HCE Secure Element in the Cloud is pie in the sky

Stefan Heaton’s blog piece “The reason Mobile myki isn’t available on iPhone… yet” is all the proof you need that Google inspired endless nonsense with Android Pay HCE support. This was shortly after the NFC “secure element” wars were over, with embedded Secure Element (eSE) on SIM cards losing out to eSE on smartphone chips. A secure element in the cloud approach seemed like it would solve everything, except that it didn’t.

myki is MIFARE which has never been compatible with HCE. Neither is FeliCa, which Google Pay users outside Japan assumed would work for Suica until they found out HCE-F was dead in the water and lost their shit.

What nobody has said, and I think it’s worth pointing out, is that the Android Pay to Google Pay shift was also a break with HCE and Google providing, or pretending to provide, a secure element strategy for all Android licensees. Instead, Google is focused on Pixel and their own eSE, all other Android licensees and manufacturers be damned and left to find their own solutions. I guarantee you that, in time, Google will be jumping through most, if not all, of the same security hoops that Apple does now, for Google Pay card emulation (not host card emulation) for Google Pixel platform eSE access.

So yes, Apple does limit NFC Secure Element (implemented in the A Series Secure Enclave) access with PassKit NFC certificates. But Apple Pay MIFARE is real MIFARE, and Apple Pay FeliCa is real FeliCa. Public Transport Victoria (PTV) can apply for a myki card PassKit NFC certificate just like any developer. And for goodness sake Stefan, stop writing sentences that confuse Express Transit payment cards (EMV credit/debit cards) with regular Express Transit cards (FeliCa, MIFARE, PBOC). Suica is not a credit card and emulating EMV at a transit gate doesn’t automatically make a credit card into an Apple Pay Suica transit card, not by a long shot. If your aim is promoting open loop over closed loop, that’s one thing. Either way, your LinkedIn blog post is not doing your LinkedIn resume any favors.

UPDATE: Yep, myki is coming to Apple Pay, nothing to do at all with HCE support.

Welcome Suica

JR East announced a special plastic Suica card for inbound tourists called “Welcome Suica” that will be available from September 1, 2019 at major Tokyo area stations and JR East Travel Service Centers. The main attraction according to the press release is that the Welcome Suica card does away with the ¥500 deposit, and the hassle of getting it back when leaving the country, but the card is only valid for 28 days from the issue date and JR East also says that unused Welcome Suica balances are not refundable… but the unique card design makes a nice souvenir. Welcome Suica cannot be added to Apple Pay or Google Pay and is plastic issue only.

The whole thing sounds like it would have been a nice idea before Apple Pay Suica and Google Pay Suica, both of which let users add virtual Suica cards without a deposit, and can be safely removed from Wallet and left on the cloud until needed again.

UPDATE
PASMO PASSPORT is a similar but slightly less attractive deal than Welcome Suica: a limited 28 day validity PASMO, a 500 JP¥ deposit fee with no deposit fee or balance refunds. It does have a cute Hello Kitty design however. A user asked if I had any opinions about Welcome Suica and PASMO PASSPORT. I thought about it and can only assume Welcome Suica/PASMO PASSPORT plastic cards are aimed at inbound visitors…

  • Who don’t plan on visiting Japan again
  • Who don’t have iPhone 8/Apple Watch Series 3 and later for Apple Pay Suica, or an Osaifu Keitai Android device for Google Pay Suica
  • Who don’t have an Apple Pay compatible bank card or come from a country where Apple Pay isn’t available yet (Indonesia, Malaysia, most of Latin America, Africa etc.)

The Welcome Suica and PASMO PASSPORT 28 day validity is also a great deal for transit operator hotlist management. From FeliCa Dude’s epic Apple Pay Octopus on iPhone 7 Reddit post:

Hotlist management is also a reason to reject a card that hasn’t been used for a while. Most lost cards are found by people who know they are lost, and honest people are unlikely to tap cards that don’t belong to them on card readers. If these lost cards are hotlisted but never disabled by a reader that encounters them, then the hotlist can grow to a size that can’t fit in the memory of a reader.

One way to manage this problem is to have the reader reject cards that have no recent transaction record (say, six months), and refer the cardholder to an operator. The operator then ‘unlocks’ the card using a terminal that has access over the network to the master hotlist. The latency of the unlock operation isn’t critical, so this kind of online referral is fine, and it allows for the hotlists in each reader to be pruned after a certain amount of time has elapsed since the card was hotlisted. This is likely to be the reason that Suica cards that aren’t used for six months need to be processed by a gate attendant (it could also be because of key rollover).

Plastic card management costs money and the growing number of inbound visitors asking for deposit refunds and balance refunds at airport train stations costs personnel to babysit never-ending tiny cash refund transactions. Hence we have Welcome Suica and PASMO PASSPORT with 28 day validity limits and no refunds.
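
The reader-side pruning rule from the quoted post, together with the fixed-validity case raised here, as an added Python sketch (not FeliCa Dude's or any transit operator's code). The class and status names, the 180-day limit, the card IDs and dates, and the idea that a reader can see a card's expiry date are assumptions made for illustration; it also assumes readers receive new hotlist entries promptly.

```python
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=180)  # "say, six months" in the quoted post

class Reader:
    """Offline gate reader with a bounded local copy of the hotlist."""

    def __init__(self):
        self.hotlist = {}  # card_id -> (hotlisted_on, expires_on or None)

    def sync(self, master, today):
        # Prune entries the other two checks already cover: a card hotlisted
        # longer ago than the inactivity limit cannot show a recent
        # transaction, and an expired card is refused on its own date.
        self.hotlist = {
            cid: (listed, expires)
            for cid, (listed, expires) in master.items()
            if today - listed < INACTIVITY_LIMIT
            and (expires is None or today <= expires)
        }

    def tap(self, card_id, last_used, today, expires=None):
        if card_id in self.hotlist:
            return "REJECT_HOTLISTED"
        if expires is not None and today > expires:
            return "REJECT_EXPIRED"
        if today - last_used >= INACTIVITY_LIMIT:
            return "REFER_TO_OPERATOR"
        return "ACCEPT"

def operator_unlock(card_id, master):
    """Attended terminal: online lookup against the full master hotlist."""
    return "DISABLE_CARD" if card_id in master else "UNLOCK"

def demo():
    today = date(2019, 9, 1)
    # Constructed sample data: card IDs and dates are made up.
    master = {
        "LOST-RECENT": (date(2019, 8, 1), None),
        "LOST-OLD": (date(2018, 12, 1), None),
        "LOST-28DAY": (date(2019, 7, 10), date(2019, 7, 29)),
    }
    reader = Reader()
    reader.sync(master, today)
    return {
        "reader_entries": sorted(reader.hotlist),
        "recent": reader.tap("LOST-RECENT", date(2019, 7, 30), today),
        "old": reader.tap("LOST-OLD", date(2018, 11, 20), today),
        "old_at_operator": operator_unlock("LOST-OLD", master),
        "visitor": reader.tap("LOST-28DAY", date(2019, 7, 9), today, date(2019, 7, 29)),
        "idle_owner": reader.tap("OWNER-IDLE", date(2019, 1, 1), today),
        "idle_owner_at_operator": operator_unlock("OWNER-IDLE", master),
    }
```

Of three hotlisted cards in the master list, only one has to occupy reader memory; the other two are still stopped, one by the inactivity referral and one by its own expiry date.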

To be sure, there are lots of inbound visitors who will probably be perfectly happy using a Welcome Suica or PASMO PASSPORT. But for iPhone and Apple Watch inbound visitors the new direct Suica card creation in iOS 13 Wallet (no more apps) is a better way to go.

Hankyu Goes ICOCA

Hankyu Corporation announced in January they would sell ICOCA cards for commuter pass use starting March 1. The switchover is interesting on many levels. ICOCA is the JR West transit IC card and PiTaPa is the transit IC card for Kansai area private lines (Hankyu, Keihan, Hanshin, Kintetsu, etc.). They are both FeliCa cards, offer commuter passes and are compatible for transit use under the Japan Transit IC Mutual Use Association project specification.

There is one big difference: ICOCA is prepaid while PiTaPa is a postpaid credit card/transit card hybrid that can never really be mainstream because it has credit checks. ICOCA can be bought by anyone at a ticket machine. The Hankyu/Hanshin switchover to prepaid ICOCA for the masses follows the JR West arrangement that Kintetsu and Keihan already have in place. There is just one last little detail that JR West needs to work out however: get ICOCA on mobile digital wallet platforms like Apple Pay and Google Pay. Super Suica should take care of that in 2021.

Yes, QR Codes Suck for Transit

Here are QR Codes in action at subway transit gates in Beijing.

And here is Suica in action.

Working Backwards from the User

The Suica development starting point was a user problem with magnetic card commuter passes. Old style paper passes were visually inspected at gates and could stay ‘in-wallet’ with a clear plastic opening. Magnetic card commuter passes had to be removed from the wallet and fed through the gate reader. Engineers wanted to recapture the simplicity of paper passes with IC cards.

The development process involved a lot of trial and error but Suica turned out not only to be convenient and fast but also user friendly in the way that people use things, in-wallet or otherwise. This is a classic Steve Jobs design principle: start with the user experience and work backwards to the technology.

Smartphones replicate the in-wallet experience as ‘Express Cards’ on digital wallet platforms like Apple Pay and Google Pay. The user pulls out the device and holds it to the reader. No unlocking or Touch ID/Face ID required.

QR Codes and EMV contactless on smartphones share the same transit problem of old magnetic card passes: they are not ‘in-wallet’. Devices have to be unlocked to open an app or perform a biometric authentication. This problem is compounded by poorly designed transit gate QR and EMV readers that end up forcing users to adapt to the technology, which slows everything way down. This is a design failure that would never meet the requirements of Tokyo stations where a gate has to clear 60 people a minute.

What’s fascinating to me is the assumption by some people in China, Hong Kong and even Japan that the QR Code success in China automatically qualifies it as a global payment standard regardless of the technology and business models already in place. This doesn’t ring true to me; there is something else going on.

China for example has put a lot of effort into creating and promoting the China T-Union transit card standard which can be added to MI Pay, Apple Pay and Huawei Pay. Nevertheless there are not many people using China T-Union in the video. The Japanese tweet comments say that recharging China T-Union cards is not very convenient and does not offer the point goodies that AliPay and WeChat Pay do. Bingo. Is it really that simple?

Technologies that have viable business models attached to them work better in the long run. FeliCa fares better than China T-Union or CEPAS (EZ-Link) because a transit platform like Suica does a better job of attaching services and point goodies on the back end. Perhaps if China T-Union had a better business model that offered more recharge reward goodies and services on the backend to compete with QR ecosystems, people might use it more. Unfortunately, business promotion is hard for government run transit authorities.

Free Mobile Suica for Everybody in 2020

JR East announced the end of the Mobile Suica ¥1030 annual membership fee for all Android devices on February 26 2020. Mobile Suica is free for Apple Pay users. JR East also announced the end of Symbian OS feature phone support with most devices being cut off from Mobile Suica on February 25 2020, and the rest following on December 22 2020 along with some Android devices.

All of the ‘offed’ devices can still use Suica for transit and purchases but are limited to cash recharge which can be done at station kiosks and any convenience store. Users who want to keep their Mobile Suica account will have to migrate to an eligible Apple or Android device.

JR East is also terminating Mobile Suica Shinkansen e-ticket purchases this year and will replace it with a new service similar to JR Central’s Smart EX. Details should be coming soon.

All in all it looks like JR East is clearing the Mobile Suica deck for the 2021 Super Suica launch.