The open loop mobile connectivity challenge

The recent additions of stera transit (Visa-SMBC-Nippon Signal-QUADRAC) open loop test systems in Kyushu covering Fukuoka metro, Kuamamoto city transit and JR Kyushu expand the VISA Touch transit boutique deeper into western Japan territory. Open loop based cloud processing advocates like to portray these developments as proof that local processing based FeliCa systems like Suica et al. are expensive bygones due for replacement.

There’s just one little problem that open loop advocates fail to mention: mobile connectivity, aka the Suica app problem, the QR Code payment problem, the Smart Navigo HCE problem, etc. Wide LTE and 5G deployment doesn’t always mean reliable mobile and internet connectivity mobile payment apps depend on, and carrier outages can bring down the transaction processing side of the equation. This was proven, yet again, on July 2 when major carrier KDDI suffered a massive nationwide outage that lasted for 80 hours. Let’s make a quick reference graph for examining local processing vs cloud processing in the mobile era.

Stera is a mobile based payments platform that does away with the NTT Data Cafis dedicated backbone and replaces it with the internet based GMO Payment Gateway. The weak point of course is that since mobile powers the gate reader side, when mobile service goes down, stera gate readers stop working. As everybody found out during the KDDI network meltdown, Mobile Suica kept right on working on the transit gate and the store checkout reader, while mobile app based code payments and point systems all stopped. Some vital services that depended on KDDI connectivity like ATM networks also stopped working.

Cloud based Suica will face these challenges too when it goes online in March 2023. The only difference being how much local processing stays intact and how much system buffering there is (how much it needs to talk with the cloud server to do the job), we shall see. Which brings me to the point I want to make. The media almost always portrays the open loop/cloud vs closed loop/local match as a winner takes all, one size fits all proposition. As the KDDI meltdown proves, this is stupid, and dangerous. Never put all the eggs in one technology basket. I don’t think the risk will go away, not as long as telecommunication company corporate structures don’t foster and promote their engineering talent (the people who actually make things work) deep into the executive decision making forums.

Open loop in Japan is geared for inbound tourists the supplements, but does not replace, the old reliable Transit IC infrastructure which is evolving and reducing costs too. They compliment each other, address different needs and uses. One size doesn’t fit all. If it did, Oyster card would have died years ago.

How much will Smart Navigo HCE suck? (Updated)

It’s interesting parsing app reviews that say ‘this app sucks’. How does it suck and why? As I’ve said before, the overwhelming negative App Store reviews for Suica App are less about the app and more about poor network connectivity due to a variety of factors: carrier auto-connect and free WiFi or overloaded mobile connections messing with Mobile Suica recharge and other online functions. People assume the WiFi and cellular icons at the top of the phone screen indicate a healthy internet connection, which they decidedly do not.

Most users see Suica App as the software that controls everything Mobile Suica AND iPhone NFC hardware. It does not of course but people dump all blame on Suica App anyway. Fortunately most of what Mobile Suica does is done without an internet connection. The only time it needs one is recharge time with a credit card in Apple Pay Wallet app or Suica App.

Yet all that complaining over online Mobile Suica app services however, tells us something important about mobile internet connections in station areas, on trains and subways: they suck. Despite ubiquitous 4G LTE~5G cellular and WiFi coverage, reliable internet is notoriously fickle in those famously busy Japanese train stations. This is the real reason behind all those ‘this app sucks’ Suica App reviews. Interestingly enough, this is the same performance gripe with the mobile myki system in Victoria. Like Mobile Suica this became a problem because mobile internet connections weren’t up to the job of delivering reliable, trouble free ‘anytime, anywhere’ recharge/top-up, which people tend to do in transit.

Which brings us to Smart Navigo, the Île-de-France Mobilités (IDFM) Paris region transit card for mobile that is going wide on Android smartphones this year. IDFM has spent a lot of time and expense working with Calypso Networks Association (CNA), the transaction tech used for Navigo, to implement the less secure network dependent Calypso HCE ‘cloud’ secure element approach as the default mobile transit tech for Android devices in 2022.

It is very unusual that IDFM chose HCE as their go to mobile strategy on Android when the more secure hardware embedded secure element (eSE) is standard on all smartphone NFC devices, and does the job without internet connections. HCE is very different from eSE in that both NFC smartphone and the reader need a connection to talk with a server. HCE was also conceived for leisurely supermarket checkout, not the challenging transit enviroment. How does Calypso HCE compare to the network-less eSE experience? CNA says:

For security reasons, transactions using the personalization key or the load key are not possible through the NFC interface, and must be done with a secure connection to a server.

Only the Calypso debit key is stored in the HCE application for validation on entrance and control during travel, coupled with a mechanism of renewal of the Calypso Serial Number (CSN) to mitigate the risk of fraud : a part of the CSN contains date and time of validity of the debit key which shall be checked by the terminals.

