The Weekly #2

July 27, 2021

The ‘Apple Pay is a monopoly’ soap opera continues

ZDNet reports on Australian Parliamentary Joint Committee on Corporations and Financial Services hearings that are focused on, yet again, forcing Apple to ‘open up’ their NFC chip. Actually, they should be talking about the secure element in Apple Silicon because that’s what Apple devices use, and it’s not just about NFC anymore; it’s Ultra Wideband too.

The Apple Pay monopoly debate isn’t new and isn’t about being ‘open’; it’s about banks getting what they want from politicians. What I found interesting was the back and forth between Apple and Google regarding the hardware embedded secure element (eSE) vs. the virtual secure element in the cloud, Host Card Emulation (HCE), a topic that confuses many ‘experts’.

Google is playing both ends here because they have different flavors of Google Pay for different kinds of Android devices. Google Pay on Google Pixel uses eSE while everybody else uses HCE Google Pay. One very important thing not mentioned in tech blog coverage is that Samsung Galaxy and the Chinese smartphones (Huawei, OPPO, Xiaomi) all use a custom eSE with their own XX-Pay. In other words, everybody on the Android side outside of low end junk is doing exactly what Apple Pay is doing.

Apple
Host Card Emulation (HCE) is a less secure implementation, which was adopted by Android … Apple did not implement HCE because doing so would lead to less security on Apple devices.

Google
Our payments apps are immensely secure…we would refute the suggestion our HCE environment is in any way insecure … I would argue the user experience on Google Pay is equal to that of Apple Pay.

Let’s see what GlobalPlatform has to say about HCE:

GlobalPlatform
HCE solutions can be a great option for issuers to get to market cost-effectively for their Android customers. However, they aren’t without their complexities. Rooted in the NFC device OS, HCE apps can be more vulnerable than the ‘Giant Pays’.

So HCE security is up to the payment app: shitty app = shitty security without Apple Pay Secure Intent. The whole HCE debate is nonsense; like FeliCa Dude says, it’s eSE or nothing. If the committee thinks that HCE means open and good, they are showing their incompetence.

Apple Pay Wallet has a very simple rule: any card that loads a Java Card applet into the secure element has to reside in Wallet. Any card or developer that wants to load applets and use the secure element has to have a PassKit Secure Element Certificate Pass. This is covered by NDA but a company called PassKit (not Apple) gives us an idea what Apple’s NFC/Secure Element Pass guidelines are:

Apple care a great deal about the user experience. Before granting NFC certificate access they will ensure that you have the necessary hardware, software and capabilities to develop or deploy an ecosystem that is going to deliver an experience consistent with their guidelines.

Yeah, the end to end user experience, the whole reason behind the success of Apple Pay. Banks don’t want to be told they need to improve their ecosystem for a better user experience, and they don’t want to pay a transaction cut to Apple that they are used to keeping for themselves. What else is new?

The whole ‘Apple Pay is a monopoly’ soap opera is overrated.


PASPY transit IC card migrating to QR

After thinking out loud recently about dumping their PASPY transit IC card in favor of a QR Code smartphone app, Hiroshima Electric Railway Co. Ltd (Hiroden) CEO Masao Mukuda announced that Hiroden would indeed junk NFC and migrate to a QR Code app over an unspecified period of time. Running their own transit IC card is too expensive, so old folks, school children and everybody else will have to use a smartphone to ride Hiroden light rail trains in Hiroshima.

PASPY is just the tip of the iceberg. There are many transit IC cards out there with the same problem: fixed infrastructure costs supporting a small region transit IC card and declining ridership. Add the COVID crisis that has decimated public transit use and you have a business crisis. All the small transit cards outside of the Transit IC card standard (the pink box) are in the same boat: they can only be used in their respective regions, they don’t have e-money functions, they don’t have the resources to go mobile.

This is exactly the problem JR East is addressing with their 2 in 1 Suica MaaS solution. JR East hosts the hardware, the local operator issues a ‘localized’ Suica that offers both special local MaaS services (discounts and extras, etc.) and seamlessly plugs into the larger Suica and Transit IC map.

Suica 2 in 1 region cards are the keystone of JR East’s MaaS strategy

Unfortunately PASPY is in the JR West region which doesn’t have anything similar to the JR East MaaS program. It would be a perfect solution: customers would get a new card that works just like it does now but works everywhere with e-money and ICOCA benefits, Hiroden is freed from the costs of hosting and issuing their own card.

