Mobile Suica recharge security block

JR East online services (Mobile Suica, JRE POINT, Eki-Net), along with many other online services that have accounts with credit cards, have been inundated with phishing attacks since the Russia-Ukraine situation erupted in February. It has gotten to the point that JRE POINT announced temporary security limitations on July 6: a temporary suspension of JRE POINT service recharge for Mobile Suica (via Suica App) and a 5,000 JRE POINT app barcode use limit per transaction (plastic JRE POINT card use remains unlimited).

There is another security limitation Mobile Suica users need to be aware of: credit/debit card recharge security block. This does not apply to cash recharge at station kiosks, convenience stores, 7-11 ATM, etc., but it can happen with multiple credit card recharges in a short period of time, i.e. heavy users. Unfortunately JR East does not reveal what conditions trigger a recharge security block that displays an error message: チャージをご利用できない状態です/ Recharge is not available. The Mobile Suica support page specifically states that JR East “cannot inform you about the conditions and contents of restrictions.”

Fortunately Mobile Suica recharge security block appears to be somewhat rare, but it is happening more with the recent phishing attack. In general Wallet app recharge tends to be more robust than Suica app recharge but security recharge block seems to affect all credit card recharge. The only user recourse appears to be contacting the card issuer or using the Mobile Suica member online Trouble Report Form (Japanese only). No word on PASMO but users should expect the same situation.

Mobile Suica registered account information can only be changed in Suica (iOS) and Mobile Suica (Android) apps by applying for an account update, it cannot be directly changed in the app, it cannot be changed via a web browser. This offers a level of account security but too many people fall for phishing emails. The short term solution for JR East is to implement 2FA across all of their online services with a single login ID credential instead of the multiple service ID account mess we have now…hopefully soon. The longer term solution will be eliminating ID and password login altogether using Passkeys.

Recharge your recharge, the winner/loser debate doesn’t mean shit in the post-Apple Pay Japanese payments market

I love articles like this one. It’s fun examining how the writer, freelancer Meiko Homma, takes old news bits, worn-out arguments and weaves them into a ‘new’ narrative with a titillatingly hot title: “QR Code payments won the cashless race, Suica utterly defeated.”

Her article trots out some QR Code payment usage data from somewhere, the PASPY transit card death saga that illustrates the increasingly difficult challenge of keeping region limited transit IC cards going, the fact that Suica only covers 840 stations out of a total of 1630, all while conveniently ignoring recent important developments like the Suica 2 in 1 Regional Affiliate program, and big updates coming in early 2023: Cloud Suica extensions and the Mobile ICOCA launch.

It has the classic feel of ‘here’s a headline, now write the article’ hack piece passing as industry analysis we have too much of these days. The Yahoo Japan portal site picked it up and the comments section was soon full of wicked fun posts picking apart the weak arguments.

I’ve said it before and say it again: the winner/loser debate doesn’t mean shit in the post-Apple Pay Japanese payments market. PayPay for example, started out as a code payment app but has added FeliCA QUICPay and EMV contactless support along with their PayPay card offering. Just like I predicted, these companies don’t care about payment technology, they just want people to use their services. My partner and I actually see less PayPay use at checkout these days and more Mobile Suica. Why?

The great thing about prepaid eMoney ‘truth in the card’ Suica, PASMO, WAON, Edy, nanaco, is they are like micro bank accounts coupled with the backend recharge flexibility of mobile wallets (Apple Pay, Google Pay, Suica App, etc.). PayPay, au Pay, Line Pay and similar Toyota Wallet knock-off payment apps with Apple Pay Wallet cards, are deployed as mobile recharge conduits that smart users leverage to put money into different eMoney micro bank accounts and get the points or instant cashback rebates they want to get at any given campaign moment. This is where the action is.

And so we have recharge acrobats like Twitter user #1: step 1 recharge PayPay account from Seven Bank account, step 2 move recharge amount from PayPay Money to PayPay Bank, step 3 move recharge from PayPay Bank to Line Pay, in Wallet app recharge Suica with Line Pay card. Or like recharge acrobat Twitter user #2: Sony Bank Wallet to Kyash to Toyota Wallet to Suica.

Phew…none of this involves transfer fees so it’s up to user creativity to come up with the recharge scenario that works best for them. Does it count as PayPay use or Line Pay use or Mobile Suica use? Does it matter?

