My Cousin Apple Pay

So the EU is going ahead with ‘open NFC’ antitrust charges against Apple. As posted back in August 2020, the whole open vs closed debate is not easy to define. It’s probably easier to look at it from the simplistic App Store debate of letting developers bypass Apple’s in-app payment mechanism to avoid paying the ‘Apple Tax’, because that’s the box most people will understand.

We’ve already seen banks and Apple chafing over transactions fees on multiple occasions, the latest being ‘Banks Pressuring Visa to Cut Back on Apple Pay Fees‘ because Apple dared release their own credit card under the Mastercard brand via Goldman Sachs. German banks and Australian banks in particular demand the right to use iPhone NFC in their own payment apps instead of Wallet so they can harvest the user data they can’t get via Apple Pay and drop Apple Pay support all together in favor of their own proprietary payment apps (our exclusive card comes with our exclusive app). But there’s an aspect of the ‘open’ argument that will not be discussed by EU regulators, the banks and credit card companies.

I’ve been watching ‘My Cousin Vinny’ a lot recently. I love the courtroom scenes with Joe Pesci’s Vinny character turning the prosecution arguments upside down. There’s a key scene early on when Vinny uses a pack of cards to convince Ralph Macchio’s character to give Vinny a chance to defend him: ‘the prosecutors are gonna show you bricks with solid straight sides and corners, but they’re going to show them in a very special way’ so that judge and jury see bricks instead of playing cards, which is what ‘open NFC’ arguments are: paper card illusions.

NFC is just hardware, it’s worthless without the software protocols that drive it. NFC also has different definitions. The bank industry defines NFC as NFC A-B ISO/IEC 14443. The NFC Forum defines NFC as NFC A-B-F for device certification. On the protocol side the bank industry defines NFC as EMV because this is their industry standard created and managed by EMVCo (Europay-Mastercard-VISA initially, now collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa).

Are EU regulators going to argue that ‘open NFC’ is defined as NFC A-B-F on the hardware side and EMV, MIFARE, FeliCa protocols on the software side? Of course not. They will narrowly define their Vinny brick as NFC A-B and EMV, and maybe Calypso as the transit protocol is used in France for transit. Why would they do that?

It’s very simple. European banking interests don’t want to pay transaction fees to Apple, the Apple Pay tax. They want to cut out the middle man with their own exclusive apps and harvest user data. They don’t want inconvenient questions such as why there are all those different NFC standards and protocols out there, how this came to be and what really constitutes ‘open’. Why did the ISO/IEC Joint Technical Committee choose Phillips NFC-A and Motorola NFC-B while shutting out Sony NFC-F? Was that part of creating an ‘open’ and level NFC playing field on the global marketplace? Of course not, it was about playing favorites while shutting Sony and Japan out of the game. Now they want to do the same to Apple Pay. I still think Junya Suzuki is right: the EU will never demand the same thing of Samsung Pay or Huawei Pay that they are demanding from Apple.

Sawada Sho tweeted a thoughtful question recently regarding the App Store in-app payment controversy. He pointed out that gaming and other platforms charge developers great deal of money for hardware and software access, nobody questions that. Apple offers a lot of access for a very low price, is it fair to demand free passage on the App Store because it is Apple? Sho san thinks the Apple transaction cut is a fair tradeoff. Some tech writers have occasionally asked the same basic question: what’s fair?

EMV, MIFARE and FeliCa all have licensing and certification fees that all customers (developers) pay. Apple has gone to a lot of expense licensing those technologies in addition to licensing a GlobalPlatfrom Secure Element that they build into their own Apple Silicon. Those costs are recouped by Apple Pay transaction fees and fund future developments like digital keys with UWB, ID and other Wallet goodies we’ll get later on in the iOS 15 cycle. I’ve said it before and say it again: Apple took the time and expense to build a first class restaurant and outsiders are demanding the right to use Apple’s kitchen to cook their own food to serve their own customers in Apple’s restaurant.

I guess EU regulators want to give those away free to EU banking interests and let them have their way in the interest of ‘open standards’ that they define and end up protecting the home turf. That sounds like a good deal to me.

