Ahh springtime, flowers and the annual Apple Platform Security (APS) update. This year’s version has many Apple Pay housekeeping changes. Previous versions put everything Apple Pay in a single section. In keeping with Apple spinning out iOS 15 Wallet app as a separate identity, Wallet has its own separate section now, covering all the things Jennifer Bailey unveiled at WWDC21: hotel-home-office keys and ID in Wallet. The Apple Pay section adds a new category for Tap to Pay on iPhone with some interesting bits.
The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with to the Contactless Payments on COTS (CPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC) and are PCI DSS compliant.
The Tap to Pay on iPhone server emits decryption keys to the Payment Service Provider after validation of the integrity and authenticity of the data, and after verifying that the card read was within 60 seconds of the card read on the device.
What’s interesting to me is that Tap to Pay on iPhone servers are providing a seamless payment reader experience in the same way that Apple Pay servers provide a seamless pay experience. It just works, from setup to use, the same tight integration allows payment service providers to focus on POS app development and forget about the hardware because Apple Pay takes care of everything. As Junya Suzuki tweeted recently, a lot of payment reader hardware is suddenly junk compared to what iPhone is providing with tight mobile integration and Tap to Pay servers on the backend. Now with Tap to Pay apps on the horizon, good thing that iOS 15 Wallet expanded the secure element max to 16 ain’t it?
Speaking of Wallet, this separate section covers all things “access credential” related (hotel-corporate-home-car-student ID) with App Clips suggested for provisioning multifamily home keys. Transit now includes eMoney cards (or is it e-Money, Apple seems confused about it just like Express Mode vs Express Transit) and IDs in Wallet is covered in detail. There is also an intriguing iOS 15.4 Wallet security tweak:
In iOS 15.4 or later, when a user double-clicks the side button on an iPhone with Face ID or double-clicks the Home button on an iPhone with Touch ID, their passes and access key details aren’t displayed until they authenticate to the device. Either Face ID, Touch ID, or passcode authentication is required before pass specific information including hotel booking details are displayed in Apple Wallet.
It sounds almost exactly what we already do with regular Apple Pay cards. Perhaps keys and passes only show a generic icon and checkmark with Express Mode with the double-click + authentication required for show details…it’s not very clear.
The whole security expert thing reminds me of what my uncle the doctor (who ran a medical research lab at Columbia University) used to say about his disdain for pharmaceutical companies, “They don’t want to cure you, they just want to keep ‘treating’ you with their medicines.” Human nature never changes. The gist is that EMV Express Transit Mode will always be a thorn in Apple Pay’s side because the security is up to the card companies.
The document is worth your time is you have any interest in Apple Pay and Wallet.
(The) Digital Markets Act will…require companies designated as gatekeepers to ensure effective interoperability with hardware and software features they use themselves in their ecosystems. This includes access to NFC for mobile payments.
Today’s case addresses a conduct by Apple that has been ongoing since Apple Pay was first rolled out in 2015 <sic, 2014 actually>. This conduct may have distorted competition on the mobile wallets market in Europe. It prevented emergence of new and innovative competition that could have challenged Apple.
Both pieces miss important context surrounding the debate however…and with this issue context is all, especially how Apple Pay is playing out in other global markets. Most of what follows I’ve covered in earlier posts but hope to pull the various issues together in one post. Yet again, we kickoff with an updated Apple Pay diagram.
The so called Apple ‘NFC chip’ is not a chip at all but a hardware/software sandwich. The Apple Pay ecosystem described in iOS Security is a collection of tightly integrated polished pieces: Secure Element, Secure Enclave, NFC Controller, Wallet and Apple Pay Servers, all wrapped into a slick, easy to use UI with a final security wall of ‘secure intent’, a double-click side button hot-wired to the Secure Element. This approach has been so successful that people divide mobile payments history into pre-Apple Pay and post-Apple Pay eras.
