Ask HN: Why are credit card chip readers so slow?

273 points by dv35z ↗ HN
I am interested in the technical specifics - what happens end-to-end, and where does the slowness/latency come from?

334 comments

[ 3.3 ms ] story [ 284 ms ] thread
Because with the swipe readers there is only one call to the payment processor.

However, with chip transactions there are multiple calls for different payment processing flows. For example, a transaction could require 5 round trip request responses from the chip to the payment process meaning 5x the time required.

+1. Not to mention each party will have their own VPN's so internal hops to the right machines. That said - these days even swipe reads have multiple payment processing flows especially for co-branded cards.
Next question then becomes why it needs those additional trips? Authorization is already done on the chip, it should only need to verify the amount is available.
Plus your card is half-way back to your wallet before the first call is even made when you swipe it, but with the chip, you can't retrieve your card from the machine until the transaction is done. Even if the transaction took exactly the same amount of time, the chip method takes longer because your execution thread is blocked waiting for a resource to be released.
A more interesting question for me is: why are NFC credit cards so much faster than chip ones? Presumably they require the same kind of round trip challenge-response with their internal chip, but I have heard they're much faster.
AFAIK (please correct me if I'm wrong) NFC is more akin to magnetic strip than chip cards are. i.e. a virtual number is created for each transaction that is tied to the merchant / time of use. so, you get an id from the merchant (i.e. direct communication between you and reader) you get a virtual number from you credit card provider (1 internet trip), and you give that virtual number to the reader), then phone is back in pocket while it does its thing.

Samsung pay even cuts out any knowledge of the reader, just gives a virtual number to the credit card mag reader.

NFC uses the same protocol and transaction flows as contact chip EMV. Only designed-in difference with regards to speed of processing is that card contains additional application that returns AID that should be used instead of terminal trying AIDs it knows blindly. Another thing is configuration. NFC typically has many "slow" transaction flows disabled (ie. anything that requires the card to be still present after some other interaction, be it pin entry or reply from payment processor).
If we're talking about contactless EMV cards (Phone NFC may be otherwise), then they do pretty much the same thing crypto-wise as in a contact transaction, the chip receives the transaction from the terminal.

The main practical difference is that you can't update the on-card data depending on the transaction outcome, since the card isn't there any more.

Pretty sure NFC transactions are "offline", i.e. the round trip to the bank happens after the card has left the reader.
This is correct. Which is why there is a low 'floor limit' on NFC/Contactless payments. Your card is not actually authorised at point of transaction.
Just from my personal experiance in Switzerland I think this is mostly the case, but not always. I have a contactless Visa with a rather low limit that I use for small day to day purchases. I only use it contactless and most of the time I can go over the monthly limit if I only use it contactless. Sometimes if I do this it will still be declined by a shop due to «insufficient funds», so some contactless terminals must be calling home. At this point the Card stops working at any terminal, even the contactless kind. I have to wait for the next month and use it the Chip and Pin way once to make it work again.
From experience in two European countries, this is not always the case. I have both a Visa and MC cards which can be used in contactless mode for transactions of any size, up to the card limit. For low amounts (<40EUR) the PIN is not requested. For larger transactions I have to enter the PIN, but I don't need the chip.
In the UK, Contactless is PIN free, hence the low floor limit. Anything over that amount (£30 typically) requires Chip+PIN, and remote authentication.
Sometimes.

Paying for the bus for me is offline, whereas in a supermarket it's processed online

Often the round trip to the bank happens after the card has left the reader but before the txn is authorised (i.e. the device prints a receipt, customer gets the product or service), that's still an online transaction.
That's probably optional, I usually get an Amex push notification from NFC transactions right after they occur (before I have time to put my phone back in my pocket).
(comment deleted)
Some of them are just like swiping your card - e.g. they just pass the same data as a swipe in one pass and go.

The other kind, AIUI, are indeed the same as the chip transactions, with all that entails.

e: Other posts seem to say that all the contactless transactions are offline, which means no multiple expensive round trips upstream either way, so nevermind.

(comment deleted)
Can you give an example of how the heck an EMV transaction could require 5 round trips ?

IIRC it should come down to 0 or 1 roundtrips, depending on the amount and risk profile - in most cases you do an offline authorization where only the chip is involved to verify the txn, PIN(if applicable) and limits; and if you can't do that, then you send an online authorization, get a response, and that's it. There's extra communication afterwards in the workflow, but that happens after the customer has left and has no impact on customer-observed latency.

Additional question: why is it faster in other countries? The first time I used a chip card in the US I was astounded by how long it took. I had been using chip (and pin) cards in Canada for years and it was never as slow as it is in the states.
Same impression here. I lived in France when chips were adopted 30 years or so years ago and i do not remember them being slower than the stripe version.
These are completely different (mostly national) systems, evidently optimized for different things. For example, in the Netherlands there is still plenty of retailers that don't even accept EMV cards (there is only a small number of (mostly foreign) visitors that'd be interested in such transactions, also the costs of supporting these are typically higher than just supporting the national system).
Try to pay with a foreign card in France and you'll see it can be pretty slow.

