Featured

iOS 14 Apple Pay: going the distance with Ultra Wideband Touchless and QR (Updated)

It’s that time of year again to look into the WWDC crystal ball and see what changes might be in store for Apple Pay. 2019 was an exciting year with the important Core NFC Read-Write additions for ISO 7816, ISO 15693, FeliCa, and MIFARE tags. Since then we’ve seen iOS apps add support for contactless passports, drivers licenses, retail and manufacturer vicinity NFC tags, transit ticketing, badging, and more. Some expectations ended up on the cutting room floor. The NFC tag Apple Pay feature that Jennifer Bailey showed back in May 2019 has yet to appear. Apple Pay Ventra and Octopus transit services slated for 2019 and iOS 13 failed to launch. Apple Pay Octopus launched June 2, Apple Pay Ventra has yet to appear.

Predicting anything in 2020 is risky business because of COVID. iPhone 12 might be delayed, iOS 14 might be delayed, features brought forward, pushed back…all plans are up in the air. Some developments are clear, but timing is opaque. What follows is based on: (1) NTT Docomo announcement of Ultra Wideband (UWB) ‘Touchless’ Mobile FeliCa additions and JR East developing UWB Touchless transit gates, (2) CarKey and the Car Connectivity Consortium Digital Key 3.0 spec, and (3) Mac 9to5 reports of AliPay coming to iOS 14 Apple Pay.

Going the distance with Ultra Wideband
The NFC standard has been around a long time, long before smartphones, conceived when everything was built around close proximity read write physical IC cards. The standards have served us very well. So why are NTT Docomo and Sony (Mobile FeliCa) and NXP (MIFARE) adding Ultra Wideband + Bluetooth into the mix?

UWB + Bluetooth delivers Touchless: a hands-free keep-smartphone-in-pocket experience for unlocking a car door, walking through a transit gate or paying for takeout while sitting in the drive thru. It’s the same combo that powers Apple AirTags. UWB Touchless delivers distance with accuracy doing away with “you’re holding it wrong” close proximity hit areas necessary when using NFC. With Touchless your iPhone is essentially a big AirTag to the reader,

For Apple Pay Wallet cards it means hands free Express Card door access, Suica Express transit gate access and payments that ‘just work’ by walking up to a scan area or car. As Junya Suzuki pointed out recently, UWB Touchless is passive vs. the active NFC ‘touch to the reader’ gesture, as such it will live on smartphones and not on plastic cards. Those will remain limited to NFC which does not require a battery.

Secure Element evolution and digital key sharing
The addition of UWB Touchless however means that the Secure Element, where transaction keys are kept and applets perform their magic, has to change and evolve. Up until now the Secure Element worked hand in glove with the NFC controller to make sure communications between the reader are secure and encrypted. For this reason an embedded Secure Element (eSE) usually resides on the NFC controller chip.

Apple chose to put a Global Platform certified Apple Pay eSE in their own A/S series chips. The arrangement gives Apple more control and flexibility, such as the ability to update Secure Element applets and implement features like global NFC. The addition of UWB Touchless in FeliCa and MIFARE means both smartphone and readers need new hardware and software. Apple already has UWB in the U1 chip on iPhone 11. Mobile FeliCa software support could be coming with the next generation ‘Super Suica’ release in the spring of 2021 that requires an updated FeliCa OS.

Recent screen images of a CarKey card in Wallet…with Express Mode can we call it Suicar?

The arrival of UWB Touchless signals another change in the Secure Element as shown in middle CarKey screen image: digital key sharing via the cloud where the master key on the smartphone devices ‘blesses’ and revokes shared keys. Mobile FeliCa Digital key sharing with FeliCa cards and devices was demonstrated at the Docomo Open House in January, also outlined in the Car Connectivity Consortium (CCR) Digital Key White Paper. An interesting aspect of the CCR Digital Key architecture is the platform neutrality, any Secure Element provider (FeliCa, MIFARE, etc.) can plug into it. Calypso could join the party but I don’t see EMV moving to add UWB Touchless because it requires a battery. EMV will probably stick with battery free NFC and plastic cards.

