connection. Proximity isn’t required.
Adding money, remote recharge, is a very handy function for stored value cards in a family setting, especially now that Apple Pay Suica • PASMO will support school commuter passes for high school and junior high school students from March 18. Commuter passes (commute plans) are purchased in the Suica or PASMO app, and new versions are coming that support student ID certification. The student takes a picture of their school ID card in the app and uploads it along with a requested commute route. They can use student commuter passes on iPhone or Apple Watch, which is the only wearable option for Mobile Suica • PASMO. All other wearables, including Pixel Watch Suica, do not support commute plans, only regular Suica.
After the student ID is certified they purchase the commute plan. Here is where it gets interesting. If the student does not have a credit card, they can purchase it via the new ‘one time purchase’ option with a parent’s card. Most Tokyo high schoolers already seem to have a Mobile Suica or PASMO, but now that they don’t need the plastic card for going to school, they can buy a commute plan and toss the plastic. That means the Tokyo area HS set will finally be 100% mobile for payments and transit.
But what about the JHS set, especially the younger ones who might not have payment cards? This is where Apple Watch Family Sharing Suica via iMessage comes in handy:
“Hey ma, I need recharge!” “I just gave you ¥5,000.” “But that was Tuesday and I have to eat before going to the Juku, can’t study when I’m hungry”
The railway station barrier-free fee system is “a Japanese railway fare system established with the aim of promoting barrier-free railway stations in urban areas” by leveraging a fee on urban railway users. A barrier-free station tax, if you will.
From 2023-03-18 most railway companies in Japan, both JR Group and non-JR, will be raising transit fares in urban areas to pay this barrier-free station tax. Here is the breakdown for the Greater Tokyo area focusing on JR East.
While barrier-free stations are a good thing and not a big tax to pay for all that new infrastructure, the timing is bad. With living costs rising across the board, these little increases add up. To help ease the pain, JR East is offering Off-Peak Suica Commuter Passes (plastic)/Commute Plans (Mobile Suica), that offer a 10% discount with the following condition: Off-Peak passes can only be used outside the designated peak time of the commute plan entry station, otherwise your Suica will be charged at the regular IC fare rate. Suica Off-Peak Commuter Passes basically replace the convoluted Suica Off-Peak JRE POINT Campaign that ends March 31.
Apple Pay Suica users will be able to buy Off-Peak commute plans in an upcoming version of Suica App (v5.2.1), but you must purchase a new pass. Regular commute plans can only be renewed as regular commute plans, they cannot be migrated to off-peak plans. School commute plans and passes will not be charged the barrier-free tax which is good news. Another bonus: high school and jr. high school students can add and use Mobile Suica school commute plans starting March 18.

PASMO

The situation for PASMO private rail and other non-JR East rail operators is varied. Keio and Toei Subway have not announced fare increases while Seibu, Tokyu, Tobu, Sotetsu, Odakyu, Tokyo Metro are all raising fares and commuter passes similar to JR East but there are differences. And there are no off-peak commuter passes. Be sure to check how fare increases apply to your commute situation.
When foreign issue VISA cards in Wallet stopped working for Apple Pay in-app Suica and PASMO recharge on August 5, the first people to howl in pain were Apple Pay PASMO users who suddenly couldn’t recharge with their Chase Sapphire VISA cards. Chase Sapphire still codes for 3x travel points with a PASMO recharge and long time resident Suica users migrated to PASMO when JR East and VISA shut down 3x travel points in May 2021.
I did the usual duty of talking with Mobile Suica support, official line: there should be no problem, contact the card issuer. I then contacted Wells Fargo card services support, official line: there should be no problem with your VISA, contact the merchant. Entirely expected of course but I did confirm that Mobile Suica transaction attempts were not even showing on the Wells Fargo system. They said it seems to be a ‘communications issue’… code word for: something’s not right on the merchant transaction authorization side.
I suspected a larger issue than just Apple Pay and an Android Suica user confirmed the same non-JP VISA problem with Google Pay Suica. I also alerted IT journalist Junya Suzuki who focuses on mobile payments. His first thought was something might be going on with the VISA Japan merchant acquirer side of the payment network. For reference, the merchant acquirer handles transaction authorization from the merchant side, ‘this transaction is clear to send to the card issuer.’ The issuer then clears the transaction with the customer account, ‘this customer is good to pay for this charge.’
Merchant acquirers are very secretive and nobody knows who the merchant acquirer is for Mobile Suica/Mobile PASMO. Maybe they were tightening online transaction security…or something else. Everything was clear as mud though a well placed source did say this:
An acquirer made the decision stopping handling cards issued in other countries… Another guy suggests Apple or such acquirer may face money laundering issue by registering Apple Pay with pre-paid Visa cards or such.
In addition, that means JRE doesn’t know what’s happening on this problem.
A reader asked me if Japan was banning non-JP VISA cards across the board along with a screenshot of Universal Studios Japan advance ticket sales page with a red colored important notice on the top that said: “We apologize that currently Visa and Mastercard credit cards issued outside Japan are not available until further notice.”
This points to a larger problem than just Mobile Suica and PASMO. The USJ wording also suggests that JTRWeb have their hands tied ‘until further notice’ and echoes what JR East PR told Suzuki san about the non-JP VISA recharge problem being beyond their immediate control. Something seems to be happening with the VISA merchant acquirer…but in different highly selective ways. For example why does foreign issue VISA work for Apple Pay in-app purchases with Japanese apps like Starbucks, but not in-app purchase with JR East for Suica recharge?