Secrets of iOS 15 Apple Wallet

iOS 15 Wallet is deceptive. The first impression out of the box is that nothing has changed much. It looks the same, it works the same. It doesn’t help that many of the new features won’t come until later in the iOS 15 life cycle and will be limited to certain users and regions. ID in Wallet for example is only due to launch in eight American states ‘late 2021’. Wallet keys for home only work on A12 Bionic iPhone XS and later while office and hotel key “device requirements may vary by hotel and workplace.” In Japan the iOS 15 Wallet feature section is missing altogether. The fine print reads like Apple is giving itself the biggest set of loophole opt outs ever, as if to say, ‘sorry, better luck later on.’

This is because Wallet key and ID cards are exactly like the Apple Pay launch in 2014 when the contactless payment infrastructure in America at the time was way behind Europe and Japan. The contactless transition has been bumpy, uneven and continues to plod along while stores have been slow getting their act together. Early Apple Pay adopters grew accustomed to hearing that classic gag line at checkout when things didn’t work right: “you’re holding it wrong.”

Wallet keys and ID will see a gradual measured uptake just like Apple Pay payment and transit cards. But unlike payment cards and transit cards, the reader infrastructure side of the equation for digital keys and ID cards is only just beginning. For some people it may be years before they have the opportunity to use digital key with their car, home or apartment. The initial use for Wallet ID, TSA security checks for domestic US air travel, represents only a small subset of a much wider future potential. How long will it be before state government services are fully equipped to read their own digital issue ID? And what about in-app ID checks, there’s huge but undeveloped potential there too.

Apple is leading the digital wallet transition for keys and ID as they did for payments when Apple Pay launched in 2014. Sure, there are others already doing it on a limited scale and Apple may be late to the party, but because Apple takes the time to make complex things easy to use and get it right, eventually it’s everywhere. Even without keys and ID, iOS 15 Wallet offers some deeply useful UI improvements that will remove a lot of frustration for all Wallet users. Let’s take a look.


New Add to Wallet UI
The new Add to Wallet screen with card categories is the gateway to new iOS Wallet features, it also solves long standing UI problems that confused users for adding transit cards. The main categories:

  • Debit or Credit Card
    Add debit/credit, the same process we’ve had all along.
  • Transit Card
    The add Transit Card category is new and lists all available transit cards that support direct Wallet card add and Apple Pay recharge. Transit cards that can only be added and recharged via an app such as Portland HOP and Chicago Ventra are not included. Some transit cards on the list are somewhat deceptive. Hong Kong Octopus and China T-Union cards cannot be added without certain locally issued credit/debit cards but you only get the warning message at the very end of the addition process that aborts it. The only transit cards that anybody from anywhere can add to Wallet are: Suica, PASMO, SmarTrip, Clipper and TAP.
  • Previous Cards
    Previous Cards is a new category that appears only when needed. It shows cards, keys and passes that are attached to the user Apple ID but are not currently in Wallet.

The region-free Wallet
These seemly mundane UI tweaks are much bigger than they look. Before iOS 15, Wallet did not make a clear distinction between first time card issue (adding a card) and re-adding previous cards that were already attached to the user’s Apple ID. Adding cards to Wallet was also region dependent, that is to say users had to set the iPhone region to match the issuer region to add those cards. This has been a real pain for transit cards: Japan to add Suica, Hong Kong to add Octopus, America to add SmarTrip, Clipper or TAP.

Changing the device region is easy to do, but it’s not intuitive at all and bewildered users. It’s not uncommon for people to think that changing the region messes up the Apple Pay cards they already have making them unusable, or that a certain region setting is required to use a particular card.

Neither is true, but region-dependent Wallet was a big source of confusion that kept people from using great Wallet features and caused support problems, especially for transit card users. Do a Suica search on Apple Support Communities. The number one support issue is: I lost my Suica card, how do I get it back in Wallet?

The new UI fixes this problem by making a clear distinction between removing Wallet cards vs. deleting them. Wallet has a simple rule: removing a card added in Wallet does not delete the card but stores then on iCloud. Cards added in Wallet and keys are hooked into the user’s Apple ID. This is easy to see in Suica App which displays the unique Apple ID/Apple Pay identifier for each Suica card.

