Ask HN: Why are credit card chip readers so slow?

Some of the answers are close, but no cigar. The main reason for the time delay is the offline authentication of the chip, combined with generation of the ARQC cryptogram. Additionally the EMV protocol is very chatty if there are multiple applications on the chip card, although the latency involved in the customer interaction far outweighs the protocol timings.<p>As mentioned in many comments online transactions will be an order of magnitude slower, as they need to be sent to the issuer, have their cryptogram verified and the challenge response returned if the card does host authentication - which most do these days.<p>The entry mode generally does not determine how a transaction is authorised - chip, PayPass (NFC) and stripe can either be off or online. In fact stripe transactions are invariably online unless you want your business to be overrun with fraudsters. One of the prime reasons in the early days of EMV was to have it so safe that offline transactions were fraud proof - or close to. Naturally this noble goal was shot full of holes the moment real fraudsters got to it. However, the card is personalised with various limits and counters and with the possibility of using an offline PIN, which combined with the static authentication does give reasonable protection for low value offline transactions. Fun fact - in the initial spec this offline PIN was communicated between the terminal and the card in the clear. What could possibly go wrong :-). These days it is encrypted.<p>Anyhow enough blather - hopefully this has given a bit of insight.

You might want to qualify this with “in the US” as chip+pin cards are pretty fast in other countries by comparison.<p>Also there was a great episode of the podcast “Planet Money” a while back which goes into detail on your question [0]:<p>&gt; Today on the show, we bring you a brief history of what&#x27;s in your pocket. It&#x27;s a story of convenience vs. fraud—and it also includes a hippie inventor, the origin of the last great upgrade on your card, the magnetic stripe, and why it takes so long to &quot;dip the chip.&quot;<p>[0]: <a href="http:&#x2F;&#x2F;www.npr.org&#x2F;sections&#x2F;money&#x2F;2016&#x2F;04&#x2F;13&#x2F;474135422&#x2F;episode-695-put-a-chip-on-it" rel="nofollow">http:&#x2F;&#x2F;www.npr.org&#x2F;sections&#x2F;money&#x2F;2016&#x2F;04&#x2F;13&#x2F;474135422&#x2F;episo...</a>

This is partly perception.<p>With a magnetic card, after you slide your card, you can put your card immediately in your wallet, while the Point-Of-Sale solution authorizes with the electronic payment host in the background.<p>With a chip card (EMV card), the EMV spec required the Point-Of-Sale solution to write an authorization number to the chip card. This means you need to leave your card inserted in the PIN pad until the payment host authorizes. Authorization usually takes 2-3 seconds.<p>To improve this perception, the industry came up with Quick Chip, which Point-Of-Sale software companies started to work on recently. With Quick Chip, the POS software doesn&#x27;t need to write the payment host authorization number to your card chip anymore. You insert your card, account number is read, you take your card from the PIN pad immediately without waiting for payment host authorization.<p>-Software engineer working at a Point-Of-Sale software company.

Additional question: why is it faster in other countries? The first time I used a chip card in the US I was astounded by how long it took. I had been using chip (and pin) cards in Canada for years and it was never as slow as it is in the states.

Interesting fact: the best card terminals, if they are connected to a phone line rather than the merchant&#x27;s broadband internet connection, use a 1200-baud modem. You would think that this would be slower, but the amount of data to transfer is relatively small. This means that the transaction time is dominated by time it takes to dial the modem and establish a connection rather than the time it takes to send the data. A 1200 baud modem takes much less time to negotiate a connection than a 56k modem, because it doesn&#x27;t have to check the quality of the line as thoroughly. Reliability is better on noisy phone lines as well, and I&#x27;m sure they&#x27;re cheaper. It&#x27;s a win all around, but it&#x27;s not something they mention on the spec sheet because it looks terrible.<p>Of course that has nothing to do with the chip-based authentication.

In Europe processing cards with chip &amp; PIN at POS is quite fast. It usually takes 2-3 seconds for me before &quot;Approved&quot; appears on the reader screen. This might have something to do with US retailers still running legacy POS terminals &#x2F; tech.

