Foreign VISA cards blocked for select Japanese mobile and online payments

Notice: this post will be updated with new developments, quick updates here


SoftBank Payments network chart

When foreign issue VISA cards in Wallet stopped working for some kinds of Apple Pay in-app purchases from Japanese merchants starting on August 5, the first people to howl in pain were Apple Pay PASMO users who suddenly couldn’t recharge the stored fare balance or renew commuter passes with their Chase Sapphire VISA cards. Chase Sapphire still codes for 3x travel points on PASMO you see and long time resident Suica users had migrated to PASMO when JR East and VISA shut down 3x travel points.

I did the usual duty of talking with Mobile Suica support, official line: there should be no problem, contact the card issuer. I then contacted Wells Fargo card services support, official line: there should be no problem with your VISA, contact the merchant. Entirely expected responses of course but I did confirm that Mobile Suica transaction attempts were not even showing on the Wells Fago system. They said it might be a ‘communications issue’.

I suspected a larger issue than just Apple Pay and an Android Suica user confirmed the same non-JP VISA problem with Google Pay Suica. I also alerted IT journalist Junya Suzuki who focuses on mobile payments. His first thought was something might be going on with the VISA Japan merchant acquirer side of the payment network. Maybe they were tightening online transaction security…or something else. He followed up with JR East PR and posted an article of his investigations that seem to place some responsibility on the JR East side. Everything clear as mud.

This past week a reader asked me if Japan was banning non-JP VISA cards across the board along with a screenshot of Universal Studios Japan advance ticket sales page with a red colored important notice on the top that said: “We apologize that currently Visa and Mastercard credit cards issued outside Japan are not available until further notice.” The DMM site is also not accepting foreign issue VISA and Mastercard.

Finally…proof that the problem is larger than just Mobile Suica and PASMO. I suspect there are other online sites with the same issue, we’re just not hearing about them. The USJ wording suggests that JTRWeb have their hands tied ‘until further notice’ and echos what JR East PR told Suzuki san about the non-JP VISA recharge problem being beyond their immediate control. Something seems to be happening with the VISA acquirer and Mastercard acquirer sides but in different highly selective ways. For example why does Apple Pay Suica work with foreign issue Mastercard and AMEX but not VISA, or why does foreign issue VISA work for Apple Pay in-app purchases with Japanese apps like Starbucks, but not in-app purchase with JR East for Suica recharge?

The impact of recent phishing attacks
It’s important to understand the effect of major phishing attacks that hit docomo, Line Pay, PayPay and other QR code payment services in late 2020, and JR East online services (Mobile Suica, JRE POINT, Eki-Net and VIEW card) in early 2022. Responses to phishing attacks has been slow, varied and sometimes vague. Companies like to say they value customer security but are short sharing details that outline exactly what they’re doing about it.

Docomo quickly suspended, then killed off, their problematic docomo koza e-paymnet service. Japanese credit card issuers responded by upgrading to EMV 3-D Secure v2 for browser and mobile app payments (edit: EMV 3-D Secure is the EMV e-commerce browser and app authentication spec for all members but card brands use their own naming) and are due to phase out 3-D Secure v1 by October 2022.

JR East has upgraded Suica App to 3-D Secure v2 for in-house credit card purchases and JRE POINT to make it more secure, but seemly little else. Scratch under the surface however and you’ll notice unannounced recharge security blocks with Apple Pay. There are also new limits for certain Japanese issue cards registered in Suica App. Recharge with Revolut VISA for example is now limited to 3,000 JPY per day despite the fact that Suica App uses 3-D Secure v2. Clear as mud…again.

Which brings up to the most important point of the whole problem: why is the VISA payment network not accepting foreign issue cards for Apple Pay Suica and Google Pay Suica recharge when those digital wallets offer the highest levels of secure online transactions out there? A bumpy 3-D Secure v2 transition might explain what’s happening with some online sites that have not been updated for the newer protocol, but the transition has been going on for a while now and the USJ site almost certainly uses EMV 3-D Secure v2. And it doesn’t explain what’s happening with Apple Pay Suica/PASMO and Google Pay Suica (Osaifu Keitai) which have nothing to do with EMV 3-D Secure.