Apple Pay has a very simple rule: any card that loads a Java Card applet into their embedded secure element (eSE) has to reside in Wallet app. The maximum number depends on how many Java Card applets it can hold at any one time, the previous limit was 12, the iOS 15 Wallet limit is 16 cards. Developers have two ways to access iPhone NFC: 1) Core NFC framework for NFC operations that don’t use the secure element, 2) Secure Element pass certificates for NFC operations that need secure element transactions (payments, keys, ID, passes). Any developer who wants to run applets in the eSE has to apply for a PassKit NFC/Secure Element Pass Certificate. This is covered by NDA but a company called PassKit (not Apple) gives us an idea what Apple’s Secure Element Pass guidelines are:
Apple care a great deal about the user experience. Before granting NFC certificate access they will ensure that you have the necessary hardware, software and capabilities to develop or deploy an ecosystem that is going to deliver an experience consistent with their guidelines.
The end to end user experience, the whole reason behind the success of Apple Pay. But this gatekeeping is what riles banks and financial service providers who want to load their applets into the secure element without the Apple Pay gatekeeping, without the Apple Pay ecosystem and without the Apple Pay commission. They want to do their own transactions with their own app for free. This is what the EU Commission means when Vestager says: “Evidence on our file indicates that some developers did not go ahead with their plans as they were not able to to (sic) reach iPhone users.” It should read: when they were not able to reach iPhone users for free. Either the developer didn’t apply for a Secure Element Pass, didn’t pass the certification process, balked at Apple’s certification conditions, or couldn’t agree on Apple Pay commission rates.
Secure element gatekeeping is not new, it is an essential part of the secure element system:
A Secure Element (SE) is a microprocessor chip which can store sensitive data and run secure apps such as payment. It acts as a vault, protecting what’s inside the SE (applications and data) from malware attacks that are typical in the host (i.e. the device operating system). Secure Elements handle all sorts of applications that are vital to our modern digital lives…
Mobile Payments Here, the Secure Element securely stores card/cardholder data and manages the reading of encrypted data. During a payment transaction it acts like a contactless payment card using industry standard technology to help authorize a transaction. The Secure Element could either be embedded in the phone or embedded in your SIM card.
Lifecycle management It’s crucial that SE-embedded devices are secure throughout their lifecycle. That’s why Secure Elements need to have an end-to-end security strategy. It’s no use developing a robust security solution for a device which becomes obsolete after a period of use. This is why Secured Elements can be updated continuously to counter new threats.
Few people, especially a PayPal or EU Commission vice president, discuss the crucial secure element lifecycle management aspect. It’s not convenient for them to say the secure element ‘gatekeeper’ is responsible for keeping it secure. Far more convenient for their arguments to omit this, portray gatekeeping as unnecessary and gatekeepers as evil. In the end however, Apple has to maintain secure element updates from the various licensed secure element providers (EMV,FeliCa Networks, MIFARE, and so on) if secure payments are going to work at all This is what people who say, ‘it’s my device, we should be able to use NFC how we want,’ do not understand.
People also forget that nothing is free, you get what you pay for. With Apple Pay as gatekeeper, users get simplicity, innovation and feature updates. Simplicity: users get NFC they can use out of the box without Android-like NFC complexity such as secure element positions and obscure express mode settings.
Innovation: Apple Pay has features like Global NFC. iPhone and Apple Watch are the only smart devices that come with FeliCa built in as standard to use in Hong Kong or Japan, while Android limits functionality by market region. It’s astounding that Android, not even Google Pixel Android, has matched this basic functionality yet. We’re seeing more innovation as Ultra Wide Band (UWB) extends Wallet functionality to include ‘Touchless’ car keys and eventually, UWB enhanced automatic card selection as you approach the reader; more helpful than you might think.
Japan is key to understanding what’s really going on in the Apple Pay monopoly debate. Japan was the first market with an established mobile payment platform in place, long before mobile EMV contactless payments took off in Europe. iPhone also has a much larger marketshare in Japan than it does in Europe. It’s a shame people pass up the opportunity to learn from the successes and failures here.
So what’s the EU Committee vision for ‘open NFC’? I think it’s a rehash of the secure element wars when carriers locked mobile payment services to SIM contracts. In 2013 Google incorporated SimplyTapp HCE (Host Card Emulation ‘secure element in the cloud’) technology as a NFC ‘workaround’ to ‘free’ NFC from the evil clutches of mobile carriers. Sound familiar? Android NFC has never been right since.
