‘Say Apple Pay’ is going away

The success of Apple Pay lies in its consistent and well integrated UI that hides complexity from users. There are limitations however, and users are bumping up against them the more they use Apple Pay and the increasingly complex Wallet. This happens with fellow gaijin in Japan unfamiliar with the JP mobile payment landscape and history. The differences are outlined in detail here but all you need to know is that at it was first conceived ‘say Apple Pay’ = the default Apple Pay card. This was short-circuited by the addition of Express Transit in 2016 for Suica, a new kind of default card that trumps the old one, that has been a problem on OMNY transit gates for manual swipe legacy MetroCard users.

The basic issue is outlined in FeliCa Dude’s tweet: when Wallet has multiple EMV cards, iPhone doesn’t know which EMV PSE (Payment System Environment) to present to the reader…the digital equivalent of card clash. The user has to manually select one. It’s one of the reasons why the Ventra system is open loop for plastic contactless plastic cards and Apple Pay without Express Transit, but not for EMV Express Transit. Instead Ventra uses closed loop EMV for Apple Pay Ventra, but EMV open loop vs EMV closed loop will always be an uneasy mix on the same system.

Officially Apple Pay only has single default payment card, the ‘say Apple Pay’ card. Unofficially you can have one payment card, one EMV Express Transit card, and multiple native Express Transit cards: one Suica, one PASMO, one Octopus, one Clipper, etc. Saying Apple Pay doesn’t work when there are multiple default cards.

This is going to get worse when Apple finally releases Apple Pay Code Payments which have been in internal testing since the first iOS 14 betas a year ago. We might see some Code Payment details during WWDC21, and I am sure that we will see more UWB Touchess action. Either way the days of saying Apple Pay are numbered. What kind of Apple Pay? NFC, QR or Touchless? And which default card? I’ve said it before and say it again:

There is one more interesting role that Apple has planned for UWB…one that promises to improve the entire Apple Pay and Wallet experience: communicating with the reader before transaction to select the right Wallet card for the job, at a distance, for a truly smart Wallet app. With national ID cards, passports and more coming to Wallet at some point, UWB could be the Wallet reboot we really need.

‘We really need a Wallet reboot’ is on full display with recently refreshed Apple Pay webpage with Wallet getting a whole separate page because Wallet holds many kinds of cards: payment, transit, reward, student ID, passes and card keys. There are some interesting branding tweaks that suggest some changes coming with iOS 15. The first one is the change from Express Transit to Express Mode. This brings it in line with Student ID which has been called Express Mode all along as it opens doors, like a transit gate, and pays for stuff, like Suica and Octopus. Express Mode/Transit debuted with the iOS 10.1 Apple Pay Suica launch in 2016, the Japanese UI uses the term Express Card which is a better fit as the Suica is more than just transit. Hopefully this is just a teaser for WWDC21 and iOS 15.

Fun with Android NFC settings…not

XIANYOU’s blog post outlining adventures getting Xiaomi Redmi Note 8 NFC to work correctly, is an excellent reminder that Apple Pay does a great service by hiding NFC setting nonsense from iPhone customers. I mean really, is it the user’s job to figure out the ‘secure element position’? Bottoms up. The essential thing is that Google Pay doesn’t play out of the box:

As it turns out, this was because the default NFC processing behavior configuration on the phone was not one that Google Pay supported on my Redmi Note 8 Pro (or at this moment, possibly any non-Pixel 3+ phones).

This is exactly the situation I predicted back when Android Pay became Google Pay. Google doesn’t want to support non-Pixel embedded secure element devices: eSE for Google, HCE for everybody else. It’s going to get real interesting when Google starts shipping Pixel with custom Google silicon, rumored for Pixel 6, along with those Mobile FeliCa multiple secure element domain functions.

Real life code payments

Doutor Coffee Shops added code payment options recently. The sticker next to the reader says all that you need to know: please have your payment app ready before paying. The downfall of code payments is always the network connection. Maybe network connection is weak, or tapped out, or whatever. Last week I was grocery shopping at a basement store location and noticed customers running from checkout to the bottom of the stairs, tapping their smartphone, then running back to the checkout. Bad network area.

This is all too common and a real pain now that every store chain and their dog has a rewards app. Most checkout goes like this: the customer pulls up the store app for discounts and reward points, then pulls up PayPay, dBarai, Line or any other popular code payment, and if the network gods are benevolent, finally pays. NFC was supposed to save us from slow plastic cards and paper coupon checkout, but in the digital wallet age we’re slow if not slower because the store location is in a crappy network area, inside a building with thick earthquake proofed concrete walls. Welcome to code payments in the real world 101.

The Open Loop transit privacy question

In 2013 JR East faced a crisis over selling Suica ridership pattern data analysis to Hitachi. The Suica data was stripped of personal information and was used to analyze popular transit routes and create general user profiles based on age group, gender and so on. Media outcry resulted in JR East drafting an opt out data policy followed by Japanese Government laws and regulations covering personal data privacy.

That was then, this is now. Line, the popular messaging service plus Line Pay payment platform, came under attack this week for storing user and transaction record data outside of Japan, in South Korea and China. This is not a surprise since Line started in South Korea and storing data on cloud servers there was always an open secret. Why the brouhaha now? The recent complicated Z Holdings acquisition maneuvers of Line are a factor. With PayPay and Line Pay QR payment empires now in the same house some kind of streamlining is bound to happen. The data scandal could be a convenient excuse to start it.

The constant drip of privacy concerns regarding social networks and QR payment systems like Line Pay, and where user transaction data is stored, makes the old JR East crisis look small and silly. Everything is more connected now in unexpected ways than even just 8 years ago.