Diagram from Car Connectivity Consortium (CCR) Digital Key White Paper

QR Code Payment Cards
There is another possible eSE transition for Apple Pay. If the 9to5 Mac AliPay for Apple Pay iOS 14 rumor is true, it represents a huge change for Apple Pay which has strictly limited payment transactions to NFC. The whole identity of Apple Pay is NFC payment cards vs. Wallet which can hold both cards (NFC) and passes (NFC or QR/Barcodes).

A few weeks ago a reader asked for some thoughts regarding the AliPay on iOS 14 Apple Pay rumor with a link to some screen/mockup images on the LIHKG site. Before getting to that it’s helpful to review some key Apple Pay Wallet features for payment cards:

  • Direct side button Wallet activation with automatic Face/Touch ID authentication and payment at the reader.
  • Device transactions handled by the eSE without a network connection.
  • Ability to set a default main card for Apple Pay use.

The images suggest a scenario for implementing AliPay in iOS 14 Apple Pay:

  • AliPay has a PassKit API method to add a ‘QR Card’ to Wallet.
  • Apple Pay Wallet QR Card set as the main card is directly activated with a button double-click for Face or a Touch ID authentication and dynamic QR Code payment generation in Apple Pay.
  • Direct static QR Code reads activate Apple Pay AliPay payment.

If Apple is adding AliPay to the ranks of top tier Wallet payment cards, they have to provide a way in. The new “PKSecureElementPass” PassKit framework addition in iOS 13.4 could be just that. Instead of PassKit NFC Certificates, the additions suggest a Secure Element Pass/certificate. Secure Element Certificates instead of NFC Certificates, or better yet completely decouple the Secure Element from NFC so that there are 2 kinds of certificates: a Secure Element Pass for Secure Element transactions, and a NFC Certificate ‘lite’ for non-Secure Element NFC use such as VAS passes which pull everything off a JSON server. In the long run Apple needs to provide finer definitions and controls for NFC and UWB access instead of one black box that PassKit NFC Certificates have been up to now.

One possible scenario for PassKit NFC Certificate evolution

The burning question here is: have Apple and AliPay developed Secure Element technology and Java Card applets for encrypted transactions that work without network connections? If so QR Wallet payment ‘cards’ are possible. Direct Apple Pay Wallet QR integration with would open up things for 3rd party (non bank) payment players. QR integration with separate access controls for the Secure Element and NFC/UWB hardware frontend might also help Apple skirt NFC monopoly allegations that got Apple Pay in trouble in Europe.

Dual Mode and flexible front ends
The addition of QR and UWB with NFC for payments opens up a long term possibility suggested by Toyota Wallet. The current app lets the user attach a QR code app payment method and/or a NFC Wallet payment method to an account. It’s intriguing but clunky. Wallet QR Payment support would allow Toyota Wallet to move the entire payment front end to Wallet and let the user choose to add one or both.

It’s the latter that interests me most. Instead of having separate NFC and QR payment ‘cards’ from the same issuer for the same account, I’d much rather have one adaptive Wallet card that smartly uses the appropriate protocol, QR, NFC, UWB for the payment at hand.

Ultimately I don’t believe that payment players need or want to anchor their services to specific technologies like QR or even NFC. AliPay may have needed QR to start their payment business empire, why not offer NFC and UWB if it’s there as a front end choice? It’s all virtual.

Capable, flexible, smart. This is what digital wallets should do, things that plastic can never achieve. Let’s hope Apple Pay Wallet makes it there someday, and that payment and transit providers are up to the mix and match challenge in the Touchless era.


WWDC20 UPDATE

CarKey
Apple announced CarKey, digital car keys and Ultra Wideband Touchless in the WWDC20 Keynote and accompanying press release:

Digital car keys give users a secure way to use iPhone or Apple Watch to unlock and start their car. Digital car keys can be easily shared using Messages, or disabled through iCloud if a device is lost, and are available starting this year through NFC. Apple also unveiled the next generation of digital car keys based on Ultra Wideband technology for spatial awareness delivered through the U1 chip, which will allow users to unlock future car models without removing their iPhone from their pocket or bag, and will become available next year.

