As mentioned in many comments online transactions will be an order of magnitude slower, as they need to be sent to the issuer, have their cryptogram verified and the challenge response returned if the card does host authentication - which most do these days.
The entry mode generally does not determine how a transaction is authorised - chip, PayPass (NFC) and stripe can either be off or online. In fact stripe transactions are invariably online unless you want your business to be overrun with fraudsters. One of the prime reasons in the early days of EMV was to have it so safe that offline transactions were fraud proof - or close to. Naturally this noble goal was shot full of holes the moment real fraudsters got to it. However, the card is personalised with various limits and counters and with the possibility of using an offline PIN, which combined with the static authentication does give reasonable protection for low value offline transactions. Fun fact - in the initial spec this offline PIN was communicated between the terminal and the card in the clear. What could possibly go wrong :-). These days it is encrypted.
Anyhow enough blather - hopefully this has given a bit of insight.
The difference is probably faster data connections and more efficient protocol implementations, I would think.
: For some reason receipts here contain quite a lot of information on what happens behind the scenes if you know how to read it. I hope this link keeps working, it contains exercepts of receipts merchants give you here: http://docplayer.org/storage/33/16568026/1498495227/GbAKHYXN... With that information you can e.g. see which steps were perfomed offline.
Living in Canada, I tend to notice a wide variability in the response times of ATMs to withdrawal requests (i.e. the time between when you finalize the transaction request, and when it spins up the bill spitter) and I think the one factor I've noticed it coming down to is the number of interchange networks marked as being supported on the side of the machine.
The ones that just do Interac (the Canadian interbank debit-transaction network) are quite quick; the ones that do Interac and PLUS or Cirrus are slower; the ones that add support for cash advances on plain credit cards by supporting individual CC companies (Visa, AMEX) are slowest of all.
So, maybe it's not the number of applications on the card, per se, but rather the number of applications supported by the terminal, with some sort of O(N^2) interaction between them?
0000008000 (Byte 4 Bit 8) Transaction exceeds floor limit
Floor limit being the $/EUR/whatever amount that could be approved offline.
The 2 in the diagram appears to be pointing at a cleartext credit card number.
Have they decided to accept the risk of offline processing to speed up their checkout process?
That is, what brand of terminal does walgreens use vs. safeway ?
In this late year of 2017 I know that many new NAS devices use cheap processors that make it difficult for them to run rsync over ssh ... it's too computationally expensive to encrypt the data stream at a high network speed.
If NAS vendors make that decision I wouldn't be surprised if some payment terminal vendors make similar decisions ...
How do you encrypt a 4 digit number (PIN) in a way that is resistant to brute force recovery?
What you don't do is shove the 4 digit number straight into an ECB mode cipher.
Oh gosh, this feels just like my crypto finals :(
At least that's how I'd do it.
Also there was a great episode of the podcast “Planet Money” a while back which goes into detail on your question :
> Today on the show, we bring you a brief history of what's in your pocket. It's a story of convenience vs. fraud—and it also includes a hippie inventor, the origin of the last great upgrade on your card, the magnetic stripe, and why it takes so long to "dip the chip."
90% of the places I use a card in seem to be still swiping the cards, while we have had full chip + PIN implementation here (Ireland) since at least 2005 or 2006.
Chip+sign is a solution to a real market problem with chip+PIN in the US: the the typical consumer has many credit cards. https://www.quora.com/What-is-the-median-number-of-credit-ca... claims an average, not median, of 3.5 per cardholder, and that matches the numbers at http://www.creditcards.com/credit-card-news/ownership-statis... . Heavy credit card users have a lot more: it's common for stores to have store-brand cards that give you a discount at that store, so a number of people end up with a dozen different cards for stores they commonly shop at.
Expecting people to remember this many different PINs is not realistic. So every card issuer was worried that users would just stop using their card because they could not remember the PIN. This is the problem chip+sign is meant to solve.
