WAON and nanaco coming to Apple Pay

Two of the last big three Apple Pay Japan holdouts are finally coming: AEON announced WAON and Seven & i Holdings announced nanaco for ‘later this year’. These popular prepaid eMoney FeliCa cards have been on Osaifu Keitai and Google Pay for some time. This leaves Rakuten Edy as the last, and largest, Wallet holdout although the iOS Rakuten Edy app recently received an update that supports Apple Pay for physical card recharge.

Despite the uptake of QR Code payment apps such as PayPay, prepaid eMoney cards remain popular and getting them on Apple Pay is an important development. The cards are also more secure: Seven & i Holdings experienced a huge embarrassment when they launched their 7pay QR Code payment service in 2019 that quickly failed due to a security meltdown. Since that disaster they have refocused on nanaco as their in-store payment + loyalty point reward strategy. Currently nanaco has issued 74 million cards, WAON has issued 87 million cards. For comparison Suica has issued 84 million plastic cards and over 14 million Mobile Suica digital cards that includes Apple Pay Suica.

Release details are sparse but it’s safe to assume they are coming after iOS 15 ships (probably 15.1). iOS 15 Wallet includes UI improvements that remove the confusing device region setting requirement and simplify adding transit cards like Suica and non-bank stored value (SV) prepaid cards like WAON and nanaco. As pointed out many times before, all iPhone 8 • Apple Watch 3 and later models support Apple Pay Japan cards thanks to Apple’s global NFC support. The big questions are: (1) Is direct Wallet add card supported that bypasses creating a WAON or nanaco account as part of the digital card issue process on Google Pay? (2) Can physical cards be transferred like Suica and PASMO? None of this is supported on Android.

These and other usability issues have kept these cards from joining Apple Pay. It will be interesting to see if Apple has solved them and persuaded AEON • Seven & i to simplify their digital card issue process to follow the great example set by Apple Pay Suica because that is the high bar: direct Wallet adding with no sign up and open ended Apple Pay recharge. The low bar is the Toyota Wallet app-like model of chaining card issue and recharge functions to a user account app. The cards should support Express Mode as they do for Mobile WAON and Mobile nanaco on Android. The press release Apple Pay WAON image suggests Express Mode, the Apple Pay nanaco image does not, however the dual press announcement does suggest a level of commitment and integration on the Apple Pay side. We’ll see.

Not many of the new iOS 15 Wallet goodies announced at WWDC will come to Japan soon, with the exception of digital car keys. Adding WAON and nanaco now is a smart move that will keep users happy. With all the card possibilities coming to Japan this year, it’s a good thing that iOS 15 ups the Wallet card max limit to 16.

The Weekly #4

August 8, 2021

Pixel 6 Tensor and the secure element

After many years of rumors Google finally unveiled their custom silicon, though details won’t be known until Pixel 6 devices go on sale. Dieter Bohn wrote:

Tensor is an SoC, not a single processor. And so while it’s fair to call it Google-designed, it’s also still unclear which components are Google-made and which are licensed from others. Two things are definitely coming from Google: a mobile TPU for AI operations and a new Titan M2 chip for security. The rest, including the CPU, GPU, and 5G modem, are all still a mystery.

Ever since Pixel 3 models went on sale in Japan with Mobile FeliCa support, inbound Pixel users have been pining for the same global NFC feature that iPhone and Apple Watch have, but it hasn’t happened. Here’s why.

On the NFC hardware side everything has been ready to go on all smartphone hardware for years because NFC A-B-F support is a requirement for NFC certification. The problem has been on the SE side, the black box where all the transaction magic happens. From GlobalPlatform, the SE certification organization:

A SE is a tamper-resistant platform (typically a one chip secure microcontroller) capable of securely hosting applications and their confidential and cryptographic data (for example cryptographic keys) in accordance with the rules and security requirements set by well-identified trusted authorities.

There are different form factors of SE: embedded and integrated SEs, SIM/UICC, smart microSD as well as smart cards. SEs exist in different form factors to address the requirements of different business implementations and market needs.

GlobalPlatform Introduction to Secure Elements

SE Wars
In the pre-Apple Pay mobile carrier hardware era, carriers used SE SIM or an embedded Secure Element (eSE) + carrier SIM combo that chained customers to service contracts for the privilege of using mobile payments. This is the classic Osaifu Keitai model pioneered by NTT DOCOMO: an overpriced carrier SIM contract to use mobile payments only with select carrier handsets.

