The contactless payment ramen shop connection

Have you ever noticed that ramen shops in Japan kinda stick together? If there is one, there is another one close by, maybe two or three. And not just ramen shops, it can be Japanese sweets, eateries, anything. This might seem strange at first but there is a well known traditional Japanese business sense behind it. Two is better than one because more choices drives more foot traffic and interest. ‘Hey lets go to the local ramen shop district and get something to eat.’ The common interest is why store rivals tolerate each other because the increased customer interest and traffic drives business for everybody. All boats rise together.

I was reminded of this when a Japanese friend scolded me for constantly putting down code payments like PayPay when the speed and ease of Suica is so superior. “Why is it westerners always see things as black and white? Lots of choices drives interest right?” He was right of course. Coming from a western mindset it’s too easy to fall into the same old double standard of saying more choice is better on one hand, while on the other insisting that we should only use one thing. The old one size fits all, my choices are the best for everyone.

I also think there’s another, much larger and unacknowledged cultural difference regarding the concept of service: the Japanese mind tends to think of good service as being offered many options, while the western mind tends to think of good service as fulfilling one’s personal needs and wants of the moment. It may seem like a small difference but it’s a completely different way of seeing things. It’s also a good reminder that what’s convenient to our person is not necessarily convenient to other people.

One size doesn’t fit all. What’s the point of having all that different hardware when everybody’s forced to use the same software? Lots of choices for lots of people works better in the end…it drives interest in mobile payments when there are still a lot of people in Japan who have yes to use anything but plastic or cash. Variety invites and lifts all boats.

Pick one

Are Chinese manufactured PAX NFC readers a security risk?

Probably not, but the FBI Raids Chinese Point-of-Sale Giant PAX Technology report from Krebs on Security has some thrilling bits:

“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”

The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.

“My sources say that there is tech proof of the way that the terminals were used in attack ops,” the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”

Krebs on Security

FBI, MI5, unnamed sources? Sounds like a spy novel. The original Jacksonville WOKV report is down to earth local news reporting with the official statement from the FBI: “The FBI Jacksonville Division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office, is executing a court-authorized search at this location in furtherance of a federal investigation. We are not aware of any physical threat to the surrounding community related to this search. The investigation remains active and ongoing and no additional information can be confirmed at this time.”

PAX NFC terminals and POS systems support EMV, FeliCa and MIFARE protocols and are used extensively in Japan in nationwide POS systems such as FamiMart and Doutor Coffee chains. However it’s important to remember that each protocol has a hardware certification process, for EMVCo, for FeliCa Networks and for MIFARE. Card companies also have their own hardware security and certification. And even though the story sounds scary, we don’t know what ‘major financial provider’ POS systems are pulling PAX readers*, what hardware models are involved and what kind of POS software they run (provided by PAX? Developed in-house?), or what exactly the FBI are investigating.

That said, this is much more real and interesting than the silly Apple Pay EMV Express Transit VISA security scare story pushed by the BBC, mindlessly repeated by tech sites and dubious ‘security experts’ who scare people into buying their ‘services’. The so-called Apple Pay EMV Express Transit VISA exploit was just a lab experiment, this is happening in the field. The PAX story won’t get much press however because it does’t have ‘Apple Pay’ in the headline. At least not yet…I’m sure some media hack out there will come up with one, something like ‘Apple Pay sends your personal payment data to China’. Only then will people start paying attention.

*UPDATE 2021-11-03
Bloomberg reports FIS Worldpay (also based in Jacksonville next door to PAX…interesting eh?) is pulling PAX NFC readers from client systems and replacing them with Verifone and Ingenico NFC readers. FIS said, “While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible.” No evidence but Worldpay is replacing PAX readers anyway…based on what exactly, heresy?

PAX NFC readers comprise less than 5% of Worldpay client POS installations so we’re not talking big numbers. Meanwhile PAX has issued a long winded statement (PAX Technology announcement and resumption of trading) addressing and refuting the security risk claims from Krebs and FIS saying it’s only a geolocation feature. We don’t know which PAX reader models are involved but I suspect they are Android based. That’s the problem with all those crappy Android OS based POS+NFC all in one terminals: not only do they have lousy Android performance, they have all the Android security risks too. Dedicated hardware is way better, performance-wise and security-wise.