How little things change, swap ‘evil mobile carriers’ for ‘evil Apple’ and you have the same self serving ‘open’ vs ‘closed’ NFC chip nonsense that people are debating today. FeliCa Dude, the ultimate industry insider who has experienced it all, said it best: ‘It’s all eSE or nothing now.’
And yet we now have Île-de-France Mobilités (IDFM) turning back the clock, circumventing the eSE on NFC equipped Android devices and going all in with HCE for IDFM’s Smart Navigo service for Android. To me this says all you need to know what European priorities are regarding the ‘open NFC’ model: eliminate eSE gatekeepers by forcing the less secure network dependent HCE as a required option. Good luck with that. From a transit perspective, based on Mobile Suica user experiences, I don’t think HCE Smart Navigo will be a smooth ride.
The EU Committee ‘open NFC’ vision might look ideal…to Apple Pay competitors. Regular users however, will have to deal with the ugly reality of multiple NFC apps, multiple NFC secure element modes and clashing updates that cancel out NFC services. Apple Silicon eSE space is limited to 16 cards. If that sounds like a lot now, wait until you have credit cards, transit cards, home, car and office keys and ID installed along with ‘open’ NFC apps wanting their own eSE space too. Services will be squeezed out forcing the user to intervene. If the EU Committee thinks this environment fosters competition and innovation while growing mobile payment use, dream on.
Japanese tech journalist Junya Suzuki has covered NFC mobile payment developments in Europe, America and Japan for over 2 decades. He doesn’t think the EU is playing an even hand here, in his opinion Samsung and Huawei would never face the scrutiny that Apple now faces. In typical European cultural fashion, EU motives pay lip service to fair open markets while playing an underhanded game of chess to make Apple do what EU banking interests want Apple to do. In other words, a double standard.
What does Apple need to do? I’ve always said that Apple needs to make the Secure Element Pass application process as transparent as possible. Keeping the blackbox NDA process as it is now makes Apple Pay a target, increasingly difficult to defend the status quo. Secure Element access on the level of Core NFC is a long shot, the very definition of a secure element means there has to be a developer certification process similar to EMVCo, FeliCa Networks, MIFARE, Calypso Networks Association, etc., that protects the privacy and business interests of all parties. But it would be great if there is a middle way where Apple can securely open things up for iPhone as a digital wallet, and iPhone as a payment terminal. We’ll see if Apple has anything to say about the subject at WWDC22.
A Japanese friend once told me that when Suica first came out, young people in Tokyo sent Suica cards to hometown families to use for coming to Tokyo. But parents and grandparents sent them back saying, “we can’t use them,” even when they could use them in their local area.
What they were really saying was, ‘Suica doesn’t get us the same transit perks we do using local paper tickets or mag stripe cards.’ There has long been a huge gap between transit services available in major cities which ‘don’t work’ in one way or another for those in outlying areas.
That’s the challenge facing the Japanese transit IC card system. Being able to use a Suica or ICOCA transit card in the sticks isn’t enough, local region services must be attached to make it worthwhile for people living outside major city areas. Transit IC has to evolve if it is going to be useful in the mobile era with proliferating smartphone payment apps vying for a piece of the national transit pie.
Now that we have a clearer vision of how Suica 2 in 1 Region Affiliate cards address this problem and how they are central to JR East’s MaaS strategy, it’s time to look at evolving JR East cloud services and how they fit into that strategy. There are a number of new cloud service parts that have come on line over the past year, or are coming soon…some visible, some not.
Taken together they comprise what I call ‘Super Suica Cloud’ following my earlier definition of Super Suica: a collection of mobile focused transit and payment infrastructure services that can be shared with or incorporate other company services, or be hosted by JR East for other companies. MaaS is an elastic term that holds a lot of flashy concepts, but I think JR East is aiming for something more low-key but practical, a Japanese Multimodal MaaS if you will.
The immediate concrete end-goals are service expansion with cost reduction; elimination of duplicate or proprietary dedicated infrastructure in favor of open internet cloud technology. With that in place the next goal is tight integration of transit payment services that work everywhere but also deliver tailored services for local regions. Let’s examine the parts.
