Multiple Secure Element domains for Mobile FeliCa 4.1

FeliCa Dude posted a series of deeply interesting tweets relating to Mobile FeliCa 4.1 changes. He had earlier complained of Mobile PASMO’s lack of Pixel 5 support and it now appears that multiple Secure Element domain support in Mobile FeliCa 4.1 was a reason for that delay. This is a fascinating development but what is it there for?

On a Mobile FeliCa 4.1 Google Pixel device Google has its own secure element domain

I assume his tweeted profile is for a Pixel device, hence the FeliCa Networks secure element (SE) + Google SE references. In this context it appears that Google ‘owns’ the Mobile FeliCa SE and which applets load, in other words FeliCa Networks needs permission from Google to load applets on a Google device SE. Devices come pre-loaded as always so customers simply use it out of the box, but the implication is that FeliCa Networks and the SE domain ‘owner’ can load/delete Java Card applets and even update Mobile FeliCa over the air. Whether they actually use this functionality or not is another story.

FeliCa Dude thinks multiple secure element domains are also there to support Ministry of Internal Affairs and Communications (MIC) plans for a digital version of My Number Card (Individual Number Card) for smartphones using the Mobile FeliCa eSE, even though the current plastic card uses NFC-B. It’s strange but exciting to ponder the possibilities of a Mobile FeliCa 4.1 secure element that supports non-FeliCa protocols.

One of the big changes of Mobile FeliCa 4.0 was that it introduced loading a FeliCa applet on any approved secure element. This change frees Android device manufacturers from having to purchase FeliCa chips from the FeliCa Networks supply chain. It basically gives Android devices the same custom secure element arrangement Apple has had since the iPhone 7 Apple Pay Japan launch in 2016.

I asked FeliCa Dude if the Mobile FeliCa 4.1 development is also related to next generation FeliCa feature support used for Suica 2 in 1 cards coming this month, in particular the new Extended Overlap Service. He says this is unlikely but I hope we discover other pleasant surprises as intrepid explorers dig into Mobile FeliCa 4.1 details.

MIC digital My Number Card proposal for smartphones

End of the line for Suica and the native Japan Transit IC smartcard standard?

There is a consistent theme among some Japanese tech journalists: the native Japan Transit IC smartcard system is obsolete and destined for that fabled junk heap, the Galapagos island of over-engineered irrelevant Japanese technology. The arguments always boil down to cited higher costs of maintaining the ‘over-spec’ proprietary FeliCa based inflexible transit IC architecture in the face of ‘flexible, lower cost’ proprietary EMV contactless bank payment tap cards and smartphone digital wallets used for open loop transit. Is Suica really ‘over-spec’ or is it clever stealth marketing sponsorship from EMVCo members and the bank industry disguised as journalism? Logically the same argument applies to proprietary MIFARE smartcard transit systems as well but is never mentioned, presumably because it was invented in Europe instead of Japan.

Despite all the digital ink on the subject I have yet to see a single article where said costs are actually shown and compared. Smartcard deposit fees are a standard way to offset plastic issue costs and Japanese transit companies like to earn interest off the float of card deposits and unused stored value. But this is never discussed nor the fact that digital wallet issue is free of hardware costs.

Bank payment cards and smartcards have very different business models. EMVCo members and their card issuers can hide associated hardware and licensing costs in bank transaction fees that NXP, FeliCa Networks and other smartcard technology solution providers cannot. Without hard numbers we can only take journalist claims at face value, that transit smartcards are not smart at all, but expensive obstacles to lower cost open loop centralization nirvana.

I don’t buy the ‘one solution fits all’ argument and neither should you. One constant issue in our internet era is that too much centralization is not only a technology monoculture security risk, cloud services fail, and cloud centralization is abused to limit human rights. As speech is censored on SNS platforms and online profiling is used to limit freedom of travel with politically biased no fly lists, it is inevitable that face recognition transit gates will be used to track people and implement ‘no ride’ or ‘limited ride’ policies. These are issues that people must be aware of in the relentless rush towards online centralization of transit payments and services.

Nevertheless there are articles with valid criticisms well worth reading. I ran across one recently by Masanoya Sano on Nikkei that asks a good question: ‘Does taking 14 years to deliver Mobile PASMO mean the transit IC card foundation is crumbling?’ While I don’t agree with everything Sano san says he makes a good case that Japan Transit IC association members are failing in the face of a hydra-headed crisis: declining population with less ridership, fierce competition from other payment services such as PayPay and EMV based VISA Touch, and ridership killing COVID lockdowns. He argues that transit companies must fix some basic problems if the Japan Transit IC standard is to survive:

  • Increase coverage: get all transit on the Transit IC card service map
  • Go mobile: for all transit cards
  • Improve the transit IC card architecture: improve compatibility and loosen up current restrictions for 200 km and cross region transit, and the ¥20,000 stored fare limit

I believe most, if not all of these can be addressed with next generation FeliCa + 2 in 1 Suica (aka Super Suica) launching this year and deeper payment infrastructure sharing between transit companies. Nothing is guaranteed of course but here’s a look at each category and possible solutions.