Apple Newsroom

More details were revealed the CarKey session:

One thing the CarKey session made clear: secure Wallet transactions are limited to the Secure Element and ‘radio technologies’ that are evolving beyond NFC.

One interesting aspect of Apple Pay CarKey is the device requirement: iPhone XR/XS or later, Apple Watch Series 5 or later.

A12 devices and later makes perfect sense because they all support Express Cards with power reserve. Apple Watch does not support this feature but the Series 5 and later requirement suggests the S series chip is getting very close and likely involves Secure Element digital key sharing. We may see Express Cards with power reserve arrive with Apple Watch Series 6.

App Clips
App Clips finally unleash the power of background NFC tag reading and is the other big Apple Pay development announced at WWDC20. This is what Jennifer Bailey talked about last year just before WWDC19 but it took another year to come together.

App Clips puts NFC tags on equal footing with QR Codes for the first time with the added edge of the ‘when the screen is on’ background tag sheet pop-ups. This will be huge. See the separate post for details.


iOS 14 Apple Pay AliPay Update
AliPay QR Code support was not mentioned in the keynote but it appears that iOS 14 Apple Pay QR Payments will be coming after all: MacRumors reports code references in iOS 14 beta 2. An AliPay Wallet addition is strongly suggested by a iOS 14 PassKit alipay payment network reference. There are other new PassKit framework additions that also suggest better barcode handling. We’ll likely get an official announcement at the iPhone 12 Event with a service launch ‘coming later this year/early next year’, and only for mainland China AliPay account holders, not international users.

Advertisements

WWDC19 iOS 13 Apple Pay Wish List

(Note: iOS 13 Core NFC documentation has been released with NFC tag support for: ISO 7816, ISO 15693, FeliCa, MIFARE and NDEF)

Now that full 3rd party NFC access is reportedly coming with iOS 13 tag support for ISO 7816, FeliCa and MIFARE, does this mean developers get supercharged Core NFC and PassKit NFC Certificates generously handed out like condoms at a gay sex party? Probably not, the only new things in those rumors are ‘full access’ and ‘ISO 7816’, but let’s take a look at some possibilities based on the 3 NFC Forum defined NFC Modes: Card Emulation, Reader/Writer and Peer to Peer.

It’s useful to remember that A12 Bionic powered iPhone is one of the most compelling ‘Global NFC’ devices on the market, with all the important technologies in one package sold everywhere: NFC A-B-F hardware and EMV, FeliCa, MIFARE, PBOC and VAS (value added service protocol) software. Android is fragmented, especially when it comes to FeliCa support.

Apple has invested a lot of time and money to guarantee everything is there and ‘just works’. A12 Bionic added Express Cards with power reserve that support certain NFC transactions without iOS up and running. A12 Bionic also added Background Tag Reading and the ability to read NFC tags ‘out of the box’ without a separate app.

The big frustration for developers has been that iPhone NFC is all dressed up with no place to go. iOS 12 NFC supports Card Emulation and Reader/Writer but severely limits the Secure Element access necessary for Card Emulation with NDA covered PassKit NFC Certificates, while Core NFC is a limited Reader/Writer Mode sub-set.


Card Emulation

New Apple Card Wallet UI
After using Apple Card UI flavored Apple Pay Suica in iOS 12.2 with even more tweaks in iOS 12.3, I feel sure that new PassKit controls for Apple Pay Wallet card customization: detailed transactions, summaries, balance payments, new card options and other UI goodies of the recently announced Apple Card, will be made available for all developers and iOS 13 Wallet cards.

The Apple Card UI and Wallet UI design language in iOS 12.2 and later, is so different from the rest of iOS 12 that I’m surprised nobody in the Apple tech blog space picked up on it. There are lots of useful card options and information that can be piped into Wallet cards from the card provider cloud, instead of sitting in a separate app.

This applies to card artwork as well. Static card artwork in iOS 12 doesn’t do anything and gobbles up precious screen space. The dynamic card art of Apple Card UI can be used to give important information to users while solving the wasted space problem.