Chips were introduced in France at a time where connecting all terminals wasn't practical/cheap. For this historical reason, most payment terminals aren't processing the transaction online in presence of a domestic card, even if they can. Offline transactions are very quick.

So if offline transactions are viable, and faster, then why doesn't the US use them?
They were viable 30 years ago, maybe not today
When first rolled out in New Zealand it was quite slow - as the EFTPOS hardware fleet was updated the performance improved to the point where chip-and-pin was just as quick as swipe-and-pin.

If it's slow in the US I would expect it's merchants choosing not to upgrade their terminals.

Just a theory but is it possible that the prevalence of DATAPAC in Canada means that most merchants were use to having a dedicated always on line just for their terminals and continued to have one after DATAPAC went away?
Here's an even more fun protip from the US chip+pin implementation: You don't need the PIN.

On most terminals, using a US debit card (Chase at least), you can press the green button without entering a PIN and it lets you through. Doesn't ask for a signature either.

Great question! Once I moved back to Romania after living in UK, Germany, and Israel for a while, I was pleasantly surprised how paying with a credit card here is almost instant – we even have contactless PoSes everywhere.
If you ever come back to the UK you'll be rather impressed. Pretty much everywhere accepts Contactless now.

Contactless POSes aren't really a thing though apart from Santander I think.

I believe the OP means POS as in Point Of Sales. Santander tends to have ATMs, as in Automated Teller Machines :)
UKs implementation of contactless is still behind other countries in the EU. In most other places I can use contactless to pay any amount, the terminal will simply ask for my pin if the transaction is over the pin-less payment threshold. In the UK that's impossible - even if the terminal displays the contactless logo when you are attempting to pay over 30 pounds, if you attempt to use your card that way it will just beep and tell you to insert the card. I'm guessing it's a peculiarity of UK banks which decided they would rather disable this system even though the terminals do technically support it.
That's not entirely correct. Some countries (e.g. Spain) have no floor limit and request a PIN, others use the same system as the UK (e.g. Germany). Wikipedia has a detailed list: https://en.wikipedia.org/wiki/Contactless_payment
I think the major complaint is (never tried paying contactless in the UK, no clue if that is correct) NOT the limit that doesn't require a PIN, but that you have to start from scratch and use a different method (insert card, provide PIN) if you cross that threshold. If that's true, that sounds like a UX problem and I'd hate that as well.

Here in DE it's not like that - or at least never happened for me. A transaction that I start contactless might (random verification or > threshold) require a PIN. But I never need to insert the card or get an error message like the GP described.

It is absolutely a UX problem. In the UK terminals will show this image:

https://cdn.barcodesinc.com/images/models/lg/Ingenico/ipp320...

Even if the amount is over the threshold - only once you tap your card on the terminal it beeps and says "insert/swipe card". Why even show the contactless logo then????

Not all do but the majority. I believe it's the manufacturer's fault, not the bank's (or store). But I guess in devices like this, pushing a software update to fix a non-critical UX flaw could take years.
Here in Australia, pretty much every retailer now has "paypass", which is the .au branding for contactless credit card payments.

Most payment terminals are connected to 3G or 4G mobile networks, and from tapping the card to confirmation of payment takes two seconds tops.

Transactions over $100 do require the PIN, but you can usually enter that on the terminal without being required to insert your card.

Paypass is actually the Mastercard version of contactless payments. The name is used in other countries as well. Visa calls it payWave, maybe retailers just put up one of the names.
I believe you're right. In .au they call it PayPass, but in .nz they call it PayWave. I believe some old Visa machines didn't support MasterCard, or the other way round. All I remember is my flatmate complaining that his new debit card kept failing contactless payments.
Yeah for some reason paypass was just the one that stuck in the collective consciousness here. The points of sale have paywave branding too, but people call it paypass.

The truly weird .au thing is that many merchants take your card and tap it for you. A holdover from the days when people got confused by all the options in swiping/inserting and selecting an account.

I recall reading an article from last year, when NFC-based payment was introduced at the German supermarket chain Rewe. The author went out to test it, but the cashiers didn't know how it worked. The author himself figured it out for himself, and just started touching the phone to the cardreader at the appropriate moment, when the cashier was waiting for him to present either cash or a card. The cashiers were allegedly oftentimes confused by the reader beeping to indicate success, and two receipts being printed (instead of the usual three).

Also, while I was looking around to see whether I could find the original article, I saw an article describing that German banks want to eliminate traditional banking cards and do everything via NFC-enabled apps on smartphones. WHAT CAN POSSIBLY GO WRONG.

