The Weekly

July 27, 2021

The ‘Apple Pay is a monopoly’ soap opera continues

ZDNet reports on Australian Parliamentary Joint Committee on Corporations and Financial Services hearings that are focused, yet again, on forcing Apple to ‘open up’ their NFC chip. Actually they should be talking about the secure element in Apple Silicon because that’s what Apple devices use and it’s not just about NFC anymore, it’s Ultra Wideband too.

The Apple Pay monopoly debate isn’t new and isn’t about being ‘open’, it’s about banks getting what they want from politicians. What I found interesting was the back and forth between Apple and Google regarding the hardware embedded secure element (eSE) vs. the virtual secure element in the cloud Host Card Emulation (HCE), a topic that confuses many ‘experts’.

Google is playing both ends here because they have different flavors of Google Pay for different kinds of Android devices. Google Pixel Google Pay uses eSE while everybody else uses HCE Google Pay. One very important thing not mentioned in tech blog coverage is that Samsung Galaxy and the Chinese smartphones (Huawei, OPPO, Xiaomi) all use a custom eSE with their own XX-Pay. In other words, everybody on the Android side outside of low end junk is doing exactly what Apple Pay is doing.

Apple
Host Card Emulation (HCE) is a less secure implementation, which was adopted by Android … Apple did not implement HCE because doing so would lead to less security on Apple devices.

Google
Our payments apps are immensely secure…we would refute the suggestion our HCE environment is in any way insecure … I would argue the user experience on Google Pay is equal to that of Apple Pay.

Let’s see what GlobalPlatform has to say about HCE:

GlobalPlatform
HCE solutions can be a great option for issuers to get to market cost-effectively for their Android customers. However, they aren’t without their complexities. Rooted in the NFC device OS, HCE apps can be more vulnerable than the ‘Giant Pays’.

So HCE security is up to the payment app, shitty app = shitty security without Apple Pay Secure Intent. The whole HCE debate is nonsense, like FeliCa Dude says it’s eSE or nothing. If the committee thinks that HCE means open and good, they are showing their incompetence.

Apple Pay Wallet has a very simple rule: any card that loads a Java Card applet into the secure element has to reside in Wallet. Any card or developer that wants to load applets and use the secure element has to have a PassKit Secure Element Certificate Pass. This is covered by NDA but a company called PassKit (not Apple) gives us an idea what Apple’s NFC/Secure Element Pass guidelines are:

Apple care a great deal about the user experience. Before granting NFC certificate access they will ensure that you have the necessary hardware, software and capabilities to develop or deploy an ecosystem that is going to deliver an experience consistent with their guidelines.

Yeah, the end to end user experience, the whole reason behind the success of Apple Pay. Banks don’t want to be told they need to improve their ecosystem for a better user experience, and they don’t want to pay a transaction cut to Apple that they are used to keeping for themselves. What else is new?

The whole ‘Apple Pay is a monopoly’ soap opera is overrated.


PASPY transit IC card migrating to QR

After thinking out loud recently about dumping their PASPY transit IC card in favor of a QR Code smartphone app, Hiroshima Electric Railway Co. Ltd (Hiroden) CEO Masao Mukuda announced that Hiroden would indeed junk NFC and migrate to a QR Code app over an unspecified period of time. Running their own transit IC card is too expensive, so old folks, school children and everybody else will have to use a smartphone to ride Hiroden light rail trains in Hiroshima.

PASPY is just the tip of the iceberg. There are many transit IC cards out there with the same problem: fixed infrastructure costs supporting a small region transit IC card and declining ridership. Add the COVID crisis that has decimated public transit use and you have a business crisis. All the small transit cards outside of the Transit IC card standard (the pink box) are in the same boat: they can only be used in their respective regions, they don’t have e-money functions, they don’t have the resources to go mobile.

This is exactly the problem JR East is addressing with their 2 in 1 Suica MaaS solution. JR East hosts the hardware, the local operator issues a ‘localized’ Suica that offers both special local MaaS services (discounts and extras, etc.) and seamlessly plugs into the larger Suica and Transit IC map.

