Foreign VISA cards blocked for select Japanese mobile in-app and online payments

Notice: latest situation updates here

SoftBank Payments network chart

When foreign issue VISA cards in Wallet stopped working for Apple Pay in-app Suica and PASMO recharge on August 5, the first people to howl in pain were Apple Pay PASMO users who suddenly couldn’t recharge with their Chase Sapphire VISA cards. Chase Sapphire still codes for 3x travel points with a PASMO recharge and long time resident Suica users migrated to PASMO when JR East and VISA shut down 3x travel points in May 2021.

I did the usual duty of talking with Mobile Suica support, official line: there should be no problem, contact the card issuer. I then contacted Wells Fargo card services support, official line: there should be no problem with your VISA, contact the merchant. Entirely expected of course but I did confirm that Mobile Suica transaction attempts were not even showing on the Wells Fago system. They said it seems to be a ‘communications issue’… code word for: something’s not right on the merchant transaction authorization side.

I suspected a larger issue than just Apple Pay and an Android Suica user confirmed the same non-JP VISA problem with Google Pay Suica. I also alerted IT journalist Junya Suzuki who focuses on mobile payments. His first thought was something might be going on with the VISA Japan merchant acquirer side of the payment network. For reference, the merchant acquirer handles transaction authorization from the merchant side, ‘this transaction is clear to send to the card issuer.’ The issuer then clears the transaction with the customer account, ‘this customer is good to pay for this charge.’

Merchant acquirers are very secretive and nobody knows who is the merchant acquirer is for Mobile Suica/Mobile PASMO. Maybe they were tightening online transaction security…or something else. Everything was clear as mud though one source did say this:

An acquirer made the decision stopping handling cards issued in other countries… Another guy suggests Apple or such acquirer may face money laundering issue by registering Apple Pay with pre-paid Visa cards or such.

A reader asked me if Japan was banning non-JP VISA cards across the board along with a screenshot of Universal Studios Japan advance ticket sales page with a red colored important notice on the top that said: “We apologize that currently Visa and Mastercard credit cards issued outside Japan are not available until further notice.”

The evidence pointed to a larger problem than just Mobile Suica and PASMO. The USJ wording also suggests that JTRWeb have their hands tied ‘until further notice’ and echos what JR East PR told Suzuki san about the non-JP VISA recharge problem being beyond their immediate control. Something seems to be happening with the VISA merchant acquirer…but in different highly selective ways. For example why does Apple Pay Suica work with foreign issue Mastercard and AMEX but not VISA, or why does foreign issue VISA work for Apple Pay in-app purchases with Japanese apps like Starbucks, but not in-app purchase with JR East for Suica recharge?

Phishing attacks and VISA Touch promotion
It’s helpful to examine the impact of phishing attacks that hit NTT Docomo, Line Pay, PayPay and other QR code mobile payment services in late 2020, and JR East online services (Mobile Suica, JRE POINT, Eki-Net and VIEW card) in early 2022. Responses to phishing attacks has been slow, varied and vague. Companies like to say they value customer security but are short detailing what they’re doing about it. Probably because most of the nitty gritty details are hashed out with the card brand merchant acquirer, which is secret non-disclosure territory.

Docomo quickly suspended, then killed off, their problematic docomo koza e-paymnet service. Then Japanese credit card issuers got serious and responded by upgrading to EMV 3-D Secure v2 (3-D stands for three domains: merchant/acquirer domain, the issuer domain, and the interoperability domain), for browser and mobile app payments and are due to phase out 3-D Secure v1 by October 2022. EMV 3-D Secure is the EMV e-commerce browser and app authentication spec but card brands use their own naming.

JR East upgraded Suica App to 3-D Secure v2 for in-house credit card purchases and changed the JRE POINT Suica recharge process to make it more secure, but seemly little else. Scratch under the surface however and you’ll notice unannounced recharge security blocks and daily limits even in Apple Pay Suica. There are also new limits for certain Japanese issue cards registered in Suica App. Recharge with Revolut VISA for example is now limited to 3,000 JPY per day despite the fact that Suica App uses 3-D Secure v2. Clear as mud…again.