In other countries, patterns of credit card use are quite different. http://www.theukcardsassociation.org.uk/wm_documents/UK%20Ca... page 6 claims an average of 2 cards for the UK, for example. So the "can't remember the PIN" problem was not as big a deal.
I can go to pretty much any ATM in the EU and change the PIN on all of my cards.
Chip and PIN is not the sole marker, but it is the most obvious one, which is why people use it as a benchmark.
But all that aside, the real question is, why are you still using a physical credit card? In the US, I can use Apple/Google Pay at nearly every business I find, and all of the large banks and most regional and smaller firms offer support for their products on the platform.
When will Europe catch up with banking technology?
For around a decade, many cities, example Prague, have accepted text message based payments for public transit. Today most public transit systems have their own apps for payment and ticketing. I can't think of a single U.S. city that does this. They're all exact change only or proprietary ticketing systems.
About the most advanced I can recall, Citi had a short lived tap and pay, NFC based, project in the NYC subway 10 years ago. You still got the 10% metrocard discount. It was ultra proprietary though, Citi cards only.
And then Citi and Amex went and ripped NFC out of all my credit cards for this slow EMV chip. Haha yeah, when will Europe catch up. What we did is catch up with their 3 decade old chip idea.
MBTA in Boston had the mTicket app for mobile ticketing and payments for years. I live in Boston and use the app regularly. Can't comment on other cities because when I visit for a short trip I typically don't bother installing apps.
Amtrak and most airlines use mobile boarding passes too. Interestingly enough, on my recent trip to Europe I used the mobile boarding pass in Logan airport just like everyone else. But in Frankfurt when I showed my phone to the agent they looked at me like I was from another planet, probably thinking "stipid americans"
And while we're on the subject of transportation, about 5 years ago I visited a bunch of european countries, including my home country in Europe, and at that time the only way to call a cab was via dialing the local phone number, cash only of course. Funny because on that trip heading to the airport in the States was matter of acouple taps in the Uber app.
It was a US based in the beginning - but by the time Chip + PIN started there was significant infrastructure already in place. Its not like we all just started to use cards in 2005
> But all that aside, the real question is, why are you still using a physical credit card? In the US, I can use Apple/Google Pay at nearly every business I find, and all of the large banks and most regional and smaller firms offer support for their products on the platform.
Sure - that is down to market forces, not banking tech. There are banks here where I can use both Apple / Android pay, and all merchants take it (by virtue of our advanced usage of contactless payments - another thing that was introduced before the US).
What other areas is the US more advanced in (bank tech wise) ? We have online only banks, push notifications for transactions, and all the other things I see advertised by US banks.
Sure, but it was far more widespread in the United States. Even now, to this day, there are businesses all over Europe (I just did an 11-country tour not long ago) that simply don't take credit cards. In the United States, even student organizations take credit cards for selling things like shirts. Europeans haven't been using credit and debit cards like Americans have, and so even though similar infrastructure has existed, it hasn't existed to the same extent as it has in the United States. It follows that retooling the infrastructure costs significantly more in the United States, as every "swipe machine" had to be replaced with a machine that accepted a chip. Everything from drive-up ATMs to Square, to gasoline pumps have to be replaced. At this point we're kind of conflating technology with economics and market dynamics, but it's worth pointing out that it's not a lack of technology that made the US swipe-only for so long, but market forces. If, it cost me less money to deal with swipe fraud than it does to replace all of my credit card machines... what do you think a business would do?
> Sure - that is down to market forces, not banking tech. There are banks here where I can use both Apple / Android pay, and all merchants take it (by virtue of our advanced usage of contactless payments - another thing that was introduced before the US).
How do you arrive at this conclusion? I don't recall being able to use contactless payments anywhere in Italy, for example. Not that it doesn't exist, but my impression from visiting Europe and living in the United States has been that contactless payments are far more ubiquitous in the States than the countries I've visited in Europe.