Coverage
The transit IC coverage gap is the biggest failure of Japanese transit companies and there are big gaps. Suica only covers major population areas in Tokyo, Niigata and Sendai; roughly half of the stations on JR East are not wired for Suica. A similar situation applies to the other JR Group companies. JR East has promised to get their entire rail network on Suica with a simplified lower cost cloud based Suica in the 2020 fiscal year ending March 2021 but has yet to announce any details (they are specifically referenced in the new Suica Terms and Conditions effective March 27).

On the plus side JR West is expanding ICOCA coverage with a light rail approach of incorporating NFC readers installed in the train car for tap in/tap out for unmanned stations. No wires. SMBC and VISA use the same strategy for their VISA Touch transit boutique marketing program. It’s a practical low cost strategy for lightly traveled rural lines that reduces the hard wire requirement. Only stations that need it get wired and even those installations can use the lower cost JR East cloud based system.

JR West ICOCA area expansion includes on train NFC readers starting March 13, 2020

All major transit companies need to install these lower cost solutions to fill the transit IC gaps and integrate remaining isolated regions. VISA Touch transit boutiques are marketed as a solution for inbound and casual users, but these EMV only installations leave those transit areas off the transit IC grid for regular users and don’t work for wider area travel.

Mobile
Mobile Suica and Mobile PASMO combined represent 80% of the current transit IC card market. Mobile ICOCA (JR West) is due to launch in 2023. There is no word yet about mobile for TOICA (JR Central), manaca (Nagoya City Transit rail/bus), PiTaPa (Kansai region private rail/bus), Kitaca (JR Hokkaido), Sugoca (JR Kyushu), nimoca (Nishitetsu), Hayakaken (Fukuoka City Transit). This is a big challenge but the borrowed Suica infrastructure used for Mobile PASMO is a strategy that can be applied to the other major cards.

Improving Transit IC
JR East is releasing the 2 in 1 Suica card architecture that incorporates new FeliCa OS features, the most important being the “2 cards in 1” Extended Overlap Service. New regional transit cards using this new FeliCa OS and Suica format are launching this month in Aomori, Iwate and Utsunomiya. The next challenge for JR East is expanding 2 in 1 Suica to existing and important regional transit cards inside the JR East transit region such as Niigata Kotsu Ryuto and Sendai City Transportation Bureau icsca.

The ultimate long term success of the Japanese Transit IC systems depends on infrastructure sharing and integration. For this to happen other JR Group companies and private rail outside of the JR East regions have to incorporate the 2 in 1 Suica format and improvements for their own cards and regions. Only when all Transit IC Mutual Use Association members are using the new format can they link and combine services in new ways, and add new features such as raising the stored fare card value above the current ¥20,000 limit.

Will it be enough? I have no idea. Immediately I see problems for the Kansai region PiTaPa card association companies (Hankyu, Hanshin, Keihan, Kintetsu, Nankai) as they have to make fundamental changes to use the new card format. I don’t see a Mobile PiTaPa in its current incarnation and this is why SMBC (who run PiTaPa card accounts) and VISA are targeting the Kansai area for VISA Touch transit: non-JR Kansai transit companies have their backs against the wall and no easy way forward to mobile except for going all in with JR West Mobile ICOCA, or taking what SMBC offers them.

Open Loop competition
Kansai area private rail companies never managed to create the equivalent of PASMO. PiTaPa is a postpay card that has credit card issue checks and cannot be purchased at station kiosks like all other transit cards for casual use. Issue is limited, so Kansai transit companies issue JR West ICOCA commuter passes for people who can’t use credit cards. This is the context surrounding the SMBC VISA Touch transit for Nankai announcement that got lots of press attention as the first major test deployment of open loop on a Japan Transit IC card system.

Junya Suzuki’s latest Pay Attention installment has a deep dive on the VISA Touch Japanese open loop transit system solution powered by QUADRAC Q-CORE server technology. It is the solution also used for the Okinawa Yui Rail monorail fare system that integrates Suica/Transit IC and QR support. He argues that open loop EMV is good enough because, (1) we don’t need the over-spec FeliCa 200 millisecond (ms) transaction speed (it’s actually faster, between 100~150 ms), (2) it has a leg up on future MaaS and cloud integration. Holding onto Suica local transaction performance as ‘faster/better’ is a myth holding back progress.