Which brings up to the most important point of the whole problem: why is the VISA payment network not accepting foreign issue cards for Apple Pay Suica and Google Pay Suica recharge when those digital wallets offer the highest levels of secure online transactions out there? A bumpy 3-D Secure v2 transition explains what’s happening for online sites who don’t use Apple Pay and have not updated to newer protocol. But the transition has been going on for a while now, and it certainly doesn’t explain what’s happening with Apple Pay Suica/PASMO and Google Pay Suica (Osaifu Keitai) merchant acquirer side which has nothing to do with EMV 3-D Secure.

Apple Pay comes with the extra security and guarantees that Apple provides to issuers and merchants, once a card is added to Apple Wallet, it is cleared for all things Apple Pay (ditto for Google Pay). This is why a plastic contactless card that doesn’t work on TfL open loop transit gates works when it is added to Apple Wallet. It’s the Apple Pay security guarantee difference.

VISA’s soft power play
So we circle back to foreign issue VISA again. Why are cards cleared for Apple Pay, cards that worked fine until August 5, suddenly not working? Is JR East shutting down recharge for foreign issue cards like Hong Kong Octopus and China T-Union do without telling us? So far JR East support says that all credit and debit cards that support Apple Pay in-app purchase are good to go. They certainly want inbound visitors to use Suica. What little evidence there is points to a change on the VISA merchant acquirer side. Everybody else seems to be doing what they always do.

The timing is perfect however when you consider that VISA is heavily promoting ‘VISA Touch’ EMV contactless and open loop transit. It’s very convenient for promoting VISA Touch open loop when Apple Pay Suica and PASMO are kneecapped as easy payment and transit options for inbound visitors.

VISA has a history of not playing nice with Japanese stored value cards on mobile. JP issue VISA cards didn’t work for Apple Pay in-app purchases and Suica recharge until last year, VISA waited 5 years to ‘resolve’ that issue. VISA cards still do not work with Mobile WAON and Mobile nanaco on Android and Apple Pay, they likely never will. My take is that VISA is happy with people buying things with VISA, they are certainly happy with people borrowing money at ATM machines with VISA, but they are not happy with people using VISA to move money into stored value prepaid cards for making payments, earning points, etc., that are not VISA.

Who knows? VISA has played hardball with Apple Pay in the Japanese market before, maybe they are doing so again. Perhaps they refuse to be an ATM-like recharge backend for Japanese e-money cards unless they also get ATM-like lending rate surcharges. They certainly want to promote open loop VISA Touch and Stera Transit at the expense Mobile Suica market and mindshare. You get the picture.

Junya Suzuki thinks the VISA merchant acquirers might be coming under pressure from potential money laundering risks. I say bunk, people have the right to move their money where they want to, after all we’re only talking a max Suica balance of ¥20,000 here. Whatever the reason let’s hope it is fixed, though I have learned over the years that card brand payment issues are never simple or solved quickly. Time will tell. At the very least we can mark this down as another skirmish in the ongoing digital payment turf wars.


2022-12-03 UPDATE
JR East appears to be working to resolve the unexplained problem with the VISA merchant acquirer, updating the entire JR East credit card system with a series of special maintenance downtimes in November 2022. The work covered everything connected to credit card purchases: JR East station kiosks, VIEW ATMs, Mobile Suica, Eki-Net, etc.

After the last scheduled overnight maintenance session on November 30~December 1, select foreign issue VISA cards started working again for Apple Pay Suica and PASMO recharge but everything stopped again 2022-12-03.

The Apple Pay EMV Express Mode Security Trade-off

The Practical EMV Relay Protection paper authored by Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu and Liqun Chen, outlines a potential weakness with VISA cards when used with Apple Pay Express Transit. The BBC reported the issue which was then widely reported on Apple news sites. The authors and the BBC both frame the security issue as known by Apple, who say it’s a VISA system problem, and VISA who say the hack is only a lab project, not a real world problem. Ionut Ilascu on BleepingComputer had a concise summary:

The tests were successful only with iPhone and Visa cards. With Mastercard, a check is performed to make sure that a locked iPhone accepts transactions only from card readers with a transit merchant code.