Mobile Suica People assume that Mobile Suica does everything mobile, but basically it’s a station kiosk in the sky. Put money in for a transit card, put money in for a recharge, or a commuter pass, a day pass, and so on. Issuing, recharging and managing Suica cards on mobile devices is what Mobile Suica was built for.
As the world’s first mobile transit card service, Mobile Suica has made a lot of progress over the years expanding support to include Android, Apple Pay and wearables, but the work isn’t done until any mobile device from anywhere can add Suica. And since Mobile Suica hosts Mobile PASMO (launched in 2021) and almost certainly the forthcoming Mobile ICOCA (coming early 2023), getting those on an equally wide digital wallet footing is just as important.
As the face of all things Suica on mobile devices, the smartphone app could have many more things plugging into it, like Hong Kong’s Octopus App. So far however, JR East has chosen, wisely in my opinion, to keep it limited to basic housekeeping, breaking out ticketing and MaaS functions to separate apps.
Suica Fare Processing • JESCA Cloud This is the traditional Suica network system centerpiece that locally processes touch transit stored fare on station gates and touch e-Money payments in stores. The station gate fare side is getting a major new addition in 2023 with a simplified cloud based Suica transit fare network rolling out to 44 Tohoku area JR East stations. This new Cloud Suica area closely aligns with Suica 2 in 1 Region Affiliate cards launching this year.
The store payment side also has a simplified cloud based FeliCa payment network and a name: JESCA-Cloud. System details are vague but Cloud Suica transit fare and JESCA Cloud store payments appear to do the same thing: move transaction processing off local hardware and onto the cloud. Fast processing time is very important at transit gates, Suica tap times are the fastest out there. Those familiar with the Suica system say Cloud Suica will spilt it 50% local processing / 50% cloud processing. Dumber terminals, smarter cloud that still offers great Suica service…we hope.
One difference Cloud Suica has from a similar effort by JR West for ICOCA, is that Cloud Suica supports all the standard Suica features like commuter passes that cloud ICOCA does not. An interesting side note is that JR East hosts the processing for JR Central’s TOICA transit card network, they can certainly put the new Cloud Suica backend to good use expanding TOICA coverage in rural lines like the Minobu line.
ID Port Comb through recent JR East press releases and you’ll find 3 service announcements built around ID PORT, a “cloud based ID verification solution” from JREM (JR EAST MECHATRONICS CO., LTD), the company that builds Suica infrastructure.
Maebashi City TOPIC MaaS service (November 2020): Local MaaS discount services provided by TOPIC that use Suica with My Number card address and age to verify eligibility:
Suica Smart-Lock (December 2021): registered Suica card access a variety of access services provided by ALLIGATE:
All of the announcements have 3 components: JR East (Suica), JREM (ID-PORT), 3rd party services attached to Suica using ID-PORT as the system glue. Most of these are either in testing or ‘coming soon’. What is ID-PORT?
ID-PORT is explained on the JREM site, but the first public mention in an NTT Data PDF document from November 2020 is more revealing: “The Open MaaS Platform and supporting Multimodal MaaS”. The JR East Suica MaaS strategy is outlined with various scenarios that indicate ID-PORT is the JREM side with MaaS services on the NTT Data side. In other words a co-venture.
The job of ID-PORT is that it acts as the middle man ID verification glue linking a registered Suica (or similar Transit IC card) with various 3rd party services such as special ticketing, access and discounts.
The interesting thing about the ID-PORT and NTT Data MaaS platform reveal is that the timing exactly coincides with Sony’s release of FeliCa Standard SD2, the next generation FeliCa architecture used for Suica 2 in 1 cards. One of the little discussed new SD2 features is ‘FeliCa Secure ID’. Here is Sony’s diagram of how it works.
Look familiar? Yep, ID-PORT sure looks like FeliCa Secure ID in action. The JREM ID-PORT page is more rounded out, incorporating non-FeliCa ID verification methods like QR and bio-authentication and many different services. ID-PORT has already been added to JESCA-Cloud and CardNet so that linked services are widely available on store payment terminals, not just Suica transit gates. In sum it represents MaaS and Account Based Ticketing in action with ID-PORT at the center.