> What other areas is the US more advanced in (bank tech wise) ? We have online only banks, push notifications for transactions, and all the other things I see advertised by US banks.
Scale. Blockchain. Products. Payments.
What are your thoughts?
You might have been running into the fact credit cards have much higher merchant fees, even if it's probably a violation of their EMV merchant agreement to refuse to accept these cards.
I see zero meaningful advancement of payments in the U.S. over Europe, to the contrary. There are more cash only restaurants in the U.S. especially if you're not in a big city, it's quite common. I think your opinion is based on a very limited experience across the U.S. and Europe.
And EFT payments in the U.S. are incredibly slow compared to their European counterparts. The fastest bank to bank transfer is Fedfunds wire, and that costs money, upwards of $30 for each party. It's cheap or free in Scandanavian and European cities.
I really have no idea what you're talking about when it comes to American innovation in this area... I see it as yet another example of American pay more to get less sort of classist mantra. Oh but if you have more money, and pay more fees, agree to give away more personal data in the EULA, you can get better services!
Scale - sure, the US is larger than any of the EU countries population wise - but not sure how that is "innovation".
Blockchain - work on blockchain tech is global - American companies even export the R&D to EU countries ;)
Products + Payments - there is nothing ground breaking in the US, that is not in the rest of the world
When I last visited the US, my Canadian credit card worked just like it does in Canada. Insert into the machine, verify the amount, enter my PIN, done.
- Why is it printing extra receipts? Oh... you have to sign one of these.
- Hold on, let me go find a pen for you to sign.
- Asks coworker what this message means. Oh he has to sign, must be an American.
And get this shit. My debit card in the U.S.? I always use a PIN for it everywhere. But when I travel outside the U.S. that same goddamn card requires a signature every damn time.
It's really fucking stupid, there's no nice way to put it.
verification comes in 3 parts: something you carry (card), something you know (card number, pin), something you are (your signature, fingerprint). Generally you need two. However since the card number is memorable (hard but possible) the pin is no additional security.
Chip + pin = Something you carry (card/chip) + something you know (pin). You need the physical card to use it, card number isn't sufficient.
PINs can be changed, so if you came up with a way of memorising them, its easy.
You also don't need PINs for things like loyalty / membership cards traditionally - just for payment cards.
- You can have the PIN reset for all of those cards so that they all match, (or better we should be using PK based push notifications to a smart phone app; plug in the card, and you get a push notification to deny/allow on your phone, instead of entering in a PIN.)
- Signatures aren't even verified the vast majority of transactions. They only come into play if you catch fraud and report it. So it's used after the fact, not in advance.
- Signatures are predicated on pen on paper on a flat writing surface perpendicular to gravity. Your signature is not at all the same to a handwriting expert if you change any of those things, and in particular the digital capture of signatures is complete utter bullcrap: no angular, or pressure information is captured. We should just use smiley faces on all such POS systems, in lieu of even attempting a signature (it is in fact what I do).
Digital signatures are Tonka Toys. They are nothing like a finger print.
Pick 4 digits on the card, multiply/add them by some constant number you know. You're now done 'memorizing'.
I force them to process it as a credit card because I get the consumer protections of the CC processing agreements. If I use my PIN, it's more like an ATM transaction.
Whether you're costing the merchant more money with higher fees for credit transactions, or if this gets normalized to a debit transaction later on, I'm not sure. But either way it's ridiculous to "force" a credit card transaction on the merchant.
There is no benefit to me to go with a debit transaction and the risk of significant liability if there is a data breach. So, I don't do debit transactions.
I do it more often because of the number of times I've been screwed by trying to use debit mode and end up with a non-functional gas pump or forced to reswipe with the mag stripe because they only support credit transactions from the chip.
I'd say U.S. banking is, if nothing else, generally at the forefront of digital technology despite heavy regulation
I think it must have been more than 10 years ago since I've seen my last check and that was an Amex Traveller Cheque
I actually have to write checks regularly to pay my utility bills, or I have to pay a $2.00 convenience fee to have the transaction processed by a third-party hired by the state. Not to mention, I randomly receive checks in the mail from events I speak at or for travel reimbursement or university reimbursement or the like. I love that I can snap a picture and wham my check is deposited.
Not to mention things like Apple Pay, which, without support, configuration, and advice from the banking industry wouldn't be a thing. Naturally they created the technology for the phone, but banks do the rest. How is that not innovation?
This is exactly why US payment systems are not at the forefront of technology.. whether one can snap a picture and use OCR or not is irrelevant (the phrase "like lipstick on a pig" comes to mind)
Second, they lobby to prevent the proper funding of a fast federal payment transaction system, i.e. making the necessary improvements so EFT can take minutes instead of days. They don't want that to be fast or free because it then obliterates their business models if anyone can just plug into that standardized system. Other governments have done this and that's why they have faster in-country payments (and often even in the Eurozone), despite their "regulations and infrastructure" such as they are.
Your example of QuickPay takes 4-5 days to/from a non-Chase account. That's dog slow, no matter the reason, compared to same country transfers in almost any other industrialized country. I can't think of a slower country off hand.
U.S. banks are overwhelmingly using Windows XP as their OS of choice in ATMs, still today. The height of technological achievement!
But it seems like the EU method of requiring a systematic API access to your banking and being able to send direct payments for all of those things above (minus the 'convenience fee' I think) would be nicer...
It's usually quoted as hours, but in practice is often 'instant.' More info: https://en.wikipedia.org/wiki/Faster_Payments_Service
US is archaic in many ways too: the necessity for paper checks in many situations (and still having to pay for them in many banks), no contactless payment cards, the aforementioned dire signature/chip situation... It's certainly anything but at the 'forefront of digital technology.' Not to mention fees. Fees everywhere! The effort it takes to avoid meaningless 'gotcha' fees is just insane -- and must surely stifle innovation too, in creating friction against change.
Transferring money with ACH takes multiple business days, this is not at the forefront of digital technology.
"Specifically, the NACHA Operating Rules require that ACH credits settle in one to two business days and ACH debits settle on the next business day. Recent enhancements to the NACHA Operating Rules now enable same-day settlement of virtually all ACH transactions."
Is this really true? I thought the US only started getting chip and PIN about 4 or 5 years ago?
Note too that the US has a legal limit of $50 if your card is stolen. As such to the consumer there is no incentive to care about security. Other countries don't have that protection and so consumers rightly refused to take a change until things were more secure. All that security comes at a cost, one consumers cannot afford to gamble on, but to a larger business can call cost of doing business and weigh against the cost of upgrading security.
Might be wrong, just my assumption based on contactless payment being almost instantaneous (like that petrol station).
However, using a contactless chip card is still a lot slower compared to using an Oyster card. Where as the Oyster card seems to process in a matter of milliseconds, the contactless card takes perhaps 2 seconds or more.
With a long queue of people all using contactless, this potentially adds up to quite a significant delay at the ticket gates.
The charge for travel on a given day is not made against your account until early the next morning. And card readers on buses, for example, don't always have a reliable data connection, so must be able to be processed offline.
You might be right that they are authorising in real time on the Tube readers, though. This would explain the poor performance.
The really slow ones just used dial-up. They mostly seem to be gone now.
With a magnetic card, after you slide your card, you can put your card immediately in your wallet, while the Point-Of-Sale solution authorizes with the electronic payment host in the background.
With a chip card (EMV card), the EMV spec required the Point-Of-Sale solution to write an authorization number to the chip card. This means you need to leave your card inserted in the PIN pad until the payment host authorizes. Authorization usually takes 2-3 seconds.
To improve this perception, the industry came up with Quick Chip, which Point-Of-Sale software companies started to work on recently. With Quick Chip, the POS software doesn't need to write the payment host authorization number to your card chip anymore. You insert your card, account number is read, you take your card from the PIN pad immediately without waiting for payment host authorization.
-Software engineer working at a Point-Of-Sale software company.
The question seemed more along the lines of "Why does it take 2-3 seconds to authorize?"
Others have laid out reasons for the 2-3 seconds.
Card Block, PIN Change or Unblock, Update other data
I haven't read the full Quick Chip spec, but here is my guess (take it with a grain of salt):
If card issuers are not able to update the card, then they won't be able to block the card. If the card is misused (e.g. stolen), there is a very small chance of retailers accepting fraudulent payments, but at least the following conditions should be met:
1. The POS solution should be offline from the authorization host,
2. The card should allow offline authorization and it has a "max offline amount" configured,
3. The sales amount does not exceed the configured offline amount in the card.
Most payment terminals are connected to 3G or 4G mobile networks, and from tapping the card to confirmation of payment takes two seconds tops.
Transactions over $100 do require the PIN, but you can usually enter that on the terminal without being required to insert your card.
The truly weird .au thing is that many merchants take your card and tap it for you. A holdover from the days when people got confused by all the options in swiping/inserting and selecting an account.
Also, while I was looking around to see whether I could find the original article, I saw an article describing that German banks want to eliminate traditional banking cards and do everything via NFC-enabled apps on smartphones. WHAT CAN POSSIBLY GO WRONG.
All the other stores created many opportunities for mistake by staff they badly trained and much confusion still happens today even long after the roll out. Most commonly, many cashiers demand a signature (on the back side of the receipt, where there is an authorisation text for using another payment technology) even though none is needed.
I worked for 1 week at a Kaufland (you could compare it to Eroski/Carrefour/Walmart) as cashier and I have never seen anybody else except me pay contacless so no wonder they get surprised all the time :)
Smarter merchants print muss less: Rewe, which is used in the example, doesn't print receipts at all unless specifically requested by the cashier and then only one which contains both the goods bought and the card transaction data for the customer. A merchant receipt is only printed in case a signature is required.
That seems to happen with bank product branding a fair bit. People _still_ talk about "pass machines" here; Bank of Ireland used to call its ATMs pass machines in the 80s/early 90s, and it stuck, for some reason.
If it's slow in the US I would expect it's merchants choosing not to upgrade their terminals.
Chips were introduced in France at a time where connecting all terminals wasn't practical/cheap. For this historical reason, most payment terminals aren't processing the transaction online in presence of a domestic card, even if they can. Offline transactions are very quick.
Like I say elsewhere this is very likely a regional thing, having to do with regulations that either require the transaction to be completed in one go, or permit it to be stored in a batch to be processed overnight.
I live in the UK and travel around the EU a bit (France, Italy, Greece, Belgium recently) and I've never noticed chip-and-pin being slow in any way. That's because in most of those countries at least, as far as I can tell, transactions are stored and processed in overnight batches instead of being sent online to be dealt with immediately, which may take a long time depending on the network connection etc.
From what I understand, most places outside the EU don't do batch, they send the transaction online to be completed immediately. Which can take quite a bit longer.
The card and the pinpad together make a decision about whether to send the transaction online or keep it offline and this decision may involve the connection speed of the device and the amount of money you spend.
So, in some cases you might check your account and notice that the money has not been taken out yet. Or you might not even check because the amount you spent was very low.
Obviously, if the connection speed is high enough there's no point in staying offline, so you'll always see your balance changing pretty much instantly. But, like I say, this depends on where you're shopping, what you're buying and what card you're using.
It depends. Some readers are set to accept offline payments for NFC for sure. Reason being that they only sell small items (lunch boxes and stuff) and an offline payment is instant. However in most places you can only do three offline payments before an online payment is forced.
On most terminals, using a US debit card (Chase at least), you can press the green button without entering a PIN and it lets you through. Doesn't ask for a signature either.
Contactless POSes aren't really a thing though apart from Santander I think.
Here in DE it's not like that - or at least never happened for me. A transaction that I start contactless might (random verification or > threshold) require a PIN. But I never need to insert the card or get an error message like the GP described.
Even if the amount is over the threshold - only once you tap your card on the terminal it beeps and says "insert/swipe card". Why even show the contactless logo then????
Of course that has nothing to do with the chip-based authentication.
I think there were a few processors with protocols that were chatty enough that the time spent negotiating 56k might have been worthwhile. I remember the Gensar and FDMS protocols mostly being sane but there were a couple others that were "hey look at this BBS software I adapted to be a credit card processor for some reason."
Maybe I'm just showing my age here, but if it were a hardware problem, it seems weird that the US would still have the launch woes Europe had over ten years ago.
The US banks have been talking about "smart cards" and updating payment tech for 25 years, but from what I see they've only been talking...
So unless I'm going to a big retailer (rare) or the stores directly around work/home, the interaction is usually complicated and annoying for human factors layered on top of the complicated, annoying, and insecure chip+sig protocol the banks settled on because chip+pin was too annoying.
This is why we can't have nice things.
Ha. That doesn't surprise me at all - "It's too hard or expensive for the US to change compared to other nations" is not an uncommon argument for opponents of change.
It used to drive me insane when I first moved here now but is now one of the quirks I love about the US - people aren't Luddites they just really value a national sense of individualism and urge to seek their own solutions!
I don't know about the EU, but US stores did this too. It has nothing to do with chip transactions being slow though. My chip card will not work when swiped at a chip-enabled PoS terminal. The issue, in the US at least, is that stores updated the physical terminal before (sometimes long before) enabling chip transactions at the processor level.
Caveat that perceptually this seems like a lot longer due to the variable action flow (sometimes sign, sometimes take card immediately, sometimes error) that demands attention.
Note here that Chase states that only contactless MSD support (contactless magstripe emulation over NFC with a dynamically-generated security code) is required for Apple Pay; a subset of contactless EMV.
But yes, my original comment was talking about swiping the card using the mag strip.
I also use Apple Pay sometimes but these days I mostly default to contactless payments as the prepaid debit card I use for small purchases is connected to a mobile app on my phone where I can track my spending and get instance push notifications
That's wild. Here in the U.S., I sign a couple of receipts every day.
The banks outfitted buses, bars, pretty much everywhere with readers but even after inducements to use it such as half price beer(!) it still failed. Why? Because it was soooo slow. Waiting for ~45 seconds at the bar for a payment to go through got old really fast. It barely lasted a year.
I'd have thought the friction of the payment would have been a lesson learned, but here we are 22 years later and it's still a pain.
At Aldi specifically it wouldn't be useful as you have to keep up with the cashier's scanning speed while bagging. In other stores you can start bagging at the end. Not sure why they don't use the same idea as Swedish stores. Once I tried inserting my card while scanning in a German store but the machine didn't like it at all.
You only got charged for the amount of fuel taken, so it didn't matter if you said you needed 30 pounds worth and only took 26 pounds worth.
I guess it was similar to pay at pump now, where you enter your card and pin to pre-approve up to 99 pounds, fill up and then only get charged for the amount you took.
Or, come to think of it, it probably lowered the likelihood of people using the supermarket loyalty cards so they nixed it.
Until some years ago, most terminals would mirror that. Most prominently, they used to have separate "enter pin" and "verify transaction amount" steps, and included longer delays for displayed status codes. Recent devices have started combining these steps ("Amount: xy. Enter PIN to confirm") and status messages.
Newer use-cases like the contactless qVDSC application have been tuned for better performance, limiting the amount of communication between reader and card.
For more details, have a look at this guide from VISA: https://www.visa.com/chip/merchants/grow-your-business/payme...
Also, I don't remember EMV being slow in the UK, and that was an early adopter of the modern protocol (2004).
