Here’s the thing, most people assume that killing PASPY card means Hiroden and Hiroshima region PASPY transit partners will rip out all the FeliCa readers and replace them with optical code readers. I don’t think so. FeliCa PASPY cards will disappear but not the transit IC readers. If you listen carefully to Hiroden’s bitching and moaning about having to shoulder PASPY system costs from the PASPY/FeliCa fare processing server side (that the PASPY partners don’t help us enough with…boo-hoo-hoo). Dump that and get out of the plastic card issue business, leave ICOCA / Transit IC readers where they are and let them handle their own fare processing, retrofit a QR scanner or install Denso Wave QR+NFC readers, toss out a QR PASPY app and the PASPY associates can call it a day.
PASPY had all the limitations of region transit cards: no e-money functions for store purchases to juice the recharge business side, slowly declining ridership, and the card could not be used on JR West ICOCA and larger Transit IC network…limitations that the Suica 2 in 1 Region Affiliate program resolves. Too bad JR West doesn’t have a similar program for the ICOCA region but it says something about JR West and local government relations that Hiroshima City and prefecture officials have kept quiet.
Nevertheless, there are way too many ICOCA and Mobile Suica users out there and Mobile ICOCA goes live 12 months from now. PASPY partners will want to keep those users riding no matter what Hiroden ends up doing. And local government transit subsidies will help keep the Transit IC readers in place. The whole point of transit is encouraging people to use it…right? And if it all works out, for QR based PASPY MaaS with Transit IC support, all the better.
The app requires a Japanese Individual Number Card (My Number Card) to issue a vaccination certificate which is linked to individual vaccination information. The process offers 2 options, domestic use and international use. Issuing a certificate is simple: select options, enter the user set My Number PIN and read the physical My Number Card. The International option requires a reading a passport number.
Users report success getting an issued certificate into Wallet but the process is somewhat manual. If you don’t get a Wallet prompt, do an in-app scan of the Smart Health QR Code to load it into Health and Wallet apps.
My own experience with the app was not good. I have vaccinations and a My Number Card, but get a 60910 error when I enter my PIN and read the card. Some My Number Card naming conventions, such as such as maiden + married names, or mixed English and Japanese are not accepted by the app for certificate issue.
The app support details explain this kind of issue can only be fixed with a visit to the city hall office where city officials update the registered My Number Card name information. The issue appears to affect more than a few people. The Digital Agency updated their website later in the day and told IT reporter Junya Suzuki that an app update is coming soon to address some unspecified naming issues, however the basic name limitations remain listed on the website and app.
We shall see…knowing my luck I’ll probably have go to to the local ward office records section anyway to get a real fix. I’ll report gory details later if I do.
UPDATE2021-12-22 A number of issues have cropped up since the apps release. It seems that the Digital Agency subcontractor made mistakes, or failed to find them in their rush to get the Vaccination Certificate App out. Most likely there wasn’t proper subcontractor oversight or review, and iOS development appears to have taken a backseat to Android. The name issue is related to limitations in the current JP ePassport format. The timing is questionable as Japan is entering a gray zone regarding who should get booster vaccinations and when. Until that’s settled vaccination certificates are pretty useless for domestic use.
The list of issues so far:
The supported formats are ICAO VDS-NC and SMART Health Cards (SHC). Currently there is no support for EU DCC format which is widely used internationally (iOS 15.4 Wallet will support EU DCC, expect app support to follow).
Certificates are not added to Wallet automatically, it is done via an in-app scan of the SHC QR Code, not the VDS-NC one.
The app handles SHC code incorrectly and produces a SHC record that wrongly juxtaposes ‘family’ and ‘given’ names in Roman letters (fixed in v1.04 update).
Instead of reading ePassport data via NFC, the app uses OCR. Verification could be done with a NFC read of all ICAO MRTD (ePassport) information but the app does not do this. Instead the only requirement to get a passport read is a valid MRZ (machine readable zone) read of the birthdate that matches the birthday what gets read from the My Number Card.