Apple Pay Japan 5 Year Mark: All of This and Nothing

Suica was the centerpiece of the Apple Pay launch in Japan October 25, 2016

October is Apple Pay month in Japan. Today, October 21, we have the Apple Pay WAON and nanaco launch. October 2020 saw the Apple Pay PASMO launch ceremony attended by Apple VIPS. October 2016 was the biggest launch of all. This month marks the 5th anniversary of Apple Pay in Japan that launched with the FeliCa enabled iPhone 7 and the iOS 10.1 update. The initial rush to add Suica to Wallet was so great that it brought down both Apple Pay and Mobile Suica servers for several hours. Junya Suzuki, the best journalist in Japan covering digital wallet payments and technology, predicted that Apple Pay would be the ‘Black Ships‘ inflection point catalyst in Japan that would change everything. He was right. Everything has changed.

I tried to think of something smart and elegant or throw together some market data numbers that explain the transformation Apple Pay facilitated in Japan, but it comes down to this picture, a crazy kaleidoscope of contactless payment choices at the local post office. That’s as mainstream as one can get.

Payment options at the Japanese post office

The post office payments menu doesn’t have an Apple Pay logo but EMV brand cards at the top are Apple Pay, FeliCa cards in the middle are Apple Pay, shitty pain-in-the-neck-launch-an-app code payments at the bottom are not Apple Pay…and yes, you can still pay with cash if you need to. This crazy variety, by western standards, is the reason why Japanese Wallet users are excited about the new 16 card iOS 15 Wallet limit, they want to add more cards and 12 was not nearly enough. We have Apple Pay to thank for this overflow of payment options. Even though Apple Pay logo isn’t anywhere to be seen, Apple Pay is reason why so many contactless payment choices exist and why they are mainstream. This is the Apple Pay Japan transformation.


A timeline of changes and challenges

  • October 2016: Apple Pay launches in Japan with support for Suica (compatible with the Transit IC transit and payment network), iD and QUICPay payment networks (American Express, JCB, Mastercard, VISA).
  • September 2017: Global NFC on iPhone 8, iPhone X, Apple Watch 3 supports dual mode cards and seamless EMV and FeliCa NFC switching. Japanese users can make payments internationally with their Japanese issue cards on EMV payment terminals, and FeliCa payment terminals at home. Mobile PASMO trademark registered.
  • 2018: Carrier code payments services launch as cashless momentum grows, iOS 12 Wallet adds MIFARE support for Student ID, May: NTT docomo dBarai, October: SoftBank PayPay.
  • 2019: Japanese Government Cashless Consumption Tax Rebate Program
  • October 1, 2019 through June 30, 2020. The aim of the program is to encourage cashless purchases and increase cashless use up to 25% of all purchases by 2025. To do this the program offers up to 5% tax rebates for cashless purchases made at middle~small businesses and also offers merchant subsidies for installing cashless checkout systems. This is a prescient inflection point as COVID proves to be huge catalyst for going cashless, far more than a normal Tokyo Olympics would even have been.
  • 2021: Apple Pay WAON and Apple Pay nanaco eMoney cards launch, VISA Japan adds Apple Pay in-app purchase support and NFC dual mode switching. This completes the Apple Pay lineup. The Tokyo Olympics didn’t turn out to the big crowd contactless driver the industry expected. Nevertheless market surveys indicate that cashless payment use in Japan has already passed the 25% target.

Japan was a very unique case, the most unique but don’t make the mistake of dismissing it as an outliner. It was way ahead of the curve with important lessons beyond the tired old meaningless FeliCa vs EMV winner-loser debate. Japan already had the extensive and mature Osaifu Keitai mobile wallet platform that launched in 2004, built on the Sony and NTT docomo created Mobile FeliCa standard, long before EMV grafted NFC on their chip and issued contactless credit cards.

The Apple Pay that launched in 2014 was exclusively EMV as credit cards were the best start point, but Apple was already hard at work adding FeliCa, MIFARE and other NFC based transaction protocols as standard in the secure element hosted on Apple Silicon. The result was first seen in 2016 iPhone 7 and Apple Watch 2 in Japan, with Apple Pay Suica, Express Transit and direct Wallet transit card adding as the centerpiece launch strategy, all firsts.