I was a user in the Mondex card trial in 1995. This was like modern chip cards, but a stored wallet instead of online auth to an account:<p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Mondex" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Mondex</a><p>The banks outfitted buses, bars, pretty much everywhere with readers but even after inducements to use it such as half price beer(!) it still failed. Why? Because it was soooo slow. Waiting for ~45 seconds at the bar for a payment to go through got old really fast. It barely lasted a year.<p>I&#x27;d have thought the friction of the payment would have been a lesson learned, but here we are 22 years later and it&#x27;s still a pain.

There&#x27;s an express Target in the San Francisco Financial District that gets around this by assigning cashiers to two registers. They start the chip payment transaction on one register, and the slide over to the second register to start another customer&#x27;s checkout. Then they slide back to hand the receipt to the first customer, etc. Absurd but effective.

As has already been pointed out, EMV transaction flows go through many steps. From what I understand, the protocol was designed with a focus on flexibility, and little attention was paid to low latency.<p>Until some years ago, most terminals would mirror that. Most prominently, they used to have separate &quot;enter pin&quot; and &quot;verify transaction amount&quot; steps, and included longer delays for displayed status codes. Recent devices have started combining these steps (&quot;Amount: xy. Enter PIN to confirm&quot;) and status messages.<p>Newer use-cases like the contactless qVDSC application have been tuned for better performance, limiting the amount of communication between reader and card.<p>For more details, have a look at this guide from VISA: <a href="https:&#x2F;&#x2F;www.visa.com&#x2F;chip&#x2F;merchants&#x2F;grow-your-business&#x2F;payment-technologies&#x2F;credit-card-chip&#x2F;docs&#x2F;visa-emv-merchant-tadg.pdf" rel="nofollow">https:&#x2F;&#x2F;www.visa.com&#x2F;chip&#x2F;merchants&#x2F;grow-your-business&#x2F;payme...</a>

Here&#x27;s a good blog post from a WePay engineer that explains some of the slowness - <a href="https:&#x2F;&#x2F;wecode.wepay.com&#x2F;posts&#x2F;supporting-chip-cards-at-wepay" rel="nofollow">https:&#x2F;&#x2F;wecode.wepay.com&#x2F;posts&#x2F;supporting-chip-cards-at-wepa...</a>

Here is Germany it usually takes a few seconds (less than 5 I&#x27;d say) - I noticed however that paying at Aldi Nord is very fast. They really do tweak the cash register speeds at Aldi...

Because with the swipe readers there is only one call to the payment processor.<p>However, with chip transactions there are multiple calls for different payment processing flows. For example, a transaction could require 5 round trip request responses from the chip to the payment process meaning 5x the time required.

My question is why chip readers flash like 6 or 7 screens that all say DO NOT REMOVE CARD in one way or another before giving you a noise that could be described as, &quot;transaction failed&quot; before finally being successful. I wouldn&#x27;t mind waiting the extra couple seconds if the process was a little more customer friendly.

Here in the UK I&#x27;m generally amazed at how <i>fast</i> they are - slowest part is typing my PIN in if that is required (some places still require it or if the transaction size is over the limit for contact-less).

And why on earth do you have to SIGN still? Seriously. I draw a picture of Shammoo most of the time, to the delight of many cashiers

This guide from N26 bank is informative:<p><a href="https:&#x2F;&#x2F;n26.com&#x2F;how-realtime-notifications-work&#x2F;" rel="nofollow">https:&#x2F;&#x2F;n26.com&#x2F;how-realtime-notifications-work&#x2F;</a><p>Each time you use your card for a payment (which is almost instant), you receive a realtime notification within 0.5 seconds.

Note this isn&#x27;t true in all countries. My UK cards within the UK all follow some apparently online process in any UK merchant, however during a stint in Finland a few years back, I didn&#x27;t find a single example of a merchant where their reader didn&#x27;t instantly approve my transaction as soon as I correctly entered my pin.<p>Never received a (note: I know, we can all make guesses) conclusive answer explaining the difference.