This carrier lock in model is one reason why Mobile FeliCa ended up being ridiculed as ‘galapagos technology’ even though everybody else copied it. This carrier SE SIM hostage situation, i.e. the Mobile Wallet SE Wars, led Apple and Google to follow different strategies to address the problem.

The Apple Pay Way
Apple’s answer of course was Apple Pay. A unique in-house strategy of putting a GlobalPlatform certified Secure Element in Apple Silicon. Most eSE go on the NFC controller, but doing it the Apple in-house way has advantages over an NFC chip vendor bundle: control of the eSE applets and ability to update them and the Apple eSE for new protocols in iOS updates. We saw this in action with the addition of FeliCa in 2016, PBOC in 2017 and MIFARE in 2018. We are seeing it again with the addition of Ultra Wideband (UWB) Touchless in iOS 15.

The Google Pay Way
Google’s answer to the carrier owned SE problem was a convoluted evolution from Google Wallet (2011) to Android Pay (2015) and finally Google Pay (2018). Google’s first salvo was Host Card Emulation (HCE): “NFC card emulation without a hardware secure element”, a virtual secure element hosted on Google’s cloud or in an app. Later on Google attempted to do the same for FeliCa with HCE-F.

The HCE strategy was quietly abandoned when Google decided to get into the hardware business and Android Pay turned into Google Pay. Now we have Google Pay running on Google Pixel with its own embedded Secure Element (eSE). With Pixel and Google Pay, Google decided they didn’t want to be the Secure Element provider for every Android OEM out there, especially when the Chinese OEMs are all rolling their own eSE based digital wallet services anyway, completely ignoring HCE. Sure, HCE/HCE-F is still there in Android developer documentation but it’s a vestigial relic of the SE wars. From an industry standpoint it’s eSE or nothing now.

Google Pixel models up to now have used vendor bundled eSE + NFC controllers with the Pixel JP models using the Osaifu Keitai software stack. This makes global NFC support more complicated because Google doesn’t ‘own’ the eSE and the software stack, at least not in the Apple sense of making their own all in one solution. As we have seen, Mobile FeliCa is installed on all Pixel 5 models but the Osaifu Keitai stack only loads on JP models.

Will a Tensor SoC that contains a Titan M2 and a custom eSE solve this? It all depends on whether Google goes deep instead of cheap by stripping Google Pay of its dependency on the Osaifu Keitai stack and creating their own region free support stack. If so, inbound Pixel 6 users will have the ability to add Suica and other FeliCa cards out of the box.


The PASPY organ transplant

As pointed out previously, the PASPY transit card transition from NFC to QR is not going to be easy. Not only does Hiroden have to swap out the basic technology infrastructure, they also have to swap out their IT system integrator partners. The PASPY system was built and is currently managed by NEC with the last server upgrade completed in 2014. A quick look at the system map illustrates the pain points, which include swapping out the NFC reader infrastructure in trolleys and buses and replacing it with QR readers with mobile connectivity, a requirement because of central processing. There will also be a lot of pain for wide area commuters because going QR means cutting the cross compatibility cord with ICOCA, Suica, etc.

The mobile connection means a mobile operator has to be involved to make it work. The likely IT system candidate here is the same one behind all the QR transit systems in Japan so far: SoftBank backed QUADRAC. The PASPY QR replacement is expected to be closed loop, similar to the QR + smartphone app closed loop system being tested by Nankai. Too bad JR West can’t come to the rescue with a localized version of the Suica 2 in 1 Region Affiliate Transit Card, but that’s another story for another time.


To eSIM or not to eSIM

eSIMs are great in theory, unfortunately the current reality for Japanese customers is less than ideal even though the Japanese Ministry of Internal Affairs and Communications (MIC) is promoting them over traditional physical carrier SIMs and issued eSIM guidance. In addition to this, carrier SIM locked devices will not be allowed from October. Of the big three carrier budget brands: NTT DOCOMO (ahamo), au KDDI (povo), SoftBank (LINEMO), only LINEMO and povo offer eSIM options. DOCOMO says they are thinking about it but for now ahamo is a physical SIM service because DOCOMO says eSIMs are not as secure as physical SIMs.

A recent article by Masao Sano outlined the eSIM situation in Japan and current obstacles for customers. The online signup process and device setup isn’t always smooth going and first time customers sometimes have to deal with unlocking their carrier device, APN settings, network authentication codes, profile installations and so on. The eSIM process needs to be easier and user friendly. The good news is that unlocked carrier phones will be standard soon along with better eSIM option plans and migration setup. Once ahamo adds an eSIM option the next step will be taking it mainstream for major brand carrier contracts.