The Apple Pay difference
Apple Pay adds a device specific secure element + bio-authorization security with built in tokenization. Apple Pay takes care of all complex tokenization/authorization stuff on their backend. Neither user nor merchant have to deal with 3-D Secure because Apple Pay has its own tokenization that ‘just works’. And because Apple Pay comes with the extra security and guarantees that Apple provides to issuers and merchants, once a card is added to Apple Wallet, it is cleared for all things Apple Pay (ditto for Google Pay). This is why a plastic contactless card that doesn’t work on TfL open loop transit gates works when it is added to Apple Wallet. It’s the Apple Pay difference.

So we circle back to foreign issue VISA again. Why are cards cleared for Apple Pay, cards that worked fine until August 5, suddenly not working? Is JR East shutting down recharge for foreign issue cards like Hong Kong Octopus and China T-Union do without telling us? So far JR East support says that all credit and debit cards that support Apple Pay in-app purchase are good to go. They certainly want inbound visitors to use Suica. What little evidence we have so far points to a change on the VISA side. Everybody else seems to be doing what they always do and haven’t changed anything.

VISA has a history of not playing nice with Japanese stored value cards on mobile. JP issue VISA cards didn’t work for Apple Pay in-app purchases and Suica recharge until last year, it took VISA 5 years to ‘resolve’ that issue. VISA cards still do not work with Mobile WAON and Mobile nanaco on Android and Apple Pay, they likely never will. My take is that VISA is happy with people buying things with VISA, they are certainly happy with people borrowing money with VISA, but they are not happy with people using VISA to move money into stored value prepaid cards for making payments, earning points, etc., that are not VISA.

Who knows? VISA has played hardball in the Japanese market before, maybe they are doing so again. Perhaps they refuse to be an ATM-like recharge backend for Japanese e-money cards unless they also get ATM-like lending rate surcharges, or maybe they want to promote open loop VISA Touch and Stera Transit at the expense Mobile Suica market and mindshare. You get the picture.

Junya Suzuki thinks VISA acquirers are coming under pressure from potential money laundering risks. I think people have the right to move their money where they want to, after all we’re only talking a max Suica balance of ¥20,000 here. Whatever the reason let’s hope it is fixed soon, though I have learned over the years that card brand payment issues are never simple. Time will tell. At the very least I think we can say this is just another skirmish in the ongoing digital payment turf wars.

Apple Pay Suica recharge security block

JR East online services (Mobile Suica, JRE POINT, Eki-Net), along with many other online services that have accounts with credit cards, have been inundated with phishing attacks since the Russia-Ukraine situation erupted in February. It has gotten to the point that JRE POINT announced temporary security limitations on July 6: a temporary suspension of JRE POINT service recharge for Mobile Suica (via Suica App) and a 5,000 JRE POINT app barcode use limit per transaction (plastic JRE POINT card use remains unlimited). All JRE POINT services were later restored with new security enhancements.

There is another security limitation Apple Pay Suica users need to be aware of: credit/debit card recharge security block. This does not apply to cash recharge at station kiosks, convenience stores, 7-11 ATM, etc., but it can happen with multiple credit card recharges in a short period of time, i.e. heavy users. Unfortunately JR East does not reveal what conditions trigger a recharge security block that displays an error message: チャージをご利用できない状態です/ Recharge is not available. The Mobile Suica support page specifically states that JR East “cannot inform you about the conditions and contents of restrictions.” User reports suggest a general daily recharge limit between ¥5,000~¥10,000, however I think it also depends on the credit card issuer. My JR East JCB VIEW card for example has never run into any recharge limits in 5 years of heavy recharge use.

Apple Pay Suica recharge security block appears to be somewhat rare, but it is happening more with the recent Mobile Suica phishing attacks. In general Wallet app recharge tends to be more robust than Suica app recharge but security recharge block seems to affect all credit card recharge. The only user recourse appears to be contacting the card issuer or using the Mobile Suica member online Trouble Report Form (Japanese only). No word on Apple Pay PASMO but users should expect the same situation.

Mobile Suica registered account information can only be changed in Suica (iOS) and Mobile Suica (Android) apps by applying for an account update, it cannot be directly changed in the app, it cannot be changed via a web browser. This offers a level of account security but too many people fall for phishing emails. Even my internet savvy partner fell for a Mobile Suica phishing mail and have to get his credit card reissued.