Multiple Express Cards in iOS 13 Wallet
There are major Japanese eMoney prepaid cards on Android that are missing on Apple Pay: WAON, Rakuten Edy and nananco. One ‘missing on Apple Pay’ reason is that iOS 12 Apple Pay Wallet lacks a smart way to deal with multiple Express Transit and Express eMoney Cards. Wallet can hold multiple Suica cards but only one of them can be Express Transit. It’s the same for eMoney cards.

This started to change in iOS 12.3 with the addition of Express Transit with Payment Cards. The massive rebuilt of iOS 12.3 Wallet means that iOS 12.3 is basically iOS 13 Wallet already, and the heavy work continues with the temporary removal of Payment Card Express Transit in iOS 12.4 Public Beta.

iOS 13 Wallet will complete the journey, hopefully delivering a vastly improved and unified Wallet UI that elegantly solves the multiple Express Transit/Express Card issue, and eliminates card clash. At a transit gate the user should only have to tap, at checkout the user should only have to select a payment logo on a screen or tell the sales clerk Suica, Mastercard, etc., and pay.

Unified iPhone and Apple Watch Wallet
I do have one more wish for the iOS 13 Wallet UI: please integrate the separate iPhone and Apple Watch Wallets into a single Wallet. It’s incredibly convenient to control all transit card recharge/reload and other options on iPhone instead of fiddling with the tiny Apple Watch screen to recharge a Suica card for example. Suica App manages separate Suica cards on iPhone and Apple Watch incredibly well in one place.

Easy Card Emulation
I am less sure how Apple plans to make card emulation easier for developers:

  • New functions in PassKit that do more
  • Less stringent and easier to obtain PassKit NFC Certificates
  • A combination of the two or
  • Something new altogether

Whatever the approach, I hope it keeps everything secure while making it easy for developers to add all kinds of non-EMV cards to Wallet, the major categories include…

  • Transit Cards: Transit cards have been tricky because up to now each one has been a kind of custom in-house job by Apple in cooperation with the transit company. HOP launched May 21 and Ventra will arrive this summer. Clipper has been rumored for Apple Pay inclusion for some time. Hong Kong Octopus (FeliCa) and Los Angeles area TAP (EMV only?) should arrive shortly after the iOS 13 launch in September. It would be great if iOS 13 PassKit makes it easy to add all kinds of native transit cards like Taiwan EasyCARD and Melbourne Myki (both MIFARE) and more (like Calypso for example) to the mix, with Apple having to do less for a real transit card coming out party. Unfortunately I don’t see Singapore’s EZ-Link card ever joining the party unless iOS 13 PassKit makes it very easy to support customized payment technology like the Singapore only CEPAS.
  • Prepaid Reward Cards: There are lots of these everywhere. In Japan we have: Edy, nanaco, WAON (all FeliCa), Dotour (MIFARE), Ueshima (Mag strip) and Starbucks (FeliCa and Mag strip). Most of these have apps that let users attach credit cards to the backend for online recharge. None of them are on Apple Pay but need to be, urgently, to combat manufactured QR code mania stealth marketing. The challenge for Apple here is the same as transit cards: make it easy for developers to do more, with open API access and easy to obtain PassKit NFC Certificates. I suspect one hold up has been that every single one of these prepaid reward cards wants to have an Express Card option to bypass authentication at the reader. iOS 12 Wallet only supports a single Express card at a time. Hopefully iOS 13 Wallet solves the problem.
  • Regular Reward Cards: There are tons of these everywhere, mostly mag strip. My real wallet has JRE POINT, WAON POINT, Tomod’s, plus a crazy collection of stamp/point cards. How nice it would be if it was super easy for developers to port these to Wallet with NFC capability.
  • ID Cards: This is where ISO 7816 tag support fits in. Contactless Student ID cards in iOS 12 were a MIFARE only custom in-house job, transit cards without transit, by Apple in cooperation with Blackboard. Hopefully Apple will greatly extend ID card support in all NFC flavors for many companies and institutions, for all manner of ‘company only’ Wallet ID cards.
  • VAS: Apple Value Added Service protocol has been around a few years but uptake has been slow, almost as slow as VAS works on NFC readers and POS systems. This is more of an performance issue on the POS side than PassKit, nevertheless anything Apple can do to help increase VAS performance would be welcome. So would VAS working with Express Transit.