Rewe is one of the better stores for this. Even though it didn't seem the staff was explicitly trained on that topic (the feature was just switched on one day), the register showed enough information that they knew exactly what to do. Never had any problems, only surprised looks. The other store is Aldi (actually both of them), where from day one every single cashier was trained very well on that and was happy to see a customer actually using it.

All the other stores created many opportunities for mistake by staff they badly trained and much confusion still happens today even long after the roll out. Most commonly, many cashiers demand a signature (on the back side of the receipt, where there is an authorisation text for using another payment technology) even though none is needed.

Ok, I'll bite: why on earth would German cash registers print 3 receipts by default? One for the customer, one for the store, and one for good luck?
Probably Händlerbeleg (Merchant receipt), Kundenbeleg (Customer receipt) and then a normal Kassenbon (just the receipt with what you bought) but I have only seen the two customer ones in one.
Many stores print one receipt for the goods you bought (which is yours to keep) printed by the register, and two receipts for the card transaction (so one for both) printed by the card terminal. This is mostly for historical reasons due to how card transactions were introduced to German merchants. They have stuck to that and still design new so-called "hybrid" terminals which have a receipt printer and take the card in for the full length (so the flow for magstripe and chip transactions is exactly the same with no confusion even though magstripe basically only happens for foreign cards now).

Smarter merchants print muss less: Rewe, which is used in the example, doesn't print receipts at all unless specifically requested by the cashier and then only one which contains both the goods bought and the card transaction data for the customer. A merchant receipt is only printed in case a signature is required.

Yeaah literally no cashier has ever seen these payments, apparently. H&M, Uniqlo, gas stations, Kaufland, Rewe, the list is just infinite.

I worked for 1 week at a Kaufland (you could compare it to Eroski/Carrefour/Walmart) as cashier and I have never seen anybody else except me pay contacless so no wonder they get surprised all the time :)

Had the same. Was shopping at a supermarket in Germany and was the first person to use it apparently. Was then forced to sign (even though there was no indication that I would have to sign and doing so doesn't make sense for contactless payments). I tried to protest but had to catch my train so scribbled something random..
> Yeah for some reason paypass was just the one that stuck in the collective consciousness here.

That seems to happen with bank product branding a fair bit. People _still_ talk about "pass machines" here; Bank of Ireland used to call its ATMs pass machines in the 80s/early 90s, and it stuck, for some reason.

Edit: Forget what I'm saying. I may be misremembering things. Batch is a thing, but maybe not the reason why chip and pin is fast in the EU.

Like I say elsewhere this is very likely a regional thing, having to do with regulations that either require the transaction to be completed in one go, or permit it to be stored in a batch to be processed overnight.

I live in the UK and travel around the EU a bit (France, Italy, Greece, Belgium recently) and I've never noticed chip-and-pin being slow in any way. That's because in most of those countries at least, as far as I can tell, transactions are stored and processed in overnight batches instead of being sent online to be dealt with immediately, which may take a long time depending on the network connection etc.

From what I understand, most places outside the EU don't do batch, they send the transaction online to be completed immediately. Which can take quite a bit longer.

It's fast in my country (EU member). Like no-more-than-five-seconds fast. Most of the time even faster. And it has nothing to do with batches, because if I check my balance in my banking app I can already see the transaction there right after checkout. Maybe infrastructure connecting PoSes and banks sucks in US?
It's been a while since I worked for an EMV vendor and I didn't remember that very clearly, but sometimes transactions are handled entirely offline. It depends on what card you have and where you're shopping (or, more specifically, your card issuer and the transaction acquirer, who determines the settings on the pinpad).

The card and the pinpad together make a decision about whether to send the transaction online or keep it offline and this decision may involve the connection speed of the device and the amount of money you spend.

So, in some cases you might check your account and notice that the money has not been taken out yet. Or you might not even check because the amount you spent was very low.

Obviously, if the connection speed is high enough there's no point in staying offline, so you'll always see your balance changing pretty much instantly. But, like I say, this depends on where you're shopping, what you're buying and what card you're using.

> but sometimes transactions are handled entirely offline

It depends. Some readers are set to accept offline payments for NFC for sure. Reason being that they only sell small items (lunch boxes and stuff) and an offline payment is instant. However in most places you can only do three offline payments before an online payment is forced.

Smart cards (ISO 7816), used for credit cards and SIMs, among other things, communicate through a relatively low-speed serial protocol. The secure microcontroller they contain is also quite slow, especially if you consider the cryptographic operations they're required to perform. I suspect part of it is due to power constraints, and also somewhat tamper resistance.
Line speed has nothing to do with it. The speed of the transmission from card to reader is dwarfed by the latency of the transaction as a whole.
And why on earth do you have to SIGN still? Seriously. I draw a picture of Shammoo most of the time, to the delight of many cashiers
Generally I just circle the part of the receipt that says "No signature necessary"
In August 2014, the whole of Australia switched from signature based to chip and PIN.

I'm guessing a lot of other countries have followed too.

