Ignore NFC reader logos, advice for using Apple Pay in Japan

After the October 21 launch of Apple Pay WAON and Apple Pay nanaco e-Money cards, I updated my Apple Pay Japan chart. All I did was add WAON and nanaco logos to the official payment logos listed on the Apple Pay JP page (still not updated as of November 19):

After posting the updated chart a reader asked a very good question: why not add the FeliCa reader logo as that is what you’ll often see on NFC readers in Japan. To which I say: ignore reader logos in Japan. Why? Because the reader physical compatibility mark that indicates the antenna location has nothing to do with what payments actually work at checkout. Apple isn’t doing anybody a favor listing the EMV logo in the Apple Pay Japan lineup. It only confuses users.

Let’s play that game again, the ‘which logo is the official NFC logo’ game. Choose:

The correct answer is #2, the NFC Forum logo. The reader physical compatibility mark for EMV is #1, FeliCa is #3. But you never see the NFC Forum logo on NFC readers; what you see is usually something like this:

The EMV mark on the reader tap area does not mean the store accepts EMV contactless…always check the payment acceptance marks.

The Panasonic reader shown above has both EMV and FeliCa logos on the tap area. The store has also attached a card that displays what payments are accepted, in this case both EMV (VISA, Mastercard) and FeliCa (iD, Suica•PASMO, WAON, nanaco) are accepted. Looks good right? Not really. The EMV and FeliCa marks are the physical compatibility marks that indicate the antenna location. However, most people assume the physical compatibility mark means the reader works for all payments…which it does not. Some stores with an EMV physical compatibility marked reader don’t support EMV, and vice versa: FeliCa is supported on the reader but not the POS checkout.

What to do? Let’s see…the NFC Forum is responsible for basic certification of all NFC devices so let’s put their logo on the reader instead. Oh wait, can’t do that because people will think it’s a Nespresso machine instead of an NFC reader:

This slide says it all regarding NFC Forum efforts as an industry promotion org

Time for a new NFC logo.

It might seem like a good idea to separate NFC hardware from the payment services that run on top of the hardware. The reality is, it’s impossible to do because all-in-one NFC chips do it all. The NFC Forum could spend a ton of money creating a new NFC logo that can be used everywhere…but what’s the point? Nobody will use it even if they do.

NFC readers come in all kinds of shapes and sizes for all kinds of end uses, from supermarket checkout, to transit gates, and vending machines, and much more. If nothing else remember this: the physical compatibility mark is there to indicate the antenna location and show you where to tap, that’s all it’s there for. It can be anything. It should match the service it’s intended to fulfill.

Are Chinese manufactured PAX NFC readers a security risk?

Probably not, but the FBI Raids Chinese Point-of-Sale Giant PAX Technology report from Krebs on Security has some thrilling bits:

“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”

The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.

“My sources say that there is tech proof of the way that the terminals were used in attack ops,” the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”

Krebs on Security

FBI, MI5, unnamed sources? Sounds like a spy novel. The original Jacksonville WOKV report is down-to-earth local news reporting with the official statement from the FBI: “The FBI Jacksonville Division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office, is executing a court-authorized search at this location in furtherance of a federal investigation. We are not aware of any physical threat to the surrounding community related to this search. The investigation remains active and ongoing and no additional information can be confirmed at this time.”

PAX NFC terminals and POS systems support EMV, FeliCa and MIFARE protocols and are used extensively in Japan in nationwide POS systems such as FamiMart and Doutor Coffee chains. However it’s important to remember that each protocol has a hardware certification process, for EMVCo, for FeliCa Networks and for MIFARE. Card companies also have their own hardware security and certification. And even though the story sounds scary, we don’t know what ‘major financial provider’ POS systems are pulling PAX readers*, what hardware models are involved and what kind of POS software they run (provided by PAX? Developed in-house?), or what exactly the FBI are investigating.

That said, this is much more real and interesting than the silly Apple Pay EMV Express Transit VISA security scare story pushed by the BBC, mindlessly repeated by tech sites and dubious ‘security experts’ who scare people into buying their ‘services’. The so-called Apple Pay EMV Express Transit VISA exploit was just a lab experiment, this is happening in the field. The PAX story won’t get much press however because it doesn’t have ‘Apple Pay’ in the headline. At least not yet…I’m sure some media hack out there will come up with one, something like ‘Apple Pay sends your personal payment data to China’. Only then will people start paying attention.