Reader/Writer

Android has a huge advantage over iOS because Android apps have the NFC access to do what they want. From RFID Insider:

Below are all the abilities/formats available for writing to a tag:

Business Card
Link/URL
Wi-Fi
Bluetooth
Email
Telephone Number
Geo Location
Launch an Application
Plain Text
SMS

How to Write an NFC Tag RFID Insider

A fully functional Core NFC could do all this, but the important question is how would Apple want to do all this. NFC tags are great technology but they remain deeply geeky for the majority of users. The key is making NFC tags as friendly, easy and secure to use as Apple Pay. This is exactly what Apple plans to do.

At the TRANSACT 2019 conference Jennifer Bailey announced NFC tag Apple Pay. NFC tag Apple Pay works with or without apps. All the user does is tap a NFC tag and Apple Pay takes care of the rest as shown in the demo video using a SmartPlate NFC tag.

The easiest way to think of it is that instead of tapping a dedicated NFC reader to pay with Apple Pay, NFC tag Apple Pay turns your iPhone into the reader. An NFC tag and iPhone is all that you need to Apple Pay at a store.

What does this sound like to you? Yep, this is enhanced Core NFC Read/Write for NFC tags that does exactly what QR Codes do. NFC tag Apple Pay is aimed right at the ‘but the store doesn’t need an expensive NFC reader to use QR’ sweet spot that QR Codes have occupied up to now. NFC tag Apple Pay levels the play field, neatly eliminating the QR advantage while offering security that QR Codes cannot match.

However don’t assume that the QR players are chained to QR Codes, it’s an inexpensive and convenient technology for building payment system app services, nothing more, not particularly sacred. Enhanced Core NFC and NFC tag Apple Pay works in an app and this offers Japanese QR Code payment systems such as Line, PayPay, etc., a way to incorporate Apple Pay NFC support in their app, if they choose to do so.

A12 Bionic iPhone XR/XS are the only devices that support background NCF tag reading and the native ability to read tags without an app. The big question in my mind is how Apple plans to implement enhanced Core NFC and NFC tag Apple Pay on older devices

Peer to Peer

iOS 12 does not support NFC Peer to Peer. I don’t see that changing in iOS 13 if it can’t be part of a new Apple Pay or related service. AirDrop already works well across devices that do not have NFC capability. That’s probably enough real world peer to peer for most people.


Summary

The Apple Pay theme for WWDC18 was ‘move Passes into Wallet, get rid of the QR Codes and replace them NFC.’ The new Apple Card UI improvements in Wallet and NFC tag support suggest the Apple Pay theme for WWDC19 will be: ‘move card functionality out of apps and into Wallet cards with new iOS 13 PASSKit controls, or get rid of apps altogether and replace them will all kinds of NFC enabled cards and NFC tags.’

It certainly makes sense. Apple Pay is NFC for the majority of iPhone users, the NFC thing that people use. Apple devoting iOS resources into making card emulation easier and better for 3rd party developers to add all kinds of cards to Wallet, and migrate functions out of separate apps to the Wallet card itself, will give the most bang for the development buck. NFC tag Apple Pay will finally bring NFC tags into the mainstream while eliminating the remaining advantages of QR Codes. It’s going to be a very interesting WWDC for all things Apple Pay.

We’ll find out at the WWDC19 keynote on June 3 at 10:00 a.m. PDT.

UPDATE
WWDC19 Apple Pay scorecard

The Contactless Payment Turf Wars: why Oyster is missing from mobile

  1. Contactless Payment Turf Wars: Transit Platforms
  2. Contactless Payment Turf Wars: PiTaPa Pitfalls
  3. >Contactless Payment Turf Wars: why Oyster is missing from mobile
  4. Contactless Payment Turf Wars: tapping the potential of TAP

Open Loop EMV
It is very strange that the TfL Oyster card, which completely transformed London area transit still isn’t hosted natively on Apple Pay or Google Pay. Other MIFARE based cards are hosted on both digital wallet platforms and TfL has an Oyster app for account management and online recharge (top-ups). From a technical standpoint there doesn’t seem to be any particular problem preventing them. Perhaps it is a political thing.

