Ask HN: Why are credit card chip readers so slow?
273 points by dv35z on June 26, 2017 | 323 comments
I am interested in the technical specifics - what happens end-to-end, and where does the slowness/latency come from?

Some of the answers are close, but no cigar. The main reason for the time delay is the offline authentication of the chip, combined with generation of the ARQC cryptogram. Additionally the EMV protocol is very chatty if there are multiple applications on the chip card, although the latency involved in the customer interaction far outweighs the protocol timings.

As mentioned in many comments, online transactions will be an order of magnitude slower, as they need to be sent to the issuer, have their cryptogram verified and the challenge response returned if the card does host authentication - which most do these days.

The entry mode generally does not determine how a transaction is authorised - chip, PayPass (NFC) and stripe can either be off or online. In fact stripe transactions are invariably online unless you want your business to be overrun with fraudsters. One of the prime reasons in the early days of EMV was to have it so safe that offline transactions were fraud proof - or close to. Naturally this noble goal was shot full of holes the moment real fraudsters got to it. However, the card is personalised with various limits and counters and with the possibility of using an offline PIN, which combined with the static authentication does give reasonable protection for low value offline transactions. Fun fact - in the initial spec this offline PIN was communicated between the terminal and the card in the clear. What could possibly go wrong :-). These days it is encrypted.

Anyhow enough blather - hopefully this has given a bit of insight.

What I don't understand is that even when using a German card with multiple applications, online authentication, and online authorisation[0] it's quite fast in Germany – much faster than comparable or even simpler transactions in the US. On the other hand, the very same card is processed even faster when used in Sweden.

The difference is probably faster data connections and more efficient protocol implementations, I would think.

[0]: For some reason receipts here contain quite a lot of information on what happens behind the scenes if you know how to read it. I hope this link keeps working, it contains excerpts of receipts merchants give you here: http://docplayer.org/storage/33/16568026/1498495227/GbAKHYXN... With that information you can e.g. see which steps were performed offline.

Does Germany have exactly one financial interchange network?

Living in Canada, I tend to notice a wide variability in the response times of ATMs to withdrawal requests (i.e. the time between when you finalize the transaction request, and when it spins up the bill spitter) and I think the one factor I've noticed it coming down to is the number of interchange networks marked as being supported on the side of the machine.

The ones that just do Interac (the Canadian interbank debit-transaction network) are quite quick; the ones that do Interac and PLUS or Cirrus are slower; the ones that add support for cash advances on plain credit cards by supporting individual CC companies (Visa, AMEX) are slowest of all.

So, maybe it's not the number of applications on the card, per se, but rather the number of applications supported by the terminal, with some sort of O(N^2) interaction between them?

The POS terminals I talk about usually support at least MasterCard, Visa, Maestro, Vpay, and the German scheme Girocard (which in reality are multiple networks in its own). Some even more and they are still much faster than either using the same card in the US or using a US-issued card in the US. I'm honestly quite baffled as to why. I haven't tried a US card in a German terminal yet and neither looked closely at ATM speeds.

Your link gives a 403, could you re-upload it somewhere else?

I made a screenshot of the most interesting example: http://imgur.com/ye5MJcH This is what they print out for the international schemes. On the left is what the customer gets (sometimes directly on the receipt, sometimes on an extra piece of paper), the right one is for the merchant (some only save it electronically now). Some terminals show less info but much of it is almost always present, something which I haven't seen much internationally in that level of detail.

You can decipher some of the fields printed on the receipt using https://tvr-decoder.appspot.com. The acronyms are from the EMV specs (https://www.emvco.com/specifications.aspx?id=223, probably book 3)

Eg. TVR: 0000008000 (Byte 4 Bit 8) Transaction exceeds floor limit

Floor limit being the $/EUR/whatever amount that could be approved offline.

The 2 in the diagram appears to be pointing at a cleartext credit card number.

Why are some retailers so much faster than others? At Walgreens, for example, I get to "remove card" in around 1/3rd the time it takes at Safeway.

Have they decided to accept the risk of offline processing to speed up their checkout process?

What is the difference in the actual reader hardware itself ?

That is, what brand of terminal does walgreens use vs. safeway ?

In this late year of 2017 I know that many new NAS devices use cheap processors that make it difficult for them to run rsync over ssh ... it's too computationally expensive to encrypt the data stream at a high network speed.

If NAS vendors make that decision I wouldn't be surprised if some payment terminal vendors make similar decisions ...

> Fun fact - in the initial spec this offline PIN was communicated between the terminal and the card in the clear. What could possibly go wrong :-). These days it is encrypted.

How do you encrypt a 4 digit number (PIN) in a way that is resistant to brute force recovery?

You set up a secure session (e.g. TLS, but you wouldn't do it that way) and send the 4 digit number over it. Or you use any standard cryptosystem with appropriate security guarantees (RSA-OAEP, AES-GCM, you name it).

What you don't do is shove the 4 digit number straight into an ECB mode cipher.
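An added illustration of the point in the comment above (not part of the thread): a deterministic block encryption of a 4-digit PIN has only 10,000 possible ciphertexts and repeats for equal PINs, while a per-message random fill makes every ciphertext different. The block cipher is a toy 4-round Feistel built on HMAC-SHA256 so the example runs with the standard library only; it stands in for a real cipher, and the key, function names and block layout are assumptions made for the demonstration, not EMV's PIN block format.

```python
# Added example: why a deterministic ("ECB-style") encryption of a 4-digit PIN
# leaks, and what per-message randomness changes. Toy cipher, demo key.
import hashlib
import hmac
import os

DEMO_KEY = bytes(range(32))  # constructed demo key, not a real terminal/card key


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Feistel round function: keyed, depends on the round number.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key, block):
    """Deterministic 16-byte permutation (stand-in for one block-cipher call)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def toy_decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _pin_block(pin, filler):
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly 4 digits")
    return pin.encode("ascii") + filler  # 4 + 12 = 16 bytes


def encrypt_pin_deterministic(key, pin):
    # Same PIN and key always give the same ciphertext (the ECB problem).
    return toy_encrypt_block(key, _pin_block(pin, b"\x00" * 12))


def encrypt_pin_randomised(key, pin):
    # 96 bits of fresh randomness share the block with the PIN, so equal
    # PINs no longer produce equal ciphertexts.
    return toy_encrypt_block(key, _pin_block(pin, os.urandom(12)))


def decrypt_pin(key, ciphertext):
    return toy_decrypt_block(key, ciphertext)[:4].decode("ascii")


def distinct_ciphertexts(encrypt, key, pin, n):
    """How many different ciphertexts n encryptions of one PIN produce."""
    return len({encrypt(key, pin) for _ in range(n)})


def codebook_size(key):
    """Number of ciphertexts the deterministic scheme can ever emit."""
    return len({encrypt_pin_deterministic(key, f"{i:04d}") for i in range(10000)})


if __name__ == "__main__":
    print("deterministic, 50 runs:", distinct_ciphertexts(encrypt_pin_deterministic, DEMO_KEY, "1234", 50))
    print("randomised, 50 runs:   ", distinct_ciphertexts(encrypt_pin_randomised, DEMO_KEY, "1234", 50))
    print("deterministic codebook:", codebook_size(DEMO_KEY))
```

Randomising the ciphertext only hides which PIN was sent; limiting guesses is still the job of a try counter on the receiving side, as a later reply notes.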

Diffie–Hellman key exchange?

Oh gosh, this feels just like my crypto finals :(

You don't. The card has a CPU on it that's the only thing that has access to the key and just refuses to authenticate any more after a few attempts.

At least that's how I'd do it.

You might want to qualify this with “in the US” as chip+pin cards are pretty fast in other countries by comparison.

Also there was a great episode of the podcast “Planet Money” a while back which goes into detail on your question [0]:

> Today on the show, we bring you a brief history of what's in your pocket. It's a story of convenience vs. fraud—and it also includes a hippie inventor, the origin of the last great upgrade on your card, the magnetic stripe, and why it takes so long to "dip the chip."

[0]: http://www.npr.org/sections/money/2016/04/13/474135422/episo...

Thanks! And correct - should have added "in the US" in the title. Just got back from a trip, and am always reminded how archaic USA banking feels compared to most other countries' systems. With the recent industry switch to chip in the US, I'd hope transactions would be faster and easier - but the implementation seems terrible: confusing POS interfaces, slow chip reading, still need to sign / no PIN, rarely any "bring the mobile POS to your restaurant table" requires still waiting on the waiter for 5min, etc.

Sure. And that's one of the problems with being first to infrastructure. It's really hard to just "change it all" once something new and better takes hold. It'll get better, even if it's not that great right now. Though, I largely take issue with your statement that U.S. banking feels archaic. I'd say U.S. banking is, if nothing else, generally at the forefront of digital technology despite heavy regulation. (I'm not arguing regulation bad/good, but it is a fact that the industry is heavily regulated).

The US was one of the last countries to get Chip + PIN, and even then they messed it up, and got chip + sign.

90% of the places I use a card in seem to be still swiping the cards, while we have had full chip + PIN implementation here (Ireland) since at least 2005 or 2006.

Why do you think they messed it up?

Chip+sign is a solution to a real market problem with chip+PIN in the US: the typical consumer has many credit cards. https://www.quora.com/What-is-the-median-number-of-credit-ca... claims an average, not median, of 3.5 per cardholder, and that matches the numbers at http://www.creditcards.com/credit-card-news/ownership-statis... . Heavy credit card users have a lot more: it's common for stores to have store-brand cards that give you a discount at that store, so a number of people end up with a dozen different cards for stores they commonly shop at.

Expecting people to remember this many different PINs is not realistic. So every card issuer was worried that users would just stop using their card because they could not remember the PIN. This is the problem chip+sign is meant to solve.

In other countries, patterns of credit card use are quite different. http://www.theukcardsassociation.org.uk/wm_documents/UK%20Ca... page 6 claims an average of 2 cards for the UK, for example. So the "can't remember the PIN" problem was not as big a deal.

Just set all your pins to be the same

That's assuming the issuer allows you to set the PIN. In many cases they do not, in my experience with both debit cards and chip+PIN cards (the one chip+PIN card I have in fact does not allow that).

This is in the US, with the broken Chip + PIN implementation.

I can go to pretty much any ATM in the EU and change the PIN on all of my cards.

Yes, I'm aware of that. I can't tell you why that difference exists, but it does.

Chip+pin isn't the sole marker of innovation. Anyway, as I said, if you build out an entire infrastructure based on a different way of doing things, you can't just up and change that over night. It takes time. It costs money. There are associated opportunity costs, etc....

Sure - but the rest of the world had the same assumptions, (and infrastructure) and we managed to do it.

Chip and PIN is not the sole marker, but it is the most obvious one, which is why people use it as a benchmark.

It's an obvious one, which indicates a superficial understanding of the financial industry and technology in particular. Credit cards, and their use, was from the outset largely an American phenomenon. When Europe finally caught up (and to this day, in the year 2017 there are still businesses that don't have credit card infrastructure set up - meanwhile even mobile food trucks in the US offer it), Americans had already built out the infrastructure and found out about the hard issues - which gave Europeans time to implement a better solution, which was chip + pin.

But all that aside, the real question is, why are you still using a physical credit card? In the US, I can use Apple/Google Pay at nearly every business I find, and all of the large banks and most regional and smaller firms offer support for their products on the platform.

When will Europe catch up with banking technology?

It's almost like you've never even been to Europe, and all you shop at in the U.S. is McDonald's, Chipotle and Starbucks.

For around a decade, many cities, example Prague, have accepted text message based payments for public transit. Today most public transit systems have their own apps for payment and ticketing. I can't think of a single U.S. city that does this. They're all exact change only or proprietary ticketing systems.

About the most advanced I can recall, Citi had a short lived tap and pay, NFC based, project in the NYC subway 10 years ago. You still got the 10% metrocard discount. It was ultra proprietary though, Citi cards only.

And then Citi and Amex went and ripped NFC out of all my credit cards for this slow EMV chip. Haha yeah, when will Europe catch up. What we did is catch up with their 3 decade old chip idea.

> I can't think of a single U.S. city that does this. They're all exact change only or proprietary ticketing systems

MBTA in Boston had the mTicket app for mobile ticketing and payments for years. I live in Boston and use the app regularly. Can't comment on other cities because when I visit for a short trip I typically don't bother installing apps.

Amtrak and most airlines use mobile boarding passes too. Interestingly enough, on my recent trip to Europe I used the mobile boarding pass in Logan airport just like everyone else. But in Frankfurt when I showed my phone to the agent they looked at me like I was from another planet, probably thinking "stupid Americans".

And while we're on the subject of transportation, about 5 years ago I visited a bunch of European countries, including my home country in Europe, and at that time the only way to call a cab was via dialing the local phone number, cash only of course. Funny because on that trip heading to the airport in the States was a matter of a couple taps in the Uber app.

> When Europe finally caught up (and to this day, in the year 2017 there are still businesses that don't have credit card infrastructure set up - meanwhile even mobile food trucks in the US offer it), Americans had already built out the infrastructure and found out about the hard issues - which gave Europeans time to implement a better solution, which was chip + pin.

It was a US based in the beginning - but by the time Chip + PIN started there was significant infrastructure already in place. It's not like we all just started to use cards in 2005.

> But all that aside, the real question is, why are you still using a physical credit card? In the US, I can use Apple/Google Pay at nearly every business I find, and all of the large banks and most regional and smaller firms offer support for their products on the platform.

Sure - that is down to market forces, not banking tech. There are banks here where I can use both Apple / Android pay, and all merchants take it (by virtue of our advanced usage of contactless payments - another thing that was introduced before the US).

What other areas is the US more advanced in (bank tech wise) ? We have online only banks, push notifications for transactions, and all the other things I see advertised by US banks.

> It was a US based in the beginning - but by the time Chip + PIN started there was significant infrastructure already in place. It's not like we all just started to use cards in 2005.

Sure, but it was far more widespread in the United States. Even now, to this day, there are businesses all over Europe (I just did an 11-country tour not long ago) that simply don't take credit cards. In the United States, even student organizations take credit cards for selling things like shirts. Europeans haven't been using credit and debit cards like Americans have, and so even though similar infrastructure has existed, it hasn't existed to the same extent as it has in the United States. It follows that retooling the infrastructure costs significantly more in the United States, as every "swipe machine" had to be replaced with a machine that accepted a chip. Everything from drive-up ATMs to Square, to gasoline pumps have to be replaced. At this point we're kind of conflating technology with economics and market dynamics, but it's worth pointing out that it's not a lack of technology that made the US swipe-only for so long, but market forces. If it cost me less money to deal with swipe fraud than it does to replace all of my credit card machines... what do you think a business would do?

> Sure - that is down to market forces, not banking tech. There are banks here where I can use both Apple / Android pay, and all merchants take it (by virtue of our advanced usage of contactless payments - another thing that was introduced before the US).

How do you arrive at this conclusion? I don't recall being able to use contactless payments anywhere in Italy, for example. Not that it doesn't exist, but my impression from visiting Europe and living in the United States has been that contactless payments are far more ubiquitous in the States than the countries I've visited in Europe.

> What other areas is the US more advanced in (bank tech wise) ? We have online only banks, push notifications for transactions, and all the other things I see advertised by US banks.

Scale. Blockchain. Products. Payments.

What are your thoughts?

I find most European cities are cashless, and accept MasterCard and Visa as well as the local country issuer for payments, attached to a local bank account.

You might have been running into the fact credit cards have much higher merchant fees, even if it's probably a violation of their EMV merchant agreement to refuse to accept these cards.

I see zero meaningful advancement of payments in the U.S. over Europe, to the contrary. There are more cash only restaurants in the U.S. especially if you're not in a big city, it's quite common. I think your opinion is based on a very limited experience across the U.S. and Europe.

And EFT payments in the U.S. are incredibly slow compared to their European counterparts. The fastest bank to bank transfer is Fedfunds wire, and that costs money, upwards of $30 for each party. It's cheap or free in Scandinavian and European cities.

I really have no idea what you're talking about when it comes to American innovation in this area... I see it as yet another example of American pay more to get less sort of classist mantra. Oh but if you have more money, and pay more fees, agree to give away more personal data in the EULA, you can get better services!

I have been using contactless payments for years here, and the 4 other EU countries I have been in this year, all accepted contactless. You may not have been able to use a US contactless card, but people do use it. It is also worth noting that each country in Europe has a different culture and history, which inform the choices people make with banks, and particularly credit cards.

Scale - sure, the US is larger than any of the EU countries population wise - but not sure how that is "innovation".

Blockchain - work on blockchain tech is global - American companies even export the R&D to EU countries ;)

Products + Payments - there is nothing ground breaking in the US, that is not in the rest of the world

The infrastructure in the US seems to support Chip+PIN just fine, it seems to be that the card issuers don't want to issue cards with PINs.

When I last visited the US, my Canadian credit card worked just like it does in Canada. Insert into the machine, verify the amount, enter my PIN, done.

That's right. It is basically a flag on the account, which ends up as a notification at the POS system. So you get this hilarious crap with a U.S. card outside the U.S. where you're still signing shit, because the POS system tells them you have to sign. I lost count of the various reactions when traveling outside the U.S.:

- Why is it printing extra receipts? Oh... you have to sign one of these.

- Hold on, let me go find a pen for you to sign.

- Asks coworker what this message means. Oh he has to sign, must be an American.

And get this shit. My debit card in the U.S.? I always use a PIN for it everywhere. But when I travel outside the U.S. that same goddamn card requires a signature every damn time.

It's really fucking stupid, there's no nice way to put it.

Yeah - my EU cards can use a PIN in some machines in the US now.

Since chip-and-pin seems to be used as an excuse to push liability for fraud onto the cardholder, I'd much rather stick with chip-and-signature. If we could have chip-and-pin while still keeping me at zero liability for fraud, I'd take it.

I don't want pin. I have half a dozen credit/debit cards in my pocket (the card I use for almost everything, my backup card just in case the first is lost, my HSA card, my company card, a debit card, and the store card for a store I shop at often) there are another half a dozen that the issuers want me to carry but are not worth the space they take up. I cannot mentally manage that many different pins.

Verification comes in 3 parts: something you carry (card), something you know (card number, pin), something you are (your signature, fingerprint). Generally you need two. However since the card number is memorable (hard but possible) the pin is no additional security.

Signature isn't something you are, it's not in any of those three categories, it's closer to your address.

Chip + pin = Something you carry (card/chip) + something you know (pin). You need the physical card to use it, card number isn't sufficient.

Signature is also not something "you are" - it is an easily faked thing, that is basically never actually verified.

PINs can be changed, so if you came up with a way of memorising them, it's easy.

You also don't need PINs for things like loyalty / membership cards traditionally - just for payment cards.

This is b.s. for numerous reasons:

- You can have the PIN reset for all of those cards so that they all match, (or better we should be using PK based push notifications to a smart phone app; plug in the card, and you get a push notification to deny/allow on your phone, instead of entering in a PIN.)

- Signatures aren't even verified in the vast majority of transactions. They only come into play if you catch fraud and report it. So it's used after the fact, not in advance.

- Signatures are predicated on pen on paper on a flat writing surface perpendicular to gravity. Your signature is not at all the same to a handwriting expert if you change any of those things, and in particular the digital capture of signatures is complete utter bullcrap: no angular, or pressure information is captured. We should just use smiley faces on all such POS systems, in lieu of even attempting a signature (it is in fact what I do).

Digital signatures are Tonka Toys. They are nothing like a finger print.

> I cannot mentally manage that many different pins.

Pick 4 digits on the card, multiply/add them by some constant number you know. You're now done 'memorizing'.

Don't simple mnemonics have a risk of helping to reduce the search space to guess a pin?

We're talking about a 4-digit search space. The system already needs (and presumably already has) extreme rate-limiting measures.

Signatures are not in the category, "something you are."

I don't use my PIN either, for a different reason.

I force them to process it as a credit card because I get the consumer protections of the CC processing agreements. If I use my PIN, it's more like an ATM transaction.


Chip and PIN credit card transactions are still credit card transactions everywhere else, with all of the attendant protections.

Which law applies to the transaction is what the card account is; not the transaction. TILA applies to credit cards, and EFTA applies to debit cards.

Whether you're costing the merchant more money with higher fees for credit transactions, or if this gets normalized to a debit transaction later on, I'm not sure. But either way it's ridiculous to "force" a credit card transaction on the merchant.

Even though the different transactions on a debit card may have the same legal status by law, banks typically apply "zero liability" to transactions processed by Visa/MasterCard, while holding users accountable for fraudulent debit transactions processed by ATM networks, up to $50 if you report within 2 days, then $500 within 60 days, and then unlimited customer liability after that.

This! Precisely this!

There is no benefit to me to go with a debit transaction and the risk of significant liability if there is a data breach. So, I don't do debit transactions.

> either way it's ridiculous to "force" a credit card transaction on the merchant.

I do it more often because of the number of times I've been screwed by trying to use debit mode and end up with a non-functional gas pump or forced to reswipe with the mag stripe because they only support credit transactions from the chip.

> I'd say U.S. banking is, if nothing else, generally at the forefront of digital technology despite heavy regulation

I wouldn't call checks, which are still widely used in the US, the forefront of digital technology.

I think it must have been more than 10 years ago since I've seen my last check and that was an Amex Traveller Cheque

You can be at the forefront and still support older stuff.

Considering how long it took chip and pin to become predominant (which is to say still not 100%) I would say US banking is pretty behind most of the world.

Excellent point. I've never encountered chip and pin in practice in the US, rather chip and signature.

All of my debit card POS uses in NYC have been chip+pin for several months.

Yeah so supporting checks doesn't really mean you're not at the forefront of technology. If anything, the fact that US banks allow people to take pictures of checks, and have done so for like the last 5 years at least, is an example of the kind of innovation seen in the US banking system.

I actually have to write checks regularly to pay my utility bills, or I have to pay a $2.00 convenience fee to have the transaction processed by a third-party hired by the state. Not to mention, I randomly receive checks in the mail from events I speak at or for travel reimbursement or university reimbursement or the like. I love that I can snap a picture and wham my check is deposited.

Not to mention things like Apple Pay, which, without support, configuration, and advice from the banking industry wouldn't be a thing. Naturally they created the technology for the phone, but banks do the rest. How is that not innovation?

> I actually have to write checks regularly to pay my utility bills, or I have to pay a $2.00 convenience fee to have the transaction processed by a third-party hired by the state.

This is exactly why US payment systems are not at the forefront of technology.. whether one can snap a picture and use OCR or not is irrelevant (the phrase "like lipstick on a pig" comes to mind)

That is because of government regulations and infrastructure, not because banks are not technologically advanced. I can easily use something like, say, Chase's QuickPay to pay any recipient. The government just won't accept that form of payment. That has absolutely nothing to do with financial technology. The technology exists and is in use, the government just doesn't use it. I also can't use Apple Pay/Google Pay with the government. Does that mean that Apple/Google aren't technologically advanced? No. It means the government isn't.

First, you have a bunch of for-profit fiefdoms with mutually incompatible payment technologies all trying to own it all, refusing to adopt standards. No government should support non-standard payment systems, whereby they have to support all of them, and the on-going support and development baggage that entails.

Second, they lobby to prevent the proper funding of a fast federal payment transaction system, i.e. making the necessary improvements so EFT can take minutes instead of days. They don't want that to be fast or free because it then obliterates their business models if anyone can just plug into that standardized system. Other governments have done this and that's why they have faster in-country payments (and often even in the Eurozone), despite their "regulations and infrastructure" such as they are.

Your example of QuickPay takes 4-5 days to/from a non-Chase account. That's dog slow, no matter the reason, compared to same country transfers in almost any other industrialized country. I can't think of a slower country off hand.

U.S. banks are overwhelmingly using Windows XP as their OS of choice in ATMs, still today. The height of technological achievement!

The open source world has created an alternative system which works extremely well, lacking mostly in usability factors, which could be resolved pretty quickly...but proprietary networks are entrenched quite deeply, so it will be a while before we can use digital cash - probably legislative action will be required, or a mass rebellion against the costs imposed by the payment networks. Sadly, retailers can't seem to think that far ahead.

It has little to do with the government. I dare say the vast majority of US small and even some medium businesses are like this. I still have to write a rent check to my rental company every month, because otherwise I'd have to shell out an additional $30 every month for the privilege of paying through their website.

Hmm not sure if that's serious or a subtle satire on the complexity of backwards compatibility...

But it seems like the EU method of requiring a systematic API access to your banking and being able to send direct payments for all of those things above (minus the 'convenience fee' I think) would be nicer...

USA still hasn't adopted the faster payment model of same-day payments between the banks (without charge). Compare that to the UK which most payment transactions are completed within 4 hours

> within 4 hours

It's usually quoted as hours, but in practice is often 'instant.' More info: https://en.wikipedia.org/wiki/Faster_Payments_Service

US is archaic in many ways too: the necessity for paper checks in many situations (and still having to pay for them in many banks), no contactless payment cards, the aforementioned dire signature/chip situation... It's certainly anything but at the 'forefront of digital technology.' Not to mention fees. Fees everywhere! The effort it takes to avoid meaningless 'gotcha' fees is just insane -- and must surely stifle innovation too, in creating friction against change.

> I'd say U.S. banking is, if nothing else, generally at the forefront of digital technology despite heavy regulation.

Transferring money with ACH takes multiple business days, this is not at the forefront of digital technology.

First, most ACH transactions clear in the same day [0]. Second, that's also completely ignoring newer networks like clearXchange / Zelle, which clears in minutes [1].

[0] https://www.nacha.org/news/what-ach-quick-facts-about-automa...

"Specifically, the NACHA Operating Rules require that ACH credits settle in one to two business days and ACH debits settle on the next business day. Recent enhancements to the NACHA Operating Rules now enable same-day settlement of virtually all ACH transactions."

[1] https://en.wikipedia.org/wiki/ClearXchange

One example of an inefficiency (especially without any reasoning behind why this inefficiency is happening) doesn't mean much.

> And that's one of the problems with being first to infrastructure

Is this really true? I thought the US only started getting chip and PIN about 4 or 5 years ago?

The US had mag stripes in widespread use first. We are looking at 20 or 30 years ago: most of the rest of the world caught up long ago, but they caught up after the problems with mag stripes were known and so the rest of the world built infrastructure to attempt to fix the now known problems.

Note too that the US has a legal limit of $50 if your card is stolen. As such to the consumer there is no incentive to care about security. Other countries don't have that protection and so consumers rightly refused to take a change until things were more secure. All that security comes at a cost, one consumers cannot afford to gamble on, but to a larger business can call cost of doing business and weigh against the cost of upgrading security.

Other countries have the sort of limits. The banks and processors just strong-armed vendors into EMV using lower rates as the carrot and legal requirements as the stick.

Most US credit cards are chip and sign (debit uses a pin, but did before chip cards as well). Occasionally I'll see a transaction where the pos wants a pin and the user has no idea what pin because they have never used a pin with that account.

I'm glad you added that. In the UK chip and pin machines are fastest using the Ethernet connection, much slower on the phone line. One advantage of the phone connection however is reduced PCI requirements. SAQ B is simpler than SAQ B-IP

In the UK, the older generation of readers are pretty slow. The newer models are pretty fast, I'm not sure if it's also because they have reliable broadband connections but they basically ask you to remove the card almost as soon as you insert it.

We have the same console as I've seen in Tesco petrol station. Ours take a lot longer for auth, I'm guessing that Tesco have a local stopped card list to check against and don't do a full auth with the bank in order to save time.

Might be wrong, just my assumption based on contactless payment being almost instantaneous (like that petrol station).

I'm pretty sure that Transport for London do something similar (ie: transactions get batched and then charged at end of day, blacklisting for bad cards).

However, using a contactless chip card is still a lot slower compared to using an Oyster card. Whereas the Oyster card seems to process in a matter of milliseconds, the contactless card takes perhaps 2 seconds or more.

With a long queue of people all using contactless, this potentially adds up to quite a significant delay at the ticket gates.

It would help if they had more Oyster readers and/or better situated ones - at one popular station I use, there's two readers, side-by-side, right next to a tiny exit hole. Even just moving those two a couple of metres apart would improve the flow of humans greatly.

Oyster cards are settled between the reader and the card at the time of contact (then the reader will batch the transactions for forwarding later). POS are generally settled on the switch network, obviously this takes a lot longer.

TfL can and do batch contactless transactions, too.

The charge for travel on a given day is not made against your account until early the next morning. And card readers on buses, for example, don't always have a reliable data connection, so must be able to be processed offline.

You might be right that they are authorising in real time on the Tube readers, though. This would explain the poor performance.

The ones that use GPRS can also be _fairly_ fast, though it introduces a couple of seconds of unavoidable latency. They're not long for this world, though; some countries are already shutting down GPRS networks.

The really slow ones just used dial-up. They mostly seem to be gone now.

This is partly perception.

With a magnetic card, after you slide your card, you can put your card immediately in your wallet, while the Point-Of-Sale solution authorizes with the electronic payment host in the background.

With a chip card (EMV card), the EMV spec required the Point-Of-Sale solution to write an authorization number to the chip card. This means you need to leave your card inserted in the PIN pad until the payment host authorizes. Authorization usually takes 2-3 seconds.

To improve this perception, the industry came up with Quick Chip, which Point-Of-Sale software companies started to work on recently. With Quick Chip, the POS software doesn't need to write the payment host authorization number to your card chip anymore. You insert your card, account number is read, you take your card from the PIN pad immediately without waiting for payment host authorization.

-Software engineer working at a Point-Of-Sale software company.

> Authorization usually takes 2-3 seconds.

The question seemed more along the lines of "Why does it take 2-3 seconds to authorize?"

The original question described chip readers as "slow." But slow relative to what? Cocoa19 is taking issue with the question to some degree, pointing out that they're not actually as slow relative to swiping as you might think (and how the perception issue is being addressed).

Others have laid out reasons for the 2-3 seconds.

Slow relative to that quarter of a second it takes to swipe a magstripe.

What's the advantage of writing the authorization number to the chip card? Will removing it reduce security in some way?

I used the term "authorization number", but that was misleading. The real name is issuer scripts. It is used by card issuers to update the card parameters (chips have memory). According to EFT lab, these are 16 functions which include:

Card Block, PIN Change or Unblock, Update other data

I haven't read the full Quick Chip spec, but here is my guess (take it with a grain of salt):

If card issuers are not able to update the card, then they won't be able to block the card. If the card is misused (e.g. stolen), there is a very small chance of retailers accepting fraudulent payments, but at least the following conditions should be met: 1. The POS solution should be offline from the authorization host, 2. The card should allow offline authorization and it has a "max offline amount" configured, 3. The sales amount does not exceed the configured offline amount in the card.

Additional question: why is it faster in other countries? The first time I used a chip card in the US I was astounded by how long it took. I had been using chip (and pin) cards in Canada for years and it was never as slow as it is in the states.

Here in Australia, pretty much every retailer now has "paypass", which is the .au branding for contactless credit card payments.

Most payment terminals are connected to 3G or 4G mobile networks, and from tapping the card to confirmation of payment takes two seconds tops.

Transactions over $100 do require the PIN, but you can usually enter that on the terminal without being required to insert your card.

Paypass is actually the Mastercard version of contactless payments. The name is used in other countries as well. Visa calls it payWave, maybe retailers just put up one of the names.

Yeah for some reason paypass was just the one that stuck in the collective consciousness here. The points of sale have paywave branding too, but people call it paypass.

The truly weird .au thing is that many merchants take your card and tap it for you. A holdover from the days when people got confused by all the options in swiping/inserting and selecting an account.

I recall reading an article from last year, when NFC-based payment was introduced at the German supermarket chain Rewe. The author went out to test it, but the cashiers didn't know how it worked. The author himself figured it out for himself, and just started touching the phone to the cardreader at the appropriate moment, when the cashier was waiting for him to present either cash or a card. The cashiers were allegedly oftentimes confused by the reader beeping to indicate success, and two receipts being printed (instead of the usual three).

Also, while I was looking around to see whether I could find the original article, I saw an article describing that German banks want to eliminate traditional banking cards and do everything via NFC-enabled apps on smartphones. WHAT CAN POSSIBLY GO WRONG.

Rewe is one of the better stores for this. Even though it didn't seem the staff was explicitly trained on that topic (the feature was just switched on one day), the register showed enough information that they knew exactly what to do. Never had any problems, only surprised looks. The other store is Aldi (actually both of them), where from day one every single cashier was trained very well on that and was happy to see a customer actually using it.

All the other stores created many opportunities for mistake by staff they badly trained and much confusion still happens today even long after the roll out. Most commonly, many cashiers demand a signature (on the back side of the receipt, where there is an authorisation text for using another payment technology) even though none is needed.

Yeaah literally no cashier has ever seen these payments, apparently. H&M, Uniqlo, gas stations, Kaufland, Rewe, the list is just infinite.

I worked for 1 week at a Kaufland (you could compare it to Eroski/Carrefour/Walmart) as cashier and I have never seen anybody else except me pay contactless so no wonder they get surprised all the time :)

Had the same. Was shopping at a supermarket in Germany and was the first person to use it apparently. Was then forced to sign (even though there was no indication that I would have to sign and doing so doesn't make sense for contactless payments). I tried to protest but had to catch my train so scribbled something random..

Ok, I'll bite: why on earth would German cash registers print 3 receipts by default? One for the customer, one for the store, and one for good luck?

Many stores print one receipt for the goods you bought (which is yours to keep) printed by the register, and two receipts for the card transaction (so one for both) printed by the card terminal. This is mostly for historical reasons due to how card transactions were introduced to German merchants. They have stuck to that and still design new so-called "hybrid" terminals which have a receipt printer and take the card in for the full length (so the flow for magstripe and chip transactions is exactly the same with no confusion even though magstripe basically only happens for foreign cards now).

Smarter merchants print much less: Rewe, which is used in the example, doesn't print receipts at all unless specifically requested by the cashier and then only one which contains both the goods bought and the card transaction data for the customer. A merchant receipt is only printed in case a signature is required.

Probably Händlerbeleg (Merchant receipt), Kundenbeleg (Customer receipt) and then a normal Kassenbon (just the receipt with what you bought) but I have only seen the two customer ones in one.

> Yeah for some reason paypass was just the one that stuck in the collective consciousness here.

That seems to happen with bank product branding a fair bit. People _still_ talk about "pass machines" here; Bank of Ireland used to call its ATMs pass machines in the 80s/early 90s, and it stuck, for some reason.

I believe you're right. In .au they call it PayPass, but in .nz they call it PayWave. I believe some old Visa machines didn't support MasterCard, or the other way round. All I remember is my flatmate complaining that his new debit card kept failing contactless payments.

When first rolled out in New Zealand it was quite slow - as the EFTPOS hardware fleet was updated the performance improved to the point where chip-and-pin was just as quick as swipe-and-pin.

If it's slow in the US I would expect it's merchants choosing not to upgrade their terminals.

Same impression here. I lived in France when chips were adopted 30 or so years ago and I do not remember them being slower than the stripe version.

These are completely different (mostly national) systems, evidently optimized for different things. For example, in the Netherlands there is still plenty of retailers that don't even accept EMV cards (there is only a small number of (mostly foreign) visitors that'd be interested in such transactions, also the costs of supporting these are typically higher than just supporting the national system).

Try to pay with a foreign card in France and you'll see it can be pretty slow.

Chips were introduced in France at a time where connecting all terminals wasn't practical/cheap. For this historical reason, most payment terminals aren't processing the transaction online in presence of a domestic card, even if they can. Offline transactions are very quick.

So if offline transactions are viable, and faster, then why doesn't the US use them?

They were viable 30 years ago, maybe not today

Edit: Forget what I'm saying. I may be misremembering things. Batch is a thing, but maybe not the reason why chip and pin is fast in the EU.

Like I say elsewhere this is very likely a regional thing, having to do with regulations that either require the transaction to be completed in one go, or permit it to be stored in a batch to be processed overnight.

I live in the UK and travel around the EU a bit (France, Italy, Greece, Belgium recently) and I've never noticed chip-and-pin being slow in any way. That's because in most of those countries at least, as far as I can tell, transactions are stored and processed in overnight batches instead of being sent online to be dealt with immediately, which may take a long time depending on the network connection etc.

From what I understand, most places outside the EU don't do batch, they send the transaction online to be completed immediately. Which can take quite a bit longer.

It's fast in my country (EU member). Like no-more-than-five-seconds fast. Most of the time even faster. And it has nothing to do with batches, because if I check my balance in my banking app I can already see the transaction there right after checkout. Maybe infrastructure connecting PoSes and banks sucks in US?

It's been a while since I worked for an EMV vendor and I didn't remember that very clearly, but sometimes transactions are handled entirely offline. It depends on what card you have and where you're shopping (or, more specifically, your card issuer and the transaction acquirer, who determines the settings on the pinpad).

The card and the pinpad together make a decision about whether to send the transaction online or keep it offline and this decision may involve the connection speed of the device and the amount of money you spend.

So, in some cases you might check your account and notice that the money has not been taken out yet. Or you might not even check because the amount you spent was very low.

Obviously, if the connection speed is high enough there's no point in staying offline, so you'll always see your balance changing pretty much instantly. But, like I say, this depends on where you're shopping, what you're buying and what card you're using.

> but sometimes transactions are handled entirely offline

It depends. Some readers are set to accept offline payments for NFC for sure. Reason being that they only sell small items (lunch boxes and stuff) and an offline payment is instant. However in most places you can only do three offline payments before an online payment is forced.
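The offline-versus-online decision discussed in the comments above, as an added example that is not part of any commenter's post: a simplified Python model of EMV terminal risk management (floor limit and consecutive-offline velocity check) followed by terminal action analysis. The limits, action-code values and sample transactions are constructed assumptions, only byte 4 of the TVR is modelled, and a real card applies its own risk management and makes the final call.

```python
from dataclasses import dataclass

# Bits of byte 4 of the Terminal Verification Results (TVR), EMV Book 3.
FLOOR_LIMIT_EXCEEDED = 0x80          # "Transaction exceeds floor limit"
LOWER_OFFLINE_LIMIT_EXCEEDED = 0x40  # "Lower consecutive offline limit exceeded"
UPPER_OFFLINE_LIMIT_EXCEEDED = 0x20  # "Upper consecutive offline limit exceeded"


@dataclass
class Card:
    atc: int                  # Application Transaction Counter (tag 9F36)
    last_online_atc: int      # Last Online ATC Register (tag 9F13)
    lower_offline_limit: int  # Lower Consecutive Offline Limit (tag 9F14)
    upper_offline_limit: int  # Upper Consecutive Offline Limit (tag 9F23)


@dataclass
class Terminal:
    floor_limit: int      # minor currency units (constructed value in the demo)
    online_capable: bool  # False models a terminal that has lost its link
    # Issuer and terminal action codes merged into one mask per outcome,
    # byte 4 only. These masks are constructed for the example.
    action_denial: int = 0x00   # conditions that decline outright
    action_online: int = 0xE0   # conditions that force an online request
    action_default: int = 0xA0  # conditions that decline when online is impossible


def risk_management(card: Card, terminal: Terminal, amount: int) -> int:
    """Return TVR byte 4 after floor-limit and velocity checking."""
    tvr = 0
    if amount >= terminal.floor_limit:
        tvr |= FLOOR_LIMIT_EXCEEDED
    # Number of transactions since the issuer last saw this card online.
    consecutive_offline = card.atc - card.last_online_atc
    if consecutive_offline > card.lower_offline_limit:
        tvr |= LOWER_OFFLINE_LIMIT_EXCEEDED
    if consecutive_offline > card.upper_offline_limit:
        tvr |= UPPER_OFFLINE_LIMIT_EXCEEDED
    return tvr


def action_analysis(tvr: int, terminal: Terminal) -> str:
    """Map TVR bits to the cryptogram type the terminal would request."""
    if tvr & terminal.action_denial:
        return "DECLINE_OFFLINE"   # terminal asks the card for an AAC
    if terminal.online_capable:
        if tvr & terminal.action_online:
            return "GO_ONLINE"     # ARQC: the slow path, issuer round trip
        return "APPROVE_OFFLINE"   # TC: no network wait at all
    if tvr & terminal.action_default:
        return "DECLINE_OFFLINE"
    return "APPROVE_OFFLINE"


def decide(card: Card, terminal: Terminal, amount: int):
    tvr = risk_management(card, terminal, amount)
    return tvr, action_analysis(tvr, terminal)


if __name__ == "__main__":
    online = Terminal(floor_limit=2500, online_capable=True)
    offline = Terminal(floor_limit=2500, online_capable=False)
    # Constructed cards: (label, card) pairs with limits of 3 and 5.
    cards = [
        ("1 since last online", Card(12, 11, 3, 5)),
        ("4 since last online", Card(15, 11, 3, 5)),
        ("6 since last online", Card(17, 11, 3, 5)),
    ]
    for label, card in cards:
        for name, term in (("online", online), ("offline", offline)):
            for amount in (800, 4000):
                tvr, result = decide(card, term, amount)
                print(f"{label:20} {name:8} {amount:5} TVR4={tvr:02X} {result}")
```
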

Here's an even more fun protip from the US chip+pin implementation: You don't need the PIN.

On most terminals, using a US debit card (Chase at least), you can press the green button without entering a PIN and it lets you through. Doesn't ask for a signature either.

Great question! Once I moved back to Romania after living in UK, Germany, and Israel for a while, I was pleasantly surprised how paying with a credit card here is almost instant – we even have contactless PoSes everywhere.

If you ever come back to the UK you'll be rather impressed. Pretty much everywhere accepts Contactless now.

Contactless POSes aren't really a thing though apart from Santander I think.

I believe the OP means POS as in Point Of Sales. Santander tends to have ATMs, as in Automated Teller Machines :)

The UK's implementation of contactless is still behind other countries in the EU. In most other places I can use contactless to pay any amount, the terminal will simply ask for my pin if the transaction is over the pin-less payment threshold. In the UK that's impossible - even if the terminal displays the contactless logo when you are attempting to pay over 30 pounds, if you attempt to use your card that way it will just beep and tell you to insert the card. I'm guessing it's a peculiarity of UK banks which decided they would rather disable this system even though the terminals do technically support it.

That's not entirely correct. Some countries (e.g. Spain) have no floor limit and request a PIN, others use the same system as the UK (e.g. Germany). Wikipedia has a detailed list: https://en.wikipedia.org/wiki/Contactless_payment

I think the major complaint is (never tried paying contactless in the UK, no clue if that is correct) NOT the limit that doesn't require a PIN, but that you have to start from scratch and use a different method (insert card, provide PIN) if you cross that threshold. If that's true, that sounds like a UX problem and I'd hate that as well.

Here in DE it's not like that - or at least never happened for me. A transaction that I start contactless might (random verification or > threshold) require a PIN. But I never need to insert the card or get an error message like the GP described.

It is absolutely a UX problem. In the UK terminals will show this image:


Even if the amount is over the threshold - only once you tap your card on the terminal it beeps and says "insert/swipe card". Why even show the contactless logo then????

Not all do but the majority. I believe it's the manufacturer's fault, not the bank's (or store). But I guess in devices like this, pushing a software update to fix a non-critical UX flaw could take years.

Just a theory but is it possible that the prevalence of DATAPAC in Canada means that most merchants were used to having a dedicated always on line just for their terminals and continued to have one after DATAPAC went away?

Interesting fact: the best card terminals, if they are connected to a phone line rather than the merchant's broadband internet connection, use a 1200-baud modem. You would think that this would be slower, but the amount of data to transfer is relatively small. This means that the transaction time is dominated by time it takes to dial the modem and establish a connection rather than the time it takes to send the data. A 1200 baud modem takes much less time to negotiate a connection than a 56k modem, because it doesn't have to check the quality of the line as thoroughly. Reliability is better on noisy phone lines as well, and I'm sure they're cheaper. It's a win all around, but it's not something they mention on the spec sheet because it looks terrible.

Of course that has nothing to do with the chip-based authentication.

It's been 18 years since I was involved in that industry, but I remember it being more a decision to use 1200, 2400, or 9600 baud with most processors. I don't remember any that even offered the option to connect at 56k.

I think there were a few processors with protocols that were chatty enough that the time spent negotiating 56k might have been worthwhile. I remember the Gensar and FDMS protocols mostly being sane but there were a couple others that were "hey look at this BBS software I adapted to be a credit card processor for some reason."

Surely in a busy enough store it would be worth just keeping the connection open, at least during peak times?

A lot of POS terminals in Canada just use Ethernet to connect to the payment processor. For stores that already have internet they just hook into that, but for those who don't one of the local ISPs even offered (they might still) a $5/mo cable modem package just for POS machines.

In Europe processing cards with chip & PIN at POS is quite fast. It usually takes 2-3 seconds for me before "Approved" appears on the reader screen. This might have something to do with US retailers still running legacy POS terminals / tech.

Yes indeed, I don't really get this post, it takes around 2 seconds to validate the transaction, is that slow? And you have contactless for small amounts as well which is instant.

Chip readers were incredibly slow when they were first rolled out in Europe, too. Stores would tape over the chip slot and put on a note saying "Swipe instead".

Maybe I'm just showing my age here, but if it were a hardware problem, it seems weird that the US would still have the launch woes Europe had over ten years ago.

I work near a Chase building which has a cafeteria in the basement open to everyone. Every checkout register there still hasn't moved their readers to chip transactions. They have 40+ floors of Chase above them and this is happening. It's ridiculous and telling of the U.S. chip reader rollout.

I ate there today at lunch. I pulled out my phone to do Apple Pay at the register and... nope not supported either. In the Chicago HQ of America's #2 retail bank!

The US banks have been talking about "smart cards" and updating payment tech for 25 years, but from what I see they've only been talking...

Stores in the US do that here now. It's also incredibly annoying when it tells you to insert the chip and then decide "oh THAT's how you want to pay? Swipe it instead" after telling you to insert it.

Not to mention that some of the higher-volume corner stores in my area still use the magnetic stripe reader. So the interaction usually has me inserting my card, the cashier noticing, telling me to swipe instead, and going from there.

So unless I'm going to a big retailer (rare) or the stores directly around work/home, the interaction is usually complicated and annoying for human factors layered on top of the complicated, annoying, and insecure chip+sig protocol the banks settled on because chip+pin was too annoying.

This is why we can't have nice things.

> it seems weird that the US would still have the launch woes Europe had over ten years ago

Ha. That doesn't surprise me at all - "It's too hard or expensive for the US to change compared to other nations" is not an uncommon argument for opponents of change.

It used to drive me insane when I first moved here but is now one of the quirks I love about the US - people aren't Luddites they just really value a national sense of individualism and urge to seek their own solutions!

Explains why the US still has the penny. Canada removed it (back when CAD was on par with USD!) and I haven't missed it.

> Stores would tape over the chip slot and put on a note saying "Swipe instead".

I don't know about the EU, but US stores did this too. It has nothing to do with chip transactions being slow though. My chip card will not work when swiped at a chip-enabled PoS terminal. The issue, in the US at least, is that stores updated the physical terminal before (sometimes long before) enabling chip transactions at the processor level.

2 or 3 seconds feels like an eternity compared to the old "swipe and done" you used to have with credit cards.

There are places where it takes most of a minute or longer, somehow.

A lot of terminals are that fast but even a few seconds feels like forever compared with swiping and it going through instantaneously.

Yes. All my EU bank cards also support contactless payment. But there is a limit over which you have to enter PIN to approve transaction. But small purchases like coffee at Starbucks I just touch my card with the card reader and it instantly approves. Taking money from ATM always requires PIN though.

In the UK not only is the contactless payment instantly (I think less than a second, probably even better) approved but for the cards that I have in my apple wallet I get the push notification with the payment details in about the same time. And this is actual physical card payment not apple pay. It means that all the other background systems that are needed to trigger and deliver push notifications (over mobile network) are incredibly fast as well.

Here in Japan I get my payment notification email before the terminal is handed back to me with chip payments.

To be fair contactless payments are just as fast in the US. It's just the chip that is slow here.

Since I'm outside the US and couldn't find that info in the thread - just how slow these payments are? To me, waiting these 2 seconds for confirmation already seems slow.

At Lowes (a big box hardware store) in a major US city, I'd say consistently 3-5 seconds.

Caveat that perceptually this seems like a lot longer due to the variable action flow (sometimes sign, sometimes take card immediately, sometimes error) that demands attention.

Sometimes 10-15 seconds.

Hate to be the bearer of bad news, but contactless in the US is fast because it generally transmits magstripe data.

Apple/Samsung/NFC Pay is not mag stripe. It is generally faster than a chip card.

Apple and Android Pay are not mag stripe, they're proper encrypted nfc payments. Samsung pay CAN be a magstripe emulation, for terminals that don't support NFC.

To clarify, EMV supports tokenized transactions that emulate the _contents_ of the magnetic stripe over NFC, and this is what is broadly used in the US.

Note here[0] that Chase states that only contactless MSD support (contactless magstripe emulation over NFC with a dynamically-generated security code) is required for Apple Pay; a subset of contactless EMV.

[0] https://www.chasepaymentech.com/developercenter/applepaymode...

I think rhodysurf means swiping the magnetic strip on the back of the card, not contactless payment.

I pay with my watch or phone when I can actually because that is faster than both swiping or putting the chip in.

But yes, my original comment was talking about swiping the card using the mag strip.

Ah I see. Yes we don't swipe mag strip in Europe. The only time somebody asked me to swipe my card was on my vacation in Asia. That was first time I needed to do that and they also asked for my signature which surprised me as it was first time in my life I needed to sign a receipt!

I also use Apple Pay sometimes but these days I mostly default to contactless payments as the prepaid debit card I use for small purchases is connected to a mobile app on my phone where I can track my spending and get instant push notifications.

> That was first time I needed to do that and they also asked for my signature which surprised me as it was first time in my life I needed to sign a receipt!

That's wild. Here in the U.S., I sign a couple of receipts every day.

That is wild! I'm very used to signing receipts as that is the way it is done with a credit card. With debit cards there is a PIN for the debit network, but we're told by the bank to swipe it and sign (instead of entering a PIN) in order to get the full protection of the Visa network including zero fraud liability even though it comes out the same either way from the consumer's point of view. That usually involves insisting to the machine that this is a credit card rather than a debit card.

I only use debit cards (a prepaid Mastercard for small daily purchases and VISA bank debit card for any bigger purchase or to take cash from ATM, plus my business debit card for any expenses while working so it takes money from my business account and not personal) and they always have a chip & PIN. I guess credit cards might work differently as you want to be able to charge back. With debit card there are no charge backs so it makes sense to always use chip & PIN process because it's very secure even though slower.

There is debate about the security of the PIN when the POS has been compromised. So the threat is that your PIN gets stolen and then you have to dispute unauthorized charges against your bank without the protection of Visa or MasterCard's fraud protection.

I was a user in the Mondex card trial in 1995. This was like modern chip cards, but a stored wallet instead of online auth to an account:


The banks outfitted buses, bars, pretty much everywhere with readers but even after inducements to use it such as half price beer(!) it still failed. Why? Because it was soooo slow. Waiting for ~45 seconds at the bar for a payment to go through got old really fast. It barely lasted a year.

I'd have thought the friction of the payment would have been a lesson learned, but here we are 22 years later and it's still a pain.

45 seconds is a ridiculous amount of time. I wouldn't use it either. It would put a big bite in a cashier's items per minute figure too, so they would hate it.

It was even worse on public transport apparently. I can't even imagine being there for 45 seconds in front of a load of angry old ladies trying to get on.

Yet now, in the card dominated era, we routinely split checks into 10 parts when dining in a group because people don't carry enough cash..

Although a lot of restaurants have notices to the effect that they'll only split bills up to 2 ways or something along those lines. I don't use cash a lot but it's still a good idea to carry some.

There's an express Target in the San Francisco Financial District that gets around this by assigning cashiers to two registers. They start the chip payment transaction on one register, and then slide over to the second register to start another customer's checkout. Then they slide back to hand the receipt to the first customer, etc. Absurd but effective.

In Germany, Aldi Süd uses a similar method. While the customer inserts the card and enters the PIN (which is the slow part – the machine itself is really fast) the cashier starts scanning the items of the next customer. All this happens with the same register so the switch happens in software (they invest a lot in register technology).

In Sweden people usually start the slow part (entering the pin) while their items are scanned. When all items are scanned you just press ok to authorise the amount and wait for 1-2 seconds for the transaction to go through.

Ah yes. I have written about this on HN before. I have never seen this outside Sweden for some reason.

At Aldi specifically it wouldn't be useful as you have to keep up with the cashier's scanning speed while bagging. In other stores you can start bagging at the end. Not sure why they don't use the same idea as Swedish stores. Once I tried inserting my card while scanning in a German store but the machine didn't like it at all.

We have it in the UK for some petrol stations. My local one before they had pay at the pump allowed you to go to the cashier put your card in the machine and enter your pin tell them how much fuel you wanted and then the pump would only deal out up to that amount.

You only got charged for the amount of fuel taken, so it didn't matter if you said you needed 30 pounds worth and only took 26 pounds worth.

I guess it was similar to pay at pump now, where you enter your card and pin to pre-approve up to 99 pounds, fill up and then only get charged for the amount you took.

We did that in Australia for a year or two but then it seemed to vanish. I guess not enough shoppers took it up.

Or, come to think of it, it probably lowered the likelihood of people using the supermarket loyalty cards so they nixed it.

Used to be able to do this in the US with magnetic swipe but now you can't because of chip reading taking place at a specific time in the checkout process.

Similarly Starbucks employees will initiate a transaction then step away to prepare the order then come back and finish up.

As has already been pointed out, EMV transaction flows go through many steps. From what I understand, the protocol was designed with a focus on flexibility, and little attention was paid to low latency.

Until some years ago, most terminals would mirror that. Most prominently, they used to have separate "enter pin" and "verify transaction amount" steps, and included longer delays for displayed status codes. Recent devices have started combining these steps ("Amount: xy. Enter PIN to confirm") and status messages.

Newer use-cases like the contactless qVSDC application have been tuned for better performance, limiting the amount of communication between reader and card.

For more details, have a look at this guide from VISA: https://www.visa.com/chip/merchants/grow-your-business/payme...

That would make sense if the USA was an early adopter, but it's the latest adopter. They should have jumped straight to the latest systems.

Also, I don't remember EMV being slow in the UK, and that was an early adopter of the modern protocol (2004).

The USA was an early adopter of Point of Sale systems. I'm under the impression that retailers haven't upgraded the computer systems attached to credit card chip readers.

Aye, in South Texas at least, I've noticed that newer terminal systems seem to process things just as fast as card swipes, if not more so. But older systems that have obviously been retrofitted with the technology are hit and miss. I often feel like it's the user interface slowing things down more than the transaction itself though, I can't recall any recent instances of delays waiting on the authorization to happen that were longer than a few seconds.

"upgraded the computer systems attached to credit card chip readers"

A quarter century ago the way grocery retailers implemented credit and debit card payment was a physically separate unconnected terminal, you swiped and entered the amount on the separate terminal, and the only modification to the cash registers or workflow was hitting the "credit" button instead of "cash" when recording a transaction (there was already functionality for a "check" button). So there was no connection. Before credit/debit terminals you'd balance your register at the end of a shift using data from the "check" or "cash" button, afterwards you had a third column the "credit" button transactions, and that figure should match the terminal printout.

It's possible that connecting the systems results in slower speeds for an end user, although not having the cashier hand enter charge amounts saves enough cashier time that the overall system is faster although the end user feels it's slower. What I don't understand is beyond some manner of witchcraft why connecting the register to the terminal would be assumed to slow down the process. Unless architecture has staggeringly changed in the last quarter century, the CPU in the cash register is not doing the crypto or running some kind of dialup winmodem, it's in sleep mode awaiting an "Ack" or "Nack" while the terminal is doing whatever crypto magic that terminals do.

Here's a good blog post from a WePay engineer that explains some of the slowness - https://wecode.wepay.com/posts/supporting-chip-cards-at-wepa...

Great post. Now I finally learned why when I use my debit card I'm asked "INTL VISA" or "US DEBIT BANK" every time. I thought it was the PIN pad software, it's actually an app running on my own card that is causing that to come up with every transaction.

Here in Germany it usually takes a few seconds (less than 5 I'd say) - I noticed however that paying at Aldi Nord is very fast. They really do tweak the cash register speeds at Aldi...

> They really do tweak the cash register speeds at Aldi...

Not only that, but the Aldi checkout operators are extremely fast at scanning products compared to other supermarkets (at least that has been my experience in the UK).

A primary reason for this is that ALDI products (at least here in the US, I don't remember whether this was true shopping in Europe a few years ago) typically have 4-6 barcodes per package--a box will often have a bar code on every face, if it's a house brand product. Makes for extremely fast scanning, true.

I also just noticed the dual-conveyor model in operation at a newly-opened Lidl near me yesterday. ALDI here typically doesn't do that--most stores are set up to place groceries (and unfilled bags) directly into a customer cart, and have a nearby counter to bag your groceries at.

Their scanners also don't suck. IBM used to make very high speed, accurate POS terminals in the early 90's. You could basically toss products across the sensor non-stop without any delay as long as the code was within view. The modern stuff is glacially slow by comparison.

Makes me wonder if they are at German speeds.

Because in Germany it's very fast

> Because in Germany it's very fast

ALDI/LIDL are outliers here in Germany. Other supermarket checkouts like Rewe, Edeka, and Kaisers are slower at scanning items. So don't take the speed of ALDI/LIDL cashiers to be indicative of every supermarket checkout in Germany.

Overall, German supermarkets scan items faster than in North America, but ALDI/LIDL are really in their own league. I sometimes think they are faster to scan items than to drop the contents of the belt onto the floor. Impossible to pack in real-time!

They got slower.

Some years ago they punched in all items by number and were even faster.

The downside was that for the first months of your employment you were at home learning all codes.

For stuff like vegetables and fruits sold by the unit cashiers still pretty much have to learn the codes to be fast. There's a grid overview with images of the groceries and their numbers to help, but eh, you can't look at that or else you are slow.

I still remember that 515 were cucumbers and I believe 529 were 2.5kg of potatoes?...

NahKauf (I think it's Rewe) wasn't too bad

Interestingly, Monzo takes a few seconds (~5) to notify me of a transaction if I do it in Germany. UK, Belgium, Malaysia and Indonesia are all instant.

I assumed that there must be some further process that it goes through, between telling the credit card reader that it is completed and Monzo getting informed.

I wouldn't muddy the waters here with talk of Monzo. Most chip reader cards don't do what Monzo does in terms of real-time backend transaction verification, that's a generation further than the stuff being rolled out in the US.

Correct. Cards can indicate whether they need to be verified online or not. Most do not require this (so transactions are just recorded and processed some time later), apart from Visa Electron which was designed for under 18s, and therefore does not have an overdraft, so requires an online balance check.

Monzo take advantage of this to enable their realtime notifications and related features, otherwise Monzo would receive the notification of the charge up to 48 hours later which would be a significant harm to the UX.

Monzo tends to notify me before the card reader has actually registered the payment in the UK

One reason Aldi checkers can scan so fast: multiple, huge bar codes! http://www.motherjones.com/kevin-drum/2016/06/aldi-has-very-...

Yeah because Aldi entered the play only very recently and so used top-of-the-line CC readers only, plus always a solid DSL link.

Old stores, especially small mom-and-pop ones, are still stuck with readers built a decade ago, or with modern readers uplinked by POTS. I recently helped my vet switch from an old POTS terminal to a brand-new, DSL-linked one; the speed difference is huge.

Also in Germany, I recently paid a bill by EC at my dentist, and it took over 2 minutes for the transaction to go through because they have a shitty old reader that connects individually for every transaction, and also over a shitty link (maybe GPRS only?).

I remember in uni the corner store near my apartment used dial-up (or possibly ISDN since at the time that was the telco's default solution for "I want 2 lines") for its card reader. If you were in a line of customers it was fast but if the store was empty you were waiting for 30-60 seconds while it connected...

ISDN circuit level connections occur almost instantly because it is a digital connection.

We had one that dialed through maybe with a 56k modem but probably slower. Ended up sticking it on the fax line because a customer couldn't pay over the phone when it shared the same line.

GPRS is usually pretty quick for this. The dentist's one was probably using some form of dial-up, either over GSM or POTS.

Because with the swipe readers there is only one call to the payment processor.

However, with chip transactions there are multiple calls for different payment processing flows. For example, a transaction could require 5 round trip request responses from the chip to the payment processor, meaning 5x the time required.

Plus your card is half-way back to your wallet before the first call is even made when you swipe it, but with the chip, you can't retrieve your card from the machine until the transaction is done. Even if the transaction took exactly the same amount of time, the chip method takes longer because your execution thread is blocked waiting for a resource to be released.

A more interesting question for me is: why are NFC credit cards so much faster than chip ones? Presumably they require the same kind of round trip challenge-response with their internal chip, but I have heard they're much faster.

Pretty sure NFC transactions are "offline", i.e. the round trip to the bank happens after the card has left the reader.

Often the round trip to the bank happens after the card has left the reader but before the txn is authorised (i.e. the device prints a receipt, customer gets the product or service), that's still an online transaction.


Paying for the bus for me is offline, whereas in a supermarket it's processed online

That's probably optional, I usually get an Amex push notification from NFC transactions right after they occur (before I have time to put my phone back in my pocket).

This is correct. Which is why there is a low 'floor limit' on NFC/Contactless payments. Your card is not actually authorised at point of transaction.

From experience in two European countries, this is not always the case. I have both Visa and MC cards which can be used in contactless mode for transactions of any size, up to the card limit. For low amounts (<40EUR) the PIN is not requested. For larger transactions I have to enter the PIN, but I don't need the chip.

In the UK, Contactless is PIN free, hence the low floor limit. Anything over that amount (£30 typically) requires Chip+PIN, and remote authentication.

Just from my personal experience in Switzerland I think this is mostly the case, but not always. I have a contactless Visa with a rather low limit that I use for small day to day purchases. I only use it contactless and most of the time I can go over the monthly limit if I only use it contactless. Sometimes if I do this it will still be declined by a shop due to «insufficient funds», so some contactless terminals must be calling home. At this point the card stops working at any terminal, even the contactless kind. I have to wait for the next month and use it the chip and PIN way once to make it work again.

AFAIK (please correct me if I'm wrong) NFC is more akin to magnetic strip than chip cards are, i.e. a virtual number is created for each transaction that is tied to the merchant / time of use. So, you get an id from the merchant (i.e. direct communication between you and reader), you get a virtual number from your credit card provider (1 internet trip), and you give that virtual number to the reader, then phone is back in pocket while it does its thing.

Samsung Pay even cuts out any knowledge of the reader, just gives a virtual number to the credit card mag reader.

NFC uses the same protocol and transaction flows as contact chip EMV. Only designed-in difference with regards to speed of processing is that card contains additional application that returns AID that should be used instead of terminal trying AIDs it knows blindly. Another thing is configuration. NFC typically has many "slow" transaction flows disabled (i.e. anything that requires the card to be still present after some other interaction, be it PIN entry or reply from payment processor).
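The directory lookup described in the comment above, as an added example that is not part of the thread: a contactless reader selects the PPSE (`2PAY.SYS.DDF01`) and reads the card's AIDs from the response instead of probing its own list. The response bytes are constructed for illustration; the tag layout (6F/84/A5/BF0C/61/4F/50/87) follows the EMV contactless directory format, and the AIDs, labels and priorities are sample values.

```python
def tlv(tag: str, value: bytes) -> bytes:
    """Encode one BER-TLV object (short-form length only; enough for the sample)."""
    if len(value) > 0x7F:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes.fromhex(tag) + bytes([len(value)]) + value


def parse_tlv(data: bytes):
    """Return [(tag_hex, value, constructed)] for the BER-TLV objects in data."""
    out, i = [], 0
    try:
        while i < len(data):
            if data[i] == 0x00:            # EMV allows 00 padding between objects
                i += 1
                continue
            start = i
            constructed = bool(data[i] & 0x20)
            if data[i] & 0x1F == 0x1F:     # multi-byte tag such as BF0C
                i += 1
                while data[i] & 0x80:
                    i += 1
            i += 1
            tag = data[start:i].hex().upper()
            length = data[i]
            i += 1
            if length & 0x80:              # long-form length: next n bytes
                n = length & 0x7F
                if i + n > len(data):
                    raise IndexError
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            if i + length > len(data):
                raise ValueError(f"tag {tag}: value runs past end of buffer")
            out.append((tag, data[i:i + length], constructed))
            i += length
    except IndexError:
        raise ValueError("truncated TLV header") from None
    return out


def find_all(data: bytes, tag: str):
    """Depth-first search for every object carrying the given tag."""
    found = []
    for t, value, constructed in parse_tlv(data):
        if t == tag:
            found.append(value)
        elif constructed:
            found.extend(find_all(value, tag))
    return found


def candidate_list(ppse_fci: bytes):
    """Return [(priority, aid_hex, label)] from directory entries (tag 61), best first."""
    apps = []
    for entry in find_all(ppse_fci, "61"):
        fields = {t: v for t, v, _ in parse_tlv(entry)}
        if "4F" not in fields:             # an entry without an AID is unusable
            continue
        prio = fields.get("87", b"\x00")[0] & 0x0F
        prio = prio or 16                  # 0 means "no priority assigned": sort last
        label = fields.get("50", b"").decode("ascii", "replace")
        apps.append((prio, fields["4F"].hex().upper(), label))
    return sorted(apps)


# Constructed PPSE response (FCI template) for a card carrying two applications.
SAMPLE_PPSE_FCI = tlv("6F",
    tlv("84", b"2PAY.SYS.DDF01") +
    tlv("A5", tlv("BF0C",
        tlv("61", tlv("4F", bytes.fromhex("A0000000031010"))
                  + tlv("50", b"VISA DEBIT") + tlv("87", b"\x02")) +
        tlv("61", tlv("4F", bytes.fromhex("A0000000980840"))
                  + tlv("50", b"US DEBIT") + tlv("87", b"\x01")))))

if __name__ == "__main__":
    for prio, aid, label in candidate_list(SAMPLE_PPSE_FCI):
        print(f"priority {prio}: AID {aid} ({label})")
```

One SELECT and one response give the reader the whole candidate list, which is where the saving over trying each known AID in turn comes from.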

If we're talking about contactless EMV cards (Phone NFC may be otherwise), then they do pretty much the same thing crypto-wise as in a contact transaction, the chip receives the transaction from the terminal.

The main practical difference is that you can't update the on-card data depending on the transaction outcome, since the card isn't there any more.

Some of them are just like swiping your card - e.g. they just pass the same data as a swipe in one pass and go.

The other kind, AIUI, are indeed the same as the chip transactions, with all that entails.

e: Other posts seem to say that all the contactless transactions are offline, which means no multiple expensive round trips upstream either way, so never mind.

Can you give an example of how the heck an EMV transaction could require 5 round trips?

IIRC it should come down to 0 or 1 roundtrips, depending on the amount and risk profile - in most cases you do an offline authorization where only the chip is involved to verify the txn, PIN(if applicable) and limits; and if you can't do that, then you send an online authorization, get a response, and that's it. There's extra communication afterwards in the workflow, but that happens after the customer has left and has no impact on customer-observed latency.

Next question then becomes why it needs those additional trips? Authorization is already done on the chip, it should only need to verify the amount is available.

+1. Not to mention each party will have their own VPNs so internal hops to the right machines. That said - these days even swipe reads have multiple payment processing flows especially for co-branded cards.

My question is why chip readers flash like 6 or 7 screens that all say DO NOT REMOVE CARD in one way or another before giving you a noise that could be described as, "transaction failed" before finally being successful. I wouldn't mind waiting the extra couple seconds if the process was a little more customer friendly.

Yeah, whoever decided the "Remove card" sound should sound like a buzzer needs a few lessons in UX. A simple "Ding!" sound would be far better.

All the ones I've used also prompt "is this amount correct?", "do you want cash back", which are additional time-consuming steps which require your attention to be on the terminal and were never part of the process before these same terminals switched over from swipe transactions.

This is so funny, as this is an internal thought I have nearly every transaction. So counter-intuitive on the actual device interface, the LCD messages, and the audio cues...

Here in the UK I'm generally amazed at how fast they are - slowest part is typing my PIN in if that is required (some places still require it or if the transaction size is over the limit for contact-less).

I'm guessing the OP is from the U.S. A few notable differences in the U.S.: they've only been rolling it out for a few years and they use a signature instead of a PIN.

This is a suspicion, but I think they're slower in the U.S. because a) they're just slower b) the UX is worse. You insert the card, wait, then it asks for a signature (presumably because not all accounts, vendors, and dollar amounts require a signature?). From what I've seen overseas you insert the card, type in your PIN (in parallel to card processing)--so it appears to process more quickly because you're not waiting.

Huh? How does the signature thing work? Do you input your signature into the device somehow?

I believe you give a physical signature and it's compared to what's on the back of the card.

It is never, ever compared in the US. In fact, I haven't signed the back of a credit card in years, and the only time I did was when I was in Europe where every cashier thinks they're a forensic handwriting specialist.

Not in the US.

For most terminals the small screen is actually a touch screen that (in the US) has a stylus attached to sign with.

However as you would expect, the signature is completely worthless and basically everyone signs with a simple scribble.

I draw little pictures for the cashiers at a store I frequent.

Most likely this. I'm not sure why card readers in Germany don't ask for the PIN every time but when they don't you're generally asked to sign the cashier's copy of the receipt and they'll verify the signature against what's on the card.

However not only will the cashier generally let you simply put the card next to the receipt while you sign (because this makes verification easier for them) but it doesn't seem like they actually apply any scrutiny: the signature on my card is very different from the one I use for signing these days and it never raised an eyebrow.

FWIW, I've signed for card transactions in all kinds of places across Germany, from small shops to large hotels. I can't figure out what triggers the decision between PIN and signature but I swear I've used either in the same place at different times for equivalent amounts.

The transactions with PIN are more expensive for merchants, but the merchant isn’t liable. They are done via the EC network.

The transactions with signature have lower fees, but the merchant is liable, and you’re actually authorizing them to do a Bankeinzug via the Elektronisches Lastschriftverfahren.

EC transactions are done instantly, ELV are done overnight.

Yes. Above a dollar amount depending on the store. But basically no one compares it to the card and inputting it on the pad is so crude you might as well just write an X (which my signature isn't much more sophisticated than anyway these days).

We have chip and pin too but only on debit cards. My Amex doesn't require a signature for anything under 50 dollars and can be very fast depending on the store. I think a lot of the blame is on legacy software. Some places have the chip readers but make you swipe first only for it to say insert card.

The chip and pin speeds have gotten better but still a ways off.

Never swipe before entering your PIN. If you do that, they can clone a card for use in ATMs, and withdraw your money as untraceable cash.

Connecting via the chip does not reveal enough information to reconstruct a magnetic strip for an ATM to accept, particularly if the machine is a total fake. But if you swipe the magnetic stripe, you can easily clone it exactly.

Don't the ATMs use the chip? All the ATMs I've seen here in Brazil either use the chip exclusively, or use the magstripe to identify the account but use the chip to confirm everything (not only withdrawals, but also simpler things like looking at the account balance).

Even better in Australia - A$100 limit on 'PayWave'/Contactless transactions. All you have to do is tap your card and wait a few seconds.

UK has contactless, but lower limit and from my recent visit, seems to not be as common.

Correct. I'm from US (and should have put that in the title). Just got back from the UK, where the chip process is so fast (even including PIN entry).

Same in France - in the past you used to have enough time to finish filling your grocery bags while the transaction was being authorized. But for... maybe the last decade or so, transactions most often get authorized within a second of validating your PIN.

Plus now most shops have contactless card readers. Which is funny when you think about it, because it's the same speed / security as the swipe from 40 years ago, except limited to 20€.

I wouldn't say it's the same security - presumably the contactless chip is much harder to copy than the old magnetic stripe.

Contactless transactions generate a one-time use code, they're much more secure than your standard magnetic swipe.

No they just have different issues.

They both allow the card to be used when stolen. Magnetic band can be duplicated. Contactless allows people with a portable modified machine to request transaction without the owner knowing.

And why on earth do you have to SIGN still? Seriously. I draw a picture of Shammoo most of the time, to the delight of many cashiers

Signing is working in your interest. You can ask to see the receipt that you signed in case of fraud.

With PIN, the burden of proof is on you - the bank will say you were careless with the PIN and let other people see it, abrogating their responsibility. Even if it's a security vulnerability in their system. (Not a theory, this is how it goes in Europe - see Ross Anderson's group's work on this)

Do you mean this 2010 paper: https://www.cl.cam.ac.uk/research/security/banking/nopin/oak...

Here's their blog post about it at the time (but the YouTube video is down, unfortunately): http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

From the paper: "Because stolen cards can be used without knowing the PIN, by our definition, Chip and PIN is broken. We do not believe that the system is broken beyond repair, but neither is it the case that a simple fix will suffice, due to the unmanageable complexity of EMV."

They have been doing a lot of work in the area, I think 2009-2015 at least. There are several publications, and more than one attack.

>You can ask to see the receipt that you signed in case of fraud.

I understand that's how it's supposed to work, but what does the signature accomplish in practice? If anything, a "signature" that even contained recognizable letters, much less anything that looked like my name, would be a sure sign of fraud, because I never enter anything that resembles a real signature.

Most justice systems have a practice of verifying signatures of documents. I believe it's generally based on comparing the disputed signature to a body of your regular signatures and, in contentious cases, handwriting experts.

I'm not sure how it would play out in court if you intentionally make random unattributable scribblings each time. Sounds like something that might be seen as intentional obfuscation.

Is there any evidence that the Ross Anderson attack has happened in the wild? Someone using a stolen card and the bank just washing their hands of it because PIN?

Looks like there is some evidence quoted in the background section of this paper: http://sec.cs.ucl.ac.uk/users/smurdoch/papers/oakland14chipa...

I haven't followed closely, there may be more / better evidence.

Edit: this article has more on the French case quoted in the above paper: https://arstechnica.com/tech-policy/2015/10/how-a-criminal-r...

In August 2014, the whole of Australia switched from signature based to chip and PIN.

I'm guessing a lot of other countries have followed too.

Yeah, I was pretty confused by the "signing" thing in the usa! I figured they'd have ditched signing, but instead, they created complicated digital signing machines! :-o

A lot of other countries have led, really; Australia was very late in doing this. It was in France in the 90s, of course, and showed up in most of Europe by the mid-noughties.

Signing is mostly so that you can't file a chargeback saying you didn't mean to buy, not so much to show that you are the verified cardholder.

I don't follow. How does me scribbling a line affect my ability to fraudulently claim it wasn't me who used the card? Especially when the back of the card has my signature on it as well?

It's there in the event that the fact that a purchase was made at all is disputed. Of course it doesn't do much to verify who signed, but it proves that someone actually meant to make a purchase.

One of the most foolproof ways to win a chargeback claim is not to claim a card was stolen, but merely that you didn't mean for them to charge you. How do you fight that? So for big ticket items we sold online we required a signature, thus (mostly) killing their ability to file that kind of a chargeback.

Of course that's a huge hassle for online sales, but if you're a grocery store and they're already there eh why not.

Ohh, that makes sense.

If I, as a disputing cardholder, try to claim that “I didn’t intend to purchase that widget”, it will require my card issuer to believe that the merchant signed it themselves and committed intentional fraud (as opposed to a simple misunderstanding)

It's generally far more convoluted: "I saw an ad on TV last month that product is $5 so I assumed it's $5 and I have no idea what's up with this $6 charge" and both the retailer and the CC company totally have no interest in arguing about how the advertised sale you saw last month ended last month or how if you had listened to the entire offer it's not $5 but "$5 with a purchase of $20 or more" or whatever. Look buddy, you signed for $6 right here, clearly you knew what's up at the time, so why you bringing this up 30 days later?

Even funnier with something like a debit card. "Well I just swipe, I have no idea what they withdrew, I assumed it was about $15 like every other time I dine here, and they raised prices such that it was actually $25 without my knowledge, and now my bank is giving me $500 in overdraft fees because they can"

Sometimes duplicate charges get entered for whatever reason especially if the terminal isn't connected to the register and uses manual entry. So two identical charges from the vendor, can I see the two signed register slips? No? There's only one? OK then. You can't just delete duplicate charges because there's too many people go to the bar and buy two beers pay up and decide to stay for another two and pay up and there you go two identical charges both valid and both signed. Vs go to the bar buy two beers pay up go home, the printer jams or some drunk trips over the modem cord or whatever and someone hits a "resubmit all" button to "fix" it and now you got two charges with only one signed slip at least in theory they can clean that up themselves.

Yah signing has never made sense for that reason

> I draw a picture of Shammoo most of the time

I like you.

I almost always just do a random scribble. Sometimes I just write an X.

I think it'd be funny to do celebrity signatures, though, but I don't have the patience for it.

Generally I just circle the part of the receipt that says "No signature necessary"