QR is not going to be the salvation that Hiroden hopes it will be. QR isolates Hiroden from the wider transit IC network of Mobile Suica, PASMO, ICOCA. Even if Hiroden gets rid of their card issuing business cost, they still have to host a system to run the QR Code app and manage accounts. The real rub is that instead of anybody buying an IC card out of a machine, users will have to sign up for the app or buy a QR paper ticket. They also have to worry about where and how their account data is stored. My prediction: it’s going to be a messy money losing transition.


Heraiza down but not out

Poor little Heraiza, one of my favorite Japanese YouTubers, has been copyright claim ‘hacked’ from a fake account pretending to be Dentsu and now has 2 bogus strikes against her YouTube account. As an independent 17 year old high school student with 150,000 followers, she doesn’t have the resources of a YouTuber management agency like UUUM, who she likes to badmouth (and I won’t put it past UUUM using fake accounts to take her out). Dentsu or whoever the real copyright holder is has confirmed to her that her content does not violate said copyrights.

Hopefully she’ll get it all worked out and unlock all her previous videos, though YouTube being YouTube, if they don’t like you they ban you…AND keep your ad revenue. In her most recent post about one of her favorite YouTubers having their account hijacked, she has her confidence back. Good thing, in these dark times we all need to laugh.

Have a good week and enjoy the Olympics.

The Super Suica Reference

The new features that make up 2 in 1 Suica are called many things. JR East calls it ‘Next Generation Suica’ and ‘2 in 1 Region Affiliate Card’. Yanik Magnan came up with a great ‘All-in-one Suica’ moniker in his limitless possibilities podcast. I call it, and will continue to call it, Super Suica because I see wider Suica platform initiatives built off the new FeliCa OS features used for 2 in 1 • next generation Suica. It’s a looser, fuzzier platform evolution definition compared to Yanik’s tighter all-in-one card solution focused one.

That doesn’t mean that Super Suica or all-in-one Suica will ever happen the way we envision it, but at least we have some convenient handles to discuss and categorize ongoing developments until something official comes along.

This is a list of announcements, launches and posts related to Super Suica as a platform. Announcements are italic with links to JR Group PR releases, launches are bold, color classifications are as follows:

🟩= Suica cards and Transit IC region extensions
🟧= Mobile FeliCa, Mobile Suica + derivations (Mobile PASMO, Mobile ICOCA)
🟥= FeliCa Standard SD2 • New FeliCa OS
🟦= Cloud Suica and cloud account services

| Date | Category • Announcement** • Launch* | Estimated Start |
| --- | --- | --- |
| September 2018 | 🟩🟥Suica 2 in 1 • FeliCa Standard SD2** | 2021 |
| June 2019 | 🟩🟥Suica 2 in 1 for Tochigi**; 🟧Rakuten Pay Suica** | 2021~2; 2021 |
| September 2019 | 🟩🟥Cross Region Commuter Passes for ICOCA-TOICA-Suica** | 2021 |
| October 2019 | 🟧Mobile PASMO** (rebranded Mobile Suica) | 2021 |
| December 2019 | 🟥🟧UWB Touchless Mobile FeliCa** | 2022~3? |
| January 2020 | 🟩🟥Suica 2 in 1 Iwate Green Pass (Iwate)**; 🟧Mobile PASMO** | 2021 |
| March 2020 | 🟧Mobile PASMO for Osaifu Keitai*; 🟦Eki-Net Shinkansen eTicket service* | |
| May 2020 | 🟧Garmin Pay Suica*; 🟧Rakuten Pay Suica* | |
| September 2020 | 🟥FeliCa Standard SD2 cards with new FeliCa OS features* | |
| November 2020 | 🟧wena 3 (smartwatch+band) Suica* | |
| October 2020 | 🟧Apple Pay PASMO*; 🟧Mobile ICOCA**; 🟩🟥Suica 2 in 1 Iwate**; 🟩🟥Suica 2 in 1 Hachinohe** | -; 2023; 2022; 2022 |
| November 2020 | 🟩🟥Suica 2 in 1 Aomori**; 🟩🟥Suica 2 in 1 Akita** | 2022 |
| January 2021 | 🟩Cross Region Commuter ICOCA-TOICA-Suica launch details** with TOICA and ICOCA region extensions (TOICA extensions explicitly for cross region pass support) | March 2021 |
| March 2021 | 🟩🟥Cross Region Commuter Passes for ICOCA-TOICA-Suica*; 🟩Cross region exit gates installed at Maibara and Atami stations*; 🟩🟥Suica 2 in 1 totra and Iwate Green Pass*; 🟧Fitbit Pay Suica launch*; 🟩🟥Suica 2 in 1 Yamagata announcement**; 🟩🟥Suica 2 in 1 Gunma announcement (Noblé)** | -; -; -; -; 2022; 2022 |
| April 2021 | 🟦🟩Cloud Suica with Suica region extension announcement**; 🟦Eki-Net reboot: more cloud based attached services and JRE POINT integration | 2023; 2021 |