The pain point was the inability to see what cards were still attached to their Apple ID sitting on the Apple Pay iCloud server when not in Wallet. Most people assume a card not is Wallet is lost forever, the classic ‘I lost my Suica’ problem described above. This happened all the time in pre-iOS 15 Wallet when the user signed out of Apple ID without realizing it or migrated to a new iPhone without doing Wallet housecleaning on the old device. Removed cards were always parked safely in iCloud but there was no easy way to see them. With Previous Cards and region-free Wallet, you always know where to find your Wallet cards.

Knowing exactly where your Wallet cards are, in Wallet or parked on the server, and how to really truly delete them from the cloud, makes using Apple Pay easier. When users understand that Apple Pay has their back, they trust and use it more. Trust is far more important than technology.

From now on the new rules are: removing a card only removes it from Wallet. Only the extra step of removing a credit/debit card from Previous Cards removes it completely from Apple ID. Stored value cards like Suica can only be deleted with the card issuer app.


ID in Wallet

iOS 15 devices
watchOS 8 devices
Launch states: Arizona, Georgia, Iowa, Kentucky, Maryland, Oklahoma, Utah

ID in Wallet is the biggest new iOS 15 Wallet feature, important enough that Apple announced details and launch states before the September Apple Event, which is unusual for a feature due late 2021 early 2022. The press release clearly explains (but does not show) the exact process for adding and using an ID, and the some security details behind it. Carefully crafted screen images clearly illustrate that ID in Wallet does not show detailed personal information, not even a full name, only the ID elements that will be transmitted by NFC to the TSA reader. Like Apple Pay, users do not need to unlock, show, or hand over their device to present their ID, they simply authorize and hold to the reader.

ID Security and Privacy
It looks slick but there are lots of interesting things Apple has not shown yet, like the actual adding process, that will certainly be highlighted at the September Event. Apple is advertising high level security and privacy for ID in Wallet but there are device distinctions security concerned users will want to know about, specifically Secure Intent.

Secure intent, in a very loose sense, is the user action of confirming ‘yes I want this transaction to proceed’ by double pressing a button (Face ID and Apple Watch) or a long press (Touch ID). But there are important differences: by Apple’s official definition, Face ID iPhone and Apple Watch are secure intent devices, Touch ID iPhone is not.

Secure intent provides a way to confirm a user’s intent without any interaction with the operating system or Application Processor. The connection is a physical link—from a physical button to the Secure Enclave…With this link, users can confirm their intent to complete an operation in a way designed such that even software running with root privileges or in the kernel can’t spoof…A double-press on the appropriate button when prompted by the user interface signals confirmation of user intent.

The most secure ID in Wallet secure intent transaction is a double press button authorization action that tells the secure enclave, where your biometrics are stored, to release authentication to the secure element, where your ID credentials are stored, for the transaction magic take place. Apple: “Only after authorizing with Face ID or Touch ID is the requested identity information released from their device, which ensures that just the required information is shared and only the person who added the driver’s license or state ID to the device can present it.” There is no Express Mode for ID card nor would you want there to be.

There is another aspect to consider, one that Apple certainly won’t divulge: who manages and runs the backend centralized mobile ID issue service that plugs into Apple Pay servers. The direct in Wallet ID card add process demonstrates a high level of integration: “Similar to how customers add new credit cards and transit passes to Wallet today, they can simply tap the + button at the top of the screen in Wallet on their iPhone to begin adding their license or ID.”

We can get an idea of what’s involved on the ID backend from the Japanese Ministry of Internal Affairs and Communications (MIC) English PDF document: First Summary Toward the Realization of Electronic Certificates for Smartphones with a diagram of the digital ID system architecture for the Individual Number Card (My Number). MIC are in discussions with Apple to bring the digital My Number ID to Wallet. The Android version is set to launch in 2022.

There has to be a partner service company that sub-contracts mobile ID issue services to participating state governments…somebody that does the heavy lifting of linking various state database servers to provide a centralized card issuing service so that Apple can provide a seamless ID add card experience. But it must be an independent entity that can provide the same set of backend ID issue services to other digital wallet platforms (Google Pay, Samsung Pay, etc.) at some point. Because if it is not an independent entity providing those services, Apple is inviting more claims that Apple Pay is a monopoly. It’s a mystery worth digging into. Nevertheless, Apple is paving the way by integrating ID issue directly in Wallet that eliminates crappy 3rd party apps. It’s a huge effort that hopefully makes digital ID easy, practical and widely used.


