The Apple Pay monopoly debate part 2: the gatekeeper difference

I’ve always said people should pay attention to the Japan mobile payments market because there is a lot to learn from the successes and failures of the world’s first large scale mobile payment platform. There are important lessons when it comes to the EU Apple Pay monopoly debate and the downsides of having an ‘open’ iPhone secure element and eliminating Apple’s gatekeeper role.

The Osaifu Keitai mobile payment platform that launched in 2004 has supported a lot of different hardware over the years, from Symbian OS handsets to Android smartphones. During that time it has evolved from a carrier exclusive feature with SIM locked devices to the current SIM free market model. The software has evolved too, away from devices with dedicated FeliCa chips to standard NFC chips with GlobalPlatform certified embedded secure elements that do it all, like Pixel and Chinese smartphones sold in Japan. People assume there is a special ‘FeliCa chip’ on FeliCa capable devices but this isn’t the case anymore. Taken altogether those are big messy transitions.

Nikkei recently posted a scare mongering piece, typical for them, about the looming security risk of previous user Suica cards and the like left on Osaifu Keitai devices when resold on the open market. Yes, it’s true, an Android factory reset doesn’t wipe FeliCa junk off the secure element, but it has always been like this so why the sudden handwringing?

For most people this isn’t an issue. When upgrading or repairing a device through carriers or second hand retailers, they wipe both device and secure element as standard practice. It’ a potential problem for Osaifu Keitai devices sold on the open market (Mercari, etc.) as the seller is responsible for clearing off their card junk. This should be done before selling the device of course but like all things Android, it’s a piecemeal process that requires deleting cards in each payment service app (Suica, PASMO, iD, QUICPay, etc). The secure element data can also be wiped at a carrier shop data wipe kiosk. On older pre-Mobile FeliCa 4.0 devices it can be a real chore:

I just about lost my mind when I was unable to even delete Edy on my phone as Rakuten has locked me in app for “fraud.” The whole sitch is indeed ridiculous so I was super happy to see the back of Osaifu-Keitai. Apple Pay truly doing the God’s work here.

You can’t even see if you deleted all the cards as the later FeliCa versions only show “memory in use” without telling you what’s in it. And each app has a different flow & some doesn’t even allow deletion! Complete nightmare.
(Twitter comment)

On Mobile FeliCa 4.0 and later, if virtual cards are deleted, you will see ‘unused’: in that condition, the device can be transferred to a new owner and they will have no problems with it. This is what resale stores look for. Block usage data is only shown on 3.0 and below. (Felica Dude)

The Apple Pay gatekeeper role
From a usability and privacy perspective, Apple wipes the floor with Osaifu Keitai, as you would expect from an Apple product. Apple Pay is designed from the ground up to protect users from complexity by tying everything to the user Apple ID. When the user signs out of Apple ID, Wallet app contents are moved to iCloud and the iPhone secure element data is instantly wiped clean. No messy 3rd party app accounts to deal with.

Apple can do this because they ‘own’ the custom embedded secure element on their devices. They are the gatekeeper with in-house key servers that Apple Pay servers use to load card applets into the user’s Wallet app. They maintain and update the basic protocols (EMV, Mobile FeliCa, MIFARE), etc.) and take care of Wallet card housekeeping. It’s something Google Pay can’t do in Japan because it’s only a candy wrapper over the gnarly old Osaifu Keitai stack ultimately ‘owned’ by FeliCa Networks.

Does the EU want to foist the current state of Osaifu Keitai-like complexity and potential security problems on iPhone users in the name of ‘open NFC’ with a bunch of different NFC owners pulling in different directions, apps occasionally stepping on othe app NFC toes? Because that will be the reality, though people who want to eliminate gatekeepers will surely write it all off as a ‘Japanese galapagos’ thing or a FeliCa thing because it doesn’t serve their self-interest. It would be a darn shame if iPhone are forced learn the Osaifu Keitai lesson the hard way.


Related post: The Apple Pay monopoly debate part 1: context is everything

iOS 16 Wallet: expanding the Apple Pay experience, aka Suica auto-charge for the rest of us

iOS 15 added big new features to Wallet, expanding digital keys from cars to include home, office and hotels and ID in Wallet driver licenses for the first time. There were smaller but important UI changes too. A new add card screen offered new categories making is easy to add transit cards regardless of the device region and quickly re-add previous Wallet items from iCloud. iOS 15 was all about Wallet to the extent that Apple now advertises it as a separate thing from Apple Pay with a separate web page, and even referred to Apple Pay as “one of the most important areas of Wallet” in the WWDC keynote. Very interesting.

iOS 16 moves the focus back to Apple Pay and making digital payments more useful, practical and universal. The WWDC22 Keynote announced Apple Pay Later, in-app ID card verification and key sharing. Apple Pay Later is one aspect of several new Apple Pay functions unveiled in the What’s new in Apple Pay and Wallet session.