🟩🟥Next Generation Suica cards
A new card for integrating Transit IC and region cards in new ways focusing on Suica 2 in 1 Region Affiliate transit cards and FeliCa Standard SD2 • FeliCa OS as the core development. JR Cross Region Commuter Passes included as I suspect they also use SD2 Extended Overlap and represent a step towards cross region through transit for Transit IC.

🟧Mobile
The evolution of Mobile FeliCa to include UWB touchless and multiple secure element domains, Mobile Suica service expansion and re-branded assets for Mobile PASMO and Mobile ICOCA.

🟦Cloud
Cloud Suica: cloud based fare transaction processing and MaaS Suica payment services without a reader, cloud account attached services.

Cloud Suica and Suica region extensions announced for early 2023

JR East announced cloud based Suica and extended coverage for the Tohoku region, going online with 44 stations in early 2023 and closing some major service gaps around the same time that Mobile ICOCA is due to launch. This same cloud system is expected to drive JR East QR closed loop ticketing and MaaS Suica based services and also syncs with the Mobile ICOCA aim of delivering MaaS services in the JR West region.

You might think that JR East has installed Suica gates in every station but this is not the case: as of 2018 Suica is installed in roughly half of JR East’s 1667 stations, with these station additions the first in more than 4 years. The reason is cost. Unmanned stations have simple Suica validators but the cost of hard wiring these to the Suica data center is an obstacle. Fast local processing is one of the advantages of Suica but the dedicated network backbone for linking and syncing with JR East servers doesn’t come cheap.

The new internet cloud based Suica backend will calculate fares centrally rather than on each gate. The trade off is slightly slower speeds with the benefit of lower installation and maintenance costs so that Suica can easily be installed anywhere. Japanese tech journalist Junya Suzuki tweeted that probably half of Suica transaction processing would remain local with half of the fare processing in Suica cloud. This means the local Suica card SF transaction is partially offloaded by the gate to a distributed closed loop fare processing network via a fast reliable internet connection. It also means that stations with heavy traffic keep fare processing on the gate.

Previously JR East had said they expect to reach 100% Suica deployment with Cloud Suica in the 2021 fiscal year (ending March 2021) and hope to sell it internationally. The program is running over a year late and the first step will be getting the new system to JR Group companies (JR West, JR Central, JR Kyushu, JR Hokkaido) before going international.

Related posts
Cloud Suica and the next generation Suica architecture
2 in 1 Suica Region Affiliate Cards

Is Suica ‘all-in-one’ possible?

Now that Suica 2 in 1 Region Affiliate transit cards are out, it’s time to examine the question that Yanik Magnan posed in his limitless possibility podcast: is Suica all-in-one possible? He defines it as follows: “All-in-one in my case would mean all Transit IC and local area transit members sharing the same physical card as a common container for their data, I’m assuming (maybe incorrectly?) that Suica + PASMO on the same card would be possible through whatever totra is doing.”

In my initial Super Suica coverage I outlined all-in-one possibilities beyond the Suica 2 in 1 Region card program and called it ‘Super Suica’ to capture that idea. Unfortunately, and as Yanik points out, I forgot an important aspect: Suica and sister Transit IC cards all use the same FeliCa technology but have their own data formats. That was an oversight. Nevertheless I think we agree, so I’m retiring Super Suica in favor of Yanik’s Suica ‘all-in-one’ moniker. Here is a grab bag of various pieces that hopefully add up to a quick overview, with Suica all-in-one as a platform of technologies that others can build off of, instead of a specific transit card.

FeliCa Enhancements
Since November 2020 we’ve seen a number of FeliCa enhancements: (1) FeliCa Standard SD2, (2) Mobile FeliCa Multiple Secure Element Domains that support non-FeliCa protocols and (3) Mobile FeliCa Ultra Wideband Touchless. The most important of these right now is SD2 because it’s a real shipping product with Extended Overlap Service and Value-Limited Purse Service. TagInfo scans of the newly released totra 2 in 1 Suica Region Affiliate transit card reveal Extended Overlap in action. The card itself shows 2 issue numbers on the back, one from JR East who owns the SF (stored fare) purse and one for the region operator who owns the overall card. That JR East owns the Suica 2 in 1 card SF and float is…interesting and offers a clue as to what’s going on behind the scenes.