Suica 2 in 1 region cards are the keystone of JR East’s MaaS strategy

Unfortunately PASPY is in the JR West region which doesn’t have anything similar to the JR East MaaS program. It would be a perfect solution: customers would get a new card that works just like it does now but works everywhere with e-money and ICOCA benefits, Hiroden is freed from the costs of hosting and issuing their own card.

QR is not going to be the salvation that Hiroden hopes it will be. QR isolates Hiroden from the wider transit IC network of Mobile Suica, PASMO, ICOCA. Even if Hiroden gets rid of their card issuing business cost, they still have to host a system to run the QR Code app and manage accounts. The real rub is that instead of anybody buying an IC card out of a machine, users will have to sign up for the app or buy a QR paper ticket. They also have to worry about where and how their account data is stored. My prediction: it’s going to be a messy money losing transition.


Heraiza down but not out

Poor little Heraiza, one of my favorite Japanese YouTubers, has been copyright claim ‘hacked’ from a fake account pretending to be Dentsu and now has 2 bogus strikes against her YouTube account. As an independent 17 year old high school student with 150,000 followers, she doesn’t have the resources of a YouTuber management agency like UUUM, who she likes to badmouth (and I won’t put it past UUUM using fake accounts to take her out). Dentsu or whoever the real copyright holder is has confirmed to her that her content does not violate said copyrights.

Hopefully she’ll get it all worked out and unlock all her previous videos, though YouTube being YouTube, if they don’t like you they ban you…AND keep your ad revenue. In her most recent post about one of her favorite YouTubers having their account hijacked, she has her confidence back. Good thing, in these dark times we all need to laugh.

Have a good week and enjoy the Olympics.

QR Code user survey sleight of hand

A recent customer sentiment survey regarding QR Code use and security from Ivanti is a classic case of marketing manipulation in action. Same survey, different titles:

The English title:
QRurb Your Enthusiasm 2021: Why the QR code remains a top security threat and what you can do about it

The Japanese title:
Is Japan a 3rd world country when it comes to QR Code use? Compared to 80~90% usage rates in China and the West, Japan remains stuck at 60%

The English survey summary highlights basic security problems to sell security software:

  • 47% of respondents claimed to know that a QR code can open a URL.
  • However, only 37% were aware that a QR code can download an application and only 22% were aware that a QR code can give away physical location.
  • Two thirds of respondents felt confident that they could identify a malicious URL, but only 39% stated they could identify a malicious QR code.
  • 49% stated they either do not have or don’t know if they have security installed on their mobile device.

The Japanese version highlights low Japanese QR Code payment use, and security software use compared with China to sell security software. It also heavily implies that Japan is behind China because of this.

Don’t know about you, but this kind of night and day spin is one reason I have stopped believing most market surveys. They are just too loaded. Give credit where it’s due: the Japanese Ivanti marketing department is certainly clever in spicing up a dull story. It’s their job. Download the English PDF and see for yourself.

A great reality check

I was pleasantly surprised to find some hits coming from a website called limitless possibility, followed the link and discovered a great podcast by Luc-Olivier Dumais-Blais and Yanik Magnan on Japanese transit IC cards, Suica 2 in 1, the new features of FeliCa Standard SD2, Ultra Wideband Touchless and more…things I’ve been writing about for a while that never get any traffic.

Yanik does a much better job of summarizing the transit technology landscape than my messy collection of posts. I wholeheartedly agree that UWB Touchless is the perfect opportunity for Japanese Transit IC members to put aside political differences and merge, or at least ‘harmonize’ their data formats for a real all in one Super Suica. We shall see. There are things coming down the pike such as multi-secure element domain/multi-protocol Mobile FeliCa that might have transit implications. And I thank Yanik for his constructive criticism of my ‘Super Suica’ coverage. It’s very helpful and rare that anybody takes the time these days.