TfL decided in 2011 to put their resources into the emerging EMV contactless standard. The reason was simple:

The current Oyster system, though very popular, is expensive and complex to administer. Contactless bank cards use existing technology, responsibility for issuing cards would lie with the banks rather than TfL, and the operating costs should be lower.

That is politician think, not business think: everything is a budget problem, not a business opportunity that needs investment, reduce costs by letting someone else pick up the tab but let them take their cut first. I wonder if TfL publishes how much they pay out in transaction processing fees to banks and Cubic? Perhaps not. Meanwhile budget pressures are not letting up as Londonist notes:

In 2017 there was a push to nudge people away from their Oyster cards and towards contactless. One announcement rang out all over London’s tube stations: Why not use your contactless bank card today? Never top up again, and it’s the same fare as Oyster.

The die was cast in 2014 and probably won’t change. Instead of putting resources into hosting Oyster on Apple Pay or Google Pay, TfL and Cubic already have a mobile solution which is ‘open loop’ ticketing with EMV contactless bank cards. Open loop does not address the finer issues of different fare schedules (children, seniors, etc.), commuter passes, season tickets, nationwide transit interoperability, regional promotion, nor does it offer the business advantages of a transit payment platform, Express Cards with power reserve or any kind of future vision. That’s the end of the open loop story because EMV contactless is a very dumb smart card.

It’s a shame really because TfL loves to say they generate the most transactions in all of Europe. That’s a value capture gold mine to build an empire, budget problems solved. Unfortunately TfL gives that gold mine away to the banking industry and Cubic.

You can see the same thinking with Oyster’s Australian cousin, the Opal card system, built and managed by Cubic, just like Oyster. Opal is also going the ‘open loop’ route instead of transit cards on mobile.

Open Loop QR

Hong Kong’s Octopus (FeliCa) and Singapore’s EZ-Link (Ex-FeliCa now CEPAS) are going open loop but in different ways. EZ-Link has been testing EMV contactless for over 2 years now, users report a less than smooth experience. Kaohsiung Rapid Transit in Taiwan which uses MIFARE based iPASS and EasyCard is also considering EMV contactless open loop while the recently opened Taoyuan Airport MRT offers QR Codes and a cute YouTube video.

Hong Kong going the QR Code route shows how badly AliPay wants in on Hong Kong transit, and MTR Corporation in on China transit, bad enough that Hong Kong will sacrifice a great transit payment platform for AliPay, another gold mine giveaway. Judging by the AliPay branding and retrofitted QR Code readers on Hangzhou Metro gates in the pictures above, what AliPay wants, AliPay gets, but the fast FeliCa based Octopus smart card stands in the way. Instead of improving Octopus or extending mobile Smart Octopus, it looks like Hong Kong will invest in very slow and very dumb QR. The Hong Kong Economic Journal had this to say about the development:

MTR has set its sights on a major revamp of its fare collection system, accepting new electronic payments methods rather than just single journey tickets and Octopus Cards. From the passengers’ perspective, it means there will be no need to have an Octopus card on hand for a journey on local trains, if MTR’s new fare collection system supports all the mainstream contactless payment methods such as Visa payWave and MasterCard PayPass, or mobile payment means like Apple Pay, Samsung Pay and Google Pay.

Japan in the middle
TfL/Oyster and Transport for NSW/Opal, Octopus, EZ-Link are government held transit authorities, not private independent companies. Publicly run transit authorities are subject to politics and special interests like any government agency, this sometimes leads to poor decisions and short-term thinking.

Japan was fortunate that major transit players like JR East, are private companies with strong technology partners, like Sony and NTT Docomo. Out of this fortunate set of circumstances Suica was created and finally reached  the market in 2001 (a fascinating engineering story). Suica became the Japan IC Transit card template which evolved into the ubiquitous Japan Transit IC Mutual Use Association project for transit and e-money use. Mobile Suica was introduced in 2006 by NTT Docomo and now resides on the Apple Pay and Google Pay platforms.