Digital Keys and Power Reserve Express Mode
Home, office and hotel keys are the first new iOS 15 Wallet feature on launch day. Where is the Add to Wallet Key Card category? There isn’t one. Keys are slightly different and cannot be added (issued for the first time) to Wallet directly because the mobile key issuing company has to confirm user identity before giving the key. The most common way to add keys for the first time is with an app. From the Apple car key support page:

Open the car manufacturer’s app and follow the instructions to set up a key…Depending on your vehicle, you might be able to add car keys from a link that your car maker sends to you in an email or text message, or by following steps on your car’s information display.

Keys removed from Wallet can be re-added quickly via Previous Cards. According to the iOS 15 and watchOS preview page, keys appear to come in 2 basic varieties, sharable and un-sharable, device specs are different depending on the type of key.

  • Sharable keys
    • Car keys with Ultra Wideband
    • iPhones and Apple Watches equipped with U1 chip (iPhone 11 • Apple Watch 6 and later)

    • Car keys (NFC)
    • Home keys
    • iPhone XS • Apple Watch 5 and later
  • Un-sharable keys
    • Office key
    • Hotel key
    • Device requirements may vary by hotel and workplace

All keys work in Express Mode as keys, unlike ID, require Express Mode to be useful. iPhone XS with A12 Bionic powered NFC supports Express Mode Power Reserve, a huge performance difference from previous Apple Silicon. The extra 5 hours of power reserve key access with a drained iPhone battery are crucial and it’s understandable why Apple set iPhone XS as the base iPhone for using car and home keys.

There might be conditions for office and hotel keys depending on the key issuer. In Japan for example iPhone 6s, iPhone 6s Plus, iPhone SE (1st generation) cannot be used for FeliCa based key access, hence the ‘device requirements may vary’ tag.

One more issue here is that mobile key issue is a complex process for hotels, and one assumes offices as well, one that usually requires an app with an account to securely issue a mobile key with set limitations (time, area, etc.).

It’s important to note that issuing digital keys is only one step of the complex process that allows guests to bypass the front desk. Apple’s announcement certainly does not spell the end of the hotel app as we know it…

It’s a big step toward streamlining a process that has, until this point, prevented many guests from using their phone as a digital room key. But, Wallet only solves one segment of the end-to-end operation required to get a guest checked in and room access issued. The bigger issue is connecting identity with access, which requires many more steps beyond issuing a key.

How Apple’s Newest Features Will Affect Hotel Check-in

Hyatt Hotel launched Room Keys in Apple Wallet in limited locations on December 8. There are a few interesting requirements and other bits. (1) Bingo…reservations must be made in World of Hyatt app, (2) Room key activated in Apple Wallet after checkin and room assignment, (3) hotel updates or deactivates room key in Wallet remotely, (4) Room key in Apple Wallet is never shared with Apple or stored on Apple servers, (5) The World of Hyatt app is run by ASSA ABLOY Vostio Access Management cloud-based solution. The word ‘sharing’ is never mentioned in the Hyatt announcement or ASSA ABLOY Vostio Access literature. No word what protocol is used but you might remember that ASSA ABLOY and Blackboard use MIFARE for Student ID.

Pairing an identity with access is the core difficulty dealing with digital key issue, sharing keys on different devices is a particularly thorny problem. If I had a crystal ball to read, I might see a future where your ID in Wallet is the only confirmation necessary to add a key directly in Wallet with an email link, no apps. It would be nice if things evolved that way over time. Perhaps that is one of Apple’s long term goals for releasing home-hotel-office keys and ID in the same iOS 15 product cycle.

Wallet expansion and housekeeping
The last improvement is that iOS 15 Wallet now holds up to 16 cards. The previous official limit was 12 cards (8 cards for pre-A11 iPhone), though Apple hasn’t mentioned the new limit in any support pages. If you have trouble adding more than 12, remove one taking the total down to 11 cards, then add more cards up to the new limit. The limit is defined as cards that use the secure element for transactions: payment cards, transit cards, keys, and ID. Passes don’t count and used passes are automatically cleared and stored in the new archived passes category. One hopes Wallet will do similar housekeeping for expired hotel keys in a later iOS 15 update.