Yeah, I was pretty confused by the "signing" thing in the usa! I figured they'd have ditched signing, but instead, they created complicated digital signing machines! :-o
A lot of other countries have lead, really; Australia was very late in doing this. It was in France in the 90s, of course, and showed up in most of Europe by the mid-noughties.
Signing is mostly so that you can't file a chargeback saying you didn't mean to buy, not so much to show that you are the verified cardholder.
I don't follow. How does me scribbling a line affect my ability to fraudulently claim it wasn't me who used the card? Especially when the back of the card has my signature on it as well?
Yah signing has never made sense for that reason
It's there in the event that the fact that a purchase was made at all is disputed. Of course it doesn't do much to verify who signed, but it proves that someone actually meant to make a purchase.

One of the most foolproof ways to win a chargeback claim is not to claim a card was stolen, but merely that you didn't mean for them to charge you. How do you fight that? So for big ticket items we sold online we required a signature, thus (mostly) killing their ability to file that kind of a chargeback.

Of course that's a huge hassle for online sales, but if you're a grocery store and they're already there eh why not.

Ohh, that makes sense.

If I, as a disputing cardholder, try to claim that “I didn’t intend to purchase that widget”, it will require my card issuer to believe that the merchant signed it themselves and committed intentional fraud (as opposed to a simple misunderstanding)

Its generally far more convoluted "I saw an ad on TV last month that product is $5 so I assumed its $5 and I have no idea whats up with this $6 charge" and both the retailer and the CC company totally have no interest in arguing about how the advertised sale you saw last month ended last month or how it you had listened to the entire offer its not $5 but "$5 with a purchase of $20 or more" or whatever. Look buddy you signed for $6 right here, clearly you knew whats up at the time, so why you bringing this up 30 days later?

Even funnier with something like a debit card. "Well I just swipe, I have no idea what they withdrew, I assumed it was about $15 like every other time I dine here, and they raised prices such that it was actually $25 without my knowledge, and now my bank is giving me $500 in overdraft fees because they can"

Sometimes duplicate charges get entered for whatever reason especially if the terminal isn't connected to the register and uses manual entry. So two identical charges from the vendor, can I see the two signed register slips? No? There's only one? OK then. You can't just delete duplicate charges because there's too many people go to the bar and buy two beers pay up and decide to stay for another two and pay up and there you go two identical charges both valid and both signed. Vs go to the bar buy two beers pay up go home, the printer jams or some drunk trips over the modem cord or whatever and someone hits a "resubmit all" button to "fix" it and now you got two charges with only one signed slip at least in theory they can clean that up themselves.

Signing is working in your interest. You can ask to see the receipt that you signed in case of fraud.

With PIN, the burden of proof is on you - the bank will say you were careless with the PIN and let other people see it, abrogating their responsibility. Even if it's a security vulnerabilty in their system. (Not a theory, this is how it goes in Europe - see Ross Anderson's group's work on this)

Do you mean this 2010 paper: https://www.cl.cam.ac.uk/research/security/banking/nopin/oak...

Here's their blog post about it at the time (but the YouTube video is down, unfortunately): http://www. lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

From the paper: "Because stolen cards can be used without knowing the PIN, by our definition, Chip and PIN is broken. We do not believe that the system is broken beyond repair, but neither is it the case that a simple fix will suffice, due to the unmanageable complexity of EMV."

They have been doing a lot of work in the area, I think 2009-2015 at least. There are several publications, and more than one attack.
Is there any evidence that the Ross Anderson attack has happened in the wild? Someone using a stolen card and the bank just washing their hands of it because PIN?
>You can ask to see the receipt that you signed in case of fraud.

I understand that's how it's supposed to work, but what does the signature accomplish in practice? If anything, a "signature" that even contained recognizable letters, much less anything that looked like my name, would be a sure sign of fraud, because I never enter anything that resembles a real signature.

Most justice systems have a practice of verifying signatures of documents. I believe it's generally based on comparing the disputed signature to a body of your regular signatures and, in contentious cases, handwriting experts.

I'm not sure how it would play out in court if you intentionally make random unattributable scribblings each time. Sounds like something that might be seen as intentional obfuscation.

> I draw a picture of Shammoo most of the time

I like you.

I almost always just do a random scribble. Sometimes I just write an X.

I think it'd be funny to do celebrity signatures, though, but I don't have the patience for it.

Note this isn't true in all countries. My UK cards within the UK all follow some apparently online process in any UK merchant, however during a stint in Finland a few years back, I didn't find a single example of a merchant where their reader didn't instantly approve my transaction as soon as I correctly entered my pin.

Never received a (note: I know, we can all make guesses) conclusive answer explaining the difference.

There's no technical reason for the difference, simply it's up to the merchant & issuer that can arbitrarily set all kinds of limits where certain checks will be required.

It's a tradeoff between convenience and security, different places will make different choices, but generally competitors within a single market (e.g. UK or Finland) will try to make the same choices so they don't get customers asking why they're slower than a competitor.