The short term solution for JR East is to implement 2FA across all of their online services with a single login ID credential instead of the multiple service ID account mess we have now…hopefully soon. The longer term solution will be eliminating ID and password login altogether using Passkeys.

Recharge your recharge, the winner/loser debate doesn’t mean jack in the post-Apple Pay Japanese payments market

I love articles like this one. It’s fun examining how the writer, freelancer Meiko Homma, takes old news bits, worn-out arguments and weaves them into a ‘new’ narrative with a titillatingly hot title: “QR Code payments won the cashless race, Suica utterly defeated.”

Her article trots out some QR Code payment usage data from somewhere, the PASPY transit card death saga that illustrates the increasingly difficult challenge of keeping region limited transit IC cards going, the fact that Suica only covers 840 stations out of a total of 1630, all while conveniently ignoring recent important developments like the Suica 2 in 1 Regional Affiliate program, and big updates coming in early 2023: Cloud Suica extensions and the Mobile ICOCA launch.

It has the classic feel of ‘here’s a headline, now write the article’ hack piece passing as industry analysis we have too much of these days. The Yahoo Japan portal site picked it up and the comments section was soon full of wicked fun posts picking apart the weak arguments.

I’ve said it before and say it again: the winner/loser debate doesn’t mean shit in the post-Apple Pay Japanese payments market. PayPay for example, started out as a code payment app but has added FeliCA QUICPay and EMV contactless support along with their PayPay card offering. Just like I predicted, these companies don’t care about payment technology, they just want people to use their services. My partner and I actually see less PayPay use at checkout these days and more Mobile Suica. Why?

The great thing about prepaid eMoney ‘truth in the card’ Suica, PASMO, WAON, Edy, nanaco, is they are like micro bank accounts coupled with the backend recharge flexibility of mobile wallets (Apple Pay, Google Pay, Suica App, etc.). PayPay, au Pay, Line Pay and similar Toyota Wallet knock-off payment apps with Apple Pay Wallet cards, are deployed as mobile recharge conduits that smart users leverage to put money into different eMoney micro bank accounts and get the points or instant cashback rebates they want to get at any given campaign moment. This is where the action is.

And so we have recharge acrobats like Twitter user #1: step 1 recharge PayPay account from Seven Bank account, step 2 move recharge amount from PayPay Money to PayPay Bank, step 3 move recharge from PayPay Bank to Line Pay, in Wallet app recharge Suica with Line Pay card. Or like recharge acrobat Twitter user #2: Sony Bank Wallet to Kyash to Toyota Wallet to Suica.

Phew…none of this involves transfer fees so it’s up to user creativity to come up with the recharge scenario that works best for them. Does it count as PayPay use or Line Pay use or Mobile Suica use? Does it matter?

It’s not about winners or losers, it’s about moving money around. Mobile Suica is extremely useful because of it’s recharge backend flexibility, thanks to Apple Pay and Google Pay (which does not support PASMO yet). This is the case for US citizens working in Japan who get a great return of their Suica or PASMO recharge right now using US issue credit cards because of the exchange rate. This is something visitors to Hong Kong cannot do with Apple Pay Octopus as the OCL recharge backend is far more restrictive than JR East. The biggest gripe users have with Suica is ¥20,000 balance limit.

In the weeks to come we’ll be sure to see hand wringing articles debating the future of Suica, open-loop, etc.,etc., because let’s face it, IT media journalists need something to write about in these challenging times where everything has to be sold as winner/loser, black/white, 0 or 10, and nothing in-between, to get any traction at all. As for me, I think it’s far more interesting, and real, to observe how users are using all these nifty mobile payment tools.

UPDATE 2022-07-04: Thoughts on the KDDI network outage
That was fast. No sooner had the “QR Codes won the mobile payments race” article appeared when major Japanese carrier KDDI experienced a nationwide mobile network meltdown on July 2 JST, lasted a full day with a very slow, still in progress, recovery affecting more than 40 million customers. Suddenly social media channels were full of people complaining that QR Code payments didn’t work, assuming that Mobile Suica and other NFC mobile payments stopped too. Which was not the case though a few fake posts claimed, or just ‘assumed’ people were stranded inside stations. Fortunately there were numerous online articles setting the record straight.

It’s a lesson that people soon forget in our attention span challenged social media era. We saw plenty of QR Code payment downsides in the 2018 Hokkaido Eastern Iburi earthquake that knocked out power and mobile service across Hokkaido. At the time some fake Chinese social media posts claimed AliPay and WeChat pay ‘still worked’ in Hokkaido at the time, of course they did not.