Apple Music finally sorts Japanese artist names correctly

Congratulations Naoko! You and all your fellow Japanese artists on Apple Music were finally liberated from the # sorting section and now live in 五十音 (Gojūon) splendor in iOS Music App. A very long wait though wasn’t it? Six years!

Seriously though I wonder what took Apple so long to fix most, but not all, of their Japanese music metadata mess. Not a moment too soon as the old reliable iTunes Match service seems to be on its last legs and the macOS Music app replacement for the old reliable iTunes app is completely useless for organizing a digital music collection: Apple Music and iCloud Music library have a mind of their own.

Truth be told, I had more fun collecting and listening to music on iTunes + iPod than discovering music on Apple Music + iPhone. For some strange reason, less is sometimes more.


The Weekly will be taking a summer break the weeks of August 9 and 16 and resume the week of September 1. Take care and enjoy the rest of the summer.

The Weekly #3

August 3, 2021

Busy week for Apple Pay and Mobile FeliCa

Since last week’s Australian Parliamentary Joint Committee on Corporations and Financial Services hearings regarding the so called Apple Pay monopoly and the pointless debate of Android only Host Card Emulation (HCE) ‘virtual secure element’ vs. a hardware embedded secure element (eSE), Apple has been busy rolling out new Apple Pay Wallet services: Australian health insurance Wallet card support and digital vaccination certificates, ING Belgium and FNB South Africa additions, and today’s Student ID expansion to more universities in America including the first international addition in Canada. The last item was particularly interesting as Apple issued a press release that included new partners beyond Blackboard: Transact, CBORD, TouchNet, Atrium, HID Global, and Allegion. MIFARE and FeliCa are the 2 big protocols used for ID cards, both fully supported in iPhone and Apple Watch. Hopefully we’ll see more international Student ID card support going forward.

Japanese IT reporters have been writing about the recent addition of Xiaomi Redmi Note 10 JE (Japan Edition) to the KDDI au lineup. All the Chinese manufacturers have been bringing new models with Mobile FeliCa Osaifu Keitai support as more or less standard, but like most Android smartphones including Google Pixel, even though the hardware is the same everywhere, Mobile FeliCa is only activated for Japanese models.

The Xiaomi product manager interview casually mentions that only 20% or so of Android Osaifu Keitai device holders actually use the feature. Why bother adding it then? I suspect Osaifu Keitai usage rates vary widely depending on the region, much higher for Tokyo and other metro areas, less in rural areas. It would be really interesting to compare Osaifu Keitai usage rates with Apple Pay as I also suspect Apple Pay Japan usage rates likely leave Osaifu Keitai in the dust. As for the real reason why Chinese smartphone manufacturers are adding Mobile FeliCa support: the digital My Number ID card launching in 2022 requires it. One out of ten people living in Tokyo and other metropolitan areas is a Chinese national…do the math.

Digital My Number: First Summary Toward the Realization of Electronic Certificates for Smartphones

Delete me

The American bred internet cancel culture that started during the Obama years and went ballistic during the Trump years shows no signs of abating as battle lines are constantly redrawn to silence a somebody that somebody else wants silenced. And it has become an entrenched issue thanks to AI driven SNS content. As Tim Pool adroitly points out, and long term surveys confirm, the current American racial crisis didn’t happen until the Reddit and YouTube generation raised on endlessly looping AI driven police brutality video content came of age perceiving their virtual world as the real one. That’s the unfolding tragedy as perceptions based on virtual life replace real ones.

As bad as this is, evil players and big tech use virtual life to intimidate, blackmail and destroy real ones. That’s exactly what happened evidently when eBay’s supervisor of security operations decided to cancel the EcommerceBytes blog and carried out a cyberstalking campaign (including surveillance) against the husband and wife blogging team. Their astonishing story was published by the Boston Globe. It reads like the script of Michael Clayton (I prefer the Japanese title: The Fixer). eBay conducted an investigation, pushed out the CEO with a golden parachute and issued a statement that, of course, acknowledged the wrong but said ‘it’s okay now because the baddies are gone.’ Until next time, that is. eBay, of course, didn’t offer any compensation.