The expansion seems trivial but 4 more parking spaces in Wallet garage is a godsend not only for card otaku but also for regular users who already have lots of payment and transit cards, it’s easy to hit the limit. The housekeeping changes are appropriate and timely, going forward we’ll all be adding car, home, office, and hotel keys along with our driver’s license to an ever growing Wallet.

UPDATE
An earlier edit of this post incorrectly stated that watchOS 8 Wallet did not support hotel and office keys (they were not listed on Apple’s watchOS 8 preview page but mentioned on a separate PR release). Apple PR reached out regarding the error and has been corrected.

Last updated 2021-12-09 (added Hyatt Hotel Wallet key beta test announcement)

Octopus 2.0

The Apple Pay Octopus launch in June 2020 marked the end of an era of Octopus as the exclusive Hong Kong MTR home grown transit platform, and the start of MTR integrating into China mainland transit fare standards. In August 2020 Octopus Cards Limited announced they would join China T-Union. My take about it and the eventual migration of Octopus from FeliCa to PBOC 2.0, struck a raw nerve and did not go down well with some Hong Kong folk:

Can someone tell the ill-informed, self-centred, attention-seeking blogger to stop spreading fake rumours about octopus ditching FeliCa? Not in this lifetime…The self-proclaimed expert blogger’s been wrong on so many levels I’m amazed people still follow him like religion and never question his fantasy stories. Utterly annoyed by him dropping quotes from people out of context and use them to his benefits.

In April 2021 new OCL CEO Angus Lee Chun-ming said in a South China Morning Post interview that OCL had applied for China T-Union membership as planned, and will launch a dual mode Octopus card for mainland transit use:

“We have applied to join the China T-Union, the nationwide one-card payment system led by the Ministry of Transport. That will enable Octopus physical-card holders to pay for public transport fares in mainland China,”…

The service can be upgraded to digital Octopus cards in the phase two development. “The card will be denominated in Hong Kong dollars. Octopus will arrange the currency settlement with the mainland partner,” said Lee.

A one-card nationwide payment system eh? Sounds like an plug for China T-Union instead of an Octopus presser. Phase 1 is a physical dual mode Octopus card that appears to be 2 separate chips (PBOC and FeliCa) in one card with a common HKD ePurse. This is novel as Greater Bay Area dual mode cards up to now used separate ePurses for each currency. It’s also complicated because mainland transit operators have to do the currency conversion. A digital wallet version is phase 2. The elimination of FeliCa on the Hong Kong side will be the final phase, though that depends on the Ministry of Transport removing the current PBOC restriction that limits it to transit use and T-Union branding issue, or Octopus coming up with something else. We shall see.

On the mobile side Hong Kong iPhone users already have a dual mode Wallet option to add China T-Union cards if they have a China UnionPay credit or debit card. It’s not dual mode on one card and there is an Express Transit issue when turning on a China T-Union card turns off Express Transit for Octopus, but it works.

Dual mode transit cards on Apple Pay don’t exist yet but they are technically possible. Apple Pay already uses dual mode NFC switching for Japanese issue payment cards, FeliCa for contactless use in Japan, EMV for contactless use abroad. Another option might be the multiple secure element domain/multiple NFC protocol support of Mobile FeliCa 4.1 outlined by FeliCa Dude for dual mode transactions using just Mobile FeliCa with NFC-A/NFC-F.

On the transit gate side it will be interesting to see what design MTR uses for multiple protocol open-loop. NFC requires the reader side to specify the NFC protocol used for the transaction. This is a not a problem at store checkout, but how does the user specify the transaction protocol on transit gates? Answer: by tapping different readers. Perhaps the new MTR gates will host a NFC-A reader (EMV and PBOC), a NFC-F reader (FeliCa) in addition to the already separate QR reader? And if those Touchless UWB rumors are true, UWB and Bluetooth could be joining the MTR next generation gate party. One thing for sure, transitions are messy, and expensive.

Real life code payments

Doutor Coffee Shops added code payment options recently. The sticker next to the reader says all that you need to know: please have your payment app ready before paying. The downfall of code payments is always the network connection. Maybe network connection is weak, or tapped out, or whatever. Last week I was grocery shopping at a basement store location and noticed customers running from checkout to the bottom of the stairs, tapping their smartphone, then running back to the checkout. Bad network area.