*UPDATE 2021-11-03
Bloomberg reports FIS Worldpay (also based in Jacksonville next door to PAX…interesting eh?) is pulling PAX NFC readers from client systems and replacing them with Verifone and Ingenico NFC readers. FIS said, “While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible.” No evidence but Worldpay is replacing PAX readers anyway…based on what exactly, hearsay?

PAX NFC readers comprise less than 5% of Worldpay client POS installations so we’re not talking big numbers. Meanwhile PAX has issued a long-winded statement (PAX Technology announcement and resumption of trading) addressing and refuting the security risk claims from Krebs and FIS saying it’s only a geolocation feature. We don’t know which PAX reader models are involved but I suspect they are Android based. That’s the problem with all those crappy Android OS based POS+NFC all-in-one terminals: not only do they have lousy Android performance, they have all the Android security risks too. Dedicated hardware is way better, performance-wise and security-wise.

My Cousin Apple Pay

So the EU is going ahead with ‘open NFC’ antitrust charges against Apple. As posted back in August 2020, the whole open vs closed debate is not easy to define. It’s probably easier to look at it from the simplistic App Store debate of letting developers bypass Apple’s in-app payment mechanism to avoid paying the ‘Apple Tax’, because that’s the box most people will understand.

We’ve already seen banks and Apple chafing over transaction fees on multiple occasions, the latest being ‘Banks Pressuring Visa to Cut Back on Apple Pay Fees’ because Apple dared release their own credit card under the Mastercard brand via Goldman Sachs. German banks and Australian banks in particular demand the right to use iPhone NFC in their own payment apps instead of Wallet so they can harvest the user data they can’t get via Apple Pay and drop Apple Pay support altogether in favor of their own proprietary payment apps (our exclusive card comes with our exclusive app). But there’s an aspect of the ‘open’ argument that will not be discussed by EU regulators, the banks and credit card companies.

I’ve been watching ‘My Cousin Vinny’ a lot recently. I love the courtroom scenes with Joe Pesci’s Vinny character turning the prosecution arguments upside down. There’s a key scene early on when Vinny uses a pack of cards to convince Ralph Macchio’s character to give Vinny a chance to defend him: ‘the prosecutors are gonna show you bricks with solid straight sides and corners, but they’re going to show them in a very special way’ so that judge and jury see bricks instead of playing cards, which is what ‘open NFC’ arguments are: paper card illusions.

NFC is just hardware, it’s worthless without the software protocols that drive it. NFC also has different definitions. The bank industry defines NFC as NFC A-B ISO/IEC 14443. The NFC Forum defines NFC as NFC A-B-F for device certification. On the protocol side the bank industry defines NFC as EMV because this is their industry standard created and managed by EMVCo (Europay-Mastercard-VISA initially, now collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa).

Are EU regulators going to argue that ‘open NFC’ is defined as NFC A-B-F on the hardware side and EMV, MIFARE, FeliCa protocols on the software side? Of course not. They will narrowly define their Vinny brick as NFC A-B and EMV, and maybe Calypso, as that protocol is used in France for transit. Why would they do that?

It’s very simple. European banking interests don’t want to pay transaction fees to Apple, the Apple Pay tax. They want to cut out the middle man with their own exclusive apps and harvest user data. They don’t want inconvenient questions such as why there are all those different NFC standards and protocols out there, how this came to be and what really constitutes ‘open’. Why did the ISO/IEC Joint Technical Committee choose Philips NFC-A and Motorola NFC-B while shutting out Sony NFC-F? Was that part of creating an ‘open’ and level NFC playing field on the global marketplace? Of course not, it was about playing favorites while shutting Sony and Japan out of the game. Now they want to do the same to Apple Pay. I still think Junya Suzuki is right: the EU will never demand the same thing of Samsung Pay or Huawei Pay that they are demanding from Apple.

Sawada Sho tweeted a thoughtful question recently regarding the App Store in-app payment controversy. He pointed out that gaming and other platforms charge developers a great deal of money for hardware and software access, nobody questions that. Apple offers a lot of access for a very low price, is it fair to demand free passage on the App Store because it is Apple? Sho san thinks the Apple transaction cut is a fair tradeoff. Some tech writers have occasionally asked the same basic question: what’s fair?

EMV, MIFARE and FeliCa all have licensing and certification fees that all customers (developers) pay. Apple has gone to a lot of expense licensing those technologies in addition to licensing a GlobalPlatform Secure Element that they build into their own Apple Silicon. Those costs are recouped by Apple Pay transaction fees and fund future developments like digital keys with UWB, ID and other Wallet goodies we’ll get later on in the iOS 15 cycle. I’ve said it before and say it again: Apple took the time and expense to build a first class restaurant and outsiders are demanding the right to use Apple’s kitchen to cook their own food to serve their own customers in Apple’s restaurant.