The Buddha’s face isn’t seen a fourth time

When the 3rd Tokyo State of Emergency (SOE) was announced, I predicted it wouldn’t go well. Sure enough, infections started to rise before the end of SOE 3. Now we are in SOE 4 and infection rates are skyrocketing, well, skyrocketing compared to rates that were low to begin with. So life goes on as usual, the commuter time trains are crowded as usual, people go shopping as usual, there is nothing remotely panic-like despite media hysteria narratives of a ‘medical system breakdown.’

As always, it’s complicated. Few people are actually dying from COVID (and don’t forget that hospitals get a Japanese government subsidy when they report a COVID death, other deaths don’t pay). Influenza and pneumonia are much more real long term threats. Lockdowns and vaccination mandates will be impossible to implement as all the government tools to do so were locked away by the GHQ occupation and restructuring of Japan. Any attempt to invoke those kinds of centralized powers requires changing the American created Japanese constitution and nobody wants to do that (fun fact: the English language constitution of Japan is the official one, the Japanese language one a fake). Not that the situation is dire, a little context helps. And don’t forget the overall Japanese death rate dropped in 2020 YOY thanks to all that mask wearing and hand sanitizing.

Given the utter lack of useful long term planning demonstrated by Tokyo Governor Yuriko Koike, the most likely course of action will be: attempting real fines for restaurants, bars, etc. that don’t follow SOE requests. Good luck with that.

May the Pfizer be with you

My partner is a doctor so from day one of the COVID crisis I have been listening to a few mantras: 1) Vaccinations don’t stop people from getting infected, they lessen the severity if you do, 2) COVID is basically a cold virus so learning to live and deal with it, with good treatments instead of vaccinations, is the best long term adaptation, 3) Extensive PCR testing is a waste of time and money (especially at this stage, but a good money maker for the providers).

When the local city government started the vaccination reservation program in June we signed up for a first shot today, July 30. It seemed like an easy decision then, but as reports came in from heavily vaccinated Israel and the UK that infections were picking up because of the Delta variant, which the Pfizer and Moderna vaccinations don’t cover, the mood started to change in the Japanese medical community for vaccinating low risk groups. A wait and see mood as a safer Japanese developed vaccination is said to be available by the end of this year. Better to wait for a new improved vaccination than a 3rd round of the same old current one that is losing traction. Sure enough vaccination rates started to stall this week as similar sentiments spilled into the general public.

And there is the vaccination certificate brouhaha. I want to visit my father next spring but getting a vaccination now means I have to get it all over again as the Pfizer•Moderna shots are only good for 4 months…if vaccination certificates are required to travel from Japan to America. As of today, they are not, although things can and do change every single day.

And so it went with every new piece of research and field report. Reasons to get vaccinated, reasons to wait. In the midst of uncertainty I was thankful for the relatively level headed Japanese approach compared with hysteria and politically driven media narratives in America. The most level headed piece I read was a recent Slate piece, The Noble Lies of COVID-19, that helped me understand the USA situation, along with Alex Berenson’s Here We Go Again and the long detailed On Driving SARS-CoV2 Extinct by Heather Heying and Bret Weinstein.

After talking about it all week we decided to go ahead with our vaccination reservations. But that doesn’t mean we don’t have any reservations about it. I think a lot of people are feeling the same. The most important thing one can do is take care of their health. Stay safe, stay healthy.

The Weekly #2

July 27, 2021

The ‘Apple Pay is a monopoly’ soap opera continues

ZDNet reports Australian Parliamentary Joint Committee on Corporations and Financial Services hearings that are focused on, yet again, forcing Apple to ‘open up’ their NFC chip. Actually they should be talking about the secure element in Apple Silicon because that’s what Apple devices use and it’s not just about NFC anymore, it’s Ultra Wideband too.

The Apple Pay monopoly debate isn’t new and isn’t about being ‘open’, it’s about banks getting what they want from politicians. What I found interesting was the back and forth between Apple and Google regarding the hardware embedded secure element (eSE) vs. the virtual secure element in the cloud Host Card Emulation (HCE), a topic that confuses many ‘experts’.

Google is playing both ends here because they have different flavors of Google Pay for different kinds of Android devices. Google Pixel Google Pay uses eSE while everybody else uses HCE Google Pay. One very important thing not mentioned in tech blog coverage is that Samsung Galaxy and the Chinese smartphones (Huawei, OPPO, Xiaomi) all use a custom eSE with their own XX-Pay. In other words, everybody on the Android side outside of low end junk is doing exactly what Apple Pay is doing.

Apple
Host Card Emulation (HCE) is a less secure implementation, which was adopted by Android … Apple did not implement HCE because doing so would lead to less security on Apple devices.