This was an extremely shrewd move. The Japanese public was well versed using Suica for transit and quick purchases. The impact of choosing the Tokyo area based Suica as the start point, coupled with the convenience of anywhere, anytime Apple Pay recharge, supercharged Suica and Apple Pay. They both grew quickly.

JR East factsheet: Apple Pay supercharged Suica growth

The full Apple Pay vision came into focus with the 2017 release of iPhone 8, iPhone X and Apple Watch 3, these were the first global NFC devices that worked everywhere. This was a complete break with the Android model of only selling FeliCa capable devices in Japan or Hong Kong. This is why any iPhone from anywhere can add and use a Suica transit card and Android devices cannot.

The most useful marketing survey covering Apple Pay use in Japan was a November 2018 survey and article from Japanese IT journalist Sachiko Watatani. At the time she found the following:

  • Only 27% of iPhone users who can use Apple Pay use it
  • 50% don’t use Apple Pay but are interested in using it
  • 22% don’t use Apple Pay and don’t care about using it

The middle 50 is the most interesting aspect, there has certainly been migration to the Apple Pay use bracket since COVID hit. Other interesting data points: 34.4% use Apple Pay daily, 24.9% use Apple Pay every 2~3 days, 37% use it for public transportation, 69% use it for convenience store purchases. This last one is the classic Apple Pay Suica (and now also PASMO) sweet spot: quick small on the go purchases without Face • Touch ID, courtesy of Express Mode. With COVID and Face ID with face masks, that sweet spot is sweeter than ever.

The secret of success and important lesson
That is all well and good, but how did Apple Pay spearhead this market change? Apple Pay proved to be a great neutral platform for payment players to both play on and play off from. But that’s not all, there is a vital point that most people miss. The secret of Apple Pay Japan’s success was that it shifted the user focus and experience away from the Osaifu Keitai app model where different NFC services are scattered across many different apps, to a simple ‘just add the card’ in Wallet where everything ‘just works’ without apps. Complexity vs simplicity; it was this simplicity that ultimately won out because most users don’t want to deal with setting different services in a bunch of apps. It was this simplicity of the Apple Pay user experience, combined with Global NFC Apple Pay as standard across the board on all devices and price points, that drove the Japanese payments transformation that Osaifu Keitai could not with its complexity and exclusivity that pigeonholed it as a high end option instead of a standard feature.

This is the lesson of Apple Pay in Japan that other markets would do well to study. Lots of different apps offering NFC services doesn’t drive user uptake, centralized simplicity with an easy to use UI drives user interest and use, ‘it just works’ standardization. It is this centralized simplicity that is driving user interest in iOS 15.1 Vaccination Certificate Wallet support and driver’s license ID. The EU and Australia are determined to force Apple to make iPhone NFC ‘open‘ and move everything to the app centric model. If their intention is to drive user uptake, the Japanese market experience proves otherwise. Good luck with that. To most westerners the value of the Japanese mobile payments experience will remain utterly lost, like that old Psychedelic Furs song whine line, “You didn’t leave me anything that I could understand.”

The Crowd Cast cashless map illustrates the rich variety of Japanese payment platforms, some code payments players like ORIGAMI no longer exist

Looking ahead
Where does Apple Pay Japan go from here? Rakuten Edy, the very last holdout, will certainly join the lineup soon enough. iOS 15 Wallet has shifted the focus from payments to keys and ID. Expect to see to some digital key action later this year. On the ID side the Japanese Ministry of Internal Affairs and Communications (MIC) has said they are in discussions with Apple to bring the digital My Number (Japanese Individual Number) Card to Wallet, hopefully soon after it launches on Osaifu Keitai in March~April 2022.

The value of having a digital My Number ID in Wallet is that regions want to promote special services and discounts tied to a resident address. That way local governments can promote differently tailored discounts and campaigns for locals and visitors. JR East for example, is planning to use My Number Card for MaaS transit discounts that promote regional economies. When a payment is made with Suica, the appropriate discount kicks in with the My Number Card verification. The My Number Card + digital payments concept is similar to the 2019~2020 Japanese Government Cashless Consumption Tax Rebate Program. The promise of getting local area based discounts for using transit or buying stuff with Apple Pay is one of the most practical use case scenarios for digital My Number Card that I can think of.