Thales says: poor mobile network coverage can make HCE services inaccessible. In short no internet connection, no mobile transit service. Let’s compare the basic mobile transit card features of Mobile Suica with Calypso HCE:

It’s too bad IDFM didn’t study Mobile Suica shortcomings, they could have learned a few things. Most certainly they understand HCE shortcomings but chose it anyway for unknown reasons. Perhaps there are challenges getting Calypso retroactively installed on the eSE on many different Android devices and HCE was the only way to rollout Smart Navigo quickly. The Android platform reputation for keeping devices up to date with the latest software is lousy due to the slow manufacturer response.

Right out of the gate Smart Navigo HCE won’t support power reserve NFC transactions even on Android devices that support it for regular eSE NFC. In total, there are 6 core Smart Navigo features that are internet connection dependent vs 1 Mobile Suica feature. 6 more things to complain about when they don’t work…in other words the Smart Navigo HCE suck index is 6 times greater than Mobile Suica. If Suica App is anything to go by, there are going to be a lot of bad Google Play reviews for the HCE version of the Île-de-France Mobilités App.

iPhone and Apple Watch users can be thankful that Apple Pay Navigo will use eSE (as Samsung Pay Navigo already does), and avoid most of this mess when the service launches in 2023, matching the Mobile Suica experience, feature for feature.


2022-07-13 Update
IDFM started open beta testing of their Smart Navigo HCE via a signup website. Any Android 8 NFC capable device can be used, most Pixel users are out of luck however as only Pixel 6 is listed. There are also differences from regular Express Transit Mode capability of eSE as iGeneration points out:

During validation <transit gate tap>, this application does not need to be launched, but the phone must have its screen on and be unlocked. This is a major difference with the “Express mode” of iPhones <and Apple Watch> that can work without waking them…

I’m beginning to wonder if IDFM and Calypso went with HCE, despite the downsides and the fact that modern NFC capable smartphones all have eSE as standard, because of licensing fee headaches. Assume that Mobile Calypso don’t come pre-installed on smartphone eSEs, unlike EMV, then imagine the nightmare of: (1) dealing with all the Android manufacturers to retroactively update their devices so they are compatible with eSE Navigo (such as currently found on compatible Samsung Pay devices), and (2) getting Google Pay on board. Going the HCE route likely avoided a lengthy messy delay getting Navigo on mobile for the Android masses.

This is exactly the mess that Apple Pay takes care of behind the scenes so users don’t see or deal with any of it. That’s the value of having a gatekeeper, better UI and security encourages users to use NFC payments and Apple Pay use far exceeds any other digital wallet…this is the benefit that Apple Pay delivers to developers. Too bad it’s going away for EU users that the EU is forcing Apple to give up their NFC gatekeeping role, which is very sucky indeed.

Contactless Payment Turf Wars: the Smart Navigo HCE power play

Don’t you love how big organizations play fast and loose with big concepts like Host Card Emulation? HCE was SimplyTapp created technology that Google incorporated into Android Pay in 2013 sowing endless nonsense and confused debate about ‘open’ vs ‘closed’ NFC, aka the secure element wars. Back then industry pundits said:

The significance of HCE is that it frees NFC from dependence on the secure element, which has largely been controlled by mobile carriers. Banks, merchants, and wallet developers must pay fees for access to that chip. Yeager is counting on HCE to scare up interest among issuers and kickstart NFC, which has been stuck in neutral for years.

SimplyTapp, the Power Behind Google’s NFC Workaround, Aims at Mobile Banking

HCE was created when the cloud was seen as an answer for every problem. All it did for ‘freeing’ NFC from dependence on the secure element on a device was make it dependent on a network connection to connect with a ‘secure element in the cloud’. But this was overlooked in the rush to ‘free NFC’ from the evil grasp of mobile carriers.

How little things change, swap ‘evil mobile carriers’ for ‘evil Apple’ and you have exactly the same self serving ‘open’ vs ‘closed’ NFC chip nonsense that people are debating in Europe and Australia today. FeliCa Dude, the ultimate industry insider who has experienced it all, said it best: ‘It’s all eSE or nothing now.’

Let’s make this simple as possible and list the industry forces in the NFC secure element wars:

  1. SIM Secure Element (SE) used by the mobile carriers for carrier locked NFC payments
  2. Embedded Secure Element (eSE) used by smartphone manufacturer digital wallet platforms (Apple Pay, Samsung Pay, Huawei Pay that use customized eSE and truly control it, off the shelf all-in-one NFC chipset users like Pixel and Xiaomi not so much)
  3. Host Card Emulation (HCE) is a secure element in the cloud strategy used by banks and card issuers on network connected Android devices using their own apps that bypass #1 and #2.

Carriers, smartphone manufacturers, banks•card issuers. Carriers lost out long ago. A classic case would be NTT docomo who built the worlds first major digital wallet platform, Osaifu Keitai, using Sony Mobile FeliCa technology back in 2004. Osaifu Keitai eventually made it to the other major Japanese carriers (KDDI au and SoftBank) but the carriers made the mistake of locking and limiting Osaifu Keitai service to SIM contracts and their own branded handsets.

More than anything else, carriers milking Osaifu Keitai as an expensive exclusive SIM contract option instead of making it a SIM free standard for everybody, was the reason why Osaifu Keitai growth stalled. The 2016 launch of Apple Pay in Japan circumvented the entire SIM SE mess with its own eSE, and gave Mobile FeliCa the second chance it’s enjoying now.