The ubiquity and scale of interoperable transit IC cards sets Japan apart from all other countries. China copied the Japanese model for China T-Union but the cards cannot be used as e-money and have been upstaged by AliPay and WeChat Pay which, surprise, can be used for e-money and transit.

Japan occupies a very unusual middle ground between EMV contactless from the West and QR Codes from China, neither of which play well together. The scale of Suica provides the breathing space for Japan to pick and chose what works best for, and enhances their transit payment platform. The result is an incredibly rich and varied contactless payments market anchored around Suica and similar FeliCa prepaid cards.

Future trends
For every marketing report that predicts QR Code payments growing into a 70 billion USD sized market by 2023, someone else calls it nonsense because Suica is becoming the card for everything. In many ways Suica already is. MITI said it is investigating using QR Codes for small rural transit systems that cannot afford IC card systems. This loops back to TfL complaint that IC cards are expensive to issue and manage.

Low-cost QR Codes certainly make sense for lightly used rural transit operations but they have a fatal weakness: they don’t have plastic card versions that work anywhere and seniors prefer the simplicity of plastic, QR Codes require a high cost network connected smart device, an app and are strictly one way read with no offline processing.

JR East and Sony have announced that they will solve cost problems for rural transit and much more in early 2021 with Super Suica.


Update: Open Loop QR Code Security Risks
One issue that was in the back of my mind while writing this post was the privacy and security implications of letting AliPay inside with direct transactions on transit gates. Japanese customers are very sensitive about where and how transaction records are held and used but I have yet to see any security discussion in connection with Hong Kong MTR opening up transit gates to AliPay and WeChat Pay. QR Code transactions are very different from offline FeliCa Octopus transactions. Where and how does the QR Code transaction data from Hong Kong MTR transit gates get stored, does the Chinese government has access to it to gather intelligence from transaction and location records?

If there is one thing we do know about Chinese companies is that they do what they want when nobody is looking. Witness China Telecom spoofing the BGP protocol to poison internet routes and suck up massive amounts of American and Canadian internet traffic for intelligence analysis. If I was living in Hong Kong I would be concerned about the privacy implications of MTR going open loop with QR codes.

iOS 12 Apple Pay Wallet pulled a MIFARE and nobody noticed

The Apple Wallet Ponta card launch at LAWSON presents another dilemma: just what exactly is Apple using for iOS 12/watchOS 5 Apple Wallet Passes and Student ID cards? Student ID cards and Apple Wallet Ponta have the same device eligibility specs: iOS 12/watch OS 5 running on iPhone 6 and later/Apple Watch Series 1 and later.

You might assume that Apple Wallet Ponta is FeliCa but the eligible device list tells a different story. You might also assume that everything in Japan is FeliCa but this is also not the case. Doutor Coffee shops sell a handy little Doutor pre-paid card that is MIFARE and it works flawlessly side by side with FeliCa flavored Apple Pay Suica on the same NFC reader.

Altogether we have an interesting spec list for Student ID and Mobile Ponta cards.

I’m calling it (again): the only technology that fits this profile along with Express Cards (for Student ID cards but not Ponta) is MIFARE iOS 12 PassKIT Wallet passes are simply MIFARE. Only Apple could pull this kind of ‘under the hood thing’ off in iOS 12 without anybody suspecting and it neatly puts all the major NFC technology pieces on Apple Pay: EMV, FeliCa, MIFARE and PBOC China Transit.

Blackboard supplies the technology and backend services for Student ID cards on iOS 12. I contacted Blackboard PR to confirm if the card technology was FeliCa or MIFARE but did not receive an answer. However I did run across an interesting Blackboard press release from 2015 Blackboard and NXP Semiconductors Collaborate to Strengthen Campus Card Technology:

Blackboards’ push to adopt NFC in addition to their existing MIFARE-based solutions, back in 2012 showed incredible insight into the potential of this technology. The security, convenience and flexibility that NXPs NFC and MIFARE solutions bring truly reflect the student lifestyle. Now access to campus services can be simply enabled via a smart watch or smart phone.