I have tremendous respect for Suzuki san and his work but his arguments fall down for me here. He completely ignores the white elephant in the room: closed loop is here to stay because the open loop model cannot support all fare options. Even on the open loop systems that he champions, Oyster and Opal for example, closed loop cards are still essential and are transitioning to a closed loop EMV model for digital wallet issue. The only change is the closed loop card transition from MIFARE to EMV because bank partners are running the transit system account system backend instead of the transit company. In other words it has nothing to do with technology at all, it is bank system convenience. Bank convenience is what it all boils down to.

Making the right technology choices is essential in our era of limited resources: ride the right horse and you succeed. I want to believe the cloud holds the promise to extend transit IC to low transit volume rural areas that don’t have it now, but every time I use a slow cloud based stera payment terminal I’m reminded how impractical that approach is for stations with high transit volume.

Does it make cost sense to replace the current transit IC system and re-create it with EMV open loop when Opal, Oyster and OMNY systems will always need closed loop cards? The practical thing is leveraging a good system already in use. Upgrade the Japan Transit IC system we have now, spend precious resources on fixing current limitations and extend it with new technologies like UWB Touchless.

The strength and weakness of the Japan Transit IC standard is that it’s not top down but based on mutual cooperation. It’s not one entity but association members have to move forward as if they are one. JR East has been the technology leader and is working to improve and share it at lower cost. 2021 is not the make or break year for Japan Transit IC, but it will be an important and challenging one that will set its future direction.

The good old Japan Transit IC card mutual use map, all the little one way arrows marked with the ‘IC’ logo pointing outside the main IC area indicate transit system compatibility.

Apple Pay Japan 2020 Wrap Up Wish List

A two word summary for people in a hurry: COVID and PASMO. As everybody in Japan knows at this point, COVID drove cashless payment use more than any government program could, or anything else for that matter. Cashless went from being the perennial ‘next big thing’ to first choice at checkout in a surprisingly short time with a growing number of ‘cashless only’ places. Here’s a short recap of the best and worst of all things Apple Pay Japan in 2020.

The Worst: Face ID Apple Pay
COVID meant mandatory face mask wear outside the home. iPhone Face ID users outside of Asia quickly learned that Face ID and especially Face ID Apple Pay really sucks with face masks. Apple tweaked Face ID slightly to alleviate the issue but this is a long term problem with no short term workaround. Apple had the foresight to resurrect Touch ID in iPhone SE 2, the right device coming at the right time. For the time being it will hold up the middle and lower range iPhone user base in Japan. Face ID is such a marketing embarrassment right now that Apple only features Touch ID recharge on the Apple Pay PASMO page. The real short term future proof Face ID Apple Pay fix is Apple Watch.

The Biggest: Apple Pay PASMO
Mobile PASMO finally joined Mobile Suica, first on Osaifu Keitai Android then Apple Pay, the biggest and most important launch for Apple Pay Japan in 2020. Suica and PASMO combined represent 80% of the entire transit IC card market. In terms of pure usability, a large and diverse installed base, with Express Transit powered transit and purchases on iPhone and Apple Watch, PASMO easily beat all other Apple Pay service rollouts this year. Apple had VIP execs and foreign media on hand at the press event, something they haven’t done since the Apple Pay Japan launch in 2016.

The Most Influential: Toyota Wallet
The Toyota Wallet App rollout I wrote about a year ago turned out to be the model everybody is doing now: ‘XX Pay’ or ‘XX Wallet’ app consisting of a user account linked to a bank or credit card with a flexible payment dual mode front end offering QR Code payment via the app and an ‘instant issue’ prepaid card in Apple Pay Wallet. The Apple Pay Line Pay card launched on December 22 is the exact same model. Instant app issue debit and prepaid Wallet cards do away with plastic issue costs and lower the user entry bar, among other things. Expect more of this in 2021, actually expect everybody to do this in 2021.

The WildCard: App Clips
iOS 14.3 App Clip Code support completed the picture for App Clip developers, but it will take time to see how they play out in a market overcrowded with mobile payment options. I think there is always a chance for a low cost high quality service which intelligently designed App Clips can deliver. The key will be solving the Japanese Softcream Cashless Index (SCI) Challenge: can App Clip cashless do a faster more reliable job than good old food ticket vending machines, without an app and without an account? How streamlined can it be and still be an App Clip? I hope we can find the answers to those questions in 2021… but there’s one more thing.

The Missing: Apple Pay Code Payments
The iOS 14 Apple Pay AliPay/Apple Pay Code Payment has been in open secret test mode for nearly a year with no firm release in sight. If screenshots are anything to go by, Apple Pay Code Payments are done with a virtual Wallet ‘card’ like any other and Apple Pay Wallet cards have certain properties:

  • Direct side button Wallet activation with automatic Face/Touch ID authentication and payment at the reader.
  • Device transactions handled by the eSE without a network connection.
  • Ability to set a default main card for Apple Pay use.