As has already been pointed out, EMV transaction flows go through many steps. From what I understand, the protocol was designed with a focus on flexibility, and little attention was paid to low latency.

Until some years ago, most terminals would mirror that. Most prominently, they used to have separate "enter pin" and "verify transaction amount" steps, and included longer delays for displayed status codes. Recent devices have started combining these steps ("Amount: xy. Enter PIN to confirm") and status messages.

Newer use-cases like the contactless qVDSC application have been tuned for better performance, limiting the amount of communication between reader and card.

For more details, have a look at this guide from VISA: https://www.visa.com/chip/merchants/grow-your-business/payme...

That would make sense if the USA was an early adopter, but it's the latest adopter. They should have jumped straight to the latest systems.

Also, I don't remember EMV being slow in the UK, and that was an early adopter of the modern protocol (2004).

The USA was an early adopter of Point of Sale systems. I'm under the impression that retailers haven't upgraded the computer systems attached to credit card chip readers.
Aye, in South Texas at least, I've noticed that newer terminal systems seem to process things just as fast as card swipes, if not more so. But older systems that have obviously been retrofitted with the technology are hit and miss. I often feel like it's the user interface slowing things down more than the transaction itself though, I can't recall any recent instances of delays waiting on the authorization to happen that were longer than a few seconds.
"upgraded the computer systems attached to credit card chip readers"

A quarter century ago the way grocery retailers implemented credit and debit card payment was a physically separate unconnected terminal, you swiped and entered the amount on the separate terminal, and the only modification to the cash registers or workflow was hitting the "credit" button instead of "cash" when recording a transaction (there was already functionality for a "check" button). So there was no connection. Before credit/debit terminals you'd balance your register at the end of a shift using data from the "check" or "cash" button, afterwards you had a third column the "credit" button transactions, and that figure should match the terminal printout.

Its possible that connecting the systems results in slower speeds for an end user, although not having the cashier hand enter charge amounts saves enough cashier time that the overall system is faster although the end user feels its slower. What I don't understand is beyond some manner of witchcraft why connecting the register to the terminal would be assumed to slow down the process. Unless architecture has staggeringly changed in the last quarter century, the CPU in the cash register is not doing the crypto or running some kind of dialup winmodem, its in sleep mode awaiting an "Ack" or "Nack" while the terminal is doing whatever crypto magic that terminals do.

There's an express Target in the San Francisco Financial District that gets around this by assigning cashiers to two registers. They start the chip payment transaction on one register, and the slide over to the second register to start another customer's checkout. Then they slide back to hand the receipt to the first customer, etc. Absurd but effective.
Similarly Starbucks employees will initiate a transaction then step away to prepare the order then come back and finish up.
In Germany, Aldi Süd uses a similar method. While the customer inserts the card and enters the PIN (which is the slow part – the machine itself is really fast) the cashier starts scanning the items of the next customer. All this happens with the same register so the switch happens in software (they invest a lot in register technology).
In Sweden people usually start the slow part (entering the pin) while their items are scanned. When all items are scanned you just press ok to authorise the amount and wait for 1-2 seconds for the transaction to go through.
Ah yes. I have written about this on HN before. I have never seen this outside Sweden für some reason.

At Aldi specifically it wouldn't be useful as you have to keep up with the cashier's scanning speed while bagging. In other stores you can start bagging at the end. Not sure why they don't use the same idea as Swedish stores. Once I tried inserting my card while scanning in a German store but the machine didn't like it at all.

We have it in the UK for some petrol stations. My local one before they had pay at the pump allowed you to go to the cashier put your card in the machine and enter your pin tell them how much fuel you wanted and then the pump would only deal out up to that amount.

You only got charged for the amount of fuel taken, so it didn't matter if you said you needed 30 pounds worth and only took 26 pounds worth.

I guess it was similar to pay at pump now, where you enter your card and pin to pre-approve up to 99 pounds, fill up and then only get charged for the amount you took.

(comment deleted)
We did that in Australia for a year or two but then it seemed to vanish. I guess not enough shoppers took it up.

Or, come to think of it, it probably lowered the likelihood of people using the supermarket loyalty cards so they nixed it.

(comment deleted)
Used to be able to do this in the US with magnetic swipe but now you can't because of chip reading taking place at a specific time in the checkout process.
FWIW, Square's chip reader seems to be much faster than many others.
Can confirm. Just set a Square reader up for my local school's parents' association and it's so quick I had to do a double-take as to whether the payment actually had been made.
I've noticed this too. It's blazing compared to the average Verisign
Previously the mag-stripe conducted your card number to the merchant and they could charge essentially whatever they wanted (but there were various reasons they would likely charge the amount you owed). With chip, they have to compute the final amount while your card is inserted and cannot deviate.
Place I part time at the card terminal isn't even hooked into the cash register. I have to manually enter the amount from the register screen into the card terminal. But I have to do that for mag stripe and contactless as well.
Do you mean the actual chip back and fourth? The inherent problem is that the 7816-d standard is a mess. It requires extremely small data exchanges on the order of seconds to get a cert out of the card.