MaaS and Account Based Ticketing in action MaaS and Account Based Ticketing are the new hotness now that people realize open-loop doesn’t solve everything as banks and card companies want us to believe. Fare Payments Platform provider Masabi explains it this way:
Account Based Ticketing (ABT) shifts the fare collection system from being ‘card centric’, meaning the ticket holds the journey information and right to travel, and moves this to the back office. Moving the ticket information to the back office holds a number of benefits. It means passengers no longer need to buy a ticket or understand fares to travel and instead they use a secure token, typically either a contactless bank card, mobile phone or smartcard.
In this scenario FeliCa Secure ID is a secure token, ID-PORT is the secure token platform using the secure token to link ticketing and services together. That sounds nice but when will we see it in action? I think we already are.
Eki-Net 2 Account Based Ticketing As explained above, ABT attaches tickets from the cloud to a secure token, in this case Suica. By this definition Eki-Net 2 Shinkansen eTickets represent JR East’s first step into ABT ticketing. Eki-Net uses registered accounts and credit cards purchase and attach eTickets to Suica. These eTickets do not use Suica prepaid stored fare nor is any eTicket information written to the Suica card, the eTicket system uses Suica as a secure token. JR Central smart EX is a similar ABT service and let’s not forget the web-only multi-lingual JR-East Train Reservation service that provides some ABT ticketing for inbound visitors.
Will JR East ABT implement the ‘no longer need to buy a ticket’ part of the Masabi ABT vision? I doubt it. Shinkansen eTickets are much lower ABT hurdle: lower passenger volume on far fewer transit gates than regular Suica gates. The complexity of interlocking non-Shinkansen Japanese transit systems and the vast array of fare schedules, such as higher paper fares vs cheaper IC fares, don’t easily straitjacket into an open-loop or ABT fare box, and it doesn’t fit the JR East business model.
Suica 2 in 1 region extras There are services besides ticketing attached to a ‘secure token’ Suica. One of the important things easy to miss in the Suica 2 in 1 rollout are extra region features not available in regular Suica. Disability Suica cards for example. These are finally due to launch on Suica and PASMO cards in October 2022, but disability Suica 2 in 1 cards are already available in region affiliates.
There are also region affiliate transit points, one of the services that ID-PORT is advertising for JR East MaaS. Transit points all ‘just work’ automatically the same way. Points are earned from recharge and transit use and automatically used as transit fare. The user doesn’t do anything except tap the bus card reader. No registration, no setup. I wish JRE POINT had an option to work this way.
Transit points mimic the scheme of old regional transit mag strip card like Nishitetsu that gave ¥1,100 with a ¥1,000 recharge. Those features were popular (automatic simplicity in action again). PayPay used a similar strategy to quickly build a large customer base but pissed everybody off later as they got big and started changing bonus rate returns like used underwear. That won’t happen with Suica 2 in 1 cards as region transit points are locked in by local government subsidies to the region affiliates.
Streamlined simplicity, integration, regionality Despite the la-la-land promise of MaaS and Account Based Ticketing, the ‘just works’ angle is crucial for people to actually use it. One of the current problems with Mobile Suica, Eki-Net, JRE POINT and the MaaS services JR East advertises is that is each service is a separate app + registration + attach cards process. This needs to be streamlined into a single simple JR East sign-on service option like Sign in with Apple that works across multiple services. I suspect ID-PORT is the glue between Mobile Suica and JRE POINT that keeps those registered services automatically linked even if the Suica ID number changes. A good sign because the JR East cloud needs a lot dynamic linking.
There is also the larger problem of integration outside of JR East, such as the current state of multiple online ticketing services; Eki-Net for JR East, EX for JR Central, Odekake-net for JR West, and so on. It would bet great to have a common app that plugs into every online ticketing service. At the very least JR Group companies need to integrate eTicketing the same way they have always integrated paper ticketing for one stop service in their own apps.
The bigger question is do Super Suica Cloud parts (ID-PORT / Mobile Suica / Cloud Suica) scale beyond JR East to include other JR Group companies (JR West, JR Central, etc.) and potential region affiliates nationwide? If increased services with reduced costs is their MaaS goal, JR East needs to step up to the plate and share. Infrastructure sharing with backend integration is the only way forward for all. Japanese transit has always excelled at physical interconnection, the cloud service side needs the same level of interconnectedness.