This is all too common and a real pain now that every store chain and their dog has a rewards app. Most checkout goes like this: the customer pulls up the store app for discounts and reward points, then pulls up PayPay, dBarai, Line or any other popular code payment, and if the network gods are benevolent, finally pays. NFC was supposed to save us from slow plastic cards and paper coupon checkout, but in the digital wallet age we’re slow if not slower because the store location is in a crappy network area, inside a building with thick earthquake proofed concrete walls. Welcome to code payments in the real world 101.

Mobile Suica Lite

With the proliferation of wearables JR East has been busy adding new devices to Mobile Suica. A timeline:

  • 2006: Mobile Suica for Osaifu Keitai
  • 2016: Apple Pay Suica for iPhone and Apple Watch
  • 2018: Google Pay Suica for Android Osaifu Keitai
  • 2020: Garmin Pay Suica, wena 3 Suica
  • 2021: Fitbit Pay Suica

The first hardware standard for Mobile Suica was Osaifu Keitai first on Symbian feature phones in 2006 followed by Android in 2013. This is the basic FeliCa chip in phone approach.

Apple Pay Suica in 2016 brought a new hardware model: a Apple custom embedded secure element (eSE) with licensed Mobile FeliCa for iPhone and Apple Watch. Pixel 3 and later models employ a somewhat similar arrangement using NXP multi-protocol NFC controllers with preinstalled Mobile FeliCa but Osaifu Keitai software is only activated on Japanese Pixel models.

A shortcoming of the Osaifu Keitai standard is that it only works on Osaifu Keitai ready Android smartphones. In 2016 Google released the HCE-F specification for Android 7.0. Japanese tech media at the time assumed HCE-F would become widespread for delivering FeliCa services to low-end Android devices without Osaifu Keitai support but that didn’t happen. As FeliCa Dude points out, “HCE-F is not useful for emulating existing FeliCa cards because the API has been needlessly crippled.” The HCE strategy is questionable and comes with security risks. In the pre-Apple Pay, pre-Google Pay era it seemed like a viable path, but things haven’t panned out in the embedded secure element era of today.

So how does JR East host Gamin Pay Suica, wena 3 Suica and Fitbit Charge 4 Suica wearables without Osaifu Keitai? The answer is what I call Mobile Suica Lite, a prepackaged service that supports some basic Mobile Suica features but has limitations:

  • New digital issue of regular non-registered Suica cards only, no transfer of plastic Suica cards.
  • No transfer of Suica to new devices
  • Deleting Suica from the device comes with a SF balance refund option (¥200 service fee + transfer to a Japanese bank account) but once the card is deleted it is gone forever.
  • No supplemental Suica services
  • Google Pay recharge backend

For wearables in the COVID era with teleworking and less reliance on commuter passes, Mobile Suica Lite is surprisingly useful despite the limitations. If you migrate to a new wearable simply run the SF balance down to zero, delete the old card, then issue a new digital card on the new device.

How exactly is JR East doing this? We know for certain that it is not Osaifu Keitai or HCE-F. My theory is we are witnessing Mobile FeliCa Cloud in action. According to FeliCa Networks Mobile FeliCa Cloud is:

…a service platform that connects NFC FeliCa Devices with Mobile FeliCa services. With Mobile FeliCa Cloud, the seamless provision of Mobile FeliCa services becomes possible regardless of OS or platform for smartphones and wearable devices…

What is a ‘NFC FeliCa’ device exactly? All NFC certified devices must support NFC-A, NFC-B and NFC-F. Any Global Platform certified secure element on a device also supports Mobile FeliCa. I suspect that any manufacturer with NFC and Global Platform certifications can pick Mobile FeliCa Cloud services à la cart from FeliCa Networks: i.e. I’ll have a Mobile Suica lite with a side order of Rakuten Edy but hold the iD.

Mobile FeliCa Cloud doesn’t come with all the Osaifu Keitai bells and whistles, but it also streamlines and eliminates Osaifu Keitai support headaches with prepackaged services. A Mobile FeliCa lite option for lite wearables…I hope we see more of it on more devices with more services.