Trying the method with Samsung Pay, the researchers found that transactions are always possible with locked Samsung devices. However, the value is always zero and transport providers charge for tickets based on data associated with these transactions.

The findings of this research have been sent to both Apple and Visa in October 2020 and May 2021, respectively, but neither fixed the problem.

Apple Pay with VISA lets hackers force payments on locked iPhones, BleepingComputer

Apple Pay uses a GlobalPlatform licensed secure element while Samsung Pay Knox technology uses a Trusted Execution Environment (TEE), it’s a flimsy apple vs orange comparison. A meaningful comparison should have compared iPhone with another secure element device, like Pixel using VISA. Because of the limited scope, it feels like an attention grabbing ploy as it involves iPhone, rather than meaningful security research.

The security paper authors concluded: “While either Visa or Apple implement a fix for the problem, we recommend users to not use Visa as a transport card in Apple Pay. If your iPhone is lost or stolen, activate the Lost Mode on your iPhone, and call your bank to block your card.” In other words, turn off the Express Transit Card option for VISA cards.

There was an interesting post on the TechRepublic site that sheds more light on the EMV for transit weakness and why VISA is the weak link. It boils down to offline data authentication (ODA) and how some card networks like VISA basically ignore it. Card companies run their payment networks how they like.

Yunusov said a lack of offline data authentication allows this exploit, even though there are EMVCo specifications covering these transactions. 

“The only problem is that now big companies like MasterCard, Visa and AMEX don’t need to follow these standards when we talk about NFC payments – these companies diverged in the early 2010s, and everyone is now doing what they want here,” he said.

Apple Pay, Google Pay and Samsung Pay apps are all vulnerable to this threat. There does seem to be a difference if a person is using a Visa card for payment instead of a Mastercard or American Express, according to Yunusov. 

“MasterCard decided that ODA is an important part of their security mechanisms and will stick to it,” he said. “Therefore, all terminals across the globe that accept MC cards should carry out the ODA, and if it fails, the NFC transaction should be declined.

Visa does not use this ODA verification at all point of sale terminals, according to Yunusov, which creates the vulnerability.

Security researcher: Flaw in Apple Pay, Samsung Pay and Google Pay makes fraud easy for thieves

This is not Apple’s problem to fix but Apple set themselves up for it.

Steve Jobs said it best: designing anything is about choices and trade-offs. The Apple Pay that launched in 2014 was designed for credit cards with bio-authentication to authorize payment transactions. This changed in 2016 with the arrival of Suica, the first transit card on Apple Pay, and Express Transit. Express Transit and Express Mode emulate the way that transit cards and student ID are designed to work. The FeliCa and MIFARE protocols used for these cards are very secure and have a long history of safe prepaid smartcard use.

For a time, the Apple Pay security protocol design was clearly defined: EMV bank payment cards required bio-authorization for transactions while transit cards, ID cards and digital keys worked in Express mode without it. All was good until iOS 12.3 and the arrival of EMV Express Mode that changed the rules so that credit cards could act like express mode transit cards too. No more Touch ID or Face ID authentication for using Apple Pay bank cards on Transport for London (TfL) and New York OMNY transit gates. It sounded like a good idea but Apple decided to promote these services by making EMV Express Transit ‘on by default’ when adding a credit/debit card to Wallet.

As any careful watcher of the OMNY rollout will tell you, there have been plenty of Express Transit problems, especially for MetroCard users. Most of whom have no idea Express Transit was a default on option. Express Transit issues continue to crop up as they did for Apple Card users recently with problems on the Mastercard network and Goldman Sachs side. Open loop transit comes with more downsides than promoters like to admit.

When Apple activated EMV Express Transit and make it a default on, presumably to promote all kinds of Apple Pay cards for transit…cards that were never designed for it, it made Apple Pay Express Transit Mode susceptible to bank card network security issues and glitches. Instead of Apple service quality or secure dedicated transit cards, the user ends up with bank card company service level quality at the transit gate. In other words, EMV Express Transit quality is up to banks, not Apple nor the transit agency. It’s their card, they call the shots. That’s the trade-off that won’t go away.