There are cultural angles too. Japanese have a passion for hunting down local perks, bargains and discounts. People complain about Eki-Net (deservedly) but they sure scramble and swamp the system getting those time limited discount eTickets like crazy pre-COVID era Black Friday midnight Christmas shopper crowds rushing into the store.
There is also the traditional cultural value of promoting local economies. As the saying goes, cities are only healthy in the long term when local economies are healthy too. If JR East is really serious about promoting regional MaaS, they’ve got to aggressively offer linked services that clearly promote regions. There are many region programs that visitors are simply not aware of. JR East can do a lot simply linking them to discount coupons, limited offer eTickets and such that appeal to the bargain hunter Japanese mind. The key is being creative and nimble like QR payment players.
The JR East MaaS region affiliate strategy was conceived long before the COVID crisis, yet COVID also presents a golden opportunity to invest in regions and promote working remotely. The world has changed and transit has to change too, the biggest risk is doing nothing, staying with the status quo. The emerging Japanese MaaS vision is unique in that Japan has a golden opportunity of leveraging the national Transit IC card standard into something new, taking it into the next era…if old rivalries and sectarian interests don’t get in the way and blow it, that is. Either way the next few years will be a very interesting time for Japanese transit.
The new features that make up 2 in 1 Suica are called many things. JR East calls it ‘Next Generation Suica’ and ‘2 in 1 Region Affiliate Card’. Yanik Mangan came up with ‘All-in-one Suica’ moniker in his limitless possibilities podcast. I call it, and will continue to call it, Super Suica because I see wider Suica platform initiatives built off the new FeliCa OS features used for 2 in 1 • next generation Suica. It’s a looser, fuzzier platform evolution definition instead of one card that does it all.
That doesn’t mean that Super Suica or all-in-one Suica will ever happen they way we envision it. The aim is to give people convenient, easy to understand concepts to discuss and categorize ongoing developments until something official comes along.
This is a list of announcements, launches and posts related to Super Suica as a platform with links to JR Group PR releases, color classifications as follows:
🟩= Suica cards • Suica region extensions 🟧= Mobile FeliCa, Mobile Suica + derivations (Mobile PASMO, Mobile ICOCA) 🟥= FeliCa Standard SD2• New FeliCa OS 🟦= Cloud Suica (transit fare) • JESCA-Cloud (e-Money payments) 🟪= ID-PORT Services
🟩🟥Next Generation Suica 2 in 1 cards A new card for integrating Transit IC and region cards in new ways focusing on Suica 2 in 1 Region Affiliate transit cards and FeliCa Standard SD2 • FeliCa OS as the core development. JR Cross Region Commuter Passes included as I suspect they also use SD2 Extended Overlap and represent a step towards cross region through transit for Transit IC.
🟧Mobile FeliCa • Mobile Suica The evolution of Mobile FeliCa to include UWB touchless and multiple secure element domains for digital ID, Mobile Suica service expansion and hosting Mobile PASMO and Mobile ICOCA.
Kitasando Coffee was one of the Japan debut sites for App Clips. I finally had time to check it out today. The overall experience was similar to the Starbucks app mobile order and pay. Regulars would use the full blown Coffee App but I wanted to see how fast the App Clip ‘point and pay’ experience would be.
My iPhone 11 NFC reader mode kicked in and launched the Coffee App Clip, I ordered and paid with Apple Pay, all just under a minute even with first timer ‘what do I do now’ pauses, then waited for the order to be filled. There was no ‘Sign in with Apple ID’ step, just point, order, pay, pickup. The video shows the whole process with the order wait time edited out.
App Clips does a very good job of utilizing NFC reader mode and loading time with 4G LTE was also good. I still have doubts about the experience in a marginal WiFi environment (the WiFi Assist factor) and hope to test different places as App Clips gain traction. Bottom line: if NFC with reader mode is this slick, why would anybody bother with QR or App Clip Codes?
UPDATE iOS 14.3 beta has support for Apple designed App Clip Code scanning. Here is a quick screen recording of the scan process and animation. The App Clip Code is a photo of the ExxonMobile gas pump stickers that launched October 22. The App Clip does not load because the ExxonMobile App is not available in Japan.