FeliCa Standard SD2 powered totra Suica has 2 card numbers

Float Gloat
Who owns the SF purse float, how it works on the reader side and as a business model are the big issues. Here’s an example: I suspect SD2 Extended Overlap might also be used in the new Suica-TOICA-ICOCA cross region commuter passes as those cannot be issued on current plastic and require an upgrade trip to the nearest JR station. We won’t know for sure until we get a TagInfo scan of the new physical card but let’s pretend for a bit.

Say a TOICA user purchases a cross region commuter pass from Numazu (TOICA) to Odawara (Suica) for regular non-Shinkansen transit. In this case the cross region solution is easy and acceptable to all JR companies because each transit card issuer owns the SF purse, in this case JR Central. The same applies to JR East when issuing the same commute pass route for Suica. The same scenario would likely be acceptable to all Transit IC companies, sharing a common physical card as a common container for their data, but only if the SF purse ownership was clearly defined as it is in totra Suica so it works on the reader side: this is a Suica SF, this is an ICOCA SF, etc., otherwise the reader doesn’t know which one to use.

In other words, let’s 2 in 1 and all-in-one for the shared resources like points, commuter passes and special discount fares for elderly and disabled users, but the SF purse is not shared for 2 in 1 or anything else. Common data format, yes. Common shared SF purse, no. At the end of the day you can’t have a Suica and a PASMO on the same card as the reader won’t know which one to use. We’ll see if Extended Overlap and Value-Limited Purse solves this wanna have cake and eat it too Transit IC dilemma. Sony is now shipping FeliCa Standard SD2 antenna module chips for the reader side of the equation so readers will be getting smarter and evolve too. That’s how I see it for Suica all-in-one, Transit IC and mobile, a gradual evolution.

Mobile hardware barriers
On the mobile front we have a smartphone hardware barrier: the Mobile PASMO Osaifu Keitai Type 1, Type 2, Type 3 mess landed on Mobile Suica with the addition of multiple Mobile Suica cards on March 21. Only Osaifu Keitai Type 1 devices can handle multiple Suica and PASMO cards.

This has implications for Mobile FeliCa features such as the Japanese Government My Number Digital Card and UWB Touchless digital car keys. Mobile FeliCa 4.0 and later on Pixel devices indicate the ability to upgrade FeliCa Java Card applets and even Mobile FeliCa itself. Whether Android device makers will actually use this OTA ability is a mystery. To date the standard industry practice has been if you want new features, you buy a new device.

And then there is Apple. iPhone 7 JP models that support Suica do not support PASMO, UWB is only available on iPhone 11 and later, and so on. There is no guarantee that Apple will update, say iPhone 11 models, for UWB Touchless, Mobile FeliCa My Number Digital cards or even Suica 2 in 1, if and when the format comes to Mobile Suica.

We’ll see what FeliCa Dude has to say about the all-in-one subject, hopefully in a future Reddit post. It may take a while but worth the wait.

UPDATE
I’m sticking with Super Suica. Yanik’s All-in-one take is a great name focused on the 2 in 1 card architecture that fits all of Transit IC on a single card. My Super Suica take is a wider set of developing platform initiatives. Yanik’s feedback was valuable in forcing me to review my posts and define Super Suica as a platform, I thank him for it.

A great reality check

I was pleasantly surprised to find some hits coming from a website called limitless possibility, followed the link and discovered a great podcast by Luc-Olivier Dumais-Blais and Yanik Magnan on Japanese transit IC cards, Suica 2 in 1, the new features of FeliCa Standard SD2, Ultra Wideband Touchless and more…things I’ve been writing about for a while that never get any traffic.

Yanik does a much better job of summarizing the transit technology landscape than my messy collection of posts. I wholeheartedly agree that UWB Touchless is the perfect opportunity for Japanese Transit IC members to put aside political differences and merge, or at least ‘harmonize’ their data formats for a real all in one Super Suica. We shall see. There are things coming down the pike such as multi-secure element domain/multi-protocol Mobile FeliCa that might have transit implications. And I thank Yanik for his constructive criticism of my ‘Super Suica’ coverage. It’s very helpful and rare that anybody takes the time these days.

Extra bonus: their discussion of the Japan QR Code payment mess and a sendup of PayPay ‘gamification’ campaigns using the Canadian Tim Hortons roll up the rim thing is hilarious and spot on.