I guess EU regulators want to give those away free to EU banking interests and let them have their way in the interest of ‘open standards’ that they define and end up protecting the home turf. That sounds like a good deal to me.

SEIYU Stores finally add NFC payment support for Apple Pay Suica • PASMO

That didn’t take long. The announcement Walmart was selling majority control of SEIYU over to KKR and Rakuten was made November 16. And what was the first new management move? Adding Suica and Transit IC payment support which means Apple Pay Suica • PASMO and Google Pay Suica can finally, finally be used for paying at checkout. QR Code PayPay has been in place for a while already. SEIYU also rolled out a new system recently for self checkout and EMV IC chip payments for SEIYU brand Saison cards (other cards have to be signed…yuck). NFC anything has been entirely missing from the SEIYU payments lineup despite the COVID crisis and a huge push for all things cashless, but Walmart has a long antagonistic history with NFC digital wallet payments.

I only noticed the change this evening when I heard the store announcement over the PA. Sure enough Suica signs were plastered at every checkout. It’s weird but somehow fitting that SEIYU is soft launching long overdue NFC contactless payments with Suica. More will come. I’m sure Walmart leaving town had nothing to do with it. Yeah, nothing at all. SEIYU stores were much better under the pre-Walmart Seibu management. Hopefully this marks a return to better service and clean modern stores.

Dear Jane, we fucked up, sincerely MTA

The piecemeal MTA OMNY rollout is a lesson in how not to do a transition from old system to new system. A case where poor design, poor management choices and unanticipated user interaction, each insignificant in isolation, snowball into a nagging long term problem.

The problem goes like this:

(1) Apple Pay Express Transit is opted in by default and iPhone users don’t always know it’s on. They don’t care about using Apple Pay credit cards on OMNY anyway because fare options are limited and OMNY isn’t installed everywhere and won’t be until at least the end of next year. They use good old MetroCard and put iPhone away in the right pocket or purse carried on the right shoulder.

(2) When the user gets to an OMNY fare gate they swipe MetroCard with its peculiar forward swipe motion on the reader which is located above and behind the OMNY NFC reader, which is positioned low and angled at pocket level. As “MetroCard sucks, it may take several (forward) swipes to enter”, the user leans into the gate while doing this and boom: OMNY reader activates iPhone Express Transit and charges fare without the user knowing it.

Default opt in Express Transit has been with us ever since Apple Pay Suica arrived in 2016. But transit cards are not credit cards and everything was fine. Things got sticky when iOS 12.3 introduced EMV Express Transit that uses bank issued credit/debit/prepaid cards for transit on Apple certified open loop systems. Currently these are Portland HOP, NYC OMNY and London TfL.

HOP and TfL don’t have problems with Express Transit. Both systems use contactless exclusively. HOP has stand alone validators, not gates. TfL gates have the NFC reader located on the top. OMNY on the other hand will have MetroCard swipe cards around for years to come: the OMNY transit card replacement is still in development with no release date. With the slow transition pace and current gate design expect the OMNY Express Transit problem to be around until MetroCard is dead, and OMNY is complete with the new tap only card.

In retrospect MTA should have done it this way: (1) roll out the OMNY card MetroCard replacement first and add open loop support as the very last thing, (2) design better OMNY gates in two kinds, dual mode NFC + swipe, and single mode NFC only. This way MTA stations could do what JR East stations do: start with single mode tap only express gates on the edges and dual mode gates in the middle. As the transition progresses the dual mode gates get fewer and pushed to the sides with single mode gates taking over.

Apple could help by keeping automatic Express Transit opt in only for native transit cards (Suica, SmarTrip etc.). EMV Express Transit should always be a manual opt in. I understand Apple’s perspective: they want to present Apple Pay Express Transit as a seamless one flavor service, not good/better/best Express Transit flavors. The reality however is that the current technology powering EMV open loop fare systems isn’t up to native transit card standards. Apple can’t fix that.

Unfortunately MTA has taken the dumb path of blaming Apple instead of fixing their own problems. New York deserves a world class modern transit system, OMNY is an important step in building one. MTA management performance so far doesn’t inspire much confidence. Let’s hope they focus on the rollout and deliver it without more delays or problems.