Google
Our payments apps are immensely secure…we would refute the suggestion our HCE environment is in any way insecure … I would argue the user experience on Google Pay is equal to that of Apple Pay.

Let’s see what GlobalPlatform has to say about HCE:

GlobalPlatform
HCE solutions can be a great option for issuers to get to market cost-effectively for their Android customers. However, they aren’t without their complexities. Rooted in the NFC device OS, HCE apps can be more vulnerable than the ‘Giant Pays’.

So HCE security is up to the payment app, shitty app = shitty security without Apple Pay Secure Intent. The whole HCE debate is nonsense, like FeliCa Dude says it’s eSE or nothing. If the committee thinks that HCE means open and good, they are showing their incompetence.

Apple Pay Wallet has a very simple rule: any card that loads a Java Card applet into the secure element has to reside in Wallet. Any card or developer that wants to load applets and use the secure element has to have a PassKit Secure Element Certificate Pass. This is covered by NDA but a company called PassKit (not Apple) gives us an idea what Apple’s NFC/Secure Element Pass guidelines are:

Apple care a great deal about the user experience. Before granting NFC certificate access they will ensure that you have the necessary hardware, software and capabilities to develop or deploy an ecosystem that is going to deliver an experience consistent with their guidelines.

Yeah, the end to end user experience, the whole reason behind the success of Apple Pay. Banks don’t want to be told they need to improve their ecosystem for a better user experience, and they don’t want to pay a transaction cut to Apple that they are used to keeping for themselves. What else is new?

The whole ‘Apple Pay is a monopoly’ soap opera is overrated.


PASPY transit IC card migrating to QR

After thinking out loud recently about dumping their PASPY transit IC card in favor of a QR Code smartphone app, Hiroshima Electric Railway Co. Ltd (Hiroden) CEO Masao Mukuda announced that Hiroden would indeed junk NFC and migrate to a QR Code app over an unspecified period of time. Running their own transit IC card is too expensive, so old folks, school children and everybody else will have to use a smartphone to ride Hiroden light rail trains in Hiroshima.

PASPY is just the tip of the iceberg. There are many transit IC cards out there with the same problem: fixed infrastructure costs supporting a small region transit IC card and declining ridership. Add the COVID crisis that has decimated public transit use and you have a business crisis. All the small transit cards outside of the Transit IC card standard (the pink box) are in the same boat: they can only be used in their respective regions, they don’t have e-money functions, they don’t have the resources to go mobile.

This is exactly the problem JR East is addressing with their 2 in 1 Suica MaaS solution. JR East hosts the hardware, the local operator issues a ‘localized’ Suica that offers both special local MaaS services (discounts and extras, etc.) and seamlessly plugs into the larger Suica and Transit IC map.

Suica 2 in 1 region cards are the keystone of JR East’s MaaS strategy

Unfortunately PASPY is in the JR West region which doesn’t have anything similar to the JR East MaaS program. It would be a perfect solution: customers would get a new card that works just like it does now but works everywhere with e-money and ICOCA benefits, Hiroden is freed from the costs of hosting and issuing their own card.

QR is not going to be the salvation that Hiroden hopes it will be. QR isolates Hiroden from the wider transit IC network of Mobile Suica, PASMO, ICOCA. Even if Hiroden gets rid of their card issuing business cost, they still have to host a system to run the QR Code app and manage accounts. The real rub is that instead of anybody buying an IC card out of a machine, users will have to sign up for the app or buy a QR paper ticket. They also have to worry about where and how their account data is stored. My prediction: it’s going to be a messy money losing transition.


Heraiza down but not out

Poor little Heraiza, one of my favorite Japanese YouTubers, has been copyright claim ‘hacked’ from a fake account pretending to be Dentsu and now has 2 bogus strikes against her YouTube account. As an independent 17 year old high school student with 150,000 followers, she doesn’t have the resources of a YouTuber management agency like UUUM, who she likes to badmouth (and I won’t put it past UUUM using fake accounts to take her out). Dentsu or whoever the real copyright holder is has confirmed to her that her content does not violate said copyrights.

Hopefully she’ll get it all worked out and unlock all her previous videos, though YouTube being YouTube, if they don’t like you they ban you…AND keep your ad revenue. In her most recent post about one of her favorite YouTubers having their account hijacked, she has her confidence back. Good thing, in these dark times we all need to laugh.

Have a good week and enjoy the Olympics.