This has been a mess since the mid 90s, when I first worked on these things.

Here a cruddy not at all usefule link to the standard:

http://www.cardwerk.com/smartcards/smartcard_standard_ISO781...

Bad internet speeds, WiFi or business skimping on internet. It's never usually the terminal, it's the connection to their payment provider, or their payment provider reseller's connection to THEIR payment provider.

It's very common for bars and restaurants to have a dedicated line for the terminal, but usually they'll skimp on tech (have seen dial-up over POTS or in a fibre-capable premises). Also very common to use 3G or 2.5G.

It'd take a tech all of 5 minutes to diagnose and suggest a fix for 98% of these slow terminals. It's strange seeing businesses not look to fix these issues. If I was a payment provider I'd probably run diagnostics against my customers terminals every day and force poor performing customers to have someone come in and fix it.

Your conjecture doesn't address why the swipe is fast while the chip is slow.
It certainly does. Swipes are settled (transmitted to the bank) once a day, after store closure. The chip, meanwhile, is in almost all cases online - which means that when the terminal is connected via POTS or ISDN, there is a minimum delay of 10-30s for establishing the connection, while this is nearly instant with a DSL/fiber uplink.
This. Sorry, I thought this was a given. Thanks for filling in the blanks mschuster91.
This is not remotely common in the US. Almost all transactions are on-line, issuing an auth against the card.

You are correct that end of the day batches then happen to settle all those auths into actual sales - but that's so you can do things like instantly refund a customer for a cashier fuckup/etc. and not get charged the discount fee both ways like how a regular refund works.

There are no stores simply accepting any/all magnetic swipe transactions and then only at the end of the day figuring out that oops, that card didn't have enough credit available after all.

Not true - the entry mode is irrelevant to whether it is batched or online. In fact it is more likely in modern systems to be the other way around. Chip may use offline, including offline PIN, whereas stripe is nearly always online. Source: 30 years EFT Banking experience, specialising in EMV.
I don't know what the reason actually is, but I assumed it was slow by design to make it harder to compromise, similar to bcrypt.
This post explains why I was so frustrated using my card in the USA the other month. I figured it was super-slow because I had an international card, and it was confused.

Back here in Australia, almost every retailer (including those on 3g eftpos machines) takes < 4s from when i tap my card, to when I can start walking away. So much quicker than cash :-)

4s is outrageous, paywave works within 1s.
You haven't used a myki machine, clearly!

(myki is the horrible Melbourne version of the Oyster card. a bungled project from start to finish)

Depends on network situations. Here in Perth I'll get a beep immediately on Paywave, but still have to wait a few seconds for Payment Approved to appear on the screen. Some stores seem to have really terrible mobile reception for their mobile payment terminals.

Still faster than Bitcoin confirmations though.

Here's a good blog post from a WePay engineer that explains some of the slowness - https://wecode.wepay.com/posts/supporting-chip-cards-at-wepa...
Great post. Now I finally learned why when I use my debit card I'm asked "INTL VISA" or "US DEBIT BANK" every time. I thought it was the PIN pad software, it's actually an app running on my own card that is causing that to come up with every transaction.
I was a user in the Mondex card trial in 1995. This was like modern chip cards, but a stored wallet instead of online auth to an account:

https://en.wikipedia.org/wiki/Mondex

The banks outfitted buses, bars, pretty much everywhere with readers but even after inducements to use it such as half price beer(!) it still failed. Why? Because it was soooo slow. Waiting for ~45 seconds at the bar for a payment to go through got old really fast. It barely lasted a year.

I'd have thought the friction of the payment would have been a lesson learned, but here we are 22 years later and it's still a pain.

Yet now, in the card dominated era, we routinely split checks into 10 parts when dining in a group because people don't carry enough cash..
Although a lot of restaurants have notices to the effect that they'll only split bills up to 2 ways or something along those lines. I don't use cash a lot but it's still a good idea to carry some.
45 seconds is a ridiculous amount of time. I wouldn't use it either. It would put a big bite in a cashiers items per minute figure too, so they would hate it.
It was even worse on public transport apparently. I can't even imagine being there for 45 seconds in front of a load of angry old ladies trying to get on.
just another reason we'll move faster into blockchain and decentralized crypto currencies...
So we can increase the latency to confirmation by orders of magnitude...?

Chip readers are a couple seconds with a good setup, and a couple minutes with a bad setup. Blockchains drag that into minutes and hours.

could it be on purpose? to have it more secure? like, wait before you can retry?
The workflow can be quite quite complicated.

card<->reader<->pc/terminal<->transport (ip/phone line/gprs)<->financial switch<->financial institution.