Based on this and the fact that it came 2 years after a FeliCa demo of Blackboard Student ID cards with a rumored migration from FeliCa to MIFARE, plus the eligible device specs, my conclusion is that Student ID cards on iOS 12 are MIFARE card emulation which is NFC-A.

Apple Wallet Ponta cards on iOS 12 are VAS protocol contactless passes outlined at WWDC18 , WWDC16, and in the Contactless Passes section of the iOS Security Guide:

Wallet supports the value added service (VAS) protocol for transmitting data from supported passes to compatible NFC terminals. The VAS protocol can be implemented on contactless terminals and uses NFC to communicate with supported Apple devices.

This is also NFC-A. Contactless passes have been around for a while on iOS but adoption has been slow. With iOS 12 PASSKit, Apple is encouraging developers to migrate from QR Codes to NFC contactless passes and hopefully lowering the NFC Certificate requirement bar a little. Part of the reason for the slow uptake is poor NFC reader support. LAWSON has a new POS system built around Panasonic JT-R600CR readers which are Apple Pay savvy and Apple Wallet Ponta cards only work correctly when you tell the LAWSON cashier to use “Apple Pay”.

UPDATE
A highly trusted NFC engineering source contacted me that I got it partly wrong. The correction edit above explains that Wallet Ponta cards are Apple’s implementation of the VAS protocol and not MIFARE. Student ID cards are PASSKit NFC Certificate MIFARE card emulation, Apple has not publicly announced MIFARE support but it is the only technology compatible with Blackboard IC card formats that could power the express card features of iOS 12 student ID cards across all eligible devices.

UPDATE 2
Apple has announced support for Portland’s HOP transit card and Chicago’s Ventra transit card, both of which are MIFARE

Global FeliCa vs Galapagos Syndrome QR Codes

Back in the pre-iPhone era Japanese manufactures were busy churning out internet connected, e-wallet capable handsets with high quality cameras (for that time) that most of the western IT media pooh-poohed: ‘nobody needs all that fancy stuff’.

Unfortunately the Japanese IT media paid way too much attention to it all endlessly handwringing over the Galapagos Syndrome of Japanese technology that nobody seemed to need or want. Worse than that, people actually bought the media con. Then something strange happened in 2016 when Apple unveiled FeliCa Apple Pay and went global with it in 2017.

Google is now following the same path with a FeliCa Pixel 3 in Japan. Why would Apple and Google do that if FeliCa was stranded in the Galapagos? There is business value there, otherwise they would not be spending resources to do it. Most of the Japanese IT media has ignored this fascinating turn of events, focusing instead on the new darling of manufactured “QR Code mania” payment platforms: AliPay, Origami Pay, Docomo d-PAY (d-HARAI), Line PayRakuten Pay, Pay Pay. The merits are dubious:

Demerits of OR Code Payments

  • QR requires a good network connection
  • Slow transaction speed
  • Weak Security and QR Code Chinese payment apps keep transaction records in Mainland China
  • Device needs be on and screen active
  • No ‘on the spot’ refunds

Merits of FeliCa (NFC-F) Payments

  • Works without network connection
  • Very fast transactions
  • High security and transaction records stay in Japan
  • Device can be in battery reserve mode sleep or screen off
  • On the spot refunds

Fortunately there is one Japanese journalist who is calling it: Masahiro Sano. Sano san’s latest piece on Nikkei notes the irony of Japanese companies falling over each other to roll out useless redundant QR Code platforms because QR Codes are “standard in China” (and nowhere else), while Apple and Google are deploying FeliCa as one more standard checklist item on their digital wallet platforms.

Fake QR Code payment mania confuses customers. Put another way QR Code payment platform apps are about de-centralizing the digital wallet into an ever-growing collection of apps while Apple Pay and Google Pay are about centralizing different technologies into a unified and smooth user experience for payments, tickets, IDs, reward cards and more. Which approach do you think will win in the long run?

Sano san thinks QR Code payment platforms in Japan are not about public demand or customers actually using them. They’re just a fad that will fade and eventually be shipped off to the Galapagos. I think he is right. The evidence so far certainly backs him up.