Multi-merchant payments: In our online world we can never be sure how many sub-merchants are involved when we order something and how our card information is shared. In multi-merchant Apple Pay, multiple payment tokens are issued for each merchant in the same transaction, preserving user privacy, with the iOS 16 Apple Pay paysheet showing a breakdown of each sub-merchant charge. This feature works mostly on the backend, but showcases how smartly the Apple Pay Wallet team design features to ‘just work’ securely for merchants and customers.

Automatic Payments
My favorite iOS 16 feature as it addresses a lot of interesting use cases, much more than just Apple Pay Later installments which fall under:

Reoccurring payments, which include things like installments and subscriptions, basically any regularly scheduled payment. With the recent Starbucks Japan price increases, I decided to sign up for the new JR East Beck’s Coffee Shop subscription plan. Up to 3 cups a day for ¥2,800 a month. A pretty good deal for commuters like me. The Beck’s subscription service is subcontracted out to an interesting online business venture company called Favy that uses Sign in with Apple to create an account. Payment however is manual credit card entry with the onerous, ubiquitous 3D Secure sign-in. Pass issue and serving size selection (M=¥50, L=¥100 extra) is done in Safari. It works well enough, but canceling or getting payment details is a real Safari expedition. It would be a much better, and faster, customer experience doing it all in Apple Pay.

Automatic Reload: this is the real money feature for me because it plays on the classic snag of using Apple Pay Suica…recharge. All pre-paid cards are a catch-22. Japanese users love them because they like the “I know how much money I’m adding to my card” aspect of manual recharge, but there’s the inevitable, you know you forgot about it, bing-bong ‘please recharge’ transit gate alarm when Suica balance is short.

JR East offers Suica Auto-Charge (auto-reload) as a feature of their VIEW card. The auto-charge option works great with Apple Pay Suica but like all transit card auto-charge, it is tethered to the transit gate NFC system. This means the users gets instant, seamless auto-charge but only on the operator’s transit gates. Suica auto-charge does not work outside of the Suica and PASMO transit gates, not at store terminals, not in other transit card regions like JR West ICOCA. This limitation is a big customer complaint, I and many others would love Apple Pay Suica auto-charge to work everywhere.

Apple Pay automatic reload takes care of this problem very nicely. Suica would recharge anywhere because the card balance ‘trigger’ and reload process is done via Apple Pay instead of JR East transit gates and the Suica system. JR East could keep auto-charge exclusive to their VIEW cards as they do now or easily, selectively expand it. Either way they would greatly increase the usefulness of VIEW and Suica by supporting the new Apple Pay automatic reload feature. The possibilities are are pretty exciting.

Order tracking
Another very useful feature I think people will love using. The addition of QR/barcodes in the Apple Pay sheet is a first and will greatly shorten the order pickup~delivery process. The best use case of Apple Pay and bar codes that I can think of.

ID verification in apps
This is where ID in Wallet gets real. Wallet app has TSA airport checkpoint verification built-in but that’s not going to help all the government issuing agencies, not to mention software developers, around the world who want to implement digital ID verification to unlock various digital services.

JR East for example has centered their whole Super Suica MaaS Cloud initiative around ID PORT and the ability to match various region or age based services (discounts, special fares, etc.). In other words JR East and their sub-merchant or local government agency want to know where I live and how old I am. This is all provided on the Japanese government My Number digital identity card launching later this year on Android, and Apple Wallet later on. But I don’t want my personal details going everywhere. If the MaaS campaign app or website only needs to know that I live in Tokyo and am over 60, that’s the only info I want to give them. This is what the new PassKit ID request APIs in iOS 16 do: give apps only the information they need to perform a verification for a service and nothing more.

Key sharing
Nothing big here, but it does address one iOS 15 Wallet shortcoming for home, hotel keys which that could not be shared and expanded share options beyond mail and messages. I’m doubtful Apple includes office keys in the bargain but the fine print reads: available on participating car brands and access properties. We’ll find out when iOS 16 ships.

And then there’s Tap to Pay on iPhone. It’s really not an Apple Pay function to me because it turns iPhone into a very handy and portable NFC payment terminal, but it makes sense branding wise. Just say Apple Pay for making…and accepting payments. Anywhere the merchant has their payment provider POS app and a network connection, they are ready to go. This is big. Apple has lined up an impressive number payment providers in a very short time who are happy to leave all the hardware certification and secure element management to Apple and focus on software. I can practically feel the intense interest from Japan where local payment providers would love to leverage the global NFC capable iPhone for seamless EMV and FeliCa payment services. It could be an interesting Apple Pay year.

Apple Platform Security May 2022: Tap to Pay on iPhone, Express Mode scare mongers and other fun

Ahh springtime, flowers and the annual Apple Platform Security (APS) update. This year’s version has many Apple Pay housekeeping changes. Previous versions put everything Apple Pay in a single section. In keeping with Apple spinning out iOS 15 Wallet app as a separate identity, Wallet has its own separate section now, covering all the things Jennifer Bailey unveiled at WWDC21: hotel-home-office keys and ID in Wallet. The Apple Pay section adds a new category for Tap to Pay on iPhone with some interesting bits.

The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with to the Contactless Payments on COTS (CPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC) and are PCI DSS compliant.

The Tap to Pay on iPhone server emits decryption keys to the Payment Service Provider after validation of the integrity and authenticity of the data, and after verifying that the card read was within 60 seconds of the card read on the device.

What’s interesting to me is that Tap to Pay on iPhone servers are providing a seamless payment reader experience in the same way that Apple Pay servers provide a seamless pay experience. It just works, from setup to use, the same tight integration allows payment service providers to focus on POS app development and forget about the hardware because Apple Pay takes care of everything. As Junya Suzuki tweeted recently, a lot of payment reader hardware is suddenly junk compared to what iPhone is providing with tight mobile integration and Tap to Pay servers on the backend. Now with Tap to Pay apps on the horizon, good thing that iOS 15 Wallet expanded the secure element max to 16 ain’t it?

Speaking of Wallet, this separate section covers all things “access credential” related (hotel-corporate-home-car-student ID) with App Clips suggested for provisioning multifamily home keys. Transit now includes eMoney cards (or is it e-Money, Apple seems confused about it just like Express Mode vs Express Transit) and IDs in Wallet is covered in detail. There is also an intriguing iOS 15.4 Wallet security tweak:

In iOS 15.4 or later, when a user double-clicks the side button on an iPhone with Face ID or double-clicks the Home button on an iPhone with Touch ID, their passes and access key details aren’t displayed until they authenticate to the device. Either Face ID, Touch ID, or passcode authentication is required before pass specific information including hotel booking details are displayed in Apple Wallet.

It sounds almost exactly what we already do with regular Apple Pay cards. Perhaps keys and passes only show a generic icon and checkmark with Express Mode with the double-click + authentication required for show details…it’s not very clear.

Speaking of Express Mode, ‘security experts’ are still scare mongering the masses with the tired old Russian security expert/Apple Pay VISA Express Transit exploit story that made the rounds last November, regurgitated by Forbes in the over the top scary sounding, and sloppily written (this is Forbes after all), “How hackers can drain your bank account with Apple and Samsung tap and pay apps“.

The whole security expert thing reminds me of what my uncle the doctor (who ran a medical research lab at Columbia University) used to say about his disdain for pharmaceutical companies, “They don’t want to cure you, they just want to keep ‘treating’ you with their medicines.” Human nature never changes. The gist is that EMV Express Transit Mode will always be a thorn in Apple Pay’s side because the security is up to the card companies.

The document is worth your time is you have any interest in Apple Pay and Wallet.

State of Suica 2022

Now that the 1st wave of Suica 2 in 1 card launches is complete, it’s a good time to review the ‘State of Suica’. And it’s always interesting to examine the cultural differences too, when it comes to labeling trends as ‘good’ or ‘bad’. Westerners for example invariably say, what’s the point of having so many Suica card flavors? It’s a waste, better to have just one. It’s a classic double standard professing to want but insisting that life should revolve around single kind of credit card. Japanese don’t seem to care much as the culture is adept at ‘振り分け’: this thing for doing this, that thing for doing that. And the region affiliate users getting Suica for the first time seem pretty excited and all Suica varieties work the same for transit and e-Money purchases.

As of now we have the following plastic Suica card flavors beside the regular Suica available at station kiosks: Rinkai Suica, Monorail Suica, Welcome Suica and Suica Light. On the Mobile Suica side we have: Osaifu Keitai, Apple Pay, Google Pay, Fitbit Pay and Garmin Pay, along with branded Mobile Suica for Rakuten Suica and au Suica on Osaifu Keitai and Mizuho Suica on iOS. Last but not least we have 11 new Suica 2 in 1 Region Affiliate Transit cards that are the keystone of JR East’s MaaS strategy.

What exactly are the differences? It comes down to commuter passes or points. For Suica 2 in 1 cards specifically, it is both. This is a small but very important difference. All the other non-regular Suica outside 2 in 1, come with specific features and limitations. Rakuten and KDDI au users can recharge those Suica with those outside point systems but they can’t add commute plans. Welcome Suica expires in 28 days, Rinkai and Monorail Suica exist for commuter passes and nothing else, and so on.

Suica 2 in 1 doesn’t have limitations and does more than any other Suica: it can hold 2 different commuter passes (one from JR East, one from the region affiliate) and it supports 2 different point systems: messy JRE POINT which is an optional account setup manually linked to the Suica card number, and local government subsidized region affiliate transit points which are automatic and stored on the card itself. The only thing the user needs to do is use the appropriate card for transit to earn and use transit point discounts.

In a mobile payment era where everybody is distinguishing themselves with increasingly complex reward point schemes, the simplicity and flexibility of Suica 2 in 1 transit points, think of it as locally processed transit point stored fare, can go places that old Suica cannot. Imagine how many more people would use Suica transit in Tokyo if it came with transit point discounts. There are other 2 in 1 features not yet supported by regular Suica: disabled and elderly transit user discounts. These are coming to Tokyo area plastic issue Suica, and PASMO too, this October though I suspect those won’t come to Mobile Suica until it gets an upgrade.

Mobile FeliCa hasn’t been updated to the next generation ‘Super Suica’ FeliCa SD2 architecture yet, but once updated we should see Suica 2 in 1 on mobile and new Suica features, along with more Suica 2 in 1 Region Affiliate cards. All in all the new Suica 2 in 1 card format tells us where JR East wants to go.

There are some interesting numbers from the JR East FY results. All things transit took a huge hit in FY 2021 from the COVID pandemic, Suica included, but are now recovering though still below pre-covid transaction levels. Another surprise is the popularity of Eki-Net eTickets, a 39% usage rate is not bad for a service that only started in March 2020. One of the smarter things JR East did with Eki-Net eTicket discounts is making them simple and available to all Eki-Net users and credit cards. The JR Central EX system has 2 different Shinkansen eTicket tiers (EX-Press and smartEX) with larger EX discounts limited to select credit cards.

There are lots of things that JR East needs to do longterm, more Suica day passes, Mobile Suica recharge that is available 24/7, phasing out legacy mag strip ticketing and UWB touchless transit gates. In the short term we have Cloud Suica and Mobile ICOCA coming online in March 2023, the end of the current fiscal year. At the very least it should be an interesting time for JR West ICOCA users, and one more nail in the PiTaPa coffin.


Apple removes region requirement for Suica, swaps recharge with top up and other updates

Sometimes it takes Apple support pages a while to acknowledge the current reality of iOS. iOS 15 Wallet brought ‘region free’ transit cards with an improved UI so that allowed Apple Pay users from anywhere to add transit cards directly in Wallet. Apple support document HT207155 “Add a Suica or PASMO card to Apple Wallet removed the ‘device region set to Japan’ requirement in an April 29, 2022 update, some 6 months after the iOS 15 release.

‘Region free’ transit cards are not all equally region free however: some transit cards only accept locally issued Apple Pay cards for adding money. This is the case for Hong Kong Apple Pay Octopus and all Chinese T-Union brand transit cards (too many to list). Octopus does offer a surprisingly user unfriendly iOS Octopus for Tourist app for tourists add Octopus to Wallet, that unfortunately locks in usurious currency exchange rates.

Suica remains the first, and best, truly region free transit card because you can “pay for transit rides and make purchases with just a tap,” and all Wallet payment cards that support in-app payments are good for adding money to Suica (and PASMO).

There are also some interesting tweak updates in the companion support doc: Use Suica or PASMO cards on iPhone or Apple Watch in Japan. The first is Apple going all in with the UK English ‘top up’ as the default English word for adding money to prepaid cards. Why not stick with regional differences? Does Apple want America to become a cultural extension of Great Britain or something? Recharge was used previously in the US doc version though I suspect most Americans use reload. ‘Top up’ is too quainty UK English for my tastes, sounds like drinking. I’ll stick with recharge.

The other change is an expanded Check the balance section that now includes If your Suica or PASMO card balance doesn’t update, with a link to a fairly new support doc, “If your transit card balance doesn’t update in Apple Wallet.” If there is one common complaint from Suica and PASMO users it is that the sometimes sluggish Apple Pay recharge process, usually due to a poor internet connection, occasionally results in the balance not updating. As the Apple doc states: the truth is always in the recent transactions list.

The last new tweak is a new section: Get a refund for purchases made with your Suica or PASMO. It has good advice that should have been there from Apple Pay Suica launch day, “return the item to the same terminal where you made the purchase before you use Suica or PASMO to make another purchase using Apple Pay.”

Unfortunately Apple failed to update has the Use the Suica or PASMO app section, leaving some very outdated and incorrect information. Shinkansen eTicket service in Suica App ended back in March 2020, and Green Car tickets were never available in PASMO app.

I guess they were too busy swapping American English with British English to notice the errors.

Add a Suica or PASMO card to Apple Wallet: no more region settings