Some of the answers are close, but no cigar. The main reason for the time delay is the offline authentication of the chip, combined with generation of the ARQC cryptogram. Additionally the EMV protocol is very chatty if there are multiple applications on the chip card, although the latency involved in the customer interaction far outweighs the protocol timings.
As mentioned in many comments online transactions will be an order of magnitude slower, as they need to be sent to the issuer, have their cryptogram verified and the challenge response returned if the card does host authentication - which most do these days.
The entry mode generally does not determine how a transaction is authorised - chip, PayPass (NFC) and stripe can either be off or online. In fact stripe transactions are invariably online unless you want your business to be overrun with fraudsters. One of the prime reasons in the early days of EMV was to have it so safe that offline transactions were fraud proof - or close to. Naturally this noble goal was shot full of holes the moment real fraudsters got to it. However, the card is personalised with various limits and counters and with the possibility of using an offline PIN, which combined with the static authentication does give reasonable protection for low value offline transactions. Fun fact - in the initial spec this offline PIN was communicated between the terminal and the card in the clear. What could possibly go wrong :-). These days it is encrypted.
Anyhow enough blather - hopefully this has given a bit of insight.
What I don't understand is that even when using a German card with multiple applications, online authentication, and online authorisation[0] it's quite fast in Germany – much faster than comparable or even simpler transactions in the US. On the other hand, the very same card is processed even faster when used in Sweden.
The difference is probably faster data connections and more efficient protocol implementations, I would think.
[0]: For some reason receipts here contain quite a lot of information on what happens behind the scenes if you know how to read it. I hope this link keeps working, it contains excerpts of receipts merchants give you here: http://docplayer.org/storage/33/16568026/1498495227/GbAKHYXN... With that information you can e.g. see which steps were performed offline.
Does Germany have exactly one financial interchange network?
Living in Canada, I tend to notice a wide variability in the response times of ATMs to withdrawal requests (i.e. the time between when you finalize the transaction request, and when it spins up the bill spitter) and I think the one factor I've noticed it coming down to is the number of interchange networks marked as being supported on the side of the machine.
The ones that just do Interac (the Canadian interbank debit-transaction network) are quite quick; the ones that do Interac and PLUS or Cirrus are slower; the ones that add support for cash advances on plain credit cards by supporting individual CC companies (Visa, AMEX) are slowest of all.
So, maybe it's not the number of applications on the card, per se, but rather the number of applications supported by the terminal, with some sort of O(N^2) interaction between them?
The POS terminals I talk about usually support at least MasterCard, Visa, Maestro, Vpay, and the German scheme Girocard (which in reality are multiple networks in its own). Some even more and they are still much faster than either using the same card in the US or using a US-issued card in the US. I'm honestly quite baffled as to why. I haven't tried a US card in a German terminal yet and neither looked closely at ATM speeds.
I made a screenshot of the most interesting example: http://imgur.com/ye5MJcH This is what they print out for the international schemes. On the left is what the customer gets (sometimes directly on the receipt, sometimes on an extra piece of paper), the right one is for the merchant (some only save it electronically now). Some terminals show less info but much of it is almost always present, something which I haven't seen much internationally in that level of detail.
What is the difference in the actual reader hardware itself?
That is, what brand of terminal does Walgreens use vs. Safeway?
In this late year of 2017 I know that many new NAS devices use cheap processors that make it difficult for them to run rsync over ssh ... it's too computationally expensive to encrypt the data stream at a high network speed.
If NAS vendors make that decision I wouldn't be surprised if some payment terminal vendors make similar decisions ...
> Fun fact - in the initial spec this offline PIN was communicated between the terminal and the card in the clear. What could possibly go wrong :-). These days it is encrypted.
How do you encrypt a 4 digit number (PIN) in a way that is resistant to brute force recovery?
You set up a secure session (e.g. TLS, but you wouldn't do it that way) and send the 4 digit number over it. Or you use any standard cryptosystem with appropriate security guarantees (RSA-OAEP, AES-GCM, you name it).
What you don't do is shove the 4 digit number straight into an ECB mode cipher.
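The contrast drawn in the reply above, as an added example that is not part of the thread: a deterministic block cipher applied directly to a PIN block, next to encryption that uses a fresh nonce per message. The Feistel cipher and the HMAC-based stream-plus-tag scheme are standard-library stand-ins (assumptions of this example) for a real block cipher in ECB mode and for an AEAD such as AES-GCM; the PIN block layout and the cardholder names are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

BLOCK = 8  # bytes; constructed PIN block size for this example

# Constructed sample data: two cardholders happen to share a PIN.
SAMPLE_PINS = {"alice": "1234", "bob": "0000", "carol": "1234", "dave": "9999"}


def pin_block(pin: str) -> bytes:
    """Pad a 4-digit PIN to 8 bytes (constructed layout, not a real PIN block format)."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly 4 digits")
    return pin.encode() + b"\xff" * (BLOCK - 4)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key: bytes, i: int, half: bytes) -> bytes:
    """Feistel round function: HMAC-SHA256 truncated to half a block."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def ecb_encrypt(key: bytes, pin: str) -> bytes:
    """Toy 4-round Feistel block cipher applied straight to the PIN block (ECB style)."""
    block = pin_block(pin)
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, xor(left, round_fn(key, i, right))
    return left + right


def ecb_decrypt(key: bytes, ct: bytes) -> str:
    left, right = ct[:4], ct[4:]
    for i in reversed(range(4)):
        left, right = xor(right, round_fn(key, i, left)), left
    return (left + right)[:4].decode()


def subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def randomized_encrypt(key: bytes, pin: str) -> bytes:
    """Fresh 128-bit nonce per message, then encrypt-then-MAC (stand-in for an AEAD)."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(subkey(key, b"enc"), nonce, hashlib.sha256).digest()[:BLOCK]
    body = nonce + xor(pin_block(pin), stream)
    tag = hmac.new(subkey(key, b"mac"), body, hashlib.sha256).digest()[:16]
    return body + tag


def randomized_decrypt(key: bytes, msg: bytes) -> str:
    body, tag = msg[:-16], msg[-16:]
    expected = hmac.new(subkey(key, b"mac"), body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    nonce, ct = body[:16], body[16:]
    stream = hmac.new(subkey(key, b"enc"), nonce, hashlib.sha256).digest()[:BLOCK]
    return xor(ct, stream)[:4].decode()


def is_deterministic(encrypt, key: bytes, pin: str) -> bool:
    """Design-review check: does the same PIN under the same key repeat on the wire?"""
    return encrypt(key, pin) == encrypt(key, pin)


def linkable_groups(captured: dict) -> list:
    """Cardholders whose ciphertexts are byte-identical, visible without any key."""
    groups = defaultdict(list)
    for holder, ct in captured.items():
        groups[ct].append(holder)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for name, enc in (("ecb", ecb_encrypt), ("randomized", randomized_encrypt)):
        captured = {h: enc(key, p) for h, p in SAMPLE_PINS.items()}
        print(name, "deterministic:", is_deterministic(enc, key, "1234"),
              "linkable:", linkable_groups(captured))
```

With only 10,000 possible PINs, a deterministic scheme yields at most 10,000 distinct ciphertexts per key, so equality on the wire is equality of PINs; the per-message nonce is what removes that.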
You might want to qualify this with “in the US” as chip+pin cards are pretty fast in other countries by comparison.
Also there was a great episode of the podcast “Planet Money” a while back which goes into detail on your question [0]:
> Today on the show, we bring you a brief history of what's in your pocket. It's a story of convenience vs. fraud—and it also includes a hippie inventor, the origin of the last great upgrade on your card, the magnetic stripe, and why it takes so long to "dip the chip."
Thanks! And correct - should have added "in the US" in the title. Just got back from a trip, and am always reminded how archaic USA banking feels compared to most other countries' systems. With the recent industry switch to chip in the US, I'd hope transactions would be faster and easier - but the implementation seems terrible: confusing POS interfaces, slow chip reading, still need to sign / no PIN, rarely any "bring the mobile POS to your restaurant table" requires still waiting on the waiter for 5min, etc.
Sure. And that's one of the problems with being first to infrastructure. It's really hard to just "change it all" once something new and better takes hold. It'll get better, even if it's not that great right now. Though, I largely take issue with your statement that U.S. banking feels archaic. I'd say U.S. banking is, if nothing else, generally at the forefront of digital technology despite heavy regulation. (I'm not arguing regulation bad/good, but it is a fact that the industry is heavily regulated).
The US was one of the last countries to get Chip + PIN, and even then they messed it up, and got chip + sign.
90% of the places I use a card in seem to be still swiping the cards, while we have had full chip + PIN implementation here (Ireland) since at least 2005 or 2006.
Chip+sign is a solution to a real market problem with chip+PIN in the US: the typical consumer has many credit cards. https://www.quora.com/What-is-the-median-number-of-credit-ca... claims an average, not median, of 3.5 per cardholder, and that matches the numbers at http://www.creditcards.com/credit-card-news/ownership-statis... . Heavy credit card users have a lot more: it's common for stores to have store-brand cards that give you a discount at that store, so a number of people end up with a dozen different cards for stores they commonly shop at.
Expecting people to remember this many different PINs is not realistic. So every card issuer was worried that users would just stop using their card because they could not remember the PIN. This is the problem chip+sign is meant to solve.
In other countries, patterns of credit card use are quite different. http://www.theukcardsassociation.org.uk/wm_documents/UK%20Ca... page 6 claims an average of 2 cards for the UK, for example. So the "can't remember the PIN" problem was not as big a deal.
That's assuming the issuer allows you to set the PIN. In many cases they do not, in my experience with both debit cards and chip+PIN cards (the one chip+PIN card I have in fact does not allow that).
Chip+pin isn't the sole marker of innovation. Anyway, as I said, if you build out an entire infrastructure based on a different way of doing things, you can't just up and change that over night. It takes time. It costs money. There are associated opportunity costs, etc....
It's an obvious one, which indicates a superficial understanding of the financial industry and technology in particular. Credit cards, and their use, was from the outset largely an American phenomenon. When Europe finally caught up (and to this day, in the year 2017 there are still businesses that don't have credit card infrastructure set up - meanwhile even mobile food trucks in the US offer it), Americans had already built out the infrastructure and found out about the hard issues - which gave Europeans time to implement a better solution, which was chip + pin.
But all that aside, the real question is, why are you still using a physical credit card? In the US, I can use Apple/Google Pay at nearly every business I find, and all of the large banks and most regional and smaller firms offer support for their products on the platform.
When will Europe catch up with banking technology?
It's almost like you've never even been to Europe, and all you shop at in the U.S. is McDonald's, Chipotle and Starbucks.
For around a decade, many cities, example Prague, have accepted text message based payments for public transit. Today most public transit systems have their own apps for payment and ticketing. I can't think of a single U.S. city that does this. They're all exact change only or proprietary ticketing systems.
About the most advanced I can recall, Citi had a short lived tap and pay, NFC based, project in the NYC subway 10 years ago. You still got the 10% metrocard discount. It was ultra proprietary though, Citi cards only.
And then Citi and Amex went and ripped NFC out of all my credit cards for this slow EMV chip. Haha yeah, when will Europe catch up. What we did is catch up with their 3 decade old chip idea.
> I can't think of a single U.S. city that does this. They're all exact change only or proprietary ticketing systems
MBTA in Boston had the mTicket app for mobile ticketing and payments for years. I live in Boston and use the app regularly. Can't comment on other cities because when I visit for a short trip I typically don't bother installing apps.
Amtrak and most airlines use mobile boarding passes too. Interestingly enough, on my recent trip to Europe I used the mobile boarding pass in Logan airport just like everyone else. But in Frankfurt when I showed my phone to the agent they looked at me like I was from another planet, probably thinking "stupid Americans"
And while we're on the subject of transportation, about 5 years ago I visited a bunch of European countries, including my home country in Europe, and at that time the only way to call a cab was via dialing the local phone number, cash only of course. Funny because on that trip heading to the airport in the States was a matter of a couple taps in the Uber app.
> When Europe finally caught up (and to this day, in the year 2017 there are still businesses that don't have credit card infrastructure set up - meanwhile even mobile food trucks in the US offer it), Americans had already built out the infrastructure and found out about the hard issues - which gave Europeans time to implement a better solution, which was chip + pin.
It was a US based in the beginning - but by the time Chip + PIN started there was significant infrastructure already in place. It's not like we all just started to use cards in 2005
> But all that aside, the real question is, why are you still using a physical credit card? In the US, I can use Apple/Google Pay at nearly every business I find, and all of the large banks and most regional and smaller firms offer support for their products on the platform.
Sure - that is down to market forces, not banking tech. There are banks here where I can use both Apple / Android pay, and all merchants take it (by virtue of our advanced usage of contactless payments - another thing that was introduced before the US).
What other areas is the US more advanced in (bank tech wise) ? We have online only banks, push notifications for transactions, and all the other things I see advertised by US banks.
> It was a US based in the beginning - but by the time Chip + PIN started there was significant infrastructure already in place. It's not like we all just started to use cards in 2005
Sure, but it was far more widespread in the United States. Even now, to this day, there are businesses all over Europe (I just did an 11-country tour not long ago) that simply don't take credit cards. In the United States, even student organizations take credit cards for selling things like shirts. Europeans haven't been using credit and debit cards like Americans have, and so even though similar infrastructure has existed, it hasn't existed to the same extent as it has in the United States. It follows that retooling the infrastructure costs significantly more in the United States, as every "swipe machine" had to be replaced with a machine that accepted a chip. Everything from drive-up ATMs to Square, to gasoline pumps have to be replaced. At this point we're kind of conflating technology with economics and market dynamics, but it's worth pointing out that it's not a lack of technology that made the US swipe-only for so long, but market forces. If it cost me less money to deal with swipe fraud than it does to replace all of my credit card machines... what do you think a business would do?
> Sure - that is down to market forces, not banking tech. There are banks here where I can use both Apple / Android pay, and all merchants take it (by virtue of our advanced usage of contactless payments - another thing that was introduced before the US).
How do you arrive at this conclusion? I don't recall being able to use contactless payments anywhere in Italy, for example. Not that it doesn't exist, but my impression from visiting Europe and living in the United States has been that contactless payments are far more ubiquitous in the States than the countries I've visited in Europe.
> What other areas is the US more advanced in (bank tech wise) ? We have online only banks, push notifications for transactions, and all the other things I see advertised by US banks.
I find most European cities are cashless, and accept MasterCard and Visa as well as the local country issuer for payments, attached to a local bank account.
You might have been running into the fact credit cards have much higher merchant fees, even if it's probably a violation of their EMV merchant agreement to refuse to accept these cards.
I see zero meaningful advancement of payments in the U.S. over Europe, to the contrary. There are more cash only restaurants in the U.S. especially if you're not in a big city, it's quite common. I think your opinion is based on a very limited experience across the U.S. and Europe.
And EFT payments in the U.S. are incredibly slow compared to their European counterparts. The fastest bank to bank transfer is Fedfunds wire, and that costs money, upwards of $30 for each party. It's cheap or free in Scandinavian and European cities.
I really have no idea what you're talking about when it comes to American innovation in this area... I see it as yet another example of American pay more to get less sort of classist mantra. Oh but if you have more money, and pay more fees, agree to give away more personal data in the EULA, you can get better services!
I have been using contactless payments for years here, and the 4 other EU countries I have been in this year, all accepted contactless. You may not have been able to use a US contactless card, but people do use it. It is also worth noting that each country in Europe has a different culture and history, which inform the choices people make with banks, and particularly credit cards.
Scale - sure, the US is larger than any of the EU countries population wise - but not sure how that is "innovation".
Blockchain - work on blockchain tech is global - American companies even export the R&D to EU countries ;)
Products + Payments - there is nothing ground breaking in the US, that is not in the rest of the world
The infrastructure in the US seems to support Chip+PIN just fine, it seems to be that the card issuers don't want to issue cards with PINs.
When I last visited the US, my Canadian credit card worked just like it does in Canada. Insert into the machine, verify the amount, enter my PIN, done.
That's right. It is basically a flag on the account, which ends up as a notification at the POS system. So you get this hilarious crap with a U.S. card outside the U.S. where you're still signing shit, because the POS system tells them you have to sign. I lost count of the various reactions when traveling outside the U.S.:
- Why is it printing extra receipts? Oh... you have to sign one of these.
- Hold on, let me go find a pen for you to sign.
- Asks coworker what this message means. Oh he has to sign, must be an American.
And get this shit. My debit card in the U.S.? I always use a PIN for it everywhere. But when I travel outside the U.S. that same goddamn card requires a signature every damn time.
It's really fucking stupid, there's no nice way to put it.
Since chip-and-pin seems to be used as an excuse to push liability for fraud onto the cardholder, I'd much rather stick with chip-and-signature. If we could have chip-and-pin while still keeping me at zero liability for fraud, I'd take it.
I don't want pin. I have half a dozen credit/debit cards in my pocket (the card I use for almost everything, my backup card just in case the first is lost, my HSA card, my company card, a debit card, and the store card for a store I shop at often) there are another half a dozen that the issuers want me to carry but are not worth the space they take up. I cannot mentally manage that many different pins.
Verification comes in 3 parts: something you carry (card), something you know (card number, pin), something you are (your signature, fingerprint). Generally you need two. However since the card number is memorable (hard but possible) the pin is no additional security.
- You can have the PIN reset for all of those cards so that they all match, (or better we should be using PK based push notifications to a smart phone app; plug in the card, and you get a push notification to deny/allow on your phone, instead of entering in a PIN.)
- Signatures aren't even verified the vast majority of transactions. They only come into play if you catch fraud and report it. So it's used after the fact, not in advance.
- Signatures are predicated on pen on paper on a flat writing surface perpendicular to gravity. Your signature is not at all the same to a handwriting expert if you change any of those things, and in particular the digital capture of signatures is complete utter bullcrap: no angular, or pressure information is captured. We should just use smiley faces on all such POS systems, in lieu of even attempting a signature (it is in fact what I do).
Digital signatures are Tonka Toys. They are nothing like a finger print.
I don't use my PIN either, for a different reason.
I force them to process it as a credit card because I get the consumer protections of the CC processing agreements. If I use my PIN, it's more like an ATM transaction.
Which law applies to the transaction is what the card account is; not the transaction. TILA applies to credit cards, and EFTA applies to debit cards.
Whether you're costing the merchant more money with higher fees for credit transactions, or if this gets normalized to a debit transaction later on, I'm not sure. But either way it's ridiculous to "force" a credit card transaction on the merchant.
Even though the different transactions on a debit card may have the same legal status by law, banks typically apply "zero liability" to transactions processed by Visa/MasterCard, while holding users accountable for fraudulent debit transactions processed by ATM networks, up to $50 if you report within 2 days, then $500 within 60 days, and then unlimited customer liability after that.
There is no benefit to me to go with a debit transaction and the risk of significant liability if there is a data breach. So, I don't do debit transactions.
> either way it's ridiculous to "force" a credit card transaction on the merchant.
I do it more often because of the number of times I've been screwed by trying to use debit mode and end up with a non-functional gas pump or forced to reswipe with the mag stripe because they only support credit transactions from the chip.
Considering how long it took chip and pin to become predominant (which is to say still not 100%) I would say US banking is pretty behind most of the world.
Yeah so supporting checks doesn't really mean you're not at the forefront of technology. If anything, the fact that US banks allow people to take pictures of checks, and have done so for like the last 5 years at least, is an example of the kind of innovation seen in the US banking system.
I actually have to write checks regularly to pay my utility bills, or I have to pay a $2.00 convenience fee to have the transaction processed by a third-party hired by the state. Not to mention, I randomly receive checks in the mail from events I speak at or for travel reimbursement or university reimbursement or the like. I love that I can snap a picture and wham my check is deposited.
Not to mention things like Apple Pay, which, without support, configuration, and advice from the banking industry wouldn't be a thing. Naturally they created the technology for the phone, but banks do the rest. How is that not innovation?
> I actually have to write checks regularly to pay my utility bills, or I have to pay a $2.00 convenience fee to have the transaction processed by a third-party hired by the state.
This is exactly why US payment systems are not at the forefront of technology.. whether one can snap a picture and use OCR or not is irrelevant (the phrase "like lipstick on a pig" comes to mind)
That is because of government regulations and infrastructure, not because banks are not technologically advanced. I can easily use something like, say, Chase's QuickPay to pay any recipient. The government just won't accept that form of payment. That has absolutely nothing to do with financial technology. The technology exists and is in use, the government just doesn't use it. I also can't use Apple Pay/Google Pay with the government. Does that mean that Apple/Google aren't technologically advanced? No. It means the government isn't.
First, you have a bunch of for-profit fiefdoms with mutually incompatible payment technologies all trying to own it all, refusing to adopt standards. No government should support non-standard payment systems, whereby they have to support all of them, and the on-going support and development baggage that entails.
Second, they lobby to prevent the proper funding of a fast federal payment transaction system, i.e. making the necessary improvements so EFT can take minutes instead of days. They don't want that to be fast or free because it then obliterates their business models if anyone can just plug into that standardized system. Other governments have done this and that's why they have faster in-country payments (and often even in the Eurozone), despite their "regulations and infrastructure" such as they are.
Your example of QuickPay takes 4-5 days to/from a non-Chase account. That's dog slow, no matter the reason, compared to same country transfers in almost any other industrialized country. I can't think of a slower country off hand.
U.S. banks are overwhelmingly using Windows XP as their OS of choice in ATMs, still today. The height of technological achievement!
The open source world has created an alternative system which works extremely well, lacking mostly in usability factors, which could be resolved pretty quickly...but proprietary networks are entrenched quite deeply, so it will be a while before we can use digital cash - probably legislative action will be required, or a mass rebellion against the costs imposed by the payment networks. Sadly, retailers can't seem to think that far ahead.
It has little to do with the government. I dare say the vast majority of US small and even some medium businesses are like this. I still have to write a rent check to my rental company every month, because otherwise I'd have to shell out an additional $30 every month for the privilege of paying through their website.
Hmm not sure if that's serious or a subtle satire on the complexity of backwards compatibility...
But it seems like the EU method of requiring a systematic API access to your banking and being able to send direct payments for all of those things above (minus the 'convenience fee' I think) would be nicer...
USA still hasn't adopted the faster payment model of same-day payments between the banks (without charge). Compare that to the UK, where most payment transactions are completed within 4 hours.
US is archaic in many ways too: the necessity for paper checks in many situations (and still having to pay for them in many banks), no contactless payment cards, the aforementioned dire signature/chip situation... It's certainly anything but at the 'forefront of digital technology.' Not to mention fees. Fees everywhere! The effort it takes to avoid meaningless 'gotcha' fees is just insane -- and must surely stifle innovation too, in creating friction against change.
First, most ACH transactions clear in the same day [0]. Second, that's also completely ignoring newer networks like clearXchange / Zelle, which clears in minutes [1].
"Specifically, the NACHA Operating Rules require that ACH credits settle in one to two business days and ACH debits settle on the next business day. Recent enhancements to the NACHA Operating Rules now enable same-day settlement of virtually all ACH transactions."
The US had mag stripes in widespread use first. We are looking at 20 or 30 years ago: most of the rest of the world caught up long ago, but they caught up after the problems with mag stripes were known and so the rest of the world built infrastructure to attempt to fix the now known problems.
Note too that the US has a legal limit of $50 if your card is stolen. As such to the consumer there is no incentive to care about security. Other countries don't have that protection and so consumers rightly refused to take a change until things were more secure. All that security comes at a cost, one consumers cannot afford to gamble on, but to a larger business can call cost of doing business and weigh against the cost of upgrading security.
Other countries have the sort of limits. The banks and processors just strong-armed vendors into EMV using lower rates as the carrot and legal requirements as the stick.
Most US credit cards are chip and sign (debit uses a pin, but did before chip cards as well). Occasionally I'll see a transaction where the pos wants a pin and the user has no idea what pin because they have never used a pin with that account.
I'm glad you added that. In the UK chip and pin machines are fastest using the Ethernet connection, much slower on the phone line. One advantage of the phone connection however is reduced PCI requirements. SAQ B is simpler than SAQ B-IP
In the UK, the older generation of readers are pretty slow. The newer models are pretty fast, I'm not sure if it's also because they have reliable broadband connections but they basically ask you to remove the card almost as soon as you insert it.
We have the same console as I've seen in Tesco petrol station. Ours take a lot longer for auth, I'm guessing that Tesco have a local stopped card list to check against and don't do a full auth with the bank in order to save time.
Might be wrong, just my assumption based on contactless payment being almost instantaneous (like that petrol station).
I'm pretty sure that Transport for London do something similar (ie: transactions get batched and then charged at end of day, blacklisting for bad cards).
However, using a contactless chip card is still a lot slower compared to using an Oyster card. Whereas the Oyster card seems to process in a matter of milliseconds, the contactless card takes perhaps 2 seconds or more.
With a long queue of people all using contactless, this potentially adds up to quite a significant delay at the ticket gates.
It would help if they had more Oyster readers and/or better situated ones - at one popular station I use, there's two readers, side-by-side, right next to a tiny exit hole. Even just moving those two a couple of metres apart would improve the flow of humans greatly.
Oyster cards are settled between the reader and the card at the time of contact (then the reader will batch the transactions for forwarding later). POS are generally settled on the switch network, obviously this takes a lot longer.
TfL can and do batch contactless transactions, too.
The charge for travel on a given day is not made against your account until early the next morning. And card readers on buses, for example, don't always have a reliable data connection, so must be able to be processed offline.
You might be right that they are authorising in real time on the Tube readers, though. This would explain the poor performance.
The ones that use GPRS can also be _fairly_ fast, though it introduces a couple of seconds of unavoidable latency. They're not long for this world, though; some countries are already shutting down GPRS networks.
The really slow ones just used dial-up. They mostly seem to be gone now.
With a magnetic card, after you slide your card, you can put your card immediately in your wallet, while the Point-Of-Sale solution authorizes with the electronic payment host in the background.
With a chip card (EMV card), the EMV spec required the Point-Of-Sale solution to write an authorization number to the chip card. This means you need to leave your card inserted in the PIN pad until the payment host authorizes. Authorization usually takes 2-3 seconds.
To improve this perception, the industry came up with Quick Chip, which Point-Of-Sale software companies started to work on recently. With Quick Chip, the POS software doesn't need to write the payment host authorization number to your card chip anymore. You insert your card, account number is read, you take your card from the PIN pad immediately without waiting for payment host authorization.
-Software engineer working at a Point-Of-Sale software company.
The original question described chip readers as "slow." But slow relative to what? Cocoa19 is taking issue with the question to some degree, pointing out that they're not actually as slow relative to swiping as you might think (and how the perception issue is being addressed).
I used the term "authorization number", but that was misleading. The real name is issuer scripts. It is used by card issuers to update the card parameters (chips have memory). According to EFT lab, these are 16 functions which include:
Card Block, PIN Change or Unblock, Update other data
I haven't read the full Quick Chip spec, but here is my guess (take it with a grain of salt):
If card issuers are not able to update the card, then they won't be able to block the card. If the card is misused (e.g. stolen), there is a very small chance of retailers accepting fraudulent payments, but at least the following conditions should be met:
1. The POS solution should be offline from the authorization host,
2. The card should allow offline authorization and it has a "max offline amount" configured,
3. The sales amount does not exceed the configured offline amount in the card.
Additional question: why is it faster in other countries? The first time I used a chip card in the US I was astounded by how long it took. I had been using chip (and pin) cards in Canada for years and it was never as slow as it is in the states.
Paypass is actually the Mastercard version of contactless payments. The name is used in other countries as well. Visa calls it payWave, maybe retailers just put up one of the names.
Yeah for some reason paypass was just the one that stuck in the collective consciousness here. The points of sale have paywave branding too, but people call it paypass.
The truly weird .au thing is that many merchants take your card and tap it for you. A holdover from the days when people got confused by all the options in swiping/inserting and selecting an account.
I recall reading an article from last year, when NFC-based payment was introduced at the German supermarket chain Rewe. The author went out to test it, but the cashiers didn't know how it worked. The author himself figured it out for himself, and just started touching the phone to the cardreader at the appropriate moment, when the cashier was waiting for him to present either cash or a card. The cashiers were allegedly oftentimes confused by the reader beeping to indicate success, and two receipts being printed (instead of the usual three).
Also, while I was looking around to see whether I could find the original article, I saw an article describing that German banks want to eliminate traditional banking cards and do everything via NFC-enabled apps on smartphones. WHAT CAN POSSIBLY GO WRONG.
Rewe is one of the better stores for this. Even though it didn't seem the staff was explicitly trained on that topic (the feature was just switched on one day), the register showed enough information that they knew exactly what to do. Never had any problems, only surprised looks. The other store is Aldi (actually both of them), where from day one every single cashier was trained very well on that and was happy to see a customer actually using it.
All the other stores created many opportunities for mistake by staff they badly trained and much confusion still happens today even long after the roll out. Most commonly, many cashiers demand a signature (on the back side of the receipt, where there is an authorisation text for using another payment technology) even though none is needed.
Yeaah literally no cashier has ever seen these payments, apparently. H&M, Uniqlo, gas stations, Kaufland, Rewe, the list is just infinite.
I worked for 1 week at a Kaufland (you could compare it to Eroski/Carrefour/Walmart) as a cashier and I have never seen anybody else except me pay contactless so no wonder they get surprised all the time :)
Had the same. Was shopping at a supermarket in Germany and was the first person to use it apparently. Was then forced to sign (even though there was no indication that I would have to sign and doing so doesn't make sense for contactless payments). I tried to protest but had to catch my train so scribbled something random..
Many stores print one receipt for the goods you bought (which is yours to keep) printed by the register, and two receipts for the card transaction (so one for both) printed by the card terminal. This is mostly for historical reasons due to how card transactions were introduced to German merchants. They have stuck to that and still design new so-called "hybrid" terminals which have a receipt printer and take the card in for the full length (so the flow for magstripe and chip transactions is exactly the same with no confusion even though magstripe basically only happens for foreign cards now).
Smarter merchants print much less: Rewe, which is used in the example, doesn't print receipts at all unless specifically requested by the cashier and then only one which contains both the goods bought and the card transaction data for the customer. A merchant receipt is only printed in case a signature is required.
Probably Händlerbeleg (Merchant receipt), Kundenbeleg (Customer receipt) and then a normal Kassenbon (just the receipt with what you bought) but I have only seen the two customer ones in one.
> Yeah for some reason paypass was just the one that stuck in the collective consciousness here.
That seems to happen with bank product branding a fair bit. People _still_ talk about "pass machines" here; Bank of Ireland used to call its ATMs pass machines in the 80s/early 90s, and it stuck, for some reason.
I believe you're right. In .au they call it PayPass, but in .nz they call it PayWave. I believe some old Visa machines didn't support MasterCard, or the other way round. All I remember is my flatmate complaining that his new debit card kept failing contactless payments.
When first rolled out in New Zealand it was quite slow - as the EFTPOS hardware fleet was updated the performance improved to the point where chip-and-pin was just as quick as swipe-and-pin.
If it's slow in the US I would expect it's merchants choosing not to upgrade their terminals.
Same impression here. I lived in France when chips were adopted 30 or so years ago and I do not remember them being slower than the stripe version.
These are completely different (mostly national) systems, evidently optimized for different things. For example, in the Netherlands there are still plenty of retailers that don't even accept EMV cards (there is only a small number of (mostly foreign) visitors that'd be interested in such transactions, also the costs of supporting these are typically higher than just supporting the national system).
Try to pay with a foreign card in France and you'll see it can be pretty slow.
Chips were introduced in France at a time where connecting all terminals wasn't practical/cheap. For this historical reason, most payment terminals aren't processing the transaction online in presence of a domestic card, even if they can. Offline transactions are very quick.
Edit: Forget what I'm saying. I may be misremembering things. Batch is a thing, but maybe not the reason why chip and pin is fast in the EU.
Like I say elsewhere this is very likely a regional thing, having to do with regulations that either require the transaction to be completed in one go, or permit it to be stored in a batch to be processed overnight.
I live in the UK and travel around the EU a bit (France, Italy, Greece, Belgium recently) and I've never noticed chip-and-pin being slow in any way. That's because in most of those countries at least, as far as I can tell, transactions are stored and processed in overnight batches instead of being sent online to be dealt with immediately, which may take a long time depending on the network connection etc.
From what I understand, most places outside the EU don't do batch, they send the transaction online to be completed immediately. Which can take quite a bit longer.
It's fast in my country (EU member). Like no-more-than-five-seconds fast. Most of the time even faster. And it has nothing to do with batches, because if I check my balance in my banking app I can already see the transaction there right after checkout.
Maybe infrastructure connecting PoSes and banks sucks in US?
It's been a while since I worked for an EMV vendor and I didn't remember that very clearly, but sometimes transactions are handled entirely offline. It depends on what card you have and where you're shopping (or, more specifically, your card issuer and the transaction acquirer, who determines the settings on the pinpad).
The card and the pinpad together make a decision about whether to send the transaction online or keep it offline and this decision may involve the connection speed of the device and the amount of money you spend.
So, in some cases you might check your account and notice that the money has not been taken out yet. Or you might not even check because the amount you spent was very low.
Obviously, if the connection speed is high enough there's no point in staying offline, so you'll always see your balance changing pretty much instantly. But, like I say, this depends on where you're shopping, what you're buying and what card you're using.
> but sometimes transactions are handled entirely offline
It depends. Some readers are set to accept offline payments for NFC for sure. Reason being that they only sell small items (lunch boxes and stuff) and an offline payment is instant. However in most places you can only do three offline payments before an online payment is forced.
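A simplified model of the offline/online decision the comments above describe: the three offline-acceptance conditions, the forced online transaction after a run of offline ones, and issuer scripts that can only reach the chip while the card is still in the reader. This is an added example, not code from the thread or from the EMV specification; the field names, the amounts and the limit of three are assumptions taken from the comments or constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Card:
    # Hypothetical field names; a real card stores these as EMV data objects.
    max_offline_amount: int        # cents, the "max offline amount" from the thread
    offline_limit: int = 3         # offline payments allowed before online is forced
    allows_offline: bool = True
    offline_count: int = 0         # consecutive offline approvals so far
    blocked_on_chip: bool = False  # set only by an issuer script written to the chip


@dataclass
class Issuer:
    wants_block: bool = False      # e.g. the card has been reported stolen


def authorise(card, issuer, amount, terminal_online, card_present_at_response=True):
    """Return (outcome, path) for one purchase in this simplified model."""
    # A block that already reached the chip stops every later transaction.
    if card.blocked_on_chip:
        return ("declined", "chip")

    if not terminal_online:
        # The three conditions from the thread: terminal offline, card allows
        # offline, amount within the card's limit. The counter is the
        # "three offline payments before online is forced" rule.
        offline_ok = (
            card.allows_offline
            and amount <= card.max_offline_amount
            and card.offline_count < card.offline_limit
        )
        if offline_ok:
            card.offline_count += 1
            return ("approved", "offline")
        return ("declined", "offline")

    # Online path: the issuer sees the request and can refuse it.
    if issuer.wants_block:
        # The block script can only be written if the card is still inserted
        # when the host response arrives (not the case with early removal).
        if card_present_at_response:
            card.blocked_on_chip = True
        return ("declined", "online")

    card.offline_count = 0         # a successful online contact resets the counter
    return ("approved", "online")


def offline_exposure(amounts, card, issuer):
    """Total value approved when every purchase happens at an offline terminal."""
    total = 0
    for amount in amounts:
        outcome, _ = authorise(card, issuer, amount, terminal_online=False)
        if outcome == "approved":
            total += amount
    return total


if __name__ == "__main__":
    issuer = Issuer(wants_block=True)
    # Constructed purchase amounts in cents.
    print(offline_exposure([2000, 3000, 2000, 2000, 2000],
                           Card(max_offline_amount=2500), issuer))
```

The counter and the per-transaction limit together bound what a card the issuer already wants blocked can still spend offline; the block itself only takes effect on the chip once an online response arrives while the card is present.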
Here's an even more fun protip from the US chip+pin implementation: You don't need the PIN.
On most terminals, using a US debit card (Chase at least), you can press the green button without entering a PIN and it lets you through. Doesn't ask for a signature either.
Great question! Once I moved back to Romania after living in UK, Germany, and Israel for a while, I was pleasantly surprised how paying with a credit card here is almost instant – we even have contactless PoSes everywhere.
The UK's implementation of contactless is still behind other countries in the EU. In most other places I can use contactless to pay any amount, the terminal will simply ask for my pin if the transaction is over the pin-less payment threshold. In the UK that's impossible - even if the terminal displays the contactless logo when you are attempting to pay over 30 pounds, if you attempt to use your card that way it will just beep and tell you to insert the card. I'm guessing it's a peculiarity of UK banks which decided they would rather disable this system even though the terminals do technically support it.
That's not entirely correct. Some countries (e.g. Spain) have no floor limit and request a PIN, others use the same system as the UK (e.g. Germany). Wikipedia has a detailed list: https://en.wikipedia.org/wiki/Contactless_payment
I think the major complaint is (never tried paying contactless in the UK, no clue if that is correct) NOT the limit that doesn't require a PIN, but that you have to start from scratch and use a different method (insert card, provide PIN) if you cross that threshold. If that's true, that sounds like a UX problem and I'd hate that as well.
Here in DE it's not like that - or at least never happened for me. A transaction that I start contactless might (random verification or > threshold) require a PIN. But I never need to insert the card or get an error message like the GP described.
Even if the amount is over the threshold - only once you tap your card on the terminal it beeps and says "insert/swipe card". Why even show the contactless logo then????
Not all do but the majority. I believe it's the manufacturer's fault, not the bank's (or store). But I guess in devices like this, pushing a software update to fix a non-critical UX flaw could take years.
Just a theory but is it possible that the prevalence of DATAPAC in Canada means that most merchants were used to having a dedicated always-on line just for their terminals and continued to have one after DATAPAC went away?
Interesting fact: the best card terminals, if they are connected to a phone line rather than the merchant's broadband internet connection, use a 1200-baud modem. You would think that this would be slower, but the amount of data to transfer is relatively small. This means that the transaction time is dominated by time it takes to dial the modem and establish a connection rather than the time it takes to send the data. A 1200 baud modem takes much less time to negotiate a connection than a 56k modem, because it doesn't have to check the quality of the line as thoroughly. Reliability is better on noisy phone lines as well, and I'm sure they're cheaper. It's a win all around, but it's not something they mention on the spec sheet because it looks terrible.
Of course that has nothing to do with the chip-based authentication.
It's been 18 years since I was involved in that industry, but I remember it being more a decision to use 1200, 2400, or 9600 baud with most processors. I don't remember any that even offered the option to connect at 56k.
I think there were a few processors with protocols that were chatty enough that the time spent negotiating 56k might have been worthwhile. I remember the Gensar and FDMS protocols mostly being sane but there were a couple others that were "hey look at this BBS software I adapted to be a credit card processor for some reason."
A lot of POS terminals in Canada just use Ethernet to connect to the payment processor. For stores that already have internet they just hook into that, but for those who don't one of the local ISPs even offered (they might still) a $5/mo cable modem package just for POS machines.
In Europe processing cards with chip & PIN at POS is quite fast. It usually takes 2-3 seconds for me before "Approved" appears on the reader screen. This might have something to do with US retailers still running legacy POS terminals / tech.
Yes indeed, I don't really get this post, it takes around 2 seconds to validate the transaction, is that slow? And you have contactless for small amounts as well which is instant.
Chip readers were incredibly slow when they were first rolled out in Europe, too. Stores would tape over the chip slot and put on a note saying "Wipe instead".
Maybe I'm just showing my age here, but if it were a hardware problem, it seems weird that the US would still have the launch woes Europe had over ten years ago.
I work near a Chase building which has a cafeteria in the basement open to everyone. Every checkout register there still hasn't moved their readers to chip transactions. They have 40+ floors of Chase above them and this is happening. It's ridiculous and telling of the U.S. chip reader rollout.
I ate there today at lunch. I pulled out my phone to do Apple Pay at the register and... nope not supported either. In the Chicago HQ of America's #2 retail bank!
The US banks have been talking about "smart cards" and updating payment tech for 25 years, but from what I see they've only been talking...
Stores in the US do that here now. It's also incredibly annoying when it tells you to insert the chip and then decide "oh THAT's how you want to pay? Swipe it instead" after telling you to insert it.
Not to mention that some of the higher-volume corner stores in my area still use the magnetic stripe reader. So the interaction usually has me inserting my card, the cashier noticing, telling me to swipe instead, and going from there.
So unless I'm going to a big retailer (rare) or the stores directly around work/home, the interaction is usually complicated and annoying for human factors layered on top of the complicated, annoying, and insecure chip+sig protocol the banks settled on because chip+pin was too annoying.
> it seems weird that the US would still have the launch woes Europe had over ten years ago
Ha. That doesn't surprise me at all - "It's too hard or expensive for the US to change compared to other nations" is not an uncommon argument for opponents of change.
It used to drive me insane when I first moved here but is now one of the quirks I love about the US - people aren't Luddites they just really value a national sense of individualism and urge to seek their own solutions!
>Stores would tape over the chip slot and put on a note saying "Wipe instead".
I don't know about the EU, but US stores did this too. It has nothing to do with chip transactions being slow though. My chip card will not work when swiped at a chip-enabled PoS terminal. The issue, in the US at least, is that stores updated the physical terminal before (sometimes long before) enabling chip transactions at the processor level.
Yes. All my EU bank cards also support contactless payment. But there is a limit over which you have to enter PIN to approve transaction. But small purchases like coffee at Starbucks I just touch my card with the card reader and it instantly approves. Taking money from ATM always requires PIN though.
In the UK not only is the contactless payment instantly (I think less than a second, probably even better) approved but for the cards that I have in my apple wallet I get the push notification with the payment details in about the same time. And this is actual physical card payment not apple pay. It means that all the other background systems that are needed to trigger and deliver push notifications (over mobile network) are incredibly fast as well.
Since I'm outside the US and couldn't find that info in the thread - just how slow are these payments? To me, waiting these 2 seconds for confirmation already seems slow.
At Lowes (a big box hardware store) in a major US city, I'd say consistently 3-5 seconds.
Caveat that perceptually this seems like a lot longer due to the variable action flow (sometimes sign, sometimes take card immediately, sometimes error) that demands attention.
Apple and Android Pay are not mag stripe, they're proper encrypted nfc payments.
Samsung pay CAN be a magstripe emulation, for terminals that don't support NFC.
To clarify, EMV supports tokenized transactions that emulate the _contents_ of the magnetic stripe over NFC, and this is what is broadly used in the US.
Note here[0] that Chase states that only contactless MSD support (contactless magstripe emulation over NFC with a dynamically-generated security code) is required for Apple Pay; a subset of contactless EMV.
Ah I see. Yes we don't swipe mag strip in Europe. The only time somebody asked me to swipe my card was on my vacation in Asia. That was first time I needed to do that and they also asked for my signature which surprised me as it was first time in my life I needed to sign a receipt!
I also use Apple Pay sometimes but these days I mostly default to contactless payments as the prepaid debit card I use for small purchases is connected to a mobile app on my phone where I can track my spending and get instant push notifications
> That was first time I needed to do that and they also asked for my signature which surprised me as it was first time in my life I needed to sign a receipt!
That's wild. Here in the U.S., I sign a couple of receipts every day.
That is wild! I'm very used to signing receipts as that is the way it is done with a credit card. With debit cards there is a PIN for the debit network, but we're told by the bank to swipe it and sign (instead of entering a PIN) in order to get the full protection of the Visa network including zero fraud liability even though it comes out the same either way from the consumer's point of view. That usually involves insisting to the machine that this is a credit card rather than a debit card.
I only use debit cards (a prepaid Mastercard for small daily purchases and VISA bank debit card for any bigger purchase or to take cash from ATM, plus my business debit card for any expenses while working so it takes money from my business account and not personal) and they always have a chip & PIN. I guess credit cards might work differently as you want to be able to charge back. With debit card there are no charge backs so it makes sense to always use chip & PIN process because it's very secure even though slower.
There is debate about the security of the PIN when the POS has been compromised. So the threat is that your PIN gets stolen and then you have to dispute unauthorized charges against your bank without the protection of Visa or MasterCard's fraud protection.
The banks outfitted buses, bars, pretty much everywhere with readers but even after inducements to use it such as half price beer(!) it still failed. Why? Because it was soooo slow. Waiting for ~45 seconds at the bar for a payment to go through got old really fast. It barely lasted a year.
I'd have thought the friction of the payment would have been a lesson learned, but here we are 22 years later and it's still a pain.
45 seconds is a ridiculous amount of time. I wouldn't use it either. It would put a big bite in a cashier's items per minute figure too, so they would hate it.
It was even worse on public transport apparently. I can't even imagine being there for 45 seconds in front of a load of angry old ladies trying to get on.
Although a lot of restaurants have notices to the effect that they'll only split bills up to 2 ways or something along those lines. I don't use cash a lot but it's still a good idea to carry some.
There's an express Target in the San Francisco Financial District that gets around this by assigning cashiers to two registers. They start the chip payment transaction on one register, and then slide over to the second register to start another customer's checkout. Then they slide back to hand the receipt to the first customer, etc. Absurd but effective.
In Germany, Aldi Süd uses a similar method. While the customer inserts the card and enters the PIN (which is the slow part – the machine itself is really fast) the cashier starts scanning the items of the next customer. All this happens with the same register so the switch happens in software (they invest a lot in register technology).
In Sweden people usually start the slow part (entering the pin) while their items are scanned. When all items are scanned you just press ok to authorise the amount and wait for 1-2 seconds for the transaction to go through.
Ah yes. I have written about this on HN before. I have never seen this outside Sweden for some reason.
At Aldi specifically it wouldn't be useful as you have to keep up with the cashier's scanning speed while bagging. In other stores you can start bagging at the end. Not sure why they don't use the same idea as Swedish stores. Once I tried inserting my card while scanning in a German store but the machine didn't like it at all.
We have it in the UK for some petrol stations. My local one before they had pay at the pump allowed you to go to the cashier put your card in the machine and enter your pin tell them how much fuel you wanted and then the pump would only deal out up to that amount.
You only got charged for the amount of fuel taken, so it didn't matter if you said you needed 30 pounds worth and only took 26 pounds worth.
I guess it was similar to pay at pump now, where you enter your card and pin to pre-approve up to 99 pounds, fill up and then only get charged for the amount you took.
Used to be able to do this in the US with magnetic swipe but now you can't because of chip reading taking place at a specific time in the checkout process.
As has already been pointed out, EMV transaction flows go through many steps. From what I understand, the protocol was designed with a focus on flexibility, and little attention was paid to low latency.
Until some years ago, most terminals would mirror that. Most prominently, they used to have separate "enter pin" and "verify transaction amount" steps, and included longer delays for displayed status codes. Recent devices have started combining these steps ("Amount: xy. Enter PIN to confirm") and status messages.
Newer use-cases like the contactless qVSDC application have been tuned for better performance, limiting the amount of communication between reader and card.
The USA was an early adopter of Point of Sale systems. I'm under the impression that retailers haven't upgraded the computer systems attached to credit card chip readers.
Aye, in South Texas at least, I've noticed that newer terminal systems seem to process things just as fast as card swipes, if not more so. But older systems that have obviously been retrofitted with the technology are hit and miss. I often feel like it's the user interface slowing things down more than the transaction itself though, I can't recall any recent instances of delays waiting on the authorization to happen that were longer than a few seconds.
"upgraded the computer systems attached to credit card chip readers"
A quarter century ago the way grocery retailers implemented credit and debit card payment was a physically separate unconnected terminal, you swiped and entered the amount on the separate terminal, and the only modification to the cash registers or workflow was hitting the "credit" button instead of "cash" when recording a transaction (there was already functionality for a "check" button). So there was no connection. Before credit/debit terminals you'd balance your register at the end of a shift using data from the "check" or "cash" button, afterwards you had a third column the "credit" button transactions, and that figure should match the terminal printout.
It's possible that connecting the systems results in slower speeds for an end user, although not having the cashier hand enter charge amounts saves enough cashier time that the overall system is faster although the end user feels it's slower. What I don't understand is beyond some manner of witchcraft why connecting the register to the terminal would be assumed to slow down the process. Unless architecture has staggeringly changed in the last quarter century, the CPU in the cash register is not doing the crypto or running some kind of dialup winmodem, it's in sleep mode awaiting an "Ack" or "Nack" while the terminal is doing whatever crypto magic that terminals do.
Great post. Now I finally learned why when I use my debit card I'm asked "INTL VISA" or "US DEBIT BANK" every time. I thought it was the PIN pad software, it's actually an app running on my own card that is causing that to come up with every transaction.
Here in Germany it usually takes a few seconds (less than 5 I'd say) - I noticed however that paying at Aldi Nord is very fast. They really do tweak the cash register speeds at Aldi...
> They really do tweak the cash register speeds at Aldi...
Not only that, but the Aldi checkout operators are extremely fast at scanning products compared to other supermarkets (at least that has been my experience in the UK).
A primary reason for this is that ALDI products (at least here in the US, I don't remember whether this was true shopping in Europe a few years ago) typically have 4-6 barcodes per package--a box will often have a bar code on every face, if it's a house brand product. Makes for extremely fast scanning, true.
I also just noticed the dual-conveyor model in operation at a newly-opened Lidl near me yesterday. ALDI here typically doesn't do that--most stores are set up to place groceries (and unfilled bags) directly into a customer cart, and have a nearby counter to bag your groceries at.
Their scanners also don't suck. IBM used to make very high speed, accurate POS terminals in the early 90's. You could basically toss products across the sensor non-stop without any delay as long as the code was within view. The modern stuff is glacially slow by comparison.
ALDI/LIDL are outliers here in Germany. Other supermarket checkouts like Rewe, Edeka, and Kaisers are slower at scanning items. So don't take the speed of ALDI/LIDL cashiers to be indicative of every supermarket checkout in Germany.
Overall, German supermarkets scan items faster than in North America, but ALDI/LIDL are really in their own league. I sometimes think they are faster to scan items than to drop the contents of the belt onto the floor. Impossible to pack in real-time!
For stuff like vegetables and fruits sold by the unit cashiers still pretty much have to learn the codes to be fast. There's a grid overview with images of the groceries and their numbers to help, but eh, you can't look at that or else you are slow.
I still remember that 515 were cucumbers and I believe 529 were 2.5kg of potatoes?...
Interestingly, Monzo takes a few seconds (~5) to notify me of a transaction if I do it in Germany. UK, Belgium, Malaysia and Indonesia are all instant.
I assumed that there must be some further process that it goes through, between telling the credit card reader that it is completed and Monzo getting informed.
I wouldn't muddy the waters here with talk of Monzo. Most chip reader cards don't do what Monzo does in terms of real-time backend transaction verification, that's a generation further than the stuff being rolled out in the US.
Correct. Cards can indicate whether they need to be verified online or not. Most do not require this (so transactions are just recorded and processed some time later), apart from Visa Electron which was designed for under 18s, and therefore does not have an overdraft, so requires an online balance check.
Monzo take advantage of this to enable their realtime notifications and related features, otherwise Monzo would receive the notification of the charge up to 48 hours later which would be a significant harm to the UX.
Yeah because Aldi entered the play only very recently and so used top-of-the-line CC readers only, plus always a solid DSL link.
Old stores, especially small mom-and-pop ones, are still stuck with readers built a decade ago, or with modern readers uplinked by POTS. I recently helped my vet switch from an old POTS terminal to a brand-new, DSL-linked one; the speed difference is huge.
Also in Germany, I recently paid a bill by EC at my dentist, and it took over 2 minutes for the transaction to go through because they have a shitty old reader that connects individually for every transaction, and also over a shitty link (maybe GPRS only?).
I remember in uni the corner store near my apartment used dial-up (or possibly ISDN since at the time that was the telco's default solution for "I want 2 lines") for its card reader. If you were in a line of customers it was fast but if the store was empty you were waiting for 30-60 seconds while it connected...
We had one that dialed through maybe with a 56k modem but probably slower. Ended up sticking it on the fax line because a customer couldn't pay over the phone when it shared the same line.
Because with the swipe readers there is only one call to the payment processor.
However, with chip transactions there are multiple calls for different payment processing flows. For example, a transaction could require 5 round trip request responses from the chip to the payment process meaning 5x the time required.
Plus your card is half-way back to your wallet before the first call is even made when you swipe it, but with the chip, you can't retrieve your card from the machine until the transaction is done. Even if the transaction took exactly the same amount of time, the chip method takes longer because your execution thread is blocked waiting for a resource to be released.
A more interesting question for me is: why are NFC credit cards so much faster than chip ones? Presumably they require the same kind of round trip challenge-response with their internal chip, but I have heard they're much faster.
Often the round trip to the bank happens after the card has left the reader but before the txn is authorised (i.e. the device prints a receipt, customer gets the product or service), that's still an online transaction.
That's probably optional, I usually get an Amex push notification from NFC transactions right after they occur (before I have time to put my phone back in my pocket).
From experience in two European countries, this is not always the case. I have both a Visa and MC cards which can be used in contactless mode for transactions of any size, up to the card limit. For low amounts (<40EUR) the PIN is not requested. For larger transactions I have to enter the PIN, but I don't need the chip.
Just from my personal experience in Switzerland I think this is mostly the case, but not always. I have a contactless Visa with a rather low limit that I use for small day to day purchases. I only use it contactless and most of the time I can go over the monthly limit if I only use it contactless. Sometimes if I do this it will still be declined by a shop due to «insufficient funds», so some contactless terminals must be calling home.
At this point the Card stops working at any terminal, even the contactless kind. I have to wait for the next month and use it the Chip and Pin way once to make it work again.
AFAIK (please correct me if I'm wrong) NFC is more akin to magnetic strip than chip cards are. i.e. a virtual number is created for each transaction that is tied to the merchant / time of use. So, you get an id from the merchant (i.e. direct communication between you and reader), you get a virtual number from your credit card provider (1 internet trip), and you give that virtual number to the reader, then phone is back in pocket while it does its thing.
Samsung pay even cuts out any knowledge of the reader, just gives a virtual number to the credit card mag reader.
NFC uses the same protocol and transaction flows as contact chip EMV. Only designed-in difference with regards to speed of processing is that card contains additional application that returns AID that should be used instead of terminal trying AIDs it knows blindly. Another thing is configuration. NFC typically has many "slow" transaction flows disabled (i.e. anything that requires the card to be still present after some other interaction, be it pin entry or reply from payment processor).
If we're talking about contactless EMV cards (Phone NFC may be otherwise), then they do pretty much the same thing crypto-wise as in a contact transaction, the chip receives the transaction from the terminal.
The main practical difference is that you can't update the on-card data depending on the transaction outcome, since the card isn't there any more.
Some of them are just like swiping your card - e.g. they just pass the same data as a swipe in one pass and go.
The other kind, AIUI, are indeed the same as the chip transactions, with all that entails.
e: Other posts seem to say that all the contactless transactions are offline, which means no multiple expensive round trips upstream either way, so nevermind.
Can you give an example of how the heck an EMV transaction could require 5 round trips?
IIRC it should come down to 0 or 1 roundtrips, depending on the amount and risk profile - in most cases you do an offline authorization where only the chip is involved to verify the txn, PIN (if applicable) and limits; and if you can't do that, then you send an online authorization, get a response, and that's it. There's extra communication afterwards in the workflow, but that happens after the customer has left and has no impact on customer-observed latency.
Next question then becomes why it needs those additional trips? Authorization is already done on the chip, it should only need to verify the amount is available.
+1. Not to mention each party will have their own VPNs so internal hops to the right machines. That said - these days even swipe reads have multiple payment processing flows especially for co-branded cards.
My question is why chip readers flash like 6 or 7 screens that all say DO NOT REMOVE CARD in one way or another before giving you a noise that could be described as, "transaction failed" before finally being successful. I wouldn't mind waiting the extra couple seconds if the process was a little more customer friendly.
All the ones I've used also prompt "is this amount correct?", "do you want cash back", which are additional time-consuming steps which require your attention to be on the terminal and were never part of the process before these same terminals switched over from swipe transactions.
This is so funny, as this is an internal thought I have nearly every transaction. So counter-intuitive on the actual device interface, the LCD messages, and the audio cues...
Here in the UK I'm generally amazed at how fast they are - slowest part is typing my PIN in if that is required (some places still require it or if the transaction size is over the limit for contact-less).
I'm guessing the OP is from the U.S. A few notable differences in the U.S.: they've only been rolling it out for a few years and they use a signature instead of a PIN.
This is a suspicion, but I think they're slower in the U.S. because a) they're just slower b) the UX is worse. You insert the card, wait, then it asks for a signature (presumably because not all accounts, vendors, and dollar amounts require a signature?). From what I've seen overseas you insert the card, type in your PIN (in parallel to card processing)--so it appears to process more quickly because you're not waiting.
It is never, ever compared in the US. In fact, I haven't signed the back of a credit card in years, and the only time I did was when I was in Europe where every cashier thinks they're a forensic handwriting specialist.
Most likely this. I'm not sure why card readers in Germany don't ask for the PIN every time but when they don't you're generally asked to sign the cashier's copy of the receipt and they'll verify the signature against what's on the card.
However not only will the cashier generally let you simply put the card next to the receipt while you sign (because this makes verification easier for them) but it doesn't seem like they actually apply any scrutiny: the signature on my card is very different from the one I use for signing these days and it never raised an eyebrow.
FWIW, I've signed for card transactions in all kinds of places across Germany, from small shops to large hotels. I can't figure out what triggers the decision between PIN and signature but I swear I've used either in the same place at different times for equivalent amounts.
The transactions with PIN are more expensive for merchants, but the merchant isn’t liable. They are done via the EC network.
The transactions with signature have lower fees, but the merchant is liable, and you’re actually authorizing them to do a Bankeinzug via the Elektronisches Lastschriftverfahren.
EC transactions are done instantly, ELV are done overnight.
Yes. Above a dollar amount depending on the store. But basically no one compares it to the card and inputting it on the pad is so crude you might as well just write an X (which my signature isn't much more sophisticated than anyway these days).
We have chip and pin too but only on debit cards. My Amex doesn't require a signature for anything under 50 dollars and can be very fast depending on the store. I think a lot of the blame is on legacy software. Some places have the chip readers but make you swipe first only for it to say insert card.
The chip and pin speeds have gotten better but still a ways off.
Never swipe before entering your PIN. If you do that, they can clone a card for use in ATMs, and withdraw your money as untraceable cash.
Connecting via the chip does not reveal enough information to reconstruct a magnetic strip for an ATM to accept, particularly if the machine is a total fake. But if you swipe the magnetic stripe, you can easily clone it exactly.
Don't the ATMs use the chip? All the ATMs I've seen here in Brazil either use the chip exclusively, or use the magstripe to identify the account but use the chip to confirm everything (not only withdrawals, but also simpler things like looking at the account balance).
Same in France - in the past you used to have enough time to finish filling your grocery bags while the transaction was being authorized. But for... maybe the last decade or so, transactions most often get authorized within a second of validating your PIN.
Plus now most shops have contactless card readers. Which is funny when you think about it, because it's the same speed / security as the swipe from 40 years ago, except limited to 20€.
They both allow the card to be used when stolen. Magnetic band can be duplicated. Contactless allows people with a portable modified machine to request transaction without the owner knowing.
Signing is working in your interest. You can ask to see the receipt that you signed in case of fraud.
With PIN, the burden of proof is on you - the bank will say you were careless with the PIN and let other people see it, abrogating their responsibility. Even if it's a security vulnerability in their system. (Not a theory, this is how it goes in Europe - see Ross Anderson's group's work on this)
Here's their blog post about it at the time (but the YouTube video is down, unfortunately): http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/
From the paper: "Because stolen cards can be used without knowing the PIN, by our definition, Chip and PIN is broken. We do not believe that the system is broken beyond repair, but neither is it the case that a simple fix will suffice, due to the unmanageable complexity of EMV."
>You can ask to see the receipt that you signed in case of fraud.
I understand that's how it's supposed to work, but what does the signature accomplish in practice? If anything, a "signature" that even contained recognizable letters, much less anything that looked like my name, would be a sure sign of fraud, because I never enter anything that resembles a real signature.
Most justice systems have a practice of verifying signatures of documents. I believe it's generally based on comparing the disputed signature to a body of your regular signatures and, in contentious cases, handwriting experts.
I'm not sure how it would play out in court if you intentionally make random unattributable scribblings each time. Sounds like something that might be seen as intentional obfuscation.
Is there any evidence that the Ross Anderson attack has happened in the wild? Someone using a stolen card and the bank just washing their hands of it because PIN?
Yeah, I was pretty confused by the "signing" thing in the USA! I figured they'd have ditched signing, but instead, they created complicated digital signing machines! :-o
A lot of other countries have led, really; Australia was very late in doing this. It was in France in the 90s, of course, and showed up in most of Europe by the mid-noughties.
I don't follow. How does me scribbling a line affect my ability to fraudulently claim it wasn't me who used the card? Especially when the back of the card has my signature on it as well?
It's there in the event that the fact that a purchase was made at all is disputed. Of course it doesn't do much to verify who signed, but it proves that someone actually meant to make a purchase.
One of the most foolproof ways to win a chargeback claim is not to claim a card was stolen, but merely that you didn't mean for them to charge you. How do you fight that? So for big ticket items we sold online we required a signature, thus (mostly) killing their ability to file that kind of a chargeback.
Of course that's a huge hassle for online sales, but if you're a grocery store and they're already there eh why not.
If I, as a disputing cardholder, try to claim that “I didn’t intend to purchase that widget”, it will require my card issuer to believe that the merchant signed it themselves and committed intentional fraud (as opposed to a simple misunderstanding)
It's generally far more convoluted "I saw an ad on TV last month that product is $5 so I assumed it's $5 and I have no idea what's up with this $6 charge" and both the retailer and the CC company totally have no interest in arguing about how the advertised sale you saw last month ended last month or how if you had listened to the entire offer it's not $5 but "$5 with a purchase of $20 or more" or whatever. Look buddy you signed for $6 right here, clearly you knew what's up at the time, so why you bringing this up 30 days later?
Even funnier with something like a debit card. "Well I just swipe, I have no idea what they withdrew, I assumed it was about $15 like every other time I dine here, and they raised prices such that it was actually $25 without my knowledge, and now my bank is giving me $500 in overdraft fees because they can"
Sometimes duplicate charges get entered for whatever reason especially if the terminal isn't connected to the register and uses manual entry. So two identical charges from the vendor, can I see the two signed register slips? No? There's only one? OK then. You can't just delete duplicate charges because there's too many people go to the bar and buy two beers pay up and decide to stay for another two and pay up and there you go two identical charges both valid and both signed. Vs go to the bar buy two beers pay up go home, the printer jams or some drunk trips over the modem cord or whatever and someone hits a "resubmit all" button to "fix" it and now you got two charges with only one signed slip at least in theory they can clean that up themselves.
I use N26 as my personal bank, and I must say it's pretty much instantaneous - when I pay contactless, I can hear my phone notification before I get to put the card back in the wallet. I've tested the card across Europe while traveling and the speed at which I get push notifications is consistently fast.
Note this isn't true in all countries. My UK cards within the UK all follow some apparently online process in any UK merchant, however during a stint in Finland a few years back, I didn't find a single example of a merchant where their reader didn't instantly approve my transaction as soon as I correctly entered my pin.
Never received a (note: I know, we can all make guesses) conclusive answer explaining the difference.
There's no technical reason for the difference, simply it's up to the merchant & issuer that can arbitrarily set all kinds of limits where certain checks will be required.
It's a tradeoff between convenience and security, different places will make different choices, but generally competitors within a single market (e.g. UK or Finland) will try to make the same choices so they don't get customers asking why they're slower than a competitor.
Smart cards (ISO 7816), used for credit cards and SIMs, among other things, communicate through a relatively low-speed serial protocol. The secure microcontroller they contain is also quite slow, especially if you consider the cryptographic operations they're required to perform. I suspect part of it is due to power constraints, and also somewhat tamper resistance.
This post explains why I was so frustrated using my card in the USA the other month. I figured it was super-slow because I had an international card, and it was confused.
Back here in Australia, almost every retailer (including those on 3g eftpos machines) takes < 4s from when I tap my card, to when I can start walking away. So much quicker than cash :-)
Depends on network situations. Here in Perth I'll get a beep immediately on Paywave, but still have to wait a few seconds for Payment Approved to appear on the screen. Some stores seem to have really terrible mobile reception for their mobile payment terminals.
In many cases (RiteAid pharmacy terminals are the absolute worst about this, but far from the only offender) it's just crappy UX design.
I have an American Express card and a RiteAid rewards card. Here's my checkout flow at the pharmacy:
1. Punch in phone number for rewards card
2. Get prompted to use my "Plenti" points; which require PIN entry
3. Swipe/insert card (most RiteAid terminals used to work with Apple Pay, but had it disabled)
4. Get prompted to use my American Express points. Say no.
5. Enter relevant pharmacy details (DOB, verify pharmacist reviewed prescriptions for you)
6. Remove chip card
7. Sign paper receipt
This UX flow is simply too complicated for a checkout process. It's got way too much friction, and they disable contactless payments to ensure you can't circumvent that.
Making these payments process more quickly is great; but Apple basically already solved that problem with Apple Pay. But it's not effective because it seems that some retailers want more friction in this process.
It really doesn't make any sense to me why retailers want to be doing this. I thought people would really get behind the credit cardless approach.
When I went to China, I was absolutely amazed by how well everything in Shanghai integrated with AliPay. My family was able to go to some restaurants and order + pay with minimal interaction with a waiter.
My guess as someone who doesn't actively work in this stuff (but have dabbled in it) is that some large merchants get a break on transaction fees with chip/swipe that they don't get with Apple Pay/Samsung Pay/etc.
An extra 0.05% in savings wouldn't matter to a small store, but for a national retailer, it's probably a meaningful amount of revenue.
I can't talk about the US but over here (Austria) the slow chip readers typically are GPRS based and connect for every single transaction. There is one nearby in a lunch place where I really consider telling them how to hook it up with their wifi :)
I recently helped a shop connect their terminal to the wired connection instead of the POTS one. The time it takes for a payment to go through went from 25 seconds to 2 seconds :)
Also they used to pay a few cents for each transaction...
I suspect it's because a lot of merchants are using terminals that are connecting over PSTN, or they don't hold a connection open between transactions so they have to do the connection dance for every transaction. Or they have connections that are just plain slow.
From my time writing backend banking integrations for a PSP, going on 5 years ago now, the time to authorise a card transaction (that's IP to BT gateway to X.25 network to acquiring bank to issuing bank and back again) would take anything between 0.2 and 1.0 seconds. So I don't believe it's actually down to any complexity in the authorisation steps if the transactions are done online.
I see the same behavior in large chain stores such as Target, Lowes, and Walmart that would have dedicated private lines between the stores, their datacenter(s) and the banks. I've worked at a few large retailers and they typically had a hub and spoke model of network where all the stores would communicate over a private MPLS network to the datacenter where we had a "payment switch" (also called a payment gateway or router) dedicated individual redundant T3 lines to each card network (Amex, Discover, Mastercard/Visa, EBT, and gift card processors). This was at a chain with 200 stores. Larger chains would be even more robust I would imagine.
I think the delays aren't network related, but more along the lines of the process that is happening. With mag stripe the approval flow was much simpler and happened in fractions of a second end to end. EMV is a different ballgame unfortunately.
It depends on the card you use. The transaction suffers under several communication latencies and most importantly fraud checking takes up a significant amount of time. A lot is implemented utilizing legacy technologies (I implemented a system once), as the initial systems were setup in these and the banking/payment sector moves quite slowly. Anybody remembers the Y2K problem [0] ? ;-).
Do you mean the actual chip back and forth? The inherent problem is that the 7816-d standard is a mess. It requires extremely small data exchanges on the order of seconds to get a cert out of the card.
This has been a mess since the mid 90s, when I first worked on these things.
Here's a cruddy, not at all useful link to the standard:
The time varies widely. The remove card notice comes as fast as 3 seconds, I find 6 seconds more typical, and up to 15 seconds for the local grocery, and nearly 30 seconds for small pizza, sandwich, liquor stores.
There is no possible way it was taking this long for swipe authorizations; or even NFC authorizations which seemed faster than swipe but were probably the same, but more secure.
I still think the U.S. did this exactly wrong. 1. we were late to the game; 2. had started adopting better NFC technology; 3. instead of building on that, regressed to an old slow contact chip-based system; 4. instead of moving directly to PIN entry, retained signing, hence chip & sign, rather than chip & PIN. It's idiotic.
And that's just the customer side idiocy. The merchant idiocy is even worse. They paid for this transition. Not the banks, the processors, or EMV who ensure they make money hand over fist no matter what. If a customer has a chip card, and your POS does not support chip reading, the liability for fraudulent transactions is shifted to the merchant.
Edit: this is not entirely correct; transactions may go online or stay offline, depending on amount and connection speed. See comments below.
It might depend on where you are. Where I am, in the UK, chip card transactions are quite fast. Fast enough to use contactless (tap and go a.k.a. "pay by bonk") where you literally just tap your card on the pinpad and go on your merry way [1].
The difference is that in the UK, transactions are not immediately sent online. I repeat: they're not immediately sent online. So you don't have to wait for the merchant to contact the acquirer, for the acquirer to respond and so on and so forth.
Instead what happens is that you dip, or swipe, or tap your card; the pinpad and the card figure it out between themselves whether you are the rightful owner of the card; the pinpad makes a record of the transaction; and you're told the transaction is "approved", then pick up your goods and go home. Later in the day, the merchant (i.e. an automated process at the store) sends an overnight "batch" of transactions to the acquirer, (i.e. the bank or credit network etc) and the acquirer either transfers the funds directly to the merchant, or blocks out the funds so you can't use them again and they can be transferred to the merchant later.
That's the EMV standard in a nutshell and entirely from memory, with a distance of a good few years from the time I worked for an EMV vendor (we sold a bit of EMV software that went on the Point-Of-Sale machine and handled all of the above). I might be misremembering a few things but I believe the above is mostly accurate.
tl;dr: having to go online for each and every transaction takes forever.
___________
[1] Or of course sometimes do a double take, realise the transaction hasn't gone through, tap again, eyeball the pinpad, then possibly insert or swipe etc. Sometimes it doesn't work.
I'm still a little unsure about all the details in the UK, but I know that in at least some cases the process you describe isn't entirely accurate. I mostly use a card from Monzo (https://monzo.com) and I get a mobile push notification on every use – almost always within seconds of the transaction. This would seem to be a requirement for prepaid cards, at least, because otherwise overspends would be possible.
I seem to remember that there is a whole class of cards which are coded as 'online only', meaning that transactions will fail unless they're taken online. The only place I've frequently seen this happen is on trains, where the mobile equipment is sometimes not capable of online transactions, or doesn't have a signal.
Anyway, the point was that these transactions don't appear to be any slower than with any other card I've used, so I'm not totally sure that the speed really is down to not being online.
Uhmmm I'm fairly certain that's not entirely correct. There may be terminals which batch transactions and send them later, but in most cases you can even see the terminal going "connecting to <bank> servers" and only after it obtains the connection it authorizes the transaction. Larger stores have a constant connection open so the transaction goes through straight away, in smaller shops the terminal actually has to connect with the bank first.
But I guess the best proof is that if you have zero money in your account you can't actually buy anything with your card, the transaction will get declined immediately(unless you have overdraft, obviously), so the terminal has to check with the bank if you have funds to pay or not.
In short, whether a transaction will go online, stay offline or be denied, depends on the settings on the card (configured by the issuer) and the settings on the pinpad (configured by the acquirer). The two of them together decide what happens.
So in some cases the combined settings on the card may allow offline processing, which is the batch process in my previous comment. Others, like ATMs (according to the article) will always go online, and yet others may set a "floor limit" - a transaction amount above which the transaction should always go online.
Another factor is the "terminal capabilities", so basically connection speed - if that's too slow transactions may default to offline only.
So what I remember must be that if the transaction is under a certain floor limit, or terminal speed, it can stay offline, maximising some speed-vs-risk tradeoff. And what you note, that the card will deny your transaction when you don't have enough money in the bank, is basically the flip side of that.
What would be harder to notice is the cases when a transaction goes through even when you don't have enough money in the bank, e.g. because the amount you spent is below the floor limit for your issuer and acquirer. But I'm not sure what happens after that- is the transaction declined later? Does the bank charge your account as if it's overdrawn?
It's been a while and I don't remember those things very well I'm afraid :0
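The online/offline/decline decision described in the comment above, sketched as an added example (not part of the thread and not any vendor's code): a simplified model of EMV terminal action analysis, in which the terminal sets flags in its Terminal Verification Results (TVR) and compares them with action codes from the issuer (IAC) and the acquirer (TAC). The action-code values, amounts and profile names are constructed, and only two TVR flags are modelled.

```python
from dataclasses import dataclass

# TVR (Terminal Verification Results, EMV tag 95) is five bytes of flags.
# Only two byte-4 flags are modelled; positions are (byte index, bit mask).
FLOOR_LIMIT_EXCEEDED = (3, 0x80)    # byte 4, bit 8
MERCHANT_FORCED_ONLINE = (3, 0x08)  # byte 4, bit 4


@dataclass(frozen=True)
class ActionCodes:
    """Denial / Online / Default bit masks, each as long as the TVR."""
    denial: bytes
    online: bytes
    default: bytes


def _hits(tvr: bytes, issuer_mask: bytes, terminal_mask: bytes) -> bool:
    """True if any TVR bit is also set in the issuer or the terminal mask."""
    return any(t & (i | a) for t, i, a in zip(tvr, issuer_mask, terminal_mask))


def build_tvr(amount: int, floor_limit: int, force_online: bool = False) -> bytes:
    """Terminal risk management, reduced to the floor-limit check."""
    tvr = bytearray(5)
    if amount >= floor_limit:  # the flag is set at or above the limit
        byte, mask = FLOOR_LIMIT_EXCEEDED
        tvr[byte] |= mask
    if force_online:
        byte, mask = MERCHANT_FORCED_ONLINE
        tvr[byte] |= mask
    return bytes(tvr)


def terminal_action_analysis(tvr: bytes, iac: ActionCodes, tac: ActionCodes,
                             can_go_online: bool) -> str:
    """Return the cryptogram type the terminal asks the card for.

    AAC  = decline, ARQC = go online to the issuer, TC = approve offline.
    The card runs its own risk management afterwards and may still answer
    with a stricter cryptogram than the one requested.
    """
    if _hits(tvr, iac.denial, tac.denial):
        return "AAC"
    if can_go_online:
        return "ARQC" if _hits(tvr, iac.online, tac.online) else "TC"
    # Terminal cannot reach the issuer: the Default codes decide.
    return "AAC" if _hits(tvr, iac.default, tac.default) else "TC"


def decide(amount: int, floor_limit: int, iac: ActionCodes, tac: ActionCodes,
           can_go_online: bool, force_online: bool = False) -> str:
    tvr = build_tvr(amount, floor_limit, force_online)
    return terminal_action_analysis(tvr, iac, tac, can_go_online)


# Constructed profiles (amounts are in minor units, e.g. cents).
ZERO = bytes(5)
# Issuer wants over-limit transactions online, and declined if that fails.
CARD_STRICT = ActionCodes(denial=ZERO,
                          online=bytes.fromhex("0000008800"),
                          default=bytes.fromhex("0000008000"))
# Issuer accepts the risk when the terminal cannot go online.
CARD_LENIENT = ActionCodes(denial=ZERO,
                           online=bytes.fromhex("0000008800"),
                           default=ZERO)
TERMINAL = ActionCodes(denial=ZERO,
                       online=bytes.fromhex("0000008800"),
                       default=ZERO)

if __name__ == "__main__":
    for label, args in [
        ("under limit, online terminal", (1500, 2000, CARD_STRICT, TERMINAL, True)),
        ("over limit, online terminal", (2500, 2000, CARD_STRICT, TERMINAL, True)),
        ("over limit, no connection, strict card", (2500, 2000, CARD_STRICT, TERMINAL, False)),
        ("over limit, no connection, lenient card", (2500, 2000, CARD_LENIENT, TERMINAL, False)),
    ]:
        print(f"{label}: {decide(*args)}")
```

The same over-limit purchase ends as ARQC, AAC or TC depending only on connectivity and the issuer's Default mask, which is why identical cards behave differently across merchants.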
I agree with this - offlining transactions are a possibility for some instances, but in most cases, there is a significant difference in speed - I'm in Russia at the moment and when I have a transaction go through the terminal, my bank sends a notification of the transaction usually before the pay terminal is done with its processing; so there must be some rapid communication happening to authorize the transaction within a short period, even if the actual transfer of funds transaction takes longer (which is expected). When I briefly returned to the US last year after the chip terminals were implemented, I was a bit frustrated to see that it did indeed take significantly longer than I was used to, neverminding how inconvenient it was to not have the ability to use the NFC or the card slot on the majority of terminals.
The card can and will remember your latest balance, so it's quite possible to have transactions accepted/denied based on your balance without checking with the bank.
It does add some risks since the balance is "stale" i.e. may have old info, so it'd be configured that way only if the terminal physically can't connect online all the time, but it's certainly possible.
To be honest, I don't remember how that works so you're right I might not be entirely correct.
The point is though, when the pin pad says it's connecting, that usually means the transaction is taking longer than usual. It might also depend on the vendor, for instance, in the Waitrose I never see the connection message whereas in the news agent I always do.
It depends not only on the POS itself (old models vs. new ones) but on the kind of connection.
Here in Italy, besides "portable" POS that have a SIM card and go through GSM/GPRS (and are "good speed, but not that much fast") now also 3g/4g, the "corded version" can be:
1) Dial in (analogic)
2) Dial in (ISDN)
3) IP connected
The difference between #2 and #1 is like 4/5 times faster ISDN vs. analogic, and the IP (provided that there are no network issues) is instantaneous.
I would say:
1) 5-20 seconds
2) 1-5 seconds (and GPRS is roughly the same, 3g/4g is on the lower side)
3) 0-1 seconds (really, the sheer moment you press the green button, the receipt starts being printed)
I have no idea what you consider slow, but the latest improvement here is contactless payments for anything under 25 EUR, which only requires holding the card close to the terminal for about a second. After which the payment is confirmed after another second.
Payments for which a PIN is needed are confirmed in the same amount of time and entering the PIN is the slowest part.
Using Samsung Pay which uses NFC on my S8 / Gear S3 here in Australia and it's pretty much instant. And I get a digital receipt on my device straight away, which is awesome. Protected by fingerprint, or code, so feels more secure than the Mastercard plastic with embedded NFC pay wave.
Tap based pay has become ubiquitous in Australia, and I love it.
It seems to differ between implementation. In Iceland the readers have usually been superfast. We just had a Costco open and the readers there are superslow. Goes through multiple handshakes and notifies you of the process. They might be hooked up to a different payment processor than the local ones, hence higher latency.
That's odd. My costco recently switched to using chip readers and they are SUPER fast. They're the fastest I've ever seen. I can't imagine there's any way they're contacting a host at all...
Previously the mag-stripe conducted your card number to the merchant and they could charge essentially whatever they wanted (but there were various reasons they would likely charge the amount you owed). With chip, they have to compute the final amount while your card is inserted and cannot deviate.
Place I part time at the card terminal isn't even hooked into the cash register. I have to manually enter the amount from the register screen into the card terminal. But I have to do that for mag stripe and contactless as well.
I don't know why but there is a convenience store around here that is faster than everybody else... I need to ask them what their trick is. I think that it is as fast as magnetic strip readers (not as fast as McDonald's strip reader, but as fast as most).
Just two days ago I wondered how Costco was so blazing fast. I have the same hardware on my desk for development, but whatever they are doing is very different than what our partner is doing. I was only guessing - but they only have one bank to deal with?
So you think they are bad in the US? Live somewhere else for a while... you try the system in Australia and you'll REALLY think they are bad in the US. Ha. But yeah, compared to other places the US is lagging. By a fair bit.
Can confirm. Just set a Square reader up for my local school's parents' association and it's so quick I had to do a double-take as to whether the payment actually had been made.
also,
other countries have completely switched over to chip/pin for security reasons with little or no problems but due to not wanting to confuse US tourists the terminal software must allow pin-bypass so they can still sign instead of using a pin.
my bad, it's been years since i last worked in that field. And I just remember sighing a lot at all the hoops that had to be jumped through in the name of security and then to just allow people to bypass it.
Bad internet speeds, WiFi or business skimping on internet. It's never usually the terminal, it's the connection to their payment provider, or their payment provider reseller's connection to THEIR payment provider.
It's very common for bars and restaurants to have a dedicated line for the terminal, but usually they'll skimp on tech (have seen dial-up over POTS or in a fibre-capable premises). Also very common to use 3G or 2.5G.
It'd take a tech all of 5 minutes to diagnose and suggest a fix for 98% of these slow terminals. It's strange seeing businesses not look to fix these issues. If I was a payment provider I'd probably run diagnostics against my customers' terminals every day and force poor performing customers to have someone come in and fix it.
It certainly does. Swipes are settled (transmitted to the bank) once a day, after store closure. The chip, meanwhile, is in almost all cases online - which means that when the terminal is connected via POTS or ISDN, there is a minimum delay of 10-30s for establishing the connection, while this is nearly instant with a DSL/fiber uplink.
Not true - the entry mode is irrelevant to whether it is batched or online. In fact it is more likely in modern systems to be the other way around. Chip may use offline, including offline PIN, whereas stripe is nearly always online. Source: 30 years EFT Banking experience, specialising in EMV.
This is not remotely common in the US. Almost all transactions are on-line, issuing an auth against the card.
You are correct that end of the day batches then happen to settle all those auths into actual sales - but that's so you can do things like instantly refund a customer for a cashier fuckup/etc. and not get charged the discount fee both ways like how a regular refund works.
There are no stores simply accepting any/all magnetic swipe transactions and then only at the end of the day figuring out that oops, that card didn't have enough credit available after all.