Supporting QR Code payments with an Apple Pay Wallet ‘card’ moves QR payments out of the app and removes some, but not all, of the QR payment friction points. It makes App Clips a better user experience too when all payments can be accomplished with Apple Pay.

Ultimately I hope the Apple Pay Wallet card model moves away from single mode technology and evolves to multimode awareness that encompasses NFC, Ultra Wideband, QR, etc. It has to. Our smartphones must be smart and take care of any payment technology for us. They have to because things are only going to get more complicated. People ridicule the Japanese payments landscape but that will be everywhere. Card companies and banks push EMV as a ‘global standard’ but EMV already comes in different flavors like PBOC, so does NFC (NFC A-B-F-V), and Ultra Wideband is joining the mix.

That’s what digital payments are all about: combining complex things into ‘it just works’ simplicity. Anybody can create or load a Suica, Octopus or PASMO into Apple Pay, without signing up or creating a new account, and start using it for lots of different instant payments. That’s how simple it should always be. That’s my 2021 Apple Pay wish.

Best wishes for a happy and safe 2021.

UPDATE: Reader Apple Pay Wishes for 2021

>Mine would be for VISA Japan to support Apple Pay.

>Mine are resurrecting #FeliCa-based @VisaJP TOUCH (can be rebranded), @id_credit re-attempts @ #FeliCa network expansion overseas starting w/ equipping end-users w/ the technology in new card distribution (via digital & physical), & @JCB_CARD expands @QUICPay_PR network overseas.

Mobile PASMO Device Support

FeliCa Dude points out that Pixel 4a (5G) and Pixel 5 devices use the latest Mobile FeliCa 4.1 but are not yet qualified for Mobile PASMO even though they run Suica just fine. PASMO support lists them as in the works.

Worse than that however is that OEMs are still releasing Osaifu Keitai devices with older Mobile FeliCa 3.x/4.0 factory fixed firmware that either forces the user to choose between installing Mobile PASMO or Mobile Suica, or doesn’t work with Mobile PASMO at all. It’s a real snapshot of the Android hardware dilemma.

Apple Pay PASMO is supported in iPhone 8/Apple Watch Series 3 and later. iPhone 7 JP model users are not happy about that but the writing was on the wall with the Apple Pay Octopus ‘iPhone 8 and later’ configuration. Going forward, iPhone 8 and two-factor authentication Apple ID will be the base configuration for using Mobile ICOCA, Super Suica and other mobile transit IC cards.

Reader Question: what’s the point of Apple Pay My Suica?

A reader asked a very good question: what’s the point of an Apple Pay My Suica? Can’t you already migrate a normal ‘unregistered’ Suica to another device if you lose your device?

There are 3 basic Suica plastic card categories: unregistered, registered (My Suica) and commuter. PASMO and all other major Transit IC cards are the same. An unregistered Suica card just spits out of the station kiosk after putting money in and you are on your way, but it cannot be replaced or re-issued if lost. Buy a new one, end of story.

With a registered My Suica card, the customer registers a name and other information on the kiosk touchscreen and if the card is lost it can be re-issued for a fee with the original stored balance intact. It’s Suica insurance. Same deal for Commuter Suica which is registered Suica with a commute plan attached.

Mobile Suica uses the same 3 category card model but Apple Pay Suica changed the game considerably. When a user transfers any flavor of plastic Suica to Apple Pay, the card is permanently linked to the user Apple ID. When a user creates a Suica card in Wallet it creates a My Suica card also attached to Apple ID. Apple Pay Suica cards also seem to be ‘ghost’ registered to Mobile Suica even when the user does not have a Mobile Suica account. Only the Apple Pay and Mobile Suica system elves really know what is going on.

The upside for Apple Pay users is that Apple Pay and Mobile Suica preserve Suica card information so the user can safely remove Suica from Wallet, re-add it, or transfer it to another device at any time. It’s free insurance without the hassle of registering a Mobile Suica account. All Suica card types are treated the same. The downside is that if you want to migrate to Android you have to delete your Mobile Suica account and refund the card, then create a new card and Mobile Suica account for Google Pay Suica. It’s the same deal migrating the other way.

To answer the reader question regarding the point of Apple Pay My Suica, the point is this: commute plans, auto-charge, Green Car seat purchase. The point of Apple Pay Registered PASMO is similar: commute plans and auto-charge. All this is done via Suica App or PASMO App. If you don’t want those extra services, a plain unregistered Suica or PASMO is all you need.