Smart cards (ISO 7816), used for credit cards and SIMs, among other things, communicate through a relatively low-speed serial protocol. The secure microcontroller they contain is also quite slow, especially if you consider the cryptographic operations they&#x27;re required to perform. I suspect part of it is due to power constraints, and also somewhat tamper resistance.

This post explains why I was so frustrated using my card in the USA the other month. I figured it was super-slow because I had an international card, and it was confused.<p>Back here in Australia, almost every retailer (including those on 3g eftpos machines) takes &lt; 4s from when i tap my card, to when I can start walking away. So much quicker than cash :-)

In many cases (RiteAid pharmacy terminals are the absolute <i>worst</i> about this, but far from the only offender) it&#x27;s just crappy UX design.<p>I have an American Express card and a RiteAid rewards card. Here&#x27;s my checkout flow at the pharmacy:<p>1. Punch in phone number for rewards card<p>2. Get prompted to use my &quot;Plenti&quot; points; which require PIN entry<p>3. Swipe&#x2F;insert card (most RiteAid terminals used to work with Apple Pay, but had it disabled)<p>4. Get prompted to use my American Express points. Say no.<p>5. Enter relevant pharmacy details (DOB, verify pharmacist reviewed prescriptions for you)<p>6. Remove chip card<p>7. Sign paper receipt<p>This UX flow is simply too complicated for a checkout process. It&#x27;s got way too much friction, and they disable contactless payments to ensure you can&#x27;t circumvent that.<p>Making these payments process more quickly is great; but Apple basically already solved that problem with Apple Pay. But it&#x27;s not effective because it seems that some retailers <i>want</i> more friction in this process.

I can&#x27;t talk about the US but over here (Austria) the slow chip readers typically are GRPS based and connect for every single transaction. There is one nearby in a lunch place where I really consider telling them how to hook it up with their wifi :)

I suspect it&#x27;s because a lot of merchants are using terminals that are connecting over PSTN, or they don&#x27;t hold a connection open between transactions so they have to do the connection dance for every transaction. Or they have connections that are just plain slow.<p>From my time writing backend banking integrations for a PSP, going on 5 years ago now, the time to authorise a card transaction (that&#x27;s IP to BT gateway to X.25 network to acquiring bank to issuing bank and back again) would take anything between 0.2 and 1.0 seconds. So I don&#x27;t believe it&#x27;s actually down to any complexity in the authorisation steps <i>if</i> the transactions are done online.

It depends on the card you use. The transaction suffers under several communication latencies and most importantly fraud checking takes up a significant amount of time. A lot is implemented utilizing legacy technologies (I implemented a system once), as the initial systems were setup in these and the banking&#x2F;payment sector moves quite slowly. Anybody remembers the Y2K problem [0] ? ;-).<p>[0]: <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Year_2000_problem" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Year_2000_problem</a>

Do you mean the actual chip back and fourth? The inherent problem is that the 7816-d standard is a mess. It requires extremely small data exchanges on the order of <i>seconds</i> to get a cert out of the card.<p>This has been a mess since the mid 90s, when I first worked on these things.<p>Here a cruddy not at all usefule link to the standard:<p><a href="http:&#x2F;&#x2F;www.cardwerk.com&#x2F;smartcards&#x2F;smartcard_standard_ISO7816-4_annex-d.aspx" rel="nofollow">http:&#x2F;&#x2F;www.cardwerk.com&#x2F;smartcards&#x2F;smartcard_standard_ISO781...</a>

<a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;EMV#Transaction_flow" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;EMV#Transaction_flow</a>

The time varies widely. The remove card notice comes as fast as 3 seconds, I find 6 seconds more typical, and up to 15 seconds for the local grocery, and nearly 30 seconds for small pizza, sandwich, liquor stores.<p>There is no possible way it was taking this long for swipe authorizations; or even NFC authorizations which seemed faster than swipe but were probably the same, but more secure.<p>I still think the U.S. did this exactly wrