
Ask HN: Why are credit card chip readers so slow? - dv35z
I am interested in the technical specifics - what happens end-to-end, and where does the slowness/latency come from?
======
redbluff
Some of the answers are close, but no cigar. The main reason for the time
delay is the offline authentication of the chip, combined with generation of
the ARQC cryptogram. Additionally the EMV protocol is very chatty if there are
multiple applications on the chip card, although the latency involved in the
customer interaction far outweighs the protocol timings.

As mentioned in many comments online transactions will be an order of
magnitude slower, as they need to be sent to the issuer, have their cryptogram
verified and the challenge response returned if the card does host
authentication - which most do these days.

The entry mode generally does not determine how a transaction is authorised -
chip, PayPass (NFC) and stripe can either be off or online. In fact stripe
transactions are invariably online unless you want your business to be overrun
with fraudsters. One of the prime reasons in the early days of EMV was to have
it so safe that offline transactions were fraud proof - or close to. Naturally
this noble goal was shot full of holes the moment real fraudsters got to it.
However, the card is personalised with various limits and counters and with
the possibility of using an offline PIN, which combined with the static
authentication does give reasonable protection for low value offline
transactions. Fun fact - in the initial spec this offline PIN was communicated
between the terminal and the card in the clear. What could possibly go wrong
:-). These days it is encrypted.

Anyhow enough blather - hopefully this has given a bit of insight.

~~~
loeg
> Fun fact - in the initial spec this offline PIN was communicated between the
> terminal and the card in the clear. What could possibly go wrong :-). These
> days it is encrypted.

How do you encrypt a 4 digit number (PIN) in a way that is resistant to brute
force recovery?

~~~
amluto
You set up a secure session (e.g. TLS, but you wouldn't do it that way) and
send the 4 digit number over it. Or you use any standard cryptosystem with
appropriate security guarantees (RSA-OAEP, AES-GCM, you name it).

What you _don't_ do is shove the 4 digit number straight into an ECB mode
cipher.
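
Added example, not part of the thread and not EMV's actual PIN encipherment: it shows why a 4-digit PIN needs randomized encryption, as the reply above says. It uses unpadded RSA as the deterministic scheme in place of the ECB cipher mentioned, and RSA-OAEP written against the Python standard library as the randomized one; the toy key, the sample PIN and all function names are assumptions made for this example.

```python
import hashlib
import secrets
from typing import Callable, Optional

# Toy RSA key built from two Mersenne primes so no key generation is needed.
# Constructed for this example only; a real key never uses such primes.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus length in bytes
HLEN = hashlib.sha256().digest_size
LHASH = hashlib.sha256(b"").digest()     # OAEP hash of the empty label


def encrypt_textbook(pin: str) -> int:
    """Unpadded RSA: deterministic, so equal PINs give equal ciphertexts."""
    return pow(int.from_bytes(pin.encode(), "big"), E, N)


def mgf1(seed: bytes, length: int) -> bytes:
    """Mask generation function MGF1 with SHA-256."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_oaep(pin: str) -> int:
    """RSA-OAEP: a fresh random seed makes every ciphertext different."""
    msg = pin.encode()
    padding = b"\x00" * (K - len(msg) - 2 * HLEN - 2)
    db = LHASH + padding + b"\x01" + msg
    seed = secrets.token_bytes(HLEN)
    masked_db = xor(db, mgf1(seed, K - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    em = b"\x00" + masked_seed + masked_db
    return pow(int.from_bytes(em, "big"), E, N)


def decrypt_oaep(ciphertext: int) -> str:
    """Inverse of encrypt_oaep (educational: not constant-time)."""
    em = pow(ciphertext, D, N).to_bytes(K, "big")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, K - HLEN - 1))
    rest = db[HLEN:]
    sep = rest.find(b"\x01")
    if em[0] != 0 or db[:HLEN] != LHASH or sep < 0 or any(rest[:sep]):
        raise ValueError("decryption error")
    return rest[sep + 1:].decode()


def recover_by_enumeration(ciphertext: int,
                           encrypt: Callable[[str], int]) -> Optional[str]:
    """Check available to anyone with only the public key: encrypt each of
    the 10,000 candidate PINs and compare with the observed ciphertext."""
    for i in range(10_000):
        guess = f"{i:04d}"
        if encrypt(guess) == ciphertext:
            return guess
    return None


def demo() -> dict:
    pin = "4821"                          # constructed sample PIN
    c_det = encrypt_textbook(pin)
    c_rand = encrypt_oaep(pin)
    return {
        "deterministic_recovered": recover_by_enumeration(c_det, encrypt_textbook),
        "randomized_recovered": recover_by_enumeration(c_rand, encrypt_oaep),
        "randomized_decrypts_to": decrypt_oaep(c_rand),
        "same_pin_same_ciphertext": encrypt_oaep(pin) == c_rand,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The PIN space has only 10,000 values, so secrecy has to come from the per-message randomness and the private key, not from the PIN itself.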

------
nstj
You might want to qualify this with “in the US” as chip+pin cards are pretty
fast in other countries by comparison.

Also there was a great episode of the podcast “Planet Money” a while back
which goes into detail on your question [0]:

> Today on the show, we bring you a brief history of what's in your pocket.
> It's a story of convenience vs. fraud—and it also includes a hippie
> inventor, the origin of the last great upgrade on your card, the magnetic
> stripe, and why it takes so long to "dip the chip."

[0]:
[http://www.npr.org/sections/money/2016/04/13/474135422/episo...](http://www.npr.org/sections/money/2016/04/13/474135422/episode-695-put-a-chip-on-it)

~~~
signal11
In the UK, the older generation of readers are pretty slow. The newer models
are pretty fast, I'm not sure if it's also because they have reliable
broadband connections but they basically ask you to remove the card almost as
soon as you insert it.

~~~
pbhjpbhj
We have the same console as I've seen in Tesco petrol station. Ours take a lot
longer for auth, I'm guessing that Tesco have a local stopped card list to
check against and don't do a full auth with the bank in order to save time.

Might be wrong, just my assumption based on contactless payment being almost
instantaneous (like that petrol station).

~~~
Reason077
I'm pretty sure that Transport for London do something similar (ie:
transactions get batched and then charged at end of day, blacklisting for bad
cards).

However, using a contactless chip card is still a lot slower compared to using
an Oyster card. Whereas the Oyster card seems to process in a matter of
milliseconds, the contactless card takes perhaps 2 seconds or more.

With a long queue of people all using contactless, this potentially adds up to
quite a significant delay at the ticket gates.

~~~
mianos
Oyster cards are settled between the reader and the card at the time of
contact (then the reader will batch the transactions for forwarding later).
POS are generally settled on the switch network, obviously this takes a lot
longer.

~~~
Reason077
TfL can and do batch contactless transactions, too.

The charge for travel on a given day is not made against your account until
early the next morning. And card readers on buses, for example, don't always
have a reliable data connection, so must be able to be processed offline.

You might be right that they are authorising in real time on the Tube readers,
though. This would explain the poor performance.

------
cocoa19
This is partly perception.

With a magnetic card, after you slide your card, you can put your card
immediately in your wallet, while the Point-Of-Sale solution authorizes with
the electronic payment host in the background.

With a chip card (EMV card), the EMV spec required the Point-Of-Sale solution
to write an authorization number to the chip card. This means you need to
leave your card inserted in the PIN pad until the payment host authorizes.
Authorization usually takes 2-3 seconds.

To improve this perception, the industry came up with Quick Chip, which Point-
Of-Sale software companies started to work on recently. With Quick Chip, the
POS software doesn't need to write the payment host authorization number to
your card chip anymore. You insert your card, account number is read, you take
your card from the PIN pad immediately without waiting for payment host
authorization.

-Software engineer working at a Point-Of-Sale software company.

~~~
sillysaurus3
_Authorization usually takes 2-3 seconds._

The question seemed more along the lines of "Why does it take 2-3 seconds to
authorize?"

~~~
elicash
The original question described chip readers as "slow." But slow relative to
what? Cocoa19 is taking issue with the question to some degree, pointing out
that they're not actually as slow relative to swiping as you might think (and
how the perception issue is being addressed).

Others have laid out reasons for the 2-3 seconds.

~~~
jandrese
Slow relative to that quarter of a second it takes to swipe a magstripe.

------
ca12et
Additional question: why is it faster in other countries? The first time I
used a chip card in the US I was astounded by how long it took. I had been
using chip (and pin) cards in Canada for years and it was never as slow as it
is in the states.

~~~
laurentoget
Same impression here. I lived in France when chips were adopted 30 or so
years ago and I do not remember them being slower than the stripe version.

~~~
hocuspocus
Try to pay with a foreign card in France and you'll see it can be pretty slow.

Chips were introduced in France at a time where connecting all terminals
wasn't practical/cheap. For this historical reason, most payment terminals
aren't processing the transaction online in presence of a domestic card, even
if they can. Offline transactions are very quick.

~~~
shawnz
So if offline transactions are viable, and faster, then why doesn't the US use
them?

~~~
kalleboo
They were viable 30 years ago, maybe not today

------
db48x
Interesting fact: the best card terminals, if they are connected to a phone
line rather than the merchant's broadband internet connection, use a 1200-baud
modem. You would think that this would be slower, but the amount of data to
transfer is relatively small. This means that the transaction time is
dominated by time it takes to dial the modem and establish a connection rather
than the time it takes to send the data. A 1200 baud modem takes much less
time to negotiate a connection than a 56k modem, because it doesn't have to
check the quality of the line as thoroughly. Reliability is better on noisy
phone lines as well, and I'm sure they're cheaper. It's a win all around, but
it's not something they mention on the spec sheet because it looks terrible.

Of course that has nothing to do with the chip-based authentication.

~~~
aninhumer
Surely in a busy enough store it would be worth just keeping the connection
open, at least during peak times?

~~~
Mister_Snuggles
A lot of POS terminals in Canada just use Ethernet to connect to the payment
processor. For stores that already have internet they just hook into that, but
for those who don't one of the local ISPs even offered (they might still) a
$5/mo cable modem package just for POS machines.

------
richardknop
In Europe processing cards with chip & PIN at POS is quite fast. It usually
takes 2-3 seconds for me before "Approved" appears on the reader screen. This
might have something to do with US retailers still running legacy POS
terminals / tech.

~~~
realusername
Yes indeed, I don't really get this post, it takes around 2 seconds to
validate the transaction, is that slow? And you have contactless for small
amounts as well which is instant.

~~~
kmfrk
Chip readers were incredibly slow when they were first rolled out in Europe,
too. Stores would tape over the chip slot and put on a note saying "Wipe
instead".

Maybe I'm just showing my age here, but if it were a hardware problem, it
seems weird that the US would still have the launch woes Europe had over ten
years ago.

~~~
knz
> it seems weird that the US would still have the launch woes Europe had over
> ten years ago

Ha. That doesn't surprise me at all - "It's too hard or expensive for the US
to change compared to other nations" is not an uncommon argument for opponents
of change.

It used to drive me insane when I first moved here now but is now one of the
quirks I love about the US - people aren't Luddites they just really value a
national sense of individualism and urge to seek their own solutions!

~~~
njloof
Explains why the US still has the penny. Canada removed it (back when CAD was
on par with USD!) and I haven't missed it.

------
sofaofthedamned
I was a user in the Mondex card trial in 1995. This was like modern chip
cards, but a stored wallet instead of online auth to an account:

[https://en.wikipedia.org/wiki/Mondex](https://en.wikipedia.org/wiki/Mondex)

The banks outfitted buses, bars, pretty much everywhere with readers but even
after inducements to use it such as half price beer(!) it still failed. Why?
Because it was soooo slow. Waiting for ~45 seconds at the bar for a payment to
go through got old really fast. It barely lasted a year.

I'd have thought the friction of the payment would have been a lesson learned,
but here we are 22 years later and it's still a pain.

~~~
jandrese
45 seconds is a ridiculous amount of time. I wouldn't use it either. It would
put a big bite in a cashiers items per minute figure too, so they would hate
it.

~~~
sofaofthedamned
It was even worse on public transport apparently. I can't even imagine being
there for 45 seconds in front of a load of angry old ladies trying to get on.

------
asciimo
There's an express Target in the San Francisco Financial District that gets
around this by assigning cashiers to two registers. They start the chip
payment transaction on one register, and then slide over to the second register
to start another customer's checkout. Then they slide back to hand the receipt
to the first customer, etc. Absurd but effective.

~~~
germanier
In Germany, Aldi Süd uses a similar method. While the customer inserts the
card and enters the PIN (which is the slow part – the machine itself is really
fast) the cashier starts scanning the items of the next customer. All this
happens with the same register so the switch happens in software (they invest
a lot in register technology).

~~~
mediascreen
In Sweden people usually start the slow part (entering the pin) while their
items are scanned. When all items are scanned you just press ok to authorise
the amount and wait for 1-2 seconds for the transaction to go through.

~~~
germanier
Ah yes. I have written about this on HN before. I have never seen this outside
Sweden for some reason.

At Aldi specifically it wouldn't be useful as you have to keep up with the
cashier's scanning speed while bagging. In other stores you can start bagging
at the end. Not sure why they don't use the same idea as Swedish stores. Once
I tried inserting my card while scanning in a German store but the machine
didn't like it at all.

~~~
c12
We have it in the UK for some petrol stations. My local one before they had
pay at the pump allowed you to go to the cashier put your card in the machine
and enter your pin tell them how much fuel you wanted and then the pump would
only deal out up to that amount.

You only got charged for the amount of fuel taken, so it didn't matter if you
said you needed 30 pounds worth and only took 26 pounds worth.

I guess it was similar to pay at pump now, where you enter your card and pin
to pre-approve up to 99 pounds, fill up and then only get charged for the
amount you took.

------
phlo
As has already been pointed out, EMV transaction flows go through many steps.
From what I understand, the protocol was designed with a focus on flexibility,
and little attention was paid to low latency.

Until some years ago, most terminals would mirror that. Most prominently, they
used to have separate "enter pin" and "verify transaction amount" steps, and
included longer delays for displayed status codes. Recent devices have started
combining these steps ("Amount: xy. Enter PIN to confirm") and status
messages.

Newer use-cases like the contactless qVDSC application have been tuned for
better performance, limiting the amount of communication between reader and
card.

For more details, have a look at this guide from VISA:
[https://www.visa.com/chip/merchants/grow-your-business/payme...](https://www.visa.com/chip/merchants/grow-your-business/payment-technologies/credit-card-chip/docs/visa-emv-merchant-tadg.pdf)

~~~
Symbiote
That would make sense if the USA was an early adopter, but it's the latest
adopter. They should have jumped straight to the latest systems.

Also, I don't remember EMV being slow in the UK, and that was an early adopter
of the modern protocol (2004).

~~~
cbhl
The USA was an early adopter of Point of Sale systems. I'm under the
impression that retailers haven't upgraded the computer systems attached to
credit card chip readers.

~~~
zeta0134
Aye, in South Texas at least, I've noticed that newer terminal systems seem to
process things just as fast as card swipes, if not more so. But older systems
that have obviously been retrofitted with the technology are hit and miss. I
often feel like it's the user interface slowing things down more than the
transaction itself though, I can't recall any recent instances of delays
waiting on the authorization to happen that were longer than a few seconds.

------
vasusen
Here's a good blog post from a WePay engineer that explains some of the
slowness -
[https://wecode.wepay.com/posts/supporting-chip-cards-at-wepa...](https://wecode.wepay.com/posts/supporting-chip-cards-at-wepay)

~~~
coleca
Great post. Now I finally learned why when I use my debit card I'm asked "INTL
VISA" or "US DEBIT BANK" every time. I thought it was the PIN pad software,
it's actually an app running on my own card that is causing that to come up
with every transaction.

------
Tepix
Here in Germany it usually takes a few seconds (less than 5 I'd say) - I
noticed however that paying at Aldi Nord is very fast. They really do tweak
the cash register speeds at Aldi...

~~~
aembleton
Interestingly, Monzo takes a few seconds (~5) to notify me of a transaction if
I do it in Germany. UK, Belgium, Malaysia and Indonesia are all instant.

I assumed that there must be some further process that it goes through,
between telling the credit card reader that it is completed and Monzo getting
informed.

~~~
SpeakMouthWords
I wouldn't muddy the waters here with talk of Monzo. Most chip reader cards
don't do what Monzo does in terms of real-time backend transaction
verification, that's a generation further than the stuff being rolled out in
the US.

------
bericjones
Because with the swipe readers there is only one call to the payment
processor.

However, with chip transactions there are multiple calls for different payment
processing flows. For example, a transaction could require 5 round trip
request responses from the chip to the payment process meaning 5x the time
required.

~~~
tdeck
A more interesting question for me is: why are NFC credit cards so much faster
than chip ones? Presumably they require the same kind of round trip challenge-
response with their internal chip, but I have heard they're much faster.

~~~
ajdlinux
Pretty sure NFC transactions are "offline", i.e. the round trip to the bank
happens after the card has left the reader.

~~~
Jaruzel
This is correct. Which is why there is a low 'floor limit' on NFC/Contactless
payments. Your card is not actually authorised at point of transaction.

~~~
occamrazor
From experience in two European countries, this is not always the case. I have
both a Visa and MC cards which can be used in contactless mode for
transactions of any size, up to the card limit. For low amounts (<40EUR) the
PIN is not requested. For larger transactions I have to enter the PIN, but I
don't need the chip.

~~~
Jaruzel
In the UK, Contactless is PIN free, hence the low floor limit. Anything over
that amount (£30 typically) requires Chip+PIN, and remote authentication.

------
Taylor_OD
My question is why chip readers flash like 6 or 7 screens that all say DO NOT
REMOVE CARD in one way or another before giving you a noise that could be
described as, "transaction failed" before finally being successful. I wouldn't
mind waiting the extra couple seconds if the process was a little more
customer friendly.

~~~
Sohcahtoa82
Yeah, whoever decided the "Remove card" sound should sound like a buzzer needs
a few lessons in UX. A simple "Ding!" sound would be far better.

------
arethuza
Here in the UK I'm generally amazed at how _fast_ they are - slowest part is
typing my PIN in if that is required (some places still require it or if the
transaction size is over the limit for contact-less).

~~~
pfranz
I'm guessing the OP is from the U.S. A few notable differences in the U.S.:
they've only been rolling it out for a few years and they use a signature
instead of a PIN.

This is a suspicion, but I think they're slower in the U.S. because a) they're
just slower b) the UX is worse. You insert the card, wait, then it asks for a
signature (presumably because not all accounts, vendors, and dollar amounts
require a signature?). From what I've seen overseas you insert the card, type
in your PIN (in parallel to card processing)--so it appears to process more
quickly because you're not waiting.

~~~
tokenizerrr
Huh? How does the signature thing work? Do you input your signature into the
device somehow?

~~~
bodyloss
I believe you give a physical signature and it's compared to what's on the back
of the card.

~~~
slackingoff2017
Not in the US.

For most terminals the small screen is actually a touch screen that (in the
US) has a stylus attached to sign with.

However as you would expect, the signature is completely worthless and
basically everyone signs with a simple scribble.

~~~
justusthane
I draw little pictures for the cashiers at a store I frequent.

------
exabrial
And why on earth do you have to SIGN still? Seriously. I draw a picture of
Shammoo most of the time, to the delight of many cashiers

~~~
zurn
Signing is working in your interest. You can ask to see the receipt that you
signed in case of fraud.

With PIN, the burden of proof is on you - the bank will say you were careless
with the PIN and let other people see it, abrogating their responsibility.
Even if it's a security vulnerability in their system. (Not a theory, this is
how it goes in Europe - see Ross Anderson's group's work on this)

~~~
avar
Do you mean this 2010 paper:
[https://www.cl.cam.ac.uk/research/security/banking/nopin/oak...](https://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf)

Here's their blog post about it at the time (but the YouTube video is down,
unfortunately):
[http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/](http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/)

From the paper: "Because stolen cards can be used without knowing the PIN, by
our definition, Chip and PIN is broken. We do not believe that the system is
broken beyond repair, but neither is it the case that a simple fix will
suffice, due to the unmanageable complexity of EMV."

~~~
zurn
They have been doing a lot of work in the area, I think 2009-2015 at least.
There are several publications, and more than one attack.

------
welanes
This guide from N26 bank is informative:

[https://n26.com/how-realtime-notifications-work/](https://n26.com/how-realtime-notifications-work/)

Each time you use your card for a payment (which is almost instant), you
receive a realtime notification within 0.5 seconds.

~~~
tzaman
I use N26 as my personal bank, and I must say it's pretty much instantaneous -
when I pay contactless, I can hear my phone notification before I get to put
the card back in the wallet. I've tested the card across Europe while
traveling and the speed at which I get push notifications is consistently
fast.

~~~
Moter8
Can confirm, phone vibrates before the POS beeps.

------
_wmd
Note this isn't true in all countries. My UK cards within the UK all follow
some apparently online process in any UK merchant, however during a stint in
Finland a few years back, I didn't find a single example of a merchant where
their reader didn't instantly approve my transaction as soon as I correctly
entered my pin.

Never received a (note: I know, we can all make guesses) conclusive answer
explaining the difference.

~~~
PeterisP
There's no technical reason for the difference, simply it's up to the merchant
& issuer that can arbitrarily set all kinds of limits where certain checks
will be required.

It's a tradeoff between convenience and security, different places will make
different choices, but generally competitors within a single market (e.g. UK
or Finland) will try to make the same choices so they don't get customers
asking why they're slower than a competitor.

------
userbinator
Smart cards (ISO 7816), used for credit cards and SIMs, among other things,
communicate through a relatively low-speed serial protocol. The secure
microcontroller they contain is also quite slow, especially if you consider
the cryptographic operations they're required to perform. I suspect part of it
is due to power constraints, and also somewhat tamper resistance.

~~~
teilo
Line speed has nothing to do with it. The speed of the transmission from card
to reader is dwarfed by the latency of the transaction as a whole.

------
Humphrey
This post explains why I was so frustrated using my card in the USA the other
month. I figured it was super-slow because I had an international card, and it
was confused.

Back here in Australia, almost every retailer (including those on 3g eftpos
machines) takes < 4s from when i tap my card, to when I can start walking
away. So much quicker than cash :-)

~~~
noway421
4s is outrageous, paywave works within 1s.

~~~
SyneRyder
Depends on network situations. Here in Perth I'll get a beep immediately on
Paywave, but still have to wait a few seconds for Payment Approved to appear
on the screen. Some stores seem to have really terrible mobile reception for
their mobile payment terminals.

Still faster than Bitcoin confirmations though.

------
exelius
In many cases (RiteAid pharmacy terminals are the absolute _worst_ about this,
but far from the only offender) it's just crappy UX design.

I have an American Express card and a RiteAid rewards card. Here's my checkout
flow at the pharmacy:

1. Punch in phone number for rewards card

2. Get prompted to use my "Plenti" points; which require PIN entry

3. Swipe/insert card (most RiteAid terminals used to work with Apple Pay, but
had it disabled)

4. Get prompted to use my American Express points. Say no.

5. Enter relevant pharmacy details (DOB, verify pharmacist reviewed
prescriptions for you)

6. Remove chip card

7. Sign paper receipt

This UX flow is simply too complicated for a checkout process. It's got way
too much friction, and they disable contactless payments to ensure you can't
circumvent that.

Making these payments process more quickly is great; but Apple basically
already solved that problem with Apple Pay. But it's not effective because it
seems that some retailers _want_ more friction in this process.

~~~
BlackjackCF
It really doesn't make any sense to me why retailers want to be doing this. I
thought people would really get behind the credit cardless approach.

When I went to China, I was absolutely amazed by how well everything in
Shanghai integrated with AliPay. My family was able to go to some restaurants
and order + pay with minimal interaction with a waiter.

~~~
exelius
My guess as someone who doesn't actively work in this stuff (but have dabbled
in it) is that some large merchants get a break on transaction fees with
chip/swipe that they don't get with Apple Pay/Samsung Pay/etc.

An extra 0.05% in savings wouldn't matter to a small store, but for a national
retailer, it's probably a meaningful amount of revenue.

------
the_mitsuhiko
I can't talk about the US but over here (Austria) the slow chip readers
typically are GPRS based and connect for every single transaction. There is
one nearby in a lunch place where I really consider telling them how to hook
it up with their wifi :)

~~~
codfrantic
I recently helped a shop connect their terminal to the wired connection
instead of the POTS one. The time it takes for a payment to go through went
from 25 seconds to 2 seconds :) Also they used to pay a few cents for each
transaction...

------
leejo
I suspect it's because a lot of merchants are using terminals that are
connecting over PSTN, or they don't hold a connection open between
transactions so they have to do the connection dance for every transaction. Or
they have connections that are just plain slow.

From my time writing backend banking integrations for a PSP, going on 5 years
ago now, the time to authorise a card transaction (that's IP to BT gateway to
X.25 network to acquiring bank to issuing bank and back again) would take
anything between 0.2 and 1.0 seconds. So I don't believe it's actually down to
any complexity in the authorisation steps _if_ the transactions are done
online.

~~~
coleca
I see the same behavior in large chain stores such as Target, Lowes, and
Walmart that would have dedicated private lines between the stores, their
datacenter(s) and the banks. I've worked at a few large retailers and they
typically had a hub and spoke model of network where all the stores would
communicate over a private MPLS network to the datacenter where we had a
"payment switch" (also called a payment gateway or router) dedicated
individual redundant T3 lines to each card network (Amex, Discover,
Mastercard/Visa, EBT, and gift card processors). This was at a chain with 200
stores. Larger chains would be even more robust I would imagine.

I think the delays aren't network related, but more along the lines of the
process that is happening. With mag stripe the approval flow was much simpler
and happened in fractions of a second end to end. EMV is a different ballgame
unfortunately.

------
rawland
It depends on the card you use. The transaction suffers under several
communication latencies and most importantly fraud checking takes up a
significant amount of time. A lot is implemented utilizing legacy technologies
(I implemented a system once), as the initial systems were setup in these and
the banking/payment sector moves quite slowly. Anybody remembers the Y2K
problem [0] ? ;-).

[0]:
[https://en.wikipedia.org/wiki/Year_2000_problem](https://en.wikipedia.org/wiki/Year_2000_problem)

------
cdibona
Do you mean the actual chip back and forth? The inherent problem is that the
7816-d standard is a mess. It requires extremely small data exchanges on the
order of _seconds_ to get a cert out of the card.

This has been a mess since the mid 90s, when I first worked on these things.

Here's a cruddy, not at all useful link to the standard:

[http://www.cardwerk.com/smartcards/smartcard_standard_ISO781...](http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816-4_annex-d.aspx)

------
sgustard
[https://en.wikipedia.org/wiki/EMV#Transaction_flow](https://en.wikipedia.org/wiki/EMV#Transaction_flow)

------
cmurf
The time varies widely. The remove card notice comes as fast as 3 seconds, I
find 6 seconds more typical, and up to 15 seconds for the local grocery, and
nearly 30 seconds for small pizza, sandwich, liquor stores.

There is no possible way it was taking this long for swipe authorizations; or
even NFC authorizations which seemed faster than swipe but were probably the
same, but more secure.

I still think the U.S. did this exactly wrong. 1. we were late to the game; 2.
had started adopting better NFC technology; 3. instead of building on that,
regressed to an old slow contact chip-based system; 4. instead of moving
directly to PIN entry, retained signing, hence chip & sign, rather than chip &
PIN. It's idiotic.

And that's just the customer side idiocy. The merchant idiocy is even worse.
They paid for this transition. Not the banks, the processors, or EMV who
ensure they make money hand over fist no matter what. If a customer has a chip
card, and your POS does not support chip reading, the liability for fraudulent
transactions is shifted to the merchant.

------
YeGoblynQueenne
Edit: this is not entirely correct; transactions may go online or stay
offline, depending on amount and connection speed. See comments below.

It might depend on where you are. Where I am, in the UK, chip card
transactions are quite fast. Fast enough to use contactless (tap and go a.k.a.
"pay by bonk") where you literally just tap your card on the pinpad and go on
your merry way [1].

The difference is that in the UK, transactions are not immediately sent
online. I repeat: _they're not immediately sent online_. So you don't have to
wait for the merchant to contact the acquirer, for the acquirer to respond and
so on and so forth.

Instead what happens is that you dip, or swipe, or tap your card; the pinpad
and the card figure it out between themselves whether you are the rightful
owner of the card; the pinpad makes a record of the transaction; and you're
told the transaction is "approved", then pick up your goods and go home. Later
in the day, the merchant (i.e. an automated process at the store) sends an
overnight "batch" of transactions to the acquirer, (i.e. the bank or credit
network etc) and the acquirer either transfers the funds directly to the
merchant, or blocks out the funds so you can't use them again and they can be
transferred to the merchant later.

That's the EMV standard in a nutshell and entirely from memory, with a
distance of a good few years from the time I worked for an EMV vendor (we sold
a bit of EMV software that went on the Point-Of-Sale machine and handled all
of the above). I might be misremembering a few things but I believe the above
is mostly accurate.

tl;dr: having to go online for each and every transaction takes forever.

___________

[1] Or of course sometimes do a double take, realise the transaction hasn't
gone through, tap again, eyeball the pinpad, then possibly insert or swipe etc.
Sometimes it doesn't work.

~~~
gambiting
Uhmmm I'm fairly certain that's not entirely correct. There may be terminals
which batch transactions and send them later, but in most cases you can even
see the terminal going "connecting to <bank> servers" and only after it
obtains the connection it authorizes the transaction. Larger stores have a
constant connection open so the transaction goes through straight away, in
smaller shops the terminal actually has to connect with the bank first.

But I guess the best proof is that if you have zero money in your account you
can't actually buy anything with your card, the transaction will get declined
immediately (unless you have overdraft, obviously), so the terminal has to
check with the bank if you have funds to pay or not.

~~~
YeGoblynQueenne
Alright, I got a bit of a memory refresher (thanks Wikipedia
[https://en.wikipedia.org/wiki/EMV#Terminal_action_analysis](https://en.wikipedia.org/wiki/EMV#Terminal_action_analysis)).
I didn't entirely misremember this, but I'm not entirely correct either, like
you say.

In short, whether a transaction will go online, stay offline or be denied,
depends on the settings on the card (configured by the issuer) and the
settings on the pinpad (configured by the acquirer). The two of them together
decide what happens.

So in some cases the combined settings on the card may allow offline
processing, which is the batch process in my previous comment. Others, like
ATMs (according to the article) will always go online, and yet others may set
a "floor limit" - a transaction amount above which the transaction should
always go online.

Another factor is the "terminal capabilities", so basically connection speed-
if that's too slow transactions may default to offline only.

So what I remember must be that if the transaction is under a certain floor
limit, or terminal speed, it can stay offline, maximising some speed-vs-risk
tradeoff. And what you note, that the card will deny your transaction when you
don't have enough money in the bank, is basically the flip side of that.

What would be harder to notice is the cases when a transaction goes through
even when you don't have enough money in the bank, e.g. because the amount you
spent is below the floor limit for your issuer and acquirer. But I'm not sure
what happens after that- is the transaction declined later? Does the bank
charge your account as if it's overdrawn?

It's been a while and I don't remember those things very well I'm afraid :0
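
The decision described above, sketched as an added example (not part of the comment, and not any vendor's code): the terminal ANDs its Terminal Verification Results with the issuer's and acquirer's action codes to choose between offline approval (TC), going online (ARQC) and offline decline (AAC). The sample profiles, the amounts and all function names are constructed for illustration.

```python
from dataclasses import dataclass

TVR_LEN = 5  # Terminal Verification Results (TVR): 5-byte bit field

# TVR flags as (byte index, bit mask); bit positions per EMV Book 3.
SDA_FAILED = (0, 0x40)            # byte 1, bit 7
EXPIRED_APPLICATION = (1, 0x40)   # byte 2, bit 7
FLOOR_LIMIT_EXCEEDED = (3, 0x80)  # byte 4, bit 8

def mask(*flags):
    """Pack flags into a TVR-shaped 5-byte value."""
    out = bytearray(TVR_LEN)
    for index, bit in flags:
        out[index] |= bit
    return bytes(out)

@dataclass(frozen=True)
class ActionCodes:
    denial: bytes   # any matching TVR bit -> decline offline
    online: bytes   # any matching TVR bit -> ask the issuer
    default: bytes  # used instead of `online` when the terminal cannot go online

# Constructed sample profiles, not real issuer or acquirer settings.
CARD = ActionCodes(mask(EXPIRED_APPLICATION),
                   mask(SDA_FAILED, FLOOR_LIMIT_EXCEEDED),
                   mask(SDA_FAILED, FLOOR_LIMIT_EXCEEDED))
TERMINAL = ActionCodes(mask(), mask(FLOOR_LIMIT_EXCEEDED), mask(FLOOR_LIMIT_EXCEEDED))

def build_tvr(amount, floor_limit, sda_ok=True, expired=False):
    """Record terminal risk-management results (amounts in minor units)."""
    flags = []
    if amount >= floor_limit:  # EMV sets the bit at or above the floor limit
        flags.append(FLOOR_LIMIT_EXCEEDED)
    if not sda_ok:
        flags.append(SDA_FAILED)
    if expired:
        flags.append(EXPIRED_APPLICATION)
    return mask(*flags)

def hits(tvr, issuer_code, terminal_code):
    """True if any TVR bit is set in the issuer OR terminal action code."""
    return any(t & (i | a) for t, i, a in zip(tvr, issuer_code, terminal_code))

def terminal_action_analysis(tvr, card, terminal, online_capable):
    """Return the cryptogram type the terminal requests from the card."""
    if hits(tvr, card.denial, terminal.denial):
        return "AAC"   # decline offline
    if online_capable:
        return "ARQC" if hits(tvr, card.online, terminal.online) else "TC"
    return "AAC" if hits(tvr, card.default, terminal.default) else "TC"
```

The card has the last word: after its own risk checks it may answer a TC request with an ARQC or an AAC, which this sketch does not model.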

------
toast42
Planet Money did a story on this last year.

[http://www.npr.org/sections/money/2016/04/13/474135422/episo...](http://www.npr.org/sections/money/2016/04/13/474135422/episode-695-put-a-chip-on-it)

------
jaclaz
It depends not only on the POS itself (old models vs. new ones) but on the
kind of connection.

Here in Italy, besides "portable" POS that have a SIM card and go through
GSM/GPRS (and are "good speed, but not that much fast") now also 3g/4g, the
"corded version" can be:

1) Dial in (analog)

2) Dial in (ISDN)

3) IP connected

The difference between #2 and #1 is like 4/5 times faster ISDN vs. analog,
and the IP (provided that there are no network issues) is instantaneous.

I would say:

1) 5-20 seconds

2) 1-5 seconds (and GPRS is roughly the same, 3g/4g is on the lower side)

3) 0-1 seconds (really, the sheer moment you press the green button, the
receipt starts being printed)

------
Fbleite
I'll recommend the following white paper. It explains in quite some detail the
specifics of your question.

Cheers

[https://www.ul-ts.com/offerings/knowledge-sharing/white-pape...](https://www.ul-ts.com/offerings/knowledge-sharing/white-papers/featured-white-papers/insights-on-emv-transaction-speed-pos-performance-optimization-/c-39/c-2004/p-2089)

------
andy_ppp
I mean _worldwide_ Monzo (UK challenger bank) gets a buzz in my pocket from
their app in < 5 seconds to say accepted/declined.

------
Confusion
I have no idea what you consider slow, but the latest improvement here is
contactless payments for anything under 25 EUR, which only requires holding
the card close to the terminal for about a second. After which the payment is
confirmed after another second.

Payments for which a PIN is needed are confirmed in the same amount of time
and entering the PIN is the slowest part.

~~~
camiller
Most cards issued in the US are not contactless, so the only contactless
transactions are I-pay/Android/Samsung-pay.

------
sundvor
Using Samsung Pay which uses NFC on my S8 / Gear S3 here in Australia and it's
pretty much instant. And I get a digital receipt on my device straight away,
which is awesome. Protected by fingerprint, or code, so feels more secure than
the Mastercard plastic with embedded NFC pay wave.

Tap based pay has become ubiquitous in Australia, and I love it.

------
Beltiras
It seems to differ between implementations. In Iceland the readers have usually
been superfast. We just had a Costco open and the readers there are superslow.
Goes through multiple handshakes and notifies you of the process. They might
be hooked up to a different payment processor than the local ones, hence
higher latency.

~~~
firebird84
That's odd. My costco recently switched to using chip readers and they are
SUPER fast. They're the fastest I've ever seen. I can't imagine there's any
way they're contacting a host at all...

------
callumjones
I believe Index was working on speeding up EMV transactions:
[http://www.index.com/payments-and-security/emv/](http://www.index.com/payments-and-security/emv/)

I thought it now depends on the firmware in the card readers, which it seems
companies like Index control.

------
pbreit
Previously the mag-stripe conducted your card number to the merchant and they
could charge essentially whatever they wanted (but there were various reasons
they would likely charge the amount you owed). With chip, they have to compute
the final amount while your card is inserted and cannot deviate.

~~~
camiller
Place I part time at, the card terminal isn't even hooked into the cash
register. I have to manually enter the amount from the register screen into
the card terminal. But I have to do that for mag stripe and contactless as
well.

------
zeep
I don't know why but there is a convenience store around here that is faster
than everybody else... I need to ask them what their trick is. I think that it
is as fast as magnetic strip readers (not as fast as McDonald's strip reader,
but as fast as most).

------
twothamendment
Just two days ago I wondered how Costco was so blazing fast. I have the same
hardware on my desk for development, but whatever they are doing is very
different than what our partner is doing. I was only guessing - but they only
have one bank to deal with?

------
FrostAlot
Came across this article which talks about what goes on in the background:
[https://tech.affirm.com/deep-dive-payments-60f5d17f6c71](https://tech.affirm.com/deep-dive-payments-60f5d17f6c71)

------
IgorPartola
And how come Apple Pay is so much faster than the chips + signature or chip +
pin method?

------
dbg31415
So you think they are bad in the US? Live somewhere else for a while... you
try the system in Australia and you'll REALLY think they are bad in the US.
Ha. But yeah, compared to other places the US is lagging. By a fair bit.

------
astrostl
My hot take on them:

- my wait is annoying, population person-hour waits are breathtaking to
consider

- all of my breaches are internet-based anyway, so I don't see how it helps
much

If all my CC transactions had an optional, on-the-spot second factor, now
we're talking.

------
jimjimjim
The workflow can be quite complicated.

card<->reader<->pc/terminal<->transport (ip/phone line/gprs)<->financial
switch<->financial institution.

Add to that emv, tripledes etc and it all adds up.

------
randomfool
FWIW, Square's chip reader seems to be much faster than many others.

~~~
photojosh
Can confirm. Just set a Square reader up for my local school's parents'
association and it's so quick I had to do a double-take as to whether the
payment actually had been made.

------
cozzyd
All I can say is it was very slow at the McMurdo gift shop

------
tomerbd
could it be on purpose? to have it more secure? like, wait before you can
retry?

~~~
mkagenius
no :) but good idea.

------
jimjimjim
also, other countries have completely switched over to chip/pin for security
reasons with little or no problems but due to not wanting to confuse US
tourists the terminal software must allow pin-bypass so they can still sign
instead of using a pin.

sigh.

~~~
TulliusCicero
It's not due to not wanting to confuse US tourists, it's wanting to
accommodate US tourists; American credit cards don't have a PIN, period.

~~~
jimjimjim
my bad, it's been years since I last worked in that field. And I just remember
sighing a lot at all the hoops that had to be jumped through in the name of
security and then to just allow people to bypass it.

------
m3kw9
Network latency

------
ronpeled
just another reason we'll move faster into blockchain and decentralized crypto
currencies...

~~~
Dylan16807
So we can increase the latency to confirmation by orders of magnitude...?

Chip readers are a couple seconds with a good setup, and a couple minutes with
a bad setup. Blockchains drag that into minutes and hours.

------
Figs
I don't know what the reason actually is, but I assumed it was slow _by
design_ to make it harder to compromise, similar to bcrypt.

------
Mandatum
Bad internet speeds, WiFi or business skimping on internet. It's never usually
the terminal, it's the connection to their payment provider, or their payment
provider reseller's connection to THEIR payment provider.

It's very common for bars and restaurants to have a dedicated line for the
terminal, but usually they'll skimp on tech (have seen dial-up over POTS or in
a fibre-capable premises). Also very common to use 3G or 2.5G.

It'd take a tech all of 5 minutes to diagnose and suggest a fix for 98% of
these slow terminals. It's strange seeing businesses not look to fix these
issues. If I was a payment provider I'd probably run diagnostics against my
customers' terminals every day and force poor performing customers to have
someone come in and fix it.

~~~
droopyEyelids
Your conjecture doesn't address why the swipe is fast while the chip is slow.

~~~
mschuster91
It certainly does. Swipes are settled (transmitted to the bank) once a day,
after store closure. The chip, meanwhile, is in almost all cases online -
which means that when the terminal is connected via POTS or ISDN, there is a
minimum delay of 10-30s for establishing the connection, while this is nearly
instant with a DSL/fiber uplink.

~~~
Mandatum
This. Sorry, I thought this was a given. Thanks for filling in the blanks
mschuster91.

~~~
phil21
This is not remotely common in the US. Almost all transactions are on-line,
issuing an auth against the card.

You are correct that end of the day batches then happen to settle all those
auths into actual sales - but that's so you can do things like instantly
refund a customer for a cashier fuckup/etc. and not get charged the discount
fee both ways like how a regular refund works.

There are no stores simply accepting any/all magnetic swipe transactions and
then only at the end of the day figuring out that oops, that card didn't have
enough credit available after all.