VISA Japan finally signs on with Apple Pay (Updated)

UPDATE 5/11/21
Visa JP finally officially joined Apple Pay


Japanese credit card otaku tweeted late last night that the Apple Pay Wallet animation started displaying VISA, which it never did until now. Sure enough, VISA displays in the add card animation for the Apple Pay Japan region on iPhone, Apple Watch and iPad. Wallet only displays supported card brands for the selected Apple Pay region so the change indicates VISA JP is officially on board.

The trouble is we don’t know what that means without a press release from VISA Japan, Apple, or Japanese card issuers. So far we don’t have one. All we have are 2 questions that will hopefully be answered later today or the next few days.

Does it mean current iD/QUICPay VISA cards in Wallet fully support Apple Pay features?
A quick check adding a digital Kyash VISA prepaid card to my Wallet did not show anything new, just the same limitations: no VISA logo, no In App (Suica recharge) or web purchase support, no EMV/FeliCa dual mode. That doesn’t mean anything by itself: virtual Kyash VISA still has the limitations but it may be different for major VISA issuers like SMBC and MUFJ.

Does it mean that Apple Pay is simply matching the EMV only VISA Touch cards already on Google Pay from Sony Bank and others?
This seems more likely but also flies in the face of Apple Pay Japan encouraging ‘it just works anywhere’ dual mode EMV/FeliCa support for Wallet issue. If we don’t get announcements from VISA Japan or Apple, it could be a slow dribble of VISA Touch announcements from VISA JP card issuers, not much fun.

What I really want to know is: did VISA Japan blink, or Apple?

VISA Touch issuers currently on Google Pay

UPDATE 11/24
Somebody in Cupertino uploaded a new JSON payload to Apple Pay servers too soon. After showing in Wallet for almost 24 hours, VISA disappeared from the add card animation lineup around 6 pm JST. With a gaff this long at least we know VISA support is coming to Apple Pay Japan soon and likely with the Line Pay Apple Pay card announced in September for launch ‘later this year’.

Tokyo Cashless 2020: Blame the Japan Cashless Payments mess on VISA and EMVCo, not FeliCa

1️⃣ Dear JR East, we need a new Suica Charge App
2️⃣ Consumption tax relief with the CASHLESS rebate program
3️⃣ Are Apple Maps and Siri really Apple Pay level ready for the Tokyo Olympics?
4️⃣ > Blame the Japan Cashless Payments mess on VISA and EMVCo, not FeliCa

Tokyo Cashless 2020 is a series covering all things cashless as Japan gears up for the big event. If there is a topic that you’d like covered tweet me @Kanjo


Japanese journalist Akio Iwata just published a piece explaining why VISA has not signed with Apple Pay in Japan. It is paywalled and I have not read it, but Japanese readers noticed similar points in my earlier piece Why Visa refuses to join Apple Pay Japan and tweeted about it. The subject is timely and worth visiting again after the events of the past year.

Some western business journalists and industry pundits look at the Japanese payments market and write about failure: the failure of FeliCa to be universally accepted, the failure of Japanese society to use cashless payments instead of hard cash. It’s a kind of cut and paste narrative construct journalism that you see too much of these days, like the recent Financial Times piece, or worse the NFC TIMES. The narrative is persuasive enough to blind some Japanese journalists as well.

This kind of reporting plays to the expectations of a certain readership, but it completely fails to capture or explain the massive changes happening in Japan right now, set in motion by the arrival of Apple Pay in late 2016. The bulk of the cut and paste argument is that FeliCa failed to take off in Japan and because Japan failed to switch to the EMV ‘world standard’, that’s why we have the current messy situation. End of story. I don’t buy this argument at all.

FeliCa was around long before the EMVCo consortium got it’s NFC act together in the early 2000s. NFC-A is Philips, NFC-B is Motorola, NFC-F is Sony. The ISO/IEC 14443 standard was supposed to include NFC-F but the ISO ultimately decided not to include it. EMVCo created the EMV contactless standard on ISO/IEC 14443 NFC A/B.