It’s not about winners or losers, it’s about moving money around. Mobile Suica is extremely useful because of it’s recharge backend flexibility, thanks to Apple Pay and Google Pay (which does not support PASMO yet). This is the case for US citizens working in Japan who get a great return of their Suica or PASMO recharge right now using US issue credit cards because of the exchange rate. This is something visitors to Hong Kong cannot do with Apple Pay Octopus as the OCL recharge backend is far more restrictive than JR East. The biggest gripe users have with Suica is ¥20,000 balance limit.

In the weeks to come we’ll be sure to see hand wringing articles debating the future of Suica, open-loop, etc.,etc., because let’s face it, IT media journalists need something to write about in these challenging times where everything has to be sold as winner/loser, black/white, 0 or 10, and nothing in-between, to get any traction at all. As for me, I think it’s far more interesting, and real, to observe how users are using all these nifty mobile payment tools.

UPDATE 2022-07-04: Thoughts on the KDDI network outage
That was fast. No sooner had the “QR Codes won the mobile payments race” article appeared when major Japanese carrier KDDI experienced a nationwide mobile network meltdown on July 2 JST, lasted a full day with a very slow, still in progress, recovery affecting more than 40 million customers. Suddenly social media channels were full of people complaining that QR Code payments didn’t work, assuming that Mobile Suica and other NFC mobile payments stopped too. Which was not the case though a few fake posts claimed, or just ‘assumed’ people were stranded inside stations. Fortunately there were numerous online articles setting the record straight.

It’s a lesson that people soon forget in our attention span challenged social media era. We saw plenty of QR Code payment downsides in the 2018 Hokkaido Eastern Iburi earthquake that knocked out power and mobile service across Hokkaido. At the time some fake Chinese social media posts claimed AliPay and WeChat pay ‘still worked’ in Hokkaido at the time, of course they did not.

Mobile payment disruptions happen with every natural disaster and war. Good and safe practices don’t come easy when smartphone apps lure us down the easy path without spelling out the risks. It’s a lesson we have to learn again and again, that while network dependent code payment apps have some benefits, they also have limits and security risks. One size does not fit all, NFC and code payments each have their place and role to play in the expanding mobile payments universe. The key is understanding their strengths and weaknesses.

Cashless is fast and convenient? Point app mania reality check

My partner wanted to pick up some cheap t-shirts on bargain sale at Uniqlo yesterday. The Asagaya station building Beans shopping mall has all the latest cashless options but very bad network service so Uniqlo checkout was a comedy routine. First he brought up the Uniqulo app to get Uniqlo points, then I brought up my JRE POINT app to earn JRE POINT, then he finally paid with QR Code dBarai (docomo). But for each app launch and load we had to run to the store entrance to capture enough network connection for the apps codes to load. The staff is very used to this and suggest customers do so when apps didn’t load, patiently folding clothes while they run back and forth. I asked the cashier if this happens all the time. She smiled and nodded. “Cash is probably faster isn’t it?” She smiled and nodded.

Gosh, just when we thought cashless was going to free us from the so called inconvenient drudgery of cash along came smartphone reward point apps that bog down the whole cashless checkout experience, neatly killing off the supposed time saving advantage. You stand in line while the checkout customer fiddles with smartphone, digging around in an app to find the right coupon code thing. You feel smug until it’s your turn and the networks sucks, the discount coupon doesn’t load and bam, you’re holding up the line too. It has gotten to the point where Nikkei XTECH has provided an Apple Pay help article for faster checkout that explains the benefits of using Apple Value Added Services. Will Apple Pay VAS dPoint and Apple Pay VAS PONTA really help us? Probably not as they only work at LAWSON.

There is another checkout trend I see recently. With price increases everywhere people are using cash a lot more, even at places like in-station Beck’s Coffee Shop. Every customer has a Suica but more young people are keeping it in their pocket and plucking down ¥10,000 yen notes for ¥300 ice coffee. Why? I think it’s Kakebo culture at play, it’s easier to budget with cash payments and the small slightly inconvenient physical routines that accompany it. It’s not about doing everything with cash, but good old tsukae-wake compartmentalization helps keep focus and tamps down the impulsiveness when doing everything cashless. Another way of spreading the risk in these uncertain times.

iOS 16 Wallet: expanding the Apple Pay experience, aka Suica auto-charge for the rest of us

iOS 15 added big new features to Wallet, expanding digital keys from cars to include home, office and hotels and ID in Wallet driver licenses for the first time. There were smaller but important UI changes too. A new add card screen offered new categories making is easy to add transit cards regardless of the device region and quickly re-add previous Wallet items from iCloud. iOS 15 was all about Wallet to the extent that Apple now advertises it as a separate thing from Apple Pay with a separate web page, and even referred to Apple Pay as “one of the most important areas of Wallet” in the WWDC keynote. Very interesting.

iOS 16 moves the focus back to Apple Pay and making digital payments more useful, practical and universal. The WWDC22 Keynote announced Apple Pay Later, in-app ID card verification and key sharing. Apple Pay Later is one aspect of several new Apple Pay functions unveiled in the What’s new in Apple Pay and Wallet session.