Extra bonus: their discussion of the Japan QR Code payment mess and a sendup of PayPay ‘gamification’ campaigns using the Canadian Tim Hortons roll up the rim thing is hilarious and spot on.

QR Code Transit on Hong Kong MTR starts January 23 (Updated)

After a very long preparation period QR Code transit on Hong Kong MTR finally starts on Saturday, January 23. The MTR Fan FaceBook page:

Only TWO WEEKS left before the launch of QR code payment on 23 January! For this new service, we have installed about 1,000 QR code scanners at stations and conducted a series of system and on-site tests. Prominent purple signage will also be on display to help passengers identify the gates providing the new service.

This is the debut of MTR ‘open-loop’ ticketing. Up until now MTR used the ubiquitous Octopus card, the trail blazing transit card that showed the world what smartcard ticketing can do when extended beyond transit to include eMoney payments, transforming a transit card into a transit payment platform. Unlike Japan however Octopus Card Limited (OCL) was late bringing Octopus to mobile. Part of the problem was that Hong Kong mobile carriers never had an Osaifu Keitai-like standard that bridged the Symbian and Android hardware eras. OCL also wasted time with SIM card mobile support before finally launching the mobile Smart Octopus service first on Samsung Pay in late 2018, followed by Apple Pay Octopus in June 2020 and Huawei Pay Octopus in December 2020.

But MTR still faces a problem that most Android devices don’t support FeliCa even though NFC-F is supported across all NFC capable devices. It’s the global NFC dilemma best illustrated in the Google Pay on Google Pixel situation: Mobile FeliCa is installed on all Pixel devices but Google only turns it on for Pixel models sold in Japan. There are many takes on the reasons why. My take is that Google doesn’t want to do all the global NFC OS level support work that benefits all Android manufacturers. Google’s stance is, ‘don’t ask us, roll your own embedded Secure Element (eSE) solution.’ And so it’s a race of how many ‘Octopus on XX Pay’ digital wallet platforms OCL can line up for Android and wearables.

For MTR, QR Code open loop transit sidesteps this Android hardware mess, but will it be a success when users have to open a smartphone app with a face mask on at every gate? Apple Pay Octopus on Apple Watch sure beats that problem and then some. Long term I think NFC wearables and UWB Touchless will be the QR killer. Time will tell.

AliPay HK is the first payment provider, other QR players will be added as they are qualified. The transit gate layout is interesting, QR is limited to purple colored gate lanes shown in a nifty MTR video. This is similar to what JR East will do when they phase out mag strip paper ticketing and replace it with QR Code paper tickets. It’s also the layout that Nankai will do when they implement VISA Touch after testing it this year.

The next MTR open loop addition is expected to be EMV+PBOC China T-Union compatibility though MTR has not announced when that will happen. OCL already committed to a new Octopus card that will be compatible with China T-Union.

UPDATE

AliPay mainland accounts can also be used for Hong Kong MTR QR transit.

SEIYU Stores finally add NFC payment support for Apple Pay Suica • PASMO

That didn’t take long. The announcement Walmart was selling majority control of SEIYU over to KKR and Rakuten was made November 16. And what was the first new management move? Adding Suica and Transit IC payment support which means Apple Pay Suica • PASMO and Google Pay Suica can finally, finally be used for paying at checkout. QR Code PayPay has been in place for awhile already. SEIYU also rolled out a new system recently for self checkout and EMV IC chip payments for SEIYU brand Saison cards (other cards have to be signed…yuck). NFC anything has been entirely missing from the SEIYU payments lineup despite the COVID crisis and a huge push for all things cashless, but Walmart has a long antagonistic history with NFC digital wallet payments.

I only noticed the change this evening when I heard the store announcement over the PA. Sure enough Suica signs were plastered at every checkout. It’s weird but somehow fitting that SEIYU is soft launching long overdue NFC contactless payments with Suica. More will come. I’m sure Walmart leaving town had nothing to do with it. Yeah, nothing at all. SEIYU stores were much better under the pre-Walmart Seibu management. Hopefully this marks a return to better service and clean modern stores.