OMNY card completes the EMV only OMNY system (updated for Apple Pay OMNY)

After a long gestation, and a COVID related delay, the good old swipe MetroCard replacement has finally shipped. OMNY card is a ‘truth in the cloud’ EMV bank payment card, not a MIFARE or FeliCa ‘truth in the card’ smartcard like London Oyster or Tokyo Suica. As MetroCard missed the transit smartcard revolution of the early 2000s, MTA and ticketing system management company Cubic Transportation Systems decided to go all in with a new system built on EMV and open loop, i.e. using ‘open payment’ EMV contactless credit/debit cards as the transit fare foundation instead of dedicated transit cards. It’s a ‘one size fits all’ approach where bank payment cards are promoted for every kind of purchase. The coming addition of fare capping, i.e. OMNY card features without an OMNY card, further reduces the need for OMNY card commuter passes and encourages credit/debit card use.

The piecemeal OMNY rollout has not been an easy transition for MetroCard users. One problem with one size fits all open loop is that different people have different needs: minors, seniors, the disabled, daily commuters with set routes, people without credit cards and so on. Even with fare capping, open loop cannot handle these well; if it did, TfL would have killed Oyster card long ago. Hence OMNY card is a closed loop OMNY branded EMV card with a CVV security number, likely from a Mastercard issuing agency, similar to the Mastercard closed loop Ventra and Opal digital cards. Like Ventra card, OMNY card comes in plastic and the digital version will come to Apple Pay and Google Pay ‘soon’, although MTA has not given any launch window for the OMNY iOS and Android apps that will be necessary for adding OMNY to Wallet and for recharge.

As most of the open loop systems in North America, the UK and Australia are designed and managed by Cubic, it’s helpful to compare their ticketing system profiles.

When you carefully analyze the different systems and Express Mode transit support listed on the Where you can ride transit using Apple Pay support page, one condition becomes clear: current transit systems do not support both Apple Pay Transit cards and EMV Express Transit when the system uses both MIFARE and EMV open loop. It’s a choice between supporting one or the other, not both. I suspect Apple does this because of the complexity of supporting MIFARE and EMV mixed mode operations on the same transit system.

OMNY is a new system however, built completely on EMV and EMV only. When Apple Pay OMNY launches, OMNY will be the first system to support both EMV as an Apple Pay transit card and EMV Express Transit mode for credit/debit cards. There is a catch, however, similar to using Apple Pay China T-Union cards: turning on one card for Express Transit turns off other cards. This happens when cards share the same NFC ID number, which would result in card clash at the gate reader. When cards share the same ID, only one card can be set for Express Transit mode at any one time. For EMV cards this applies to payment cards as well, so Express Transit Card settings will likely turn off any activated payment cards when an OMNY card is turned on, and vice versa.

After OMNY card is launched on Apple Pay and Google Pay, the next OMNY challenge will be integrating Metro-North and LIRR commuter rail ticketing, a difficult task as none of the train lines are equipped with NFC card readers. MTA has yet to unveil any commuter rail ticketing integration details. Ventra has the same problem: commuter rail ticketing remains the age old conductor visual inspection, no tap and go contactless for you. And as ever there are thorny open loop user data privacy issues.

OMNY truly represents the state of American public transit as it tries to get on board with mobile payments. Progress is good and welcome, but a real next generation vision with meaningful forward development of American public transit will remain a confused mess despite endless broken promises to fix it…simply because people with money and means don’t use it. If they did, things would have been fixed long ago.

Are Chinese manufactured PAX NFC readers a security risk?

Probably not, but the FBI Raids Chinese Point-of-Sale Giant PAX Technology report from Krebs on Security has some thrilling bits:

“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”

The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.

“My sources say that there is tech proof of the way that the terminals were used in attack ops,” the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”

Krebs on Security

FBI, MI5, unnamed sources? Sounds like a spy novel. The original Jacksonville WOKV report is down to earth local news reporting with the official statement from the FBI: “The FBI Jacksonville Division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office, is executing a court-authorized search at this location in furtherance of a federal investigation. We are not aware of any physical threat to the surrounding community related to this search. The investigation remains active and ongoing and no additional information can be confirmed at this time.”

PAX NFC terminals and POS systems support EMV, FeliCa and MIFARE protocols and are used extensively in Japan in nationwide POS systems such as the FamiMart and Doutor Coffee chains. However, it’s important to remember that each protocol has its own hardware certification process: EMVCo for EMV, FeliCa Networks for FeliCa, and likewise for MIFARE. Card companies also have their own hardware security and certification. And even though the story sounds scary, we don’t know which ‘major financial provider’ POS systems are pulling PAX readers*, what hardware models are involved and what kind of POS software they run (provided by PAX? Developed in-house?), or what exactly the FBI is investigating.

That said, this is much more real and interesting than the silly Apple Pay EMV Express Transit VISA security scare story pushed by the BBC, mindlessly repeated by tech sites and dubious ‘security experts’ who scare people into buying their ‘services’. The so-called Apple Pay EMV Express Transit VISA exploit was just a lab experiment; this is happening in the field. The PAX story won’t get much press however because it doesn’t have ‘Apple Pay’ in the headline. At least not yet…I’m sure some media hack out there will come up with one, something like ‘Apple Pay sends your personal payment data to China’. Only then will people start paying attention.

*UPDATE 2021-11-03
Bloomberg reports FIS Worldpay (also based in Jacksonville, next door to PAX…interesting, eh?) is pulling PAX NFC readers from client systems and replacing them with Verifone and Ingenico NFC readers. FIS said, “While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible.” No evidence but Worldpay is replacing PAX readers anyway…based on what exactly, hearsay?

PAX NFC readers comprise less than 5% of Worldpay client POS installations so we’re not talking big numbers. Meanwhile PAX has issued a long-winded statement (PAX Technology announcement and resumption of trading) addressing and refuting the security risk claims from Krebs and FIS, saying it’s only a geolocation feature. We don’t know which PAX reader models are involved but I suspect they are Android based. That’s the problem with all those crappy Android OS based POS+NFC all in one terminals: not only do they have lousy Android performance, they have all the Android security risks too. Dedicated hardware is way better, performance-wise and security-wise.

Apple Pay Japan 5 Year Mark: All of This and Nothing

Suica was the centerpiece of the Apple Pay launch in Japan October 25, 2016

October is Apple Pay month in Japan. Today, October 21, we have the Apple Pay WAON and nanaco launch. October 2020 saw the Apple Pay PASMO launch ceremony attended by Apple VIPs. October 2016 was the biggest launch of all. This month marks the 5th anniversary of Apple Pay in Japan, which launched with the FeliCa enabled iPhone 7 and the iOS 10.1 update. The initial rush to add Suica to Wallet was so great that it brought down both Apple Pay and Mobile Suica servers for several hours. Junya Suzuki, the best journalist in Japan covering digital wallet payments and technology, predicted that Apple Pay would be the ‘Black Ships’ inflection point catalyst in Japan that would change everything. He was right. Everything has changed.

I tried to think of something smart and elegant or throw together some market data numbers that explain the transformation Apple Pay facilitated in Japan, but it comes down to this picture, a crazy kaleidoscope of contactless payment choices at the local post office. That’s as mainstream as one can get.

Payment options at the Japanese post office

The post office payments menu doesn’t have an Apple Pay logo, but the EMV brand cards at the top are Apple Pay, the FeliCa cards in the middle are Apple Pay, and the shitty pain-in-the-neck-launch-an-app code payments at the bottom are not Apple Pay…and yes, you can still pay with cash if you need to. This crazy variety, by western standards, is the reason why Japanese Wallet users are excited about the new 16 card iOS 15 Wallet limit: they want to add more cards and 12 was not nearly enough. We have Apple Pay to thank for this overflow of payment options. Even though the Apple Pay logo isn’t anywhere to be seen, Apple Pay is the reason why so many contactless payment choices exist and why they are mainstream. This is the Apple Pay Japan transformation.


A timeline of changes and challenges

  • October 2016: Apple Pay launches in Japan with support for Suica (compatible with the Transit IC transit and payment network), iD and QUICPay payment networks (American Express, JCB, Mastercard, VISA).
  • September 2017: Global NFC on iPhone 8, iPhone X, Apple Watch 3 supports dual mode cards and seamless EMV and FeliCa NFC switching. Japanese users can make payments internationally with their Japanese issue cards on EMV payment terminals, and FeliCa payment terminals at home. Mobile PASMO trademark registered.
  • 2018: Carrier code payments services launch as cashless momentum grows, iOS 12 Wallet adds MIFARE support for Student ID, May: NTT docomo dBarai, October: SoftBank PayPay.
  • 2019: Japanese Government Cashless Consumption Tax Rebate Program, October 1, 2019 through June 30, 2020. The aim of the program is to encourage cashless purchases and increase cashless use up to 25% of all purchases by 2025. To do this the program offers up to 5% tax rebates for cashless purchases made at middle~small businesses and also offers merchant subsidies for installing cashless checkout systems. This is a prescient inflection point as COVID proves to be a huge catalyst for going cashless, far more than a normal Tokyo Olympics would ever have been.
  • 2021: Apple Pay WAON and Apple Pay nanaco eMoney cards launch, VISA Japan adds Apple Pay in-app purchase support and NFC dual mode switching. This completes the Apple Pay lineup. The Tokyo Olympics didn’t turn out to be the big crowd contactless driver the industry expected. Nevertheless market surveys indicate that cashless payment use in Japan has already passed the 25% target.

Japan was a very unique case, the most unique, but don’t make the mistake of dismissing it as an outlier. It was way ahead of the curve with important lessons beyond the tired old meaningless FeliCa vs EMV winner-loser debate. Japan already had the extensive and mature Osaifu Keitai mobile wallet platform that launched in 2004, built on the Sony and NTT docomo created Mobile FeliCa standard, long before EMV grafted NFC onto its chip and issued contactless credit cards.

The Apple Pay that launched in 2014 was exclusively EMV as credit cards were the best start point, but Apple was already hard at work adding FeliCa, MIFARE and other NFC based transaction protocols as standard in the secure element hosted on Apple Silicon. The result was first seen in 2016 iPhone 7 and Apple Watch 2 in Japan, with Apple Pay Suica, Express Transit and direct Wallet transit card adding as the centerpiece launch strategy, all firsts.

This was an extremely shrewd move. The Japanese public was well versed using Suica for transit and quick purchases. The impact of choosing the Tokyo area based Suica as the start point, coupled with the convenience of anywhere, anytime Apple Pay recharge, supercharged Suica and Apple Pay. They both grew quickly.

JR East factsheet: Apple Pay supercharged Suica growth

The full Apple Pay vision came into focus with the 2017 release of iPhone 8, iPhone X and Apple Watch 3, these were the first global NFC devices that worked everywhere. This was a complete break with the Android model of only selling FeliCa capable devices in Japan or Hong Kong. This is why any iPhone from anywhere can add and use a Suica transit card and Android devices cannot.

The most useful marketing survey covering Apple Pay use in Japan was a November 2018 survey and article from Japanese IT journalist Sachiko Watatani. At the time she found the following:

  • Only 27% of iPhone users who can use Apple Pay use it
  • 50% don’t use Apple Pay but are interested in using it
  • 22% don’t use Apple Pay and don’t care about using it

The middle 50% is the most interesting group; there has certainly been migration to the Apple Pay use bracket since COVID hit. Other interesting data points: 34.4% use Apple Pay daily, 24.9% use Apple Pay every 2~3 days, 37% use it for public transportation, 69% use it for convenience store purchases. This last one is the classic Apple Pay Suica (and now also PASMO) sweet spot: quick small on the go purchases without Face • Touch ID, courtesy of Express Mode. With COVID and Face ID with face masks, that sweet spot is sweeter than ever.

The secret of success and important lesson
That is all well and good, but how did Apple Pay spearhead this market change? Apple Pay proved to be a great neutral platform for payment players to both play on and play off from. But that’s not all, there is a vital point that most people miss. The secret of Apple Pay Japan’s success was that it shifted the user focus and experience away from the Osaifu Keitai app model where different NFC services are scattered across many different apps, to a simple ‘just add the card’ in Wallet where everything ‘just works’ without apps. Complexity vs simplicity; it was this simplicity that ultimately won out because most users don’t want to deal with setting different services in a bunch of apps. It was this simplicity of the Apple Pay user experience, combined with Global NFC Apple Pay as standard across the board on all devices and price points, that drove the Japanese payments transformation that Osaifu Keitai could not with its complexity and exclusivity that pigeonholed it as a high end option instead of a standard feature.

This is the lesson of Apple Pay in Japan that other markets would do well to study. Lots of different apps offering NFC services don’t drive user uptake; centralized simplicity with an easy to use UI drives user interest and use, ‘it just works’ standardization. It is this centralized simplicity that is driving user interest in iOS 15.1 Vaccination Certificate Wallet support and driver’s license ID. The EU and Australia are determined to force Apple to make iPhone NFC ‘open’ and move everything to the app centric model. If their intention is to drive user uptake, the Japanese market experience proves otherwise. Good luck with that. To most westerners the value of the Japanese mobile payments experience will remain utterly lost, like that old Psychedelic Furs song whine line, “You didn’t leave me anything that I could understand.”

The Crowd Cast cashless map illustrates the rich variety of Japanese payment platforms, some code payments players like ORIGAMI no longer exist

Looking ahead
Where does Apple Pay Japan go from here? Rakuten Edy, the very last holdout, will certainly join the lineup soon enough. iOS 15 Wallet has shifted the focus from payments to keys and ID. Expect to see some digital key action later this year. On the ID side the Japanese Ministry of Internal Affairs and Communications (MIC) has said they are in discussions with Apple to bring the digital My Number (Japanese Individual Number) Card to Wallet, hopefully soon after it launches on Osaifu Keitai in March~April 2022.

The value of having a digital My Number ID in Wallet is that regions want to promote special services and discounts tied to a resident address. That way local governments can promote differently tailored discounts and campaigns for locals and visitors. JR East for example, is planning to use My Number Card for MaaS transit discounts that promote regional economies. When a payment is made with Suica, the appropriate discount kicks in with the My Number Card verification. The My Number Card + digital payments concept is similar to the 2019~2020 Japanese Government Cashless Consumption Tax Rebate Program. The promise of getting local area based discounts for using transit or buying stuff with Apple Pay is one of the most practical use case scenarios for digital My Number Card that I can think of.

Farther out we might see development of ‘Touchless’ transit gates that incorporate Ultra Wideband technology, which is already being used in iOS 15 Wallet for Touchless car keys. It would be cool to simply walk through the gate iPhone in pocket, with Suica taking care of business. I was recently reminded that UWB enhanced gates would greatly benefit those with disabilities. I saw a young man in an electric wheelchair going through a JR East station manned gate; the station attendant was holding the reader out for him to tap but his movement was limited. It was difficult for him to hold his iPhone to the Suica reader. A UWB gate would let him zip through unattended at any touchless gate, that’s what barrier free should be about. When you think about it, QR Code apps for transit are just cruel for handicapped users.

Next generation JR East transit gates are wheelchair friendly but UWB touchless gates are the best ‘barrier free’ solution for users with limited mobility.

On that note…despite all the hand wringing over the rise of code payment apps, even as Apple is flirting with adding code payments to Apple Pay, Japan will continue to be a fascinating place to observe contactless payment trends before they appear in other markets. And even though Apple Pay Japan has lost the cool factor that peaked in 2018 and become mundane, that’s okay. Apple Pay in Japan will continue to be the payment service where you can do things that you cannot do with Apple Pay in any other market. That sounds like fun to me and I look forward to the next 5 years of Apple Pay Japan and hope to write about digital wallet developments…occasionally. Since COVID hit blog traffic has collapsed to the point where I think it might be time to change gears. We shall see.

Until next time stay safe and have a good cashless…er you know what I mean.


Apple Pay Japan Comments
Some reader and net comments about using Apple Pay Japan through the years. Tweet or email if you have any experiences you’d like to share and I’ll add them here.

Apple Pay Suica is so convenient it made me wear my watch on my right wrist

The last 2 times I was in Japan, I used Apple Pay with Suica. It is miles ahead of what we have in Singapore, in terms of speed, feel, and experience. And best of all, no app download required!

I changed from Android back to iOS in 2017 mostly due to being able to use Mobile Suica…And this is the real reason I still have to educate people coming to Japan about mobile Suica and putting a debit card into ApplePay and never need an ATM for most things here…Also stop with “Japan is a cash driven society” tropes. I go for weeks not using bills and coins here.

Comment regarding code payment apps vs NFC: Imo Apple and Google Pay are all a payment system needs: it’s quick, easy, and doesn’t require looking like a clown trying to scan a code…Imagine having to scan a code to pay for Suica, it would be a nightmare.

I have no idea why Apple Pay isn’t more widely supported over here. I usually just try and use Suica on my Apple Watch for most things.

The true value (of Apple Watch) is in Apple Pay and Express Transit card. If your city supports it, especially the latter, it’s a tremendous value.

Truth to be told, I’ve been a user of Japan’s Apple Pay almost since it came out, even though I don’t live there haha. As a Software Engineer I always was amazed how Japan had a contactless system that you can use seamlessly on transport or store purchases.

It might sound trite, but I am still happy and amazed every time I use Suica on my iPhone. It has been a long road from Edy and Mobile Suica to this point. The next thing for me would be export of my spending for tracking. Not through Suica, but from iOS. And I really wish more Japanese businesses used the Apple Wallet for (reward) cards. When it first debuted I imagined finally getting rid of all my store cards, but it never happened.

When I was in Japan in November, when I looked up my destination via Apple Maps, I got seamless linked to buy a SUICA for my Apple Wallet direct from my credit card. It was pretty slick – 10 second transaction and I had a SUICA in my Apple Wallet.

The best way to use Suica Card on Android devices is to simply buy a new iPhone…

Suica on Watch is just superb. Even better when worn on right hand.

Two great things about my iPhone XS when traveling in #japan: first, SUICA public transport card in Apple wallet and you are able to charge them via Apple Pay wherever you are and second the dual SIM feature to get a traveller SIM like #Ubigi into your phone easily.

Twitter question: Japan peeps, what are your fave “cashless” payment apps? What do you consider the most convenient/useful?

Twitter answer: Suica wallet. Everything else is fucking shit

I want more reward point card support in Wallet that’s easier to use than it is now and supports movie tickets too.

One more for the road: Ken Bolido’s wonderfully informative Apple Pay Japan intro video from 2019

My Cousin Apple Pay

So the EU is going ahead with ‘open NFC’ antitrust charges against Apple. As posted back in August 2020, the whole open vs closed debate is not easy to define. It’s probably easier to look at it from the simplistic App Store debate of letting developers bypass Apple’s in-app payment mechanism to avoid paying the ‘Apple Tax’, because that’s the box most people will understand.

We’ve already seen banks and Apple chafing over transaction fees on multiple occasions, the latest being ‘Banks Pressuring Visa to Cut Back on Apple Pay Fees’ because Apple dared release their own credit card under the Mastercard brand via Goldman Sachs. German banks and Australian banks in particular demand the right to use iPhone NFC in their own payment apps instead of Wallet so they can harvest the user data they can’t get via Apple Pay and drop Apple Pay support altogether in favor of their own proprietary payment apps (our exclusive card comes with our exclusive app). But there’s an aspect of the ‘open’ argument that will not be discussed by EU regulators, the banks and credit card companies.

I’ve been watching ‘My Cousin Vinny’ a lot recently. I love the courtroom scenes with Joe Pesci’s Vinny character turning the prosecution arguments upside down. There’s a key scene early on when Vinny uses a pack of cards to convince Ralph Macchio’s character to give Vinny a chance to defend him: ‘the prosecutors are gonna show you bricks with solid straight sides and corners, but they’re going to show them in a very special way’ so that judge and jury see bricks instead of playing cards, which is what ‘open NFC’ arguments are: paper card illusions.

NFC is just hardware, it’s worthless without the software protocols that drive it. NFC also has different definitions. The bank industry defines NFC as NFC A-B ISO/IEC 14443. The NFC Forum defines NFC as NFC A-B-F for device certification. On the protocol side the bank industry defines NFC as EMV because this is their industry standard created and managed by EMVCo (Europay-Mastercard-VISA initially, now collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa).

Are EU regulators going to argue that ‘open NFC’ is defined as NFC A-B-F on the hardware side and EMV, MIFARE, FeliCa protocols on the software side? Of course not. They will narrowly define their Vinny brick as NFC A-B and EMV, and maybe Calypso, as that transit protocol is used in France. Why would they do that?

It’s very simple. European banking interests don’t want to pay transaction fees to Apple, the Apple Pay tax. They want to cut out the middle man with their own exclusive apps and harvest user data. They don’t want inconvenient questions such as why there are all those different NFC standards and protocols out there, how this came to be and what really constitutes ‘open’. Why did the ISO/IEC Joint Technical Committee choose Philips NFC-A and Motorola NFC-B while shutting out Sony NFC-F? Was that part of creating an ‘open’ and level NFC playing field on the global marketplace? Of course not, it was about playing favorites while shutting Sony and Japan out of the game. Now they want to do the same to Apple Pay. I still think Junya Suzuki is right: the EU will never demand the same thing of Samsung Pay or Huawei Pay that they are demanding from Apple.

Sawada Sho tweeted a thoughtful question recently regarding the App Store in-app payment controversy. He pointed out that gaming and other platforms charge developers a great deal of money for hardware and software access, and nobody questions that. Apple offers a lot of access for a very low price, so is it fair to demand free passage on the App Store because it is Apple? Sho san thinks the Apple transaction cut is a fair tradeoff. Some tech writers have occasionally asked the same basic question: what’s fair?

EMV, MIFARE and FeliCa all have licensing and certification fees that all customers (developers) pay. Apple has gone to a lot of expense licensing those technologies in addition to licensing a GlobalPlatform Secure Element that they build into their own Apple Silicon. Those costs are recouped by Apple Pay transaction fees and fund future developments like digital keys with UWB, ID and other Wallet goodies we’ll get later on in the iOS 15 cycle. I’ve said it before and say it again: Apple took the time and expense to build a first class restaurant and outsiders are demanding the right to use Apple’s kitchen to cook their own food to serve their own customers in Apple’s restaurant.

I guess EU regulators want to give those away free to EU banking interests and let them have their way in the interest of ‘open standards’ that they define and end up protecting the home turf. That sounds like a good deal to me.

The EMV Express Transit Security Trade-off (updated)

The Practical EMV Relay Protection paper authored by Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu and Liqun Chen, outlines a potential weakness with VISA cards when used with Apple Pay Express Transit. The BBC reported the issue which was then widely reported on Apple news sites. The authors and the BBC both frame the security issue as known by Apple, who say it’s a VISA system problem, and VISA who say the hack is only a lab project, not a real world problem. Ionut Ilascu on BleepingComputer had a concise summary:

The tests were successful only with iPhone and Visa cards. With Mastercard, a check is performed to make sure that a locked iPhone accepts transactions only from card readers with a transit merchant code.

Trying the method with Samsung Pay, the researchers found that transactions are always possible with locked Samsung devices. However, the value is always zero and transport providers charge for tickets based on data associated with these transactions.

The findings of this research have been sent to both Apple and Visa in October 2020 and May 2021, respectively, but neither fixed the problem.

Apple Pay with VISA lets hackers force payments on locked iPhones, BleepingComputer

Apple Pay uses a GlobalPlatform licensed secure element while Samsung Pay Knox technology uses a Trusted Execution Environment (TEE); it’s a flimsy apples vs oranges comparison. A meaningful comparison should have compared iPhone with another secure element device, like Pixel, using VISA. Because of the limited scope, it feels like an attention grabbing ploy as it involves iPhone, rather than meaningful security research.

The security paper authors concluded: “While either Visa or Apple implement a fix for the problem, we recommend users to not use Visa as a transport card in Apple Pay. If your iPhone is lost or stolen, activate the Lost Mode on your iPhone, and call your bank to block your card.” In other words, turn off the Express Transit Card option for VISA cards.

It is not Apple’s problem to fix but Apple set themselves up for this.

Steve Jobs said it best: designing anything is about choices and trade-offs. The Apple Pay that launched in 2014 was designed for credit cards with bio-authentication to authorize payment transactions. This changed in 2016 with the arrival of Suica, the first transit card on Apple Pay, and Express Transit. Express Transit and Express Mode emulate the way that transit cards and student ID are designed to work. The FeliCa and MIFARE protocols used for these cards are very secure and have a long history of safe prepaid smartcard use.

For a time, the Apple Pay security protocol design was clearly defined: EMV bank payment cards required bio-authorization for transactions while transit cards, ID cards and digital keys worked in Express mode without it.

All was good until iOS 12.3 and the arrival of EMV Express Transit that changed the rules so that credit cards could act like express mode transit cards too. No more Touch ID or Face ID authentication for using Apple Pay bank cards on Transport for London (TfL) and New York OMNY transit gates. It sounded like a good idea but Apple decided to promote these services by making EMV Express Transit ‘on by default’ when adding a credit/debit card to Wallet.

As any careful watcher of the OMNY rollout will tell you, there have been plenty of Express Transit problems, especially for MetroCard users, most of whom have no idea Express Transit was a default on option. Express Transit issues continue to crop up, as they did for Apple Card users recently with problems on the Mastercard network and Goldman Sachs side. Open loop transit comes with more downsides than promoters like to admit.

It boils down to this. When Apple activated EMV Express Transit and made it default on, presumably to promote all kinds of Apple Pay cards for transit…cards that were never designed for it, it made Apple Pay susceptible to any and all bank card network security issues and glitches. Instead of Apple service quality or secure dedicated transit cards, the user ends up with bank and card company service level quality at the transit gate. In other words, EMV Express Transit quality is up to the banks, not Apple nor the transit agency. It’s their card, they call the shots. That’s the trade-off that won’t go away.

UPDATE 2021-11-19
There was an interesting post on the TechRepublic site, Security researcher: Flaw in Apple Pay, Samsung Pay and Google Pay makes fraud easy for thieves, that sheds more light on the EMV for transit weakness, why it is a potential problem and why VISA is the weak link. It boils down to offline data authentication (ODA) and how some card networks like VISA basically ignore it. Card companies control their payment networks and run them how they want.

As outlined in the post above, the EMV Express Transit (and similar) security tradeoff means that Apple Pay, Google Pay and Samsung Pay will always be at the mercy of lax card network payment operation practices; the same applies to transit companies who use open loop. This is why locally processed, mutually authenticated stored value transit cards using FeliCa, MIFARE and Calypso protocols will always be the most secure contactless transit payments. This is why EMV Express Transit will always be a security tradeoff:

Yunusov said a lack of offline data authentication allows this exploit, even though there are EMVCo specifications covering these transactions. 

“The only problem is that now big companies like MasterCard, Visa and AMEX don’t need to follow these standards when we talk about NFC payments – these companies diverged in the early 2010s, and everyone is now doing what they want here,” he said.

Apple Pay, Google Pay and Samsung Pay apps are all vulnerable to this threat. There does seem to be a difference if a person is using a Visa card for payment instead of a Mastercard or American Express, according to Yunusov. 

“MasterCard decided that ODA is an important part of their security mechanisms and will stick to it,” he said. “Therefore, all terminals across the globe that accept MC cards should carry out the ODA, and if it fails, the NFC transaction should be declined.”

Visa does not use this ODA verification at all point of sale terminals, according to Yunusov, which creates the vulnerability.

Security researcher: Flaw in Apple Pay, Samsung Pay and Google Pay makes fraud easy for thieves
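To make the ODA trade-off described above concrete, here is an added example (written for this post, not EMV’s real protocol, not Apple’s or any card network’s actual code or rules): a simplified terminal model in which the card signs the terminal’s unpredictable number with an issuer private key, and a network policy decides whether a failed ODA check, or a locked device tapped at a non-transit reader, should decline the transaction. The key size, merchant category code and PAN are constructed placeholders.

```python
"""Simplified model of offline data authentication (ODA) at a contactless reader.

Constructed example for this post: it shows the decision a terminal can make
when ODA is required versus ignored, using a toy RSA key. It is not the EMV
specification and the policies below are not any real network's rules.
"""
import hashlib
import secrets
from dataclasses import dataclass

# Toy RSA key built from two Mersenne primes (constructed, far too small for
# real use). The issuer signs card data with D; terminals verify with (N, E).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

TRANSIT_MCC = "4111"  # hypothetical merchant category code for transit readers


def _digest(*fields: str) -> int:
    """Hash the transaction fields to an integer smaller than the toy modulus."""
    h = hashlib.sha256("|".join(fields).encode()).digest()
    return int.from_bytes(h[:16], "big")  # 128 bits, below the ~150-bit N


@dataclass
class CardResponse:
    pan: str        # constructed placeholder account number
    amount: int     # minor units
    nonce: str      # terminal's unpredictable number echoed back
    signature: int  # dynamic signature over (pan, amount, nonce)


def card_sign(pan: str, amount: int, nonce: str) -> CardResponse:
    """Card side: sign this transaction, binding it to the terminal's nonce."""
    return CardResponse(pan, amount, nonce, pow(_digest(pan, str(amount), nonce), D, N))


def oda_verify(resp: CardResponse, expected_nonce: str) -> bool:
    """Terminal side: the signature must verify under the issuer public key and
    must cover the nonce of *this* session, so a response captured earlier or
    with an altered amount is rejected."""
    if resp.nonce != expected_nonce:
        return False
    return pow(resp.signature, E, N) == _digest(resp.pan, str(resp.amount), resp.nonce)


@dataclass(frozen=True)
class NetworkPolicy:
    require_oda: bool               # decline when ODA fails
    locked_needs_transit_mcc: bool  # locked device only accepted at transit readers


# Policy shapes as the quoted article describes them: one network enforces ODA
# (and, per the BleepingComputer summary, a transit merchant code check for a
# locked phone); the other does not require ODA at every terminal.
STRICT = NetworkPolicy(require_oda=True, locked_needs_transit_mcc=True)
LAX = NetworkPolicy(require_oda=False, locked_needs_transit_mcc=False)


def terminal_decision(policy: NetworkPolicy, resp: CardResponse,
                      expected_nonce: str, mcc: str, device_locked: bool) -> str:
    """Approve or decline a tap under the given network policy."""
    if policy.locked_needs_transit_mcc and device_locked and mcc != TRANSIT_MCC:
        return "DECLINE: locked device outside transit"
    if policy.require_oda and not oda_verify(resp, expected_nonce):
        return "DECLINE: ODA failed"
    return "APPROVE"


def demo() -> dict:
    """Run the four cases a defender cares about and return the decisions."""
    nonce = secrets.token_hex(4)
    genuine = card_sign("PAN-TEST-0001", 250, nonce)
    stale = card_sign("PAN-TEST-0001", 250, "00000000")  # from another session
    tampered = CardResponse(genuine.pan, 9_999, genuine.nonce, genuine.signature)
    return {
        "genuine_transit_strict": terminal_decision(STRICT, genuine, nonce, TRANSIT_MCC, True),
        "stale_strict": terminal_decision(STRICT, stale, nonce, TRANSIT_MCC, True),
        "tampered_strict": terminal_decision(STRICT, tampered, nonce, TRANSIT_MCC, True),
        "stale_lax": terminal_decision(LAX, stale, nonce, "5999", True),
        "genuine_retail_locked_strict": terminal_decision(STRICT, genuine, nonce, "5999", True),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:30} {decision}")
```

The point of the model is the last two rows: under the lax policy a stale response is approved at an ordinary retail reader with the device locked, while the strict policy declines the same response, which is the gap the post attributes to network practice rather than to the phone.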