With lots of help from JR East, NFC-F was added to the ISO/IEC 10373-6 and GSMA/GCF (Global Certification Forum) TS. 26, TS. 27 specifications. From April 2017 GCF certification for all NFC mobile devices requires NFC-A, NFC-B and NFC-F support.

It is this later development, and especially the fruit of that development, Apple Pay Suica, that I believe is unacceptable to VISA and by extension EMVCo. VISA cooperates with Apple Pay in other countries because it promotes EMV, VISA refuses to cooperate with Apple Pay in Japan because it promotes FeliCa. Instead of promoting bank card use and new services VISA is promoting technology.

I have long suspected that VISA simply does not want anything to do with Apple’s support of the Global NFC standard put in place by the NFC Forum and GSMA/GCF in 2017. It’s not only Apple…VISA refuses to support dual mode (EMV/FeliCa) Docomo iD/NFC for Android Osaifu Keitai users abroad which Mastercard, American Express and JCB do. VISA simply wants to bide time until NFC Pay/EMV contactless support in Japan is everywhere and then simply ignore FeliCa (NFC-F) all together…

Unfortunately this strategy has only accomplished one thing: it provided an opening for QR Code payment system players…

Why Visa refuses to join Apple Pay Japan

My argument is simple. The VISA and EMVCo mindset is stuck in the one size fits all single mode plastic card era. This is easy to understand as the plastic card issuing business is a very lucrative one.

But like all things there is a downside: instead of embracing the full promise of global NFC digital wallets that can match the best NFC technology for the job with multiple mode cards that do everything and ‘just work’ everywhere, we have the contactless payment turf wars which are really just plastic era fighting moved to a digital arena.

Instead of pursuing the advantages of digital wallets that merge the best of native transit cards on the front end with the best of bank cards on the back end, where they perfectly complement each other, we have bank cards fighting to be everything, which they are not and will never be. This is why Apple markets Apple Card as ‘a new kind of credit card, created by Apple, not a bank.’ It’s the reason why Apple Card is Mastercard brand, not VISA.

In Japan specifically we have VISA refusing to join Apple Pay Japan and for the most part Google Pay, and VISA Japan key player Sumitomo Mitsui fighting on and off with Mobile FeliCa key player Docomo. And the result? None of this nonsense helped strengthen VISA Japan’s market position one bit. On the other hand VISA’s arrogance pulled all the other card companies down with it and provided a huge opening for the Japanese QR Code players like PayPay.

When I wrote Why Visa refuses to join Apple Pay Japan the frenzy of Japanese QR Code payments was just getting underway. Over a year later I think this conclusion is stronger than ever and the only one that explains the reality of the current market. VISA may like to think that the Tokyo Olympics is the last great opportunity to finally kill FeliCa. That’s not going to happen.

Only by setting aside the past and embracing the multimode digital future with forward looking cooperation, can VISA (and by extension EMVCo) help bring order to the payments chaos of the Japanese market. Only cooperation can deliver the promise of cashless payments to Japan, and strengthen the long term market opportunities for all players.

Visa Japan Finally Ready to Sign on to Apple Pay Japan?

IT journalist Junya Suzuki was answering a question of mine regarding dual mode (EMV/FeliCa) credit/debit cards which are somewhat mainstream, even on Docomo dCard, but the plastic issue Sumi Trust Visa contactless cards are EMV only.

I guess Visa Japan still wants to promote payWave (banded as Visa Touch in Japan) over better customer service. Because if Visa was promoting better customer service, they would offer dual mode for plastic cards and Apple Pay like Mastercard and American Express do.

Visa Japan has yet to sign directly with Apple Pay, the reason why Japanese issue Visa cards don’t work for Apple Pay Suica Recharge, but there may be hope. Suzuki san’s tweet suggests Visa Japan might finally sign with Apple Pay, “in the very near future.”

I certainly hope so, but given that Visa Japan has ‘been in discussions with Apple’ to officially join Apple Pay Japan since the service launched in October 2016, and have done nothing the whole time, I’ll believe it when I see it.