Farther out we might see development of ‘Touchless’ transit gates that incorporate Ultra Wideband technology which is already being used in iOS 15 Wallet for Touchless car keys. It would be cool to simply walk through the gate iPhone in pocket, with Suica taking care of business. I was recently reminded that UWB enhanced gates would greatly benefit those with disabilities. I saw young man in an electric wheelchair going through a JR East station manned gate, the station attendant was holding the reader out for him to tap but his movement was limited. It was difficult for him to hold his iPhone to the Suica reader. A UWB gate would let him zip through unattended at any touchless gate, that’s what barrier free should be about. When you think about it, QR Code apps for transit are just cruel for handicapped users.

Next generation JR East transit gates are wheelchair friendly but UWB touchless gates are the best ‘barrier free’ solution for users with limited mobility.

On that note…despite all the hand wringing over the rise of code payment apps, even as Apple is flirting about adding code payments to Apple Pay, Japan will continue to be a fascinating place to observe contactless payment trends before they appear in other markets. And even though Apple Pay Japan has lost the cool factor that peaked in 2018 and become mundane, that’s okay. Apple Pay in Japan will continue to be the payment service where you can do things that you cannot do with Apple Pay in any other market. That sounds like fun to me and I look forward to the next 5 years of Apple Pay Japan and hope to write about digital wallet developments…occasionally. Since COVID hit blog traffic has collapsed to the point where I think it might be time to change gears. We shall see.

Until next time stay safe and have a good cashless…er you know what I mean.


Apple Pay Japan Comments
Some reader and net comments about using Apple Pay Japan through the years. Tweet or email if you have any experiences you’d like to share and I’ll add them here.

Apple Pay Suica is so convenient it made me wear my watch on my right wrist

The last 2 times I was in Japan, I used Apple Pay with Suica. It is miles ahead of what we have in Singapore, in terms of speed, feel, and experience. And best of all, no app download required!

I changed from Android back to iOS in 2017 mostly due to being able to use Mobile Suica…And this is the real reason I still have to educate people coming to Japan about mobile Suica and putting a debit card into ApplePay and never need an ATM for most things here…Also stop with “Japan is a cash driven society” tropes. I go for weeks not using bills and coins here.

Comment regarding code payment apps vs NFC: Imo Apple and Google Pay are all a payment system needs: it’s quick, easy, and doesn’t require looking like a clown trying to scan a code…Imagine having to scan a code to pay for Suica, it would be a nightmare.

I have no idea why Apple Pay isn’t more widely supported over here. I usually just try and use Suica on my Apple Watch for most things.

The true value (of Apple Watch) is in Apple Pay and Express Transit card. If your city support it especially the latter, it’s a tremendous value.

Truth to be told, I’ve been a user of Japan’s Apple Pay almost since it came out, even thought I don’t live there haha. As a Software Engineer I always was amazed how Japan had a contactless system that you can use seamlessly on transport or store purchases.

It might sound trite, but I am still happy and amazed every time I use Suica on my iPhone. It has been a long road from Edy and Mobile Suica to this point. The next thing for me would be export of my spending for tracking. Not through Suica, but from iOS. And I really wish more Japanese businesses used the Apple Wallet for (reward) cards. When it first debuted I imagined finally getting rid of all my store cards, but it never happened.

When I was in Japan in November, when I looked up my destination via Apple Maps, I got seamless linked to buy a SUICA for my Apple Wallet direct from my credit card. It was pretty slick – 10 second transaction and I had a SUICA in my Apple Wallet.

The best way to use Suica Card on Android devices is to simply buy a new iPhone…

Suica on Watch is just superb. Even better when worn on right hand.

Two great things about my iPhone XS when traveling in #japan: first, SUICA public transport card in Apple wallet and you are able to charge them via Apple Pay wherever you are and second the dual SIM feature to get a traveller SIM like #Ubigi into your phone easily.

Twitter question: Japan peeps, what are your fave “cashless” payment apps? What do you consider the most convenient/useful?

Twitter answer: Suica wallet. Everything else is fucking shit

I want more reward point card support in Wallet that’s easier to use than it is now and supports movie tickets too.

One more for the road: Ken Bolido’s wonderfully informative Apple Pay Japan intro video from 2019

Japan mobile payment survey results

I gave the Twitter survey function a workout and asked 2 questions:

  • Which Japanese mobile payment do you use most?
  • Which Japanese reward points do you use most?