Add to that emv, tripledes etc and it all adds up.

also, other countries have completely switched over to chip/pin for security reasons with little or no problems but due to not wanting to confuse US tourists the terminal software must allow pin-bypass so they can still sign instead of using a pin.

sigh.

It's not due to not wanting to confuse US tourists, it's wanting to accommodate US tourists; American credit cards don't have a PIN, period.
my bad, it's been years since i last worked in that field. And I just remember sighing a lot at all the hoops that had to be jumped through in the name of security and then to just allow people to bypass it.
Edit: this is not entirely correct; transactions may go online or stay offline, depending on amount and connection speed. See comments below.

It might depend on where you are. Where I am, in the UK, chip card transactions are quite fast. Fast enough to use contactless (tap and go a.k.a. "pay by bonk") where you literally just tap your card on the pinpad and go on your merry way [1].

The difference is that in the UK, transactions are not immediately sent online. I repeat: they're not immediately sent online. So you don't have to wait for the merchant to contact the acquirer, for the acquirer to respond and so on and so forth.

Instead what happens is that you dip, or swipe, or tap your card; the pinpad and the card figure it out between themselves whether you are the rightful owner of the card; the pinpad makes a record of the transaction; and you're told the transaction is "approved", then pick up your goods and go home. Later in the day, the merchant (i.e. an automated process at the store) sends an overnight "batch" of transactions to the acquirer, (i.e. the bank or credit network etc) and the acquirer either transfers the funds directly to the merchant, or blocks out the funds so you can't use them again and they can be transferred to the merchant later.

That's the EMV standard in a nutshell and entirely from memory, with a distance of a good few years from the time I worked for an EMV vendor (we sold a bit of EMV software that went on the Point-Of-Sale machine and handled all of the above). I might be misremembering a few things but I believe the above is mostly accurate.

tl;dr: having to go online for each and every transaction takes forever.

___________

[1] Or of course sometimes do a double take, realise the transaction hasn't gone through, tap again, eyball the pinpad, then possibly insert or swipe etc. Sometimes it doesn't work.

Uhmmm I'm fairly certain that's not entirely correct. There may be terminals which batch transactions and send them later, but in most cases you can even see the terminal going "connecting to <bank> servers" and only after it obtains the connection it authorizes the transaction. Larger stores have a constant connection open so the transaction goes through straight away, in smaller shops the terminal actually has to connect with the bank first.

But I guess the best proof is that if you have zero money in your account you can't actually buy anything with your card, the transaction will get declined immediately(unless you have overdraft, obviously), so the terminal has to check with the bank if you have funds to pay or not.

I agree with this - offlining transactions are a possibility for some instances, but in most cases, there is a significant difference in speed - I'm in Russia at the moment and when I have a transaction go through the terminal, my bank sends a notification of the transaction usually before the pay terminal is done with it's processing; so there must be some rapid communication happening to authorize the transaction within a short period, even if the actual transfer of funds transaction takes longer (which is expected). When I briefly returned to the US last year after the chip terminals were implemented, I was a bit frustrated to see that it did indeed take significantly longer than I was used to, neverminding how inconvenient it was to not have the ability to use the NFC or the card slot on the majority of terminals.
To be honest, I don't remember how that works so you're right I might not be entirely correct.

The point is though, when the pin pad says it's connecting, that usually means the transaction is taking longer than usual. It might also depend on the vendor, for instance, in the Waitrose I never see the connection message whereas in the news agent I always do.

Alright, I got a bit of a memory refresher (thanks wikipedia https://en.wikipedia.org/wiki/EMV#Terminal_action_analysis). I didn't entirely misremember this, but I'm not entirely correct either, like you say.

In short, whether a transaction will go online, stay offline or be denied, depends on the settings on the card (configured by the issuer) and the settings on the pinpad (configured by the acquirer). The two of them together decide what happens.

So in some cases the combined settings on the card may allow offline processing, which is the batch process in my previous comment. Others, like ATMs (according to the article) will always go online, and yet others may set a "floor limit" - a transaction amount above which the transaction should always go online.

Another factor is the "terminal capabilities", so basically connection speed- if that's too slow transactions may default to offline only.

So what I remember must be that if the transaction is under a certain floor limit, or terminal speed, it can stay offline, maximising some speed-vs-risk tradeoff. And what you note, that the card will deny your transaction when you don't have enough money in the bank, is basically the flip side of that.

What would be harder to notice is the cases when a transaction goes through even when you don't have enough money in the bank, e.g. because the amount you spent is below the floor limit for your issuer and acquirer. But I'm not sure what happens after that- is the transaction declined later? Does the bank charge your account as if it's overdrawn?

It's been a while and I don't remember those things very well I'm afraid :0

The card can and will remember your latest balance, so it's quite possible to have transactions accepted/denied based on your balance without checking with the bank.

It does add some risks since the balance is "stale" i.e. may have old info, so it'd be configured that way only if the terminal physically can't connect online all the time, but it's certainly possible.