Multi-merchant payments: In our online world we can never be sure how many sub-merchants are involved when we order something and how our card information is shared. In multi-merchant Apple Pay, multiple payment tokens are issued for each merchant in the same transaction, preserving user privacy, with the iOS 16 Apple Pay paysheet showing a breakdown of each sub-merchant charge. This feature works mostly on the backend, but showcases how smartly the Apple Pay Wallet team design features to ‘just work’ securely for merchants and customers.

Automatic Payments
My favorite iOS 16 feature as it addresses a lot of interesting use cases, much more than just Apple Pay Later installments which fall under:

Reoccurring payments, which include things like installments and subscriptions, basically any regularly scheduled payment. With the recent Starbucks Japan price increases, I decided to sign up for the new JR East Beck’s Coffee Shop subscription plan. Up to 3 cups a day for ¥2,800 a month. A pretty good deal for commuters like me. The Beck’s subscription service is subcontracted out to an interesting online business venture company called Favy that uses Sign in with Apple to create an account. Payment however is manual credit card entry with the onerous, ubiquitous 3D Secure sign-in. Pass issue and serving size selection (M=¥50, L=¥100 extra) is done in Safari. It works well enough, but canceling or getting payment details is a real Safari expedition. It would be a much better, and faster, customer experience doing it all in Apple Pay.

Automatic Reload: this is the real money feature for me because it plays on the classic snag of using Apple Pay Suica…recharge. All pre-paid cards are a catch-22. Japanese users love them because they like the “I know how much money I’m adding to my card” aspect of manual recharge, but there’s the inevitable, you know you forgot about it, bing-bong ‘please recharge’ transit gate alarm when Suica balance is short.

JR East offers Suica Auto-Charge (auto-reload) as a feature of their VIEW card. The auto-charge option works great with Apple Pay Suica but like all transit card auto-charge, it is tethered to the transit gate NFC system. This means the users gets instant, seamless auto-charge but only on the operator’s transit gates. Suica auto-charge does not work outside of the Suica and PASMO transit gates, not at store terminals, not in other transit card regions like JR West ICOCA. This limitation is a big customer complaint, I and many others would love Apple Pay Suica auto-charge to work everywhere.

Apple Pay automatic reload takes care of this problem very nicely. Suica would recharge anywhere because the card balance ‘trigger’ and reload process is done via Apple Pay instead of JR East transit gates and the Suica system. JR East could keep auto-charge exclusive to their VIEW cards as they do now or easily, selectively expand it. Either way they would greatly increase the usefulness of VIEW and Suica by supporting the new Apple Pay automatic reload feature. The possibilities are are pretty exciting.

Order tracking
Another very useful feature I think people will love using. The addition of QR/barcodes in the Apple Pay sheet is a first and will greatly shorten the order pickup~delivery process. The best use case of Apple Pay and bar codes that I can think of.

ID verification in apps
This is where ID in Wallet gets real. Wallet app has TSA airport checkpoint verification built-in but that’s not going to help all the government issuing agencies, not to mention software developers, around the world who want to implement digital ID verification to unlock various digital services.

JR East for example has centered their whole Super Suica MaaS Cloud initiative around ID PORT and the ability to match various region or age based services (discounts, special fares, etc.). In other words JR East and their sub-merchant or local government agency want to know where I live and how old I am. This is all provided on the Japanese government My Number digital identity card launching later this year on Android, and Apple Wallet later on. But I don’t want my personal details going everywhere. If the MaaS campaign app or website only needs to know that I live in Tokyo and am over 60, that’s the only info I want to give them. This is what the new PassKit ID request APIs in iOS 16 do: give apps only the information they need to perform a verification for a service and nothing more.

Key sharing
Nothing big here, but it does address one iOS 15 Wallet shortcoming for home, hotel keys which that could not be shared and expanded share options beyond mail and messages. I’m doubtful Apple includes office keys in the bargain but the fine print reads: available on participating car brands and access properties. We’ll find out when iOS 16 ships.