A quarter century ago the way grocery retailers implemented credit and debit card payment was a physically separate unconnected terminal, you swiped and entered the amount on the separate terminal, and the only modification to the cash registers or workflow was hitting the "credit" button instead of "cash" when recording a transaction (there was already functionality for a "check" button). So there was no connection. Before credit/debit terminals you'd balance your register at the end of a shift using data from the "check" or "cash" button, afterwards you had a third column the "credit" button transactions, and that figure should match the terminal printout.
Its possible that connecting the systems results in slower speeds for an end user, although not having the cashier hand enter charge amounts saves enough cashier time that the overall system is faster although the end user feels its slower. What I don't understand is beyond some manner of witchcraft why connecting the register to the terminal would be assumed to slow down the process. Unless architecture has staggeringly changed in the last quarter century, the CPU in the cash register is not doing the crypto or running some kind of dialup winmodem, its in sleep mode awaiting an "Ack" or "Nack" while the terminal is doing whatever crypto magic that terminals do.
Not only that, but the Aldi checkout operators are extremely fast at scanning products compared to other supermarkets (at least that has been my experience in the UK).
I also just noticed the dual-conveyor model in operation at a newly-opened Lidl near me yesterday. ALDI here typically doesn't do that--most stores are set up to place groceries (and unfilled bags) directly into a customer cart, and have a nearby counter to bag your groceries at.
Because in Germany it's very fast
ALDI/LIDL are outliers here in Germany. Other supermarket checkouts like Rewe, Edeka, and Kaisers are slower at scanning items. So don't take the speed of ALDI/LIDL cashiers to be indicative of every supermarket checkout in Germany.
Overall, German supermarkets scan items faster than in North America, but ALDI/LIDL are really in their own league. I sometimes think they are faster to scan items than to drop the contents of the belt onto the floor. Impossible to pack in real-time!
Some years ago they punched in all items by number and were even faster.
The downside was that for the first months of your employment you were at home learning all codes.
I still remember that 515 were cucumbers and I believe 529 were 2.5kg of potatoes?...
I assumed that there must be some further process that it goes through, between telling the credit card reader that it is completed and Monzo getting informed.
Monzo take advantage of this to enable their realtime notifications and related features, otherwise Monzo would receive the notification of the charge up to 48 hours later which would be a significant harm to the UX.
Old stores, especially small mom-and-pop ones, are still stuck with readers built a decade ago, or with modern readers uplinked by POTS. I recently helped my vet switch from an old POTS terminal to a brand-new, DSL-linked one; the speed difference is huge.
However, with chip transactions there are multiple calls for different payment processing flows. For example, a transaction could require 5 round trip request responses from the chip to the payment process meaning 5x the time required.
Paying for the bus for me is offline, whereas in a supermarket it's processed online
Samsung pay even cuts out any knowledge of the reader, just gives a virtual number to the credit card mag reader.
The main practical difference is that you can't update the on-card data depending on the transaction outcome, since the card isn't there any more.
The other kind, AIUI, are indeed the same as the chip transactions, with all that entails.
e: Other posts seem to say that all the contactless transactions are offline, which means no multiple expensive round trips upstream either way, so nevermind.
IIRC it should come down to 0 or 1 roundtrips, depending on the amount and risk profile - in most cases you do an offline authorization where only the chip is involved to verify the txn, PIN(if applicable) and limits; and if you can't do that, then you send an online authorization, get a response, and that's it. There's extra communication afterwards in the workflow, but that happens after the customer has left and has no impact on customer-observed latency.
This is a suspicion, but I think they're slower in the U.S. because a) they're just slower b) the UX is worse. You insert the card, wait, then it asks for a signature (presumably because not all accounts, vendors, and dollar amounts require a signature?). From what I've seen overseas you insert the card, type in your PIN (in parallel to card processing)--so it appears to process more quickly because you're not waiting.