JP ePassport format does not support maiden + married names (by design) and this is the given reason why OCR is used instead of NFC. The JP ePassport name limitation also the reason why the current version of the app refuses to issue vaccination certificates when the My Number Card contains such name combinations. (fixed in v1.08 update)
I have lots of respect Bloomberg reporter Gearoid Reidy, but a recent Twitter exchange he had with Craig Mod about code payment apps vs NFC reminded me that no matter how long westerners reside in Japan and appreciate the culture, our western cultural ‘winner or loser’ take on things too often gets in the way of truly understanding what’s going on. The Japanese take complexity in stride and are very adept at dealing with situations that drive us westerners crazy.
This is especially true when the debate is about that contentious intersection of contactless payments and technology: EMV is the winner FeliCa the loser, code payments are the winner NFC is the loser, and so on. As fun as that debate can be at times, the black and white distracts westerners, and even some Japanese from analyzing the gray to find out what’s driving the narratives and why.
My take has always been that Japan is the best place to observe trends first before they happen elsewhere. This is what Gearoid half jokingly calls ‘j a p a n i f i c a t i o n’. It’s real and has nothing to do with liking or disliking Japan. Either way, too many dismiss the opportunity to learn ahead of the curve. My take has also been that the crazy kaleidoscope of Japanese payment choices is coming to your country too. We got a taste of that with the announcement of the Australian national QR payments and rewards platform called eQR.
The standard Japanese market debate point of code payments vs NFC assumes the China Alipay model. China didn’t have the mobile NFC contactless payments infrastructure that Japan had, so the Alipay code payment model makes sense there. In Japan it does not, which is why Gearoid and Craig are scratching their heads in public. Code payments in Japan are all about leverage, big data, and carriers. Leverage in that carriers like NTT docomo keep the dBarai accounts in-house and use the float for their own purposes instead of letting banks and credit card companies earn interest on dCard accounts. That’s why they encourage users to use dCard to recharge the code payment dBarai account instead of using the card directly.
It’s a similar situation for SoftBank and PayPay, though I suspect it has more to do with deficit financing funnery that SoftBank Holdings is so adept at. Heaven help us, and all those Vision Fund supporters, if it comes crashing down. PayPay has been helpful though at shining a bright light on Japanese payment networks and the various service fee structures from CAFIS on down. VISA JP has suddenly seen the light and proposes to do something about it…perhaps.
Code payments are just a tool in the swiss army knife payment wallet app, like Toyota Wallet, insurance and leverage. We saw that in action when Apple Pay first launched in America and Walmart answered with CurrentC. We’re seeing again with eQR in Australia and it will keep happening when merchants or banks or payment service players need a tool to bargain a better percentage. Heck even Apple Pay is flirting with the idea of adding code payments to Wallet, though I think their hesitancy to do so means…it’s just a bargaining tool for Apple too.
The Apple Pay monopoly debate isn’t new and isn’t about being ‘open’, it’s about banks getting what they want from politicians. What I found interesting was the back and forth between Apple and Google regarding the hardware embedded secure element (eSE) vs. the virtual secure element in the cloud Host Card Emulation (HCE), a topic that confuses many ‘experts’.
Google is playing both ends here because they have different flavors of Google Pay for different kinds of Android devices. Google Pixel Google Pay uses eSE while everybody else use HCE Google Pay. One very important thing not mentioned in tech blog coverage is that Samsung Galaxy and the Chinese smartphones (Huawei, OPPO, Xiaomi) all use a custom eSE with their own XX-Pay. In other words, everybody on the Android side outside of low end junk is doing exactly what Apple Pay is doing.
Apple Host Card Emulation (HCE) is a less secure implementation, which was adopted by Android … Apple did not implement HCE because doing so would lead to less security on Apple devices.
Google Our payments apps are immensely secure…we would refute the suggestion our HCE environment is in any way insecure … I would argue the user experience on Google Pay is equal to that of Apple Pay.
GlobalPlatform HCE solutions can be a great option for issuers to get to market cost-effectively for their Android customers. However, they aren’t without their complexities. Rooted in the NFC device OS, HCE apps can be more vulnerable than the ‘Giant Pays’.