This might be the case sometimes, but not always. Sometimes the transaction is sent immediately (which means a longer wait).

Edit: Typo.

I'm still a little unsure about all the details in the UK, but I know that in at least some cases the process you describe isn't entirely accurate. I mostly use a card from Monzo (https://monzo.com) and I get a mobile push notification on every use – almost always within seconds of the transaction. This would seem to be a requirement for prepaid cards, at least, because otherwise overspends would be possible.

I seem to remember that there is a whole class of cards which are coded as 'online only', meaning that transactions will fail unless they're taken online. The only place I've frequently seen this happen is on trains, where the mobile equipment is sometimes not capable of online transactions, or doesn't have a signal.

Anyway, the point was that these transactions don't appear to be any slower than with any other card I've used, so I'm not totally sure that the speed really is down to not being online.

(comment deleted)
Here is Germany it usually takes a few seconds (less than 5 I'd say) - I noticed however that paying at Aldi Nord is very fast. They really do tweak the cash register speeds at Aldi...
Interestingly, Monzo takes a few seconds (~5) to notify me of a transaction if I do it in Germany. UK, Belgium, Malaysia and Indonesia are all instant.

I assumed that there must be some further process that it goes through, between telling the credit card reader that it is completed and Monzo getting informed.

I wouldn't muddy the waters here with talk of Monzo. Most chip reader cards don't do what Monzo does in terms of real-time backend transaction verification, that's a generation further than the stuff being rolled out in the US.
Monzo tends to notify me before the card reader has actually registered the payment in the UK
Correct. Cards can indicate whether they need to be verified online or not. Most do not require this (so transactions are just recorded and processed some time later), apart from Visa Electron which was designed for under 18s, and therefore does not have an overdraft, so requires an online balance check.

Monzo take advantage of this to enable their realtime notifications and related features, otherwise Monzo would receive the notification of the charge up to 48 hours later which would be a significant harm to the UX.

Yeah because Aldi entered the play only very recently and so used top-of-the-line CC readers only, plus always a solid DSL link.

Old stores, especially small mom-and-pop ones, are still stuck with readers built a decade ago, or with modern readers uplinked by POTS. I recently helped my vet switch from an old POTS terminal to a brand-new, DSL-linked one; the speed difference is huge.

Also in Germany, I recently paid a bill by EC at my dentist, and it took over 2 minutes for the transaction to go through because they have a shitty old reader that connects individually for every transaction, and also over a shitty link (maybe GPRS only?).
We had one that dialed through maybe with a 56k modem but probably slower. Ended up sticking it on the fax line because a customer couldn't pay over the phone when it shared the same line.
GPRS is usually pretty quick for this. The dentist's one was probably using some form of dial-up, either over GSM or POTS.
I remember in uni the corner store near my apartment used dial-up (or possibly ISDN since at the time that was the telco's default solution for "I want 2 lines") for its card reader. If you were in a line of customers it was fast but if the store was empty you were waiting for 30-60 seconds while it connected...
ISDN circuit level connections occur almost instantly because it is a digital connection..
> They really do tweak the cash register speeds at Aldi...

Not only that, but the Aldi checkout operators are extremely fast at scanning products compared to other supermarkets (at least that has been my experience in the UK).

Makes me wonder if they are at German speeds.

Because in Germany it's very fast

> Because in Germany it's very fast

ALDI/LIDL are outliers here in Germany. Other supermarket checkouts like Rewe, Edeka, and Kaisers are slower at scanning items. So don't take the speed of ALDI/LIDL cashiers to be indicative of every supermarket checkout in Germany.

Overall, German supermarkets scan items faster than in North America, but ALDI/LIDL are really in their own league. I sometimes think they are faster to scan items than to drop the contents of the belt onto the floor. Impossible to pack in real-time!

They got slower.

Some years ago they punched in all items by number and were even faster.

The downside was that for the first months of your employment you were at home learning all codes.

For stuff like vegetables and fruits sold by the unit cashiers still pretty much have to learn the codes to be fast. There's a grid overview with images of the groceries and their numbers to help, but eh, you can't look at that or else you are slow.

I still remember that 515 were cucumbers and I believe 529 were 2.5kg of potatoes?...

A primary reason for this is that ALDI products (at least here in the US, I don't remember whether this was true shopping in Europe a few years ago) typically have 4-6 barcodes per package--a box will often have a bar code on every face, if it's a house brand product. Makes for extremely fast scanning, true.

I also just noticed the dual-conveyor model in operation at a newly-opened Lidl near me yesterday. ALDI here typically doesn't do that--most stores are set up to place groceries (and unfilled bags) directly into a customer cart, and have a nearby counter to bag your groceries at.

Their scanners also don't suck. IBM used to make very high speed, accurate POS terminals in the early 90's. You could basically toss products across the sensor non-stop without any delay as long as the code was within view. The modern stuff is glacially slow by comparison.