For most terminals the small screen is actually a touch screen that (in the US) has a stylus attached to sign with.
However as you would expect, the signature is completely worthless and basically everyone signs with a simple scribble.
However not only will the cashier generally let you simply put the card next to the receipt while you sign (because this makes verification easier for them) but it doesn't seem like they actually apply any scrutiny: the signature on my card is very different from the one I use for signing these days and it never raised an eyebrow.
FWIW, I've signed for card transactions in all kinds of places across Germany, from small shops to large hotels. I can't figure out what triggers the decision between PIN and signature but I swear I've used either in the same place at different times for equivalent amounts.
The transactions with signature have lower fees, but the merchant is liable, and you’re actually authorizing them to do a Bankeinzug via the Elektronisches Lastschriftverfahren.
EC transactions are done instantly, ELV are done overnight.
The chip and pin speeds have gotten better but still a ways off.
Connecting via the chip does not reveal enough information to reconstruct a magnetic strip for an ATM to accept, particularly if the machine is a total fake. But if you swipe the magnetic stripe, you can easily clone it exactly.
UK has contactless, but lower limit and from my recent visit, seems to not be as common.
They both allow the card to be used when stolen. Magnetic band can be duplicated. Contact less allow people with a portable modified machine to request transaction without the owner knowing.
With PIN, the burden of proof is on you - the bank will say you were careless with the PIN and let other people see it, abrogating their responsibility. Even if it's a security vulnerabilty in their system. (Not a theory, this is how it goes in Europe - see Ross Anderson's group's work on this)
Here's their blog post about it at the time (but the YouTube video is down, unfortunately): http://www.
From the paper: "Because stolen cards can be used without knowing the PIN, by our definition, Chip and PIN is broken. We do not believe that the system is broken beyond repair, but neither is it the case that a simple fix will suffice, due to the unmanageable complexity of EMV."
I understand that's how it's supposed to work, but what does the signature accomplish in practice? If anything, a "signature" that even contained recognizable letters, much less anything that looked like my name, would be a sure sign of fraud, because I never enter anything that resembles a real signature.
I'm not sure how it would play out in court if you intentionally make random unattributable scribblings each time. Sounds like something that might be seen as intentional obfuscation.
I haven't followed closely, there may be more / better evidence.
Edit: this article has more on the french case quoted in the above paper: https://arstechnica.com/tech-policy/2015/10/how-a-criminal-r...
I'm guessing a lot of other countries have followed too.
One of the most foolproof ways to win a chargeback claim is not to claim a card was stolen, but merely that you didn't mean for them to charge you. How do you fight that? So for big ticket items we sold online we required a signature, thus (mostly) killing their ability to file that kind of a chargeback.
Of course that's a huge hassle for online sales, but if you're a grocery store and they're already there eh why not.
If I, as a disputing cardholder, try to claim that “I didn’t intend to purchase that widget”, it will require my card issuer to believe that the merchant signed it themselves and committed intentional fraud (as opposed to a simple misunderstanding)
Even funnier with something like a debit card. "Well I just swipe, I have no idea what they withdrew, I assumed it was about $15 like every other time I dine here, and they raised prices such that it was actually $25 without my knowledge, and now my bank is giving me $500 in overdraft fees because they can"
Sometimes duplicate charges get entered for whatever reason especially if the terminal isn't connected to the register and uses manual entry. So two identical charges from the vendor, can I see the two signed register slips? No? There's only one? OK then. You can't just delete duplicate charges because there's too many people go to the bar and buy two beers pay up and decide to stay for another two and pay up and there you go two identical charges both valid and both signed. Vs go to the bar buy two beers pay up go home, the printer jams or some drunk trips over the modem cord or whatever and someone hits a "resubmit all" button to "fix" it and now you got two charges with only one signed slip at least in theory they can clean that up themselves.
I like you.
I think it'd be funny to do celebrity signatures, though, but I don't have the patience for it.