So HCE security is up to the payment app, shitty app = shitty security without Apple Pay Secure Intent. The whole HCE debate is nonsense, like FeliCa Dude says it’s eSE or nothing. If the committee thinks that HCE means open and good, they are showing their incompetence.
Apple Pay Wallet has a very simple rule: any card that loads a Java Card applet into the secure element has to reside in Wallet. Any card or developer that wants to loads applets and use the secure element has to have a PassKit Secure Element Certificate Pass. This is covered by NDA but a company called PassKit (not Apple) gives us an idea what Apple’s NFC/Secure Element Pass guidelines are:
Apple care a great deal about the user experience. Before granting NFC certificate access they will ensure that you have the necessary hardware, software and capabilities to develop or deploy an ecosystem that is going to deliver an experience consistent with their guidelines.
Yeah, the end to end user experience, the whole reason behind the success of Apple Pay. Banks don’t want to be told they need to improve their ecosystem for a better user experience, and they don’t want to pay a transaction cut to Apple that they are used to keeping for themselves. What else is new?
The whole ‘Apple Pay is a monopoly’ soap opera is overrated.
PASPY is just the tip of the iceberg. There are many transit IC cards out there with the same problem: fixed infrastructure costs supporting a small region transit IC card and declining ridership. Add the COVID crisis that has decimated public transit use and you have a business crisis. All the small transit cards outside of the Transit IC card standard (the pink box) are in the same boat: they can only be used in their respective regions, they don’t have e-money functions, they don’t have the resources to go mobile.
This is exactly the problem JR East is addressing with their 2 in 1 Suica MaaS soution. JR East hosts the hardware, the local operator issues a ‘localized’ Suica that offers both special local MaaS services (discounts and extras, etc.) and seamlessly plugs into the larger Suica and Transit IC map.
Unfortunately PASPY is in the JR West region which doesn’t have anything similar to the JR East MaaS program. It would be a perfect solution: customers would get a new card that works just like it does now but works everywhere with e-money and ICOCA benefits, Hiroden is freed from the costs of hosting and issuing their own card.
QR is not going to be the salvation that Hiroden hopes it will be. QR isolates Hiroden from the wider transit IC network of Mobile Suica, PASMO, ICOCA. Even if Hiroden gets rid of their card issuing business cost, they still have to host a system to run the QR Code app and manage accounts. The real rub is that instead of anybody buying an IC card out of a machine, Users will have to sign up for the app or buy a QR paper ticket. They also have to worry about where and how their account data is stored. My prediction: it’s going to be a messy money losing transition.
Heraiza down but not out
Poor little Heraiza, one of my favorite Japanese YouTubers, has been copyright claim ‘hacked’ from a fake account pretending to be Dentsu and now has 2 bogus strikes against her YouTube account. As an independent 17 year old high school student with 150,000 followers, she doesn’t have the resources of a YouTuber managment agency like UUUM, who she likes to badmouth (and I won’t put it past UUUM using fake accounts to take her out). Dentsu or whoever the real copyright holder is has confirmed to her that her content does not violate said copyrights.
A recent customer sentiment survey regarding QR Code use and security from Ivanti is a classic case of marketing manipulation in action. Same survey, different titles:
The English title: QRurb Your Enthusiasm 2021: Why the QR code remains a top security threat and what you can do about it
The Japanese title: Is Japan a 3rd world country when it comes to QR Code use? Compared to 80~90% usage rates in China and the West, Japan remains stuck at 60%
The English survey summary highlights basic security problems to sell security software:
47% or respondents claimed to know that a QR code can open a URL.
However, only 37% were aware that a QR code can download an application and only 22% were aware that a QR code can give away physical location.
Two thirds of respondents felt confident that they could identify a malicious URL, but only 39% stated they could identify a malicious QR code.
49% stated they either do not have or don’t know if they have security installed on their mobile device.
The Japanese version highlights low Japanese QR Code payment use, and security software use compared with China to sell security software. It also heavily implies that Japan is behind China because of this.
Don’t know about you, but this kind of night and day spin is one reason I have stopped believing most market surveys. They are just too loaded. Give credit where it’s due: the Japanese Ivanti marketing department is certainly clever in spicing up a dull story. It’s their job. Download the English PDF and see for yourself.