Mobile payment disruptions happen with every natural disaster and war. Good and safe practices don’t come easy when smartphone apps lure us down the easy path without spelling out the risks. It’s a lesson we have to learn again and again, that while network dependent code payment apps have some benefits, they also have limits and security risks. One size does not fit all, NFC and code payments each have their place and role to play in the expanding mobile payments universe. The key is understanding their strengths and weaknesses.

iOS 16 Wallet: expanding the Apple Pay experience, aka Suica auto-charge for the rest of us

iOS 15 added big new features to Wallet, expanding digital keys from cars to include home, office and hotels and ID in Wallet driver licenses for the first time. There were smaller but important UI changes too. A new add card screen offered new categories making is easy to add transit cards regardless of the device region and quickly re-add previous Wallet items from iCloud. iOS 15 was all about Wallet to the extent that Apple now advertises it as a separate thing from Apple Pay with a separate web page, and even referred to Apple Pay as “one of the most important areas of Wallet” in the WWDC keynote. Very interesting.

iOS 16 moves the focus back to Apple Pay and making digital payments more useful, practical and universal. The WWDC22 Keynote announced Apple Pay Later, in-app ID card verification and key sharing. Apple Pay Later is one aspect of several new Apple Pay functions unveiled in the What’s new in Apple Pay and Wallet session.

Multi-merchant payments: In our online world we can never be sure how many sub-merchants are involved when we order something and how our card information is shared. In multi-merchant Apple Pay, multiple payment tokens are issued for each merchant in the same transaction, preserving user privacy, with the iOS 16 Apple Pay paysheet showing a breakdown of each sub-merchant charge. This feature works mostly on the backend, but showcases how smartly the Apple Pay Wallet team design features to ‘just work’ securely for merchants and customers.

Automatic Payments
My favorite iOS 16 feature as it addresses a lot of interesting use cases, much more than just Apple Pay Later installments which fall under:

Reoccurring payments, which include things like installments and subscriptions, basically any regularly scheduled payment. With the recent Starbucks Japan price increases, I decided to sign up for the new JR East Beck’s Coffee Shop subscription plan. Up to 3 cups a day for ¥2,800 a month. A pretty good deal for commuters like me. The Beck’s subscription service is subcontracted out to an interesting online business venture company called Favy that uses Sign in with Apple to create an account. Payment however is manual credit card entry with the onerous, ubiquitous 3D Secure sign-in. Pass issue and serving size selection (M=¥50, L=¥100 extra) is done in Safari. It works well enough, but canceling or getting payment details is a real Safari expedition. It would be a much better, and faster, customer experience doing it all in Apple Pay.

Automatic Reload: this is the real money feature for me because it plays on the classic snag of using Apple Pay Suica…recharge. All pre-paid cards are a catch-22. Japanese users love them because they like the “I know how much money I’m adding to my card” aspect of manual recharge, but there’s the inevitable, you know you forgot about it, bing-bong ‘please recharge’ transit gate alarm when Suica balance is short.

JR East offers Suica Auto-Charge (auto-reload) as a feature of their VIEW card. The auto-charge option works great with Apple Pay Suica but like all transit card auto-charge, it is tethered to the transit gate NFC system. This means the users gets instant, seamless auto-charge but only on the operator’s transit gates. Suica auto-charge does not work outside of the Suica and PASMO transit gates, not at store terminals, not in other transit card regions like JR West ICOCA. This limitation is a big customer complaint, I and many others would love Apple Pay Suica auto-charge to work everywhere.

Apple Pay automatic reload takes care of this problem very nicely. Suica would recharge anywhere because the card balance ‘trigger’ and reload process is done via Apple Pay instead of JR East transit gates and the Suica system. JR East could keep auto-charge exclusive to their VIEW cards as they do now or easily, selectively expand it. Either way they would greatly increase the usefulness of VIEW and Suica by supporting the new Apple Pay automatic reload feature. The possibilities are are pretty exciting.

Order tracking
Another very useful feature I think people will love using. The addition of QR/barcodes in the Apple Pay sheet is a first and will greatly shorten the order pickup~delivery process. The best use case of Apple Pay and bar codes that I can think of.