Smart Navigo power play
Smart Navigo is the Île-de-France Mobilités (IDFM) Paris region transit card for mobile on Galaxy devices, and Android smartphones with Orange SIM cards. France was an early innovator of NFC on mobile phones but it did not lead to early mobile transit adoption: Smart Navigo launched in September 2019.

Fast forward to 2021, today in LeParisien: Île-de-France: why some smartphones no longer allow access to the metro. A step forward, a step back. The modernization of the ticketing system in force on public transport networks in Île-de-France is not a long quiet river.

What LeParisien was reporting was that IDFM suddenly ended their partnership with Orange: “As long as you do not change your SIM card, the service is operational: you can continue to buy tickets and validate them with your phone,” If customers change their Orange SIM card, Smart Navigo no longer works. IDEM is freeing Smart Navigo from the evil grasp of a mobile carriers.

The French Apple news site iGeneration reports:

A new solution is scheduled for deployment in mid-2022. It will be open to all Android smartphones, without operator constraints, thanks to HCE (Host Card Emulation) technology that emulates cards in a mobile application, allowing it to free itself from NFC constraints. HCE was also partly used for the SIM card developed by the start-up Wizway on behalf of Orange.

It’s 2021, the secure element wars ended years ago. Perhaps IDFM didn’t get the message. Or maybe they want to turn back the clock and fight the battle again. IDFM has spent a lot of time and expense working with Calypso Networks Association, the transaction tech used for Navigo, to develop the less secure network dependent Calypso HCE ‘cloud’ secure element approach. It flies in the face of where payment transaction technology has been going with eSE as standard hardware on all modern NFC devices.

It’s important to remember that one problem with the term HCE is that people and companies use it very loosely. All secure element methods have to load payment credentials from the cloud at some point. The big difference is that eSE and SIM SE have secure physical areas to store those payment credentials on the device, HCE does not. Far too many people assume that any kind of loading from the cloud = HCE, it does not. HCE = storing on the cloud.

This cloud approach has downsides outlined by Thales:

With HCE, critical payment credentials are stored in a secure shared repository (the issuer data center or private cloud) rather than on the phone. Limited use credentials are delivered to the phone in advance to enable contactless transactions to take place.

This approach eliminates the need for Trusted Service Managers (TSMs) and shifts control back to the banks. However, it brings with it a different set of security and risk challenges…

A centralized service to store many millions of payment credentials or create one-time use credentials on demand creates an obvious point of attack. Although banks have issued cards for years, those systems have largely been offline and have not requiring round-the-cloud interaction with the payment token (in this case a plastic card). HCE requires these services to be online and accessible in real-time as part of individual payment transactions. Failure to protect these service platforms places the issuer at considerable risk of fraud…

All mobile payments schemes are more complex than traditional card payments, yet smart phone user expectations are extremely high:

•Poor mobile network coverage can make HCE services inaccessible.
•Complex authentication schemes lead to errors.
•Software or hardware incompatibility can stop transactions.

What is Host Card Emulation (HCE)?

The two key takeaways are: 1) HCE shifts control back to banks and card issuers, 2) No network connection = no HCE. Think of HCE as the NCF equivalent of QR Code payment services like AliPay and PayPay that also send payment credentials to the app, just in a different format.

Apple Pay has succeeded because it delivers on those high smartphone user expectations better than any other digital wallet out there. That’s why JR East needed to get Suica on Apple Pay to take Mobile Suica to the next level combining ease of use with growth, which is exactly what happened.

IDFM unceremoniously dumping Orange and going all in with HCE says to me that IDFM wants full control and nothing to do with carrier SIM SE, smartphone manufacture eSE, nor pay transaction fees to anybody… it’s our app or nothing.

We won’t know the full story until the HCE Android service starts sometime in 2022, presumably after pay-as-you-go functionality is fully operational and ready on all exit gates. IDFM has been in talks with Apple ever since Smart Navigo was first announced in 2017. At that time they said:

“Unfortunately, it won’t be possible for iPhone owners to use the service since Apple does not yet allow third parties to access the NFC secure element in their phones. However, we are happy to explore the possibilities with Apple to offer the same service to all Paris public transport users.

Apple Pay Smart Navigo has yet to appear. If IDFM is waiting for Apple to support HCE, it will be a long wait. IDFM released an updated iOS app earlier this year that added iPhone recharge functionality for plastic Navigo cards.

One last thing: smart wearables won’t work with a HCE only Smart Navigo strategy. This is the lesson that Fitbit and Garmin have learned well from Apple Watch for deploying Mobile Suica on their devices: keep things simple and on the device for local processing without a network connection. This is what makes the Suica support coming to WearOS so interesting, it might succeed in beating Android as the first non-Apple global NFC device.

As for Smart Navigo, indeed a step forward, a step back. The IDFM journey to mobile ticketing for everybody is not a long quiet river.


This concludes the final installment Contactless Payment Turf Wars. It has been an unexpectedly longer series than planned. I hope people enjoyed reading them as much as I enjoyed writing them. Thanks always and happy transits!