Security and Apple Pay Enhanced Fraud Prevention

It’s helpful to examine the impact of phishing attacks that hit NTT Docomo, Line Pay, PayPay and other QR code mobile payment services in late 2020, and JR East online services (Mobile Suica, JRE POINT, Eki-Net and VIEW card) in early 2022. Responses to phishing attacks were varied and vague. Companies like to say they value customer security but are short on detailing what they’re doing because nitty gritty details hashed out with the card brands and merchant acquirers are secret non-disclosure territory.
Japanese credit card issuers responded by upgrading to EMV 3-D Secure v2 (3-D stands for three domains: merchant/acquirer domain, the issuer domain, and the interoperability domain) for non-digital wallet browser and mobile app payments. EMV 3-D Secure is the EMV e-commerce browser and app authentication tokenization spec with card brands using their own naming and handling the merchant support. It’s important to understand that EMV 3-D Secure has nothing to do with Apple Pay, Google Pay, Samsung Pay and similar digital wallets, which have their own tokenization. However, Apple Pay has been making some changes to enhance online and in-app security.
For cards with certain enhanced fraud prevention, when you attempt an online or in-app transaction, your device will evaluate information about your Apple ID, device, and location if you have enabled Location Services for Wallet, in order to develop on-device fraud prevention assessments. The output of the on-device fraud prevention assessments, but not the underlying data, will be sent to Apple and combined with information Apple knows about your device and account to develop Apple Pay transaction fraud prevention assessments. These transaction fraud prevention assessments may be shared with your payment network, together with a shipping address identifier and IP address if available, in order to prevent fraud at the time of transaction. The shipping address identifier differs per payment network and may be used to confirm whether shipping addresses for different transactions using a particular card on your device are the same in a way that does not reveal the underlying address. You can check whether a card has this enhanced fraud prevention at any time by going to the back of your payment credential in Wallet. To prevent the sharing of fraud prevention assessments with your payment network, you can select another card.
This means that Apple Pay ‘might’ share iPhone/Apple Watch location information when making online or in-app purchases. So far VISA cards are the only ones that have Enhanced Fraud Protection but it doesn’t seem an across the board change for all VISA issue cards and depends on the issuer. My Wells Fargo VISA card for example doesn’t show any sign of enhanced fraud prevention in Wallet app card details.
Does enhanced fraud prevention have anything to do with Apple Pay Suica and PASMO recharge not working for foreign issue VISA? I suspect not but it’s an important background development because: 1) it’s limited to online and in-app purchases, 2) VISA pushed for these ‘fraud prevention assessments’ so they could obtain device location information and more. VISA pushing this agenda could be causing issues on the merchant acquirer side.
The VISA open loop power play