It doesn’t matter how secure transaction protocols are when user transaction record data is stored on leaky servers or sold to outsiders for profit. I wrote about this earlier, the so called popularity of QR Code payment services in Japan is really about big data. In that vein we have a timely blog post on Open Loop ltransit rider privacy from Transit Center.

For a professional advocacy organization dedicated ‘to improve public transit,’ the Transit Center privacy publication is surprisingly amateurish. It raises valid concerns but reads like open loop advertising from credit card companies (Transit Center soft sponsors?), where open loop is the golden cure-all future, and the only future at that, of every transit ill with closed loop invariably portrayed as a dead era of tokens, punchcards and mag strip swipe cards. They also make MTA seem like the only transit system in America that matters because idiosyncratic MTA problems apply everywhere. Right? Wrong. Let’s take a look at their privacy blog post…<<with comments>>.

Transit agencies around the country are adopting a new generation of fare payment systems. Agencies including New York’s MTA, Boston’s MBTA, and Houston METRO are in the process of switching to what’s known as “open-loop” systems that enable riders to tap into the system using digital wallets on their phones or with their credit cards…

<<more banks handling transit fare concessions sounds like a good idea for privacy, wait until the TC folks figure out that ‘closed loop’ bank card accounts for digital wallet OMNY is the next step in the game>>

These technologies come with clear benefits for riders, but they also carry the risk of exposing more personal data…

<<here it comes>>

The switch to these new fare payment technologies can accelerate access to riders’ trip data by other government agencies. In New York, for instance, individuals’ MTA trip data can be retrieved much faster with the new OMNY system than with the older MetroCard system…

<<retrieve trip data quickly on a fare system where users don’t tap out…what? privacy concerns are not just government agencies btw with multiple 3rd party companies handling and processing transit fare data…which brings us to>>

The increased involvement of third parties in fare payment underscores the need for better data collection and management policies within transit agencies.

<<better as in more big data details?>>

How to Implement the Next Generation of Fare Payment Without Shredding Riders’ Privacy

Anybody experienced in dealing with bank and card company customer service could see this coming. Bank and transit operating cultures are different and they don’t mix well with outside companies running the transit gate fare concession. If you think transit privacy is a concern now, wait until face recognition transit gates become the next transit future thing.

Let’s make this simple. Open Loop (EMV and QR) and bank card EMV Closed Loop means that banks and outside payment platforms run their services at the fare gates They have transit user data, as does the transit company, so does the fare system management subcontractor like Cubic. The more places data is stored the more it’s gonna leak. This is exactly what is playing out in Japan right now because Line Pay Japan user transaction data is stored in South Korea which does not, putting it mildly, have a good secure data reputation.

That doesn’t mean that closed loop is automatically more secure, but keeping data in-house with its own closed loop transaction card in the country of origin, as JR East does for Mobile Suica, does mean that outside company access is tightly controlled. At the very least there is only one company in the country of origin to take the blame when something leaks, and only one place to plug it.

It’s official: Face ID sucks with face masks

I was disappointed when Daring Fireball finally checked in on the Face ID face mask problem in the iPad Air w/Touch ID power button review. It summed up western tech journalist ignorance and indifference to a big problem that Face ID users in Asia have been dealing with since iPhone X day one. DF’s latest take on the issue in ‘Unlock With Apple Watch’ While Wearing a Face Mask Works in iOS 14.5 is even more disappointing, finally admitting that, “Prior to iOS 14.5, using a Face ID iPhone while wearing a face mask sucked.” This is pure ‘let’s not admit a problem until there’s a fix’ Apple apologia that is all too common on tech sites. DF hasn’t played straight or gotten it right when it comes to the big picture of Face ID. Then again the site is more into politics than tech these days.

Twitter followers pointed out that Apple went with Face ID knowing the trade-offs they were making in Asian markets but it was the right choice. I don’t know how much the Face ID face mask problem was on Apple’s radar during iPhone X development. But there was some arrogant, ‘we can blow off a few Asian customers’ attitude in that choice that Apple is paying for now. Face ID iPhone was quietly removed from how to videos on the Suica•PASMO promotion page in October. Face ID iPhone 12 sales might be driving 5G growth in the USA, but Tsutsumu Ishikawa reports that Touch ID iPhone SE sales in Japan are stalling the 5G transition.

I say this because there was certainly plenty of Apple arrogance when they blew off iPhone X Japanese users suffering from the notorious iPhone X NFC Suica problem. It didn’t matter because it was a iPhone problem…in Japan. It took me 3 exchanges to finally get a NFC problem free iPhone X revision B unit and I was one of the lucky ones. There were, and still are, plenty of iPhone X users fumbling in the dark. To this day iPhone X NFC problem search hits are the #1 hit on this site. Years later I am still outraged by Apple’s secrecy and denial of the issue. There was no excuse hiding the problem so that people would keep buying a defective top of the line product.

So no, I don’t think iOS 14.5 Unlock with Apple Watch is a solution for the Face ID face mask problem. It’s a stop gap until we get an ‘Apple finally figured it out’ iPhone that reviewers will gush over. And it performs like a stop gap: even in iOS 14.5 beta 2, one out of three Face ID with face mask attempts fails for me and performance is often sluggish, particularly glitchy when listening to Apple Music and using Apple Pay Suica transit.

iOS 14.5 Face ID sucks less for Apple Watch users, that’s all. People who make excuses for Apple’s hardware mistakes and missteps aren’t helping people make the right choice before plunking down hard earned money on expensive devices. Nothing is worse than having to live with somebody else’s mistake, except for having to live with somebody else’s deception.