ID verification in apps
This is where ID in Wallet gets real. Wallet app has TSA airport checkpoint verification built-in but that’s not going to help all the government issuing agencies, not to mention software developers, around the world who want to implement digital ID verification to unlock various digital services.

JR East for example has centered their whole Super Suica MaaS Cloud initiative around ID PORT and the ability to match various region or age based services (discounts, special fares, etc.). In other words JR East and their sub-merchant or local government agency want to know where I live and how old I am. This is all provided on the Japanese government My Number digital identity card launching later this year on Android, and Apple Wallet later on. But I don’t want my personal details going everywhere. If the MaaS campaign app or website only needs to know that I live in Tokyo and am over 60, that’s the only info I want to give them. This is what the new PassKit ID request APIs in iOS 16 do: give apps only the information they need to perform a verification for a service and nothing more.

Key sharing
Nothing big here, but it does address one iOS 15 Wallet shortcoming for home, hotel keys which that could not be shared and expanded share options beyond mail and messages. I’m doubtful Apple includes office keys in the bargain but the fine print reads: available on participating car brands and access properties. We’ll find out when iOS 16 ships.

And then there’s Tap to Pay on iPhone. It’s really not an Apple Pay function to me because it turns iPhone into a very handy and portable NFC payment terminal, but it makes sense branding wise. Just say Apple Pay for making…and accepting payments. Anywhere the merchant has their payment provider POS app and a network connection, they are ready to go. This is big. Apple has lined up an impressive number payment providers in a very short time who are happy to leave all the hardware certification and secure element management to Apple and focus on software. I can practically feel the intense interest from Japan where local payment providers would love to leverage the global NFC capable iPhone for seamless EMV and FeliCa payment services. It could be an interesting Apple Pay year.

Apple removes region requirement for Suica, swaps recharge with top up and other updates

Sometimes it takes Apple support pages a while to acknowledge the current reality of iOS. iOS 15 Wallet brought ‘region free’ transit cards with an improved UI so that allowed Apple Pay users from anywhere to add transit cards directly in Wallet. Apple support document HT207155 “Add a Suica or PASMO card to Apple Wallet removed the ‘device region set to Japan’ requirement in an April 29, 2022 update, some 6 months after the iOS 15 release.

‘Region free’ transit cards are not all equally region free however: some transit cards only accept locally issued Apple Pay cards for adding money. This is the case for Hong Kong Apple Pay Octopus and all Chinese T-Union brand transit cards (too many to list). Octopus does offer a surprisingly user unfriendly iOS Octopus for Tourist app for tourists add Octopus to Wallet, that unfortunately locks in usurious currency exchange rates.

Suica remains the first, and best, truly region free transit card because you can “pay for transit rides and make purchases with just a tap,” and all Wallet payment cards that support in-app payments are good for adding money to Suica (and PASMO).

There are also some interesting tweak updates in the companion support doc: Use Suica or PASMO cards on iPhone or Apple Watch in Japan. The first is Apple going all in with the UK English ‘top up’ as the default English word for adding money to prepaid cards. Why not stick with regional differences? Does Apple want America to become a cultural extension of Great Britain or something? Recharge was used previously in the US doc version though I suspect most Americans use reload. ‘Top up’ is too quainty UK English for my tastes, sounds like drinking. I’ll stick with recharge.

The other change is an expanded Check the balance section that now includes If your Suica or PASMO card balance doesn’t update, with a link to a fairly new support doc, “If your transit card balance doesn’t update in Apple Wallet.” If there is one common complaint from Suica and PASMO users it is that the sometimes sluggish Apple Pay recharge process, usually due to a poor internet connection, occasionally results in the balance not updating. As the Apple doc states: the truth is always in the recent transactions list.

The last new tweak is a new section: Get a refund for purchases made with your Suica or PASMO. It has good advice that should have been there from Apple Pay Suica launch day, “return the item to the same terminal where you made the purchase before you use Suica or PASMO to make another purchase using Apple Pay.”

Unfortunately Apple failed to update has the Use the Suica or PASMO app section, leaving some very outdated and incorrect information. Shinkansen eTicket service in Suica App ended back in March 2020, and Green Car tickets were never available in PASMO app.

I guess they were too busy swapping American English with British English to notice the errors.

Add a Suica or PASMO card to Apple Wallet: no more region settings