So we circle back to foreign issue VISA use in Japan again. Why are cards cleared for Apple Pay, cards that worked fine until August 5, suddenly not working? JR East support says it’s not on them: all credit and debit cards that support Apple Pay in-app purchase are good to go. They certainly want inbound visitors to use Suica. Evidence points to a transaction authorization change on the VISA merchant acquirer side. Everybody else seems to be doing what they always do.
The timing is perfect however when you also consider that VISA is heavily promoting ‘VISA Touch’ EMV contactless and open loop transit in Japan as a challenge to the home grown FeliCa based Transit IC card system. It’s very convenient for VISA Touch open loop marketing purposes when Apple Pay Suica and PASMO are kneecapped as easy payment and transit options for inbound visitors.
VISA has a history of not playing nice with Japanese stored value cards on mobile. Japanese issue VISA cards didn’t work for Apple Pay in-app purchases and Suica recharge until May 2021, VISA waited 5 years to ‘resolve’ that issue. VISA cards still do not work with Mobile WAON and Mobile nanaco on Android and Apple Pay, they likely never will. My take is that VISA is happy with people buying things with VISA, they are certainly happy with people borrowing money at ATM machines with VISA, but they are not happy with people using VISA to move money into stored value prepaid cards for making payments, earning points, etc., that are not VISA.
Junya Suzuki thinks the VISA merchant acquirers might be coming under pressure from potential money laundering risks. I say bunk, after all we’re only talking a max Suica balance of ¥20,000 here. Whatever the reason let’s hope it is fixed, though I have learned over the years that card brand payment issues are never simple or solved quickly. Time will tell. At the very least we can mark this down as another skirmish in the ongoing digital payment turf wars.
2022-12-03 UPDATE