And then there’s Tap to Pay on iPhone. It’s really not an Apple Pay function to me because it turns iPhone into a very handy and portable NFC payment terminal, but it makes sense branding wise. Just say Apple Pay for making…and accepting payments. Anywhere the merchant has their payment provider POS app and a network connection, they are ready to go. This is big. Apple has lined up an impressive number payment providers in a very short time who are happy to leave all the hardware certification and secure element management to Apple and focus on software. I can practically feel the intense interest from Japan where local payment providers would love to leverage the global NFC capable iPhone for seamless EMV and FeliCa payment services. It could be an interesting Apple Pay year.

State of Suica 2022

Now that the 1st wave of Suica 2 in 1 card launches is complete, it’s a good time to review the ‘State of Suica’. And it’s always interesting to examine the cultural differences too, when it comes to labeling trends as ‘good’ or ‘bad’. Westerners for example invariably say, what’s the point of having so many Suica card flavors? It’s a waste, better to have just one. It’s a classic double standard professing to want but insisting that life should revolve around single kind of credit card. Japanese don’t seem to care much as the culture is adept at ‘振り分け’: this thing for doing this, that thing for doing that. And the region affiliate users getting Suica for the first time seem pretty excited and all Suica varieties work the same for transit and e-Money purchases.

As of now we have the following plastic Suica card flavors beside the regular Suica available at station kiosks: Rinkai Suica, Monorail Suica, Welcome Suica and Suica Light. On the Mobile Suica side we have: Osaifu Keitai, Apple Pay, Google Pay, Fitbit Pay and Garmin Pay, along with branded Mobile Suica for Rakuten Suica and au Suica on Osaifu Keitai and Mizuho Suica on iOS. Last but not least we have 11 new Suica 2 in 1 Region Affiliate Transit cards that are the keystone of JR East’s MaaS strategy.

What exactly are the differences? It comes down to commuter passes or points. For Suica 2 in 1 cards specifically, it is both. This is a small but very important difference. All the other non-regular Suica outside 2 in 1, come with specific features and limitations. Rakuten and KDDI au users can recharge those Suica with those outside point systems but they can’t add commute plans. Welcome Suica expires in 28 days, Rinkai and Monorail Suica exist for commuter passes and nothing else, and so on.

Suica 2 in 1 doesn’t have limitations and does more than any other Suica: it can hold 2 different commuter passes (one from JR East, one from the region affiliate) and it supports 2 different point systems: messy JRE POINT which is an optional account setup manually linked to the Suica card number, and local government subsidized region affiliate transit points which are automatic and stored on the card itself. The only thing the user needs to do is use the appropriate card for transit to earn and use transit point discounts.

In a mobile payment era where everybody is distinguishing themselves with increasingly complex reward point schemes, the simplicity and flexibility of Suica 2 in 1 transit points, think of it as locally processed transit point stored fare, can go places that old Suica cannot. Imagine how many more people would use Suica transit in Tokyo if it came with transit point discounts. There are other 2 in 1 features not yet supported by regular Suica: disabled and elderly transit user discounts. These are coming to Tokyo area plastic issue Suica, and PASMO too, this October though I suspect those won’t come to Mobile Suica until it gets an upgrade.

Mobile FeliCa hasn’t been updated to the next generation ‘Super Suica’ FeliCa SD2 architecture yet, but once updated we should see Suica 2 in 1 on mobile and new Suica features, along with more Suica 2 in 1 Region Affiliate cards. All in all the new Suica 2 in 1 card format tells us where JR East wants to go.

There are some interesting numbers from the JR East FY results. All things transit took a huge hit in FY 2021 from the COVID pandemic, Suica included, but are now recovering though still below pre-covid transaction levels. Another surprise is the popularity of Eki-Net eTickets, a 39% usage rate is not bad for a service that only started in March 2020. One of the smarter things JR East did with Eki-Net eTicket discounts is making them simple and available to all Eki-Net users and credit cards. The JR Central EX system has 2 different Shinkansen eTicket tiers (EX-Press and smartEX) with larger EX discounts limited to select credit cards.

There are lots of things that JR East needs to do longterm, more Suica day passes, Mobile Suica recharge that is available 24/7, phasing out legacy mag strip ticketing and UWB touchless transit gates. In the short term we have Cloud Suica and Mobile ICOCA coming online in March 2023, the end of the current fiscal year. At the very least it should be an interesting time for JR West ICOCA users, and one more nail in the PiTaPa coffin.