The results are not surprising but come with many caveats: the survey sampling was puny, in English and pretty much limited to a small group of Twitter followers, which means they are pretty much already invested in Mobile Suica. Also it is important to remember that mobile payment use profiles in Japan are highly regional, what’s convenient in Tokyo isn’t necessarily convenient in other areas. That said, there are some interesting and fun takeaways.

Japanese mobile payment takeaways and feedback

  • The 55% Suica/PASMO figure expresses the power of Apple Pay Express Transit (and similar for Osaifu Keitai) for store purchases in the COVID induced face mask era without the hassle of Face ID. It’s important to remember that the ballyhooed Unlock with Apple Watch Face ID feature introduced with iOS 14.5 is useless for Apple Pay authorization. Remember too that Mobile Suica has good support on wearables: Apple Watch, Garmin, fitbit, etc., the widest mobile payment platform in Japan.
  • Despite the heavy marketing VISA Touch from VISA Japan, the majority of users have been using Apple Pay and Osaifu Keitai for iD and QUICPay, etc. I suspect EMV ‘Touch’ (Visa, MC, AMEX, JCB) probably appeals more to plastic card users as VISA is pushing EMV only plastic cards vs. digital wallet dual mode Apple Pay.
  • QR Code payment apps (PayPay, dBarai, LinePay, etc.) are not as popular as you might think and are probably feeling the pain of recent bank account linking security problems, and the recent revelations of user transaction records being stored outside of Japan.

Changes quite a lot. Recently using EMV touch a lot because of SMCC 15% back campaign and Amex 20% at FamilyMart. Otherwise probably a little bit of everything just to get maximum reward. (Tokyo)

I don’t ride trains so I have no real use for Suica. Using it to pay in shops is too much of a PITA since you have to constantly recharge it. (Kagoshima, note that Suica Auto-charge only works in JR East transit region)

I do iD for the point rewards (none in JP CC recharge of Suica) otherwise Express Transit is perfect. (Tokyo)

Mostly Suica (via Garmin Pay), but I’ve been using au Pay (QR or barcode) a lot more recently. (Hiroshima)

Japanese reward point takeaway
Results are complicated. Twitter surveys are limited to 4 choices, I lumped the Japanese carrier reward point systems for docomo, au and SoftBank (dPoint, au•PONTA, T-POINT) into one category, the top choice at 43%. However if we break down the carrier number by carrier marketshare ratio we get the following:

  1. 21% JRE POINT
  2. 28% Rakuten POINT
  3. 19% dPOINT
  4. 14% au•PONTA POINT
  5. 10% T-POINT
  6. 8% V POINT

The key takeaway for reward points is the power of the Rakuten ‘Economic Zone’, i.e. where all the Rakuten pieces including shopping, banking/credit card/payments, transit (Rakuten Suica), mobile, stock trading, travel, etc., are glued together by Rakuten POINT and feed off each other. The Rakuten Economic Zone is the model that others will have to successfully emulate if they are going to be serious long term competitors. NTT docomo announced a tie-up with MUFG this month, the digital banking wars are just getting started.

QR Code user survey slight of hand

A recent customer sentiment survey regarding QR Code use and security from Ivanti is a classic case of marketing manipulation in action. Same survey, different titles:

The English title:
QRurb Your Enthusiasm 2021: Why the QR code remains a top security threat and what you can do about it

The Japanese title:
Is Japan a 3rd world country when it comes to QR Code use? Compared to 80~90% usage rates in China and the West, Japan remains stuck at 60%

The English survey summary highlights basic security problems to sell security software:

  • 47% or respondents claimed to know that a QR code can open a URL.
  • However, only 37% were aware that a QR code can download an application and only 22% were aware that a QR code can give away physical location.
  • Two thirds of respondents felt confident that they could identify a malicious URL, but only 39% stated they could identify a malicious QR code.
  • 49% stated they either do not have or don’t know if they have security installed on their mobile device.

The Japanese version highlights low Japanese QR Code payment use, and security software use compared with China to sell security software. It also heavily implies that Japan is behind China because of this.

Don’t know about you, but this kind of night and day spin is one reason I have stopped believing most market surveys. They are just too loaded. Give credit where it’s due: the Japanese Ivanti marketing department is certainly clever in spicing up a dull story. It’s their job. Download the English PDF and see for yourself.