JR East updated the entire JR East credit card system with a series of special maintenance downtimes in November 2022. The work covered everything connected to credit card purchases: JR East station kiosks, VIEW ATMs, Mobile Suica, Eki-Net, etc.
After the last scheduled overnight maintenance session on November 30~December 1, a few select foreign issue VISA cards started working again for Apple Pay Suica and PASMO recharge but everything stopped again 2022-12-03. The VISA in-app block continues. JR East has also scheduled special Mobile Suica credit card system maintenance for March.
JR East online services (Mobile Suica, JRE POINT, Eki-Net), along with many other online services that have accounts with credit cards, have been inundated with phishing attacks since the Russia-Ukraine situation erupted in February. It has gotten to the point that JRE POINT announced temporary security limitations on July 6: a temporary suspension of JRE POINT service recharge for Mobile Suica (via Suica App) and a 5,000 JRE POINT app barcode use limit per transaction (plastic JRE POINT card use remains unlimited). All JRE POINT services were later restored with new security enhancements.
There is another security limitation Apple Pay Suica users need to be aware of: credit/debit card recharge security block. This does not apply to cash recharge at station kiosks, convenience stores, 7-11 ATM, etc., but it can happen with multiple credit card recharges in a short period of time, i.e. heavy users. Unfortunately JR East does not reveal what conditions trigger a recharge security block that displays an error message: チャージをご利用できない状態です/ Recharge is not available. The Mobile Suica support page specifically states that JR East “cannot inform you about the conditions and contents of restrictions.” User reports suggest a general daily recharge limit between ¥5,000~¥10,000, however I think it also depends on the credit card issuer. My JR East JCB VIEW card for example has never run into any recharge limits in 5 years of heavy recharge use.
Apple Pay Suica recharge security block appears to be somewhat rare, but it is happening more with the recent Mobile Suica phishing attacks. In general Wallet app recharge tends to be more robust than Suica app recharge but security recharge block seems to affect all credit card recharge. The only user recourse appears to be contacting the card issuer or using the Mobile Suica member online Trouble Report Form (Japanese only). No word on Apple Pay PASMO but users should expect the same situation.
Mobile Suica registered account information can only be changed in Suica (iOS) and Mobile Suica (Android) apps by applying for an account update. It cannot be directly changed in the app, and it cannot be changed via a web browser. This offers a level of account security but too many people fall for phishing emails. Even my internet savvy partner fell for a Mobile Suica phishing mail and had to get his credit card reissued.
The short term solution for JR East is to implement 2FA across all of their online services with a single login ID credential instead of the multiple service ID account mess we have now…hopefully soon. The longer term solution will be eliminating ID and password login altogether using Passkeys.
It has the classic feel of ‘here’s a headline, now write the article’ hack piece passing as industry analysis we have too much of these days. The Yahoo Japan portal site picked it up and the comments section was soon full of wicked fun posts picking apart the weak arguments.
I’ve said it before and say it again: the winner/loser debate doesn’t mean shit in the post-Apple Pay Japanese payments market. PayPay for example, started out as a code payment app but has added FeliCa QUICPay and EMV contactless support along with their PayPay card offering. Just like I predicted, these companies don’t care about payment technology, they just want people to use their services. My partner and I actually see less PayPay use at checkout these days and more Mobile Suica. Why?
The great thing about prepaid eMoney ‘truth in the card’ Suica, PASMO, WAON, Edy, nanaco, is they are like micro bank accounts coupled with the backend recharge flexibility of mobile wallets (Apple Pay, Google Pay, Suica App, etc.). PayPay, au Pay, Line Pay and similar Toyota Wallet knock-off payment apps with Apple Pay Wallet cards, are deployed as mobile recharge conduits that smart users leverage to put money into different eMoney micro bank accounts and get the points or instant cashback rebates they want to get at any given campaign moment. This is where the action is.
And so we have recharge acrobats like Twitter user #1: step 1 recharge PayPay account from Seven Bank account, step 2 move recharge amount from PayPay Money to PayPay Bank, step 3 move recharge from PayPay Bank to Line Pay, in Wallet app recharge Suica with Line Pay card. Or like recharge acrobat Twitter user #2: Sony Bank Wallet to Kyash to Toyota Wallet to Suica.
Phew…none of this involves transfer fees so it’s up to user creativity to come up with the recharge scenario that works best for them. Does it count as PayPay use or Line Pay use or Mobile Suica use? Does it matter?
It’s not about winners or losers, it’s about moving money around. Mobile Suica is extremely useful because of its recharge backend flexibility, thanks to Apple Pay and Google Pay (which does not support PASMO yet). This is the case for US citizens working in Japan who get a great return on their Suica or PASMO recharge right now using US issue credit cards because of the exchange rate. This is something visitors to Hong Kong cannot do with Apple Pay Octopus as the OCL recharge backend is far more restrictive than JR East. The biggest gripe users have with Suica is the ¥20,000 balance limit.
In the weeks to come we’ll be sure to see hand wringing articles debating the future of Suica, open-loop, etc., etc., because let’s face it, IT media journalists need something to write about in these challenging times where everything has to be sold as winner/loser, black/white, 0 or 10, and nothing in-between, to get any traction at all. As for me, I think it’s far more interesting, and real, to observe how users are using all these nifty mobile payment tools.

UPDATE 2022-07-04: Thoughts on the KDDI network outage

That was fast. No sooner had the “QR Codes won the mobile payments race” article appeared than major Japanese carrier KDDI experienced a nationwide mobile network meltdown on July 2 JST, which lasted a full day with a very slow, still in progress, recovery affecting more than 40 million customers. Suddenly social media channels were full of people complaining that QR Code payments didn’t work, assuming that Mobile Suica and other NFC mobile payments stopped too. Which was not the case though a few fake posts claimed, or just ‘assumed’ people were stranded inside stations. Fortunately there were numerous online articles setting the record straight.
It’s a lesson that people soon forget in our attention span challenged social media era. We saw plenty of QR Code payment downsides in the 2018 Hokkaido Eastern Iburi earthquake that knocked out power and mobile service across Hokkaido. At the time some fake Chinese social media posts claimed AliPay and WeChat pay ‘still worked’ in Hokkaido, of course they did not.
Mobile payment disruptions happen with every natural disaster and war. Good and safe practices don’t come easy when smartphone apps lure us down the easy path without spelling out the risks. It’s a lesson we have to learn again and again, that while network dependent code payment apps have some benefits, they also have limits and security risks. One size does not fit all, NFC and code payments each have their place and role to play in the expanding mobile payments universe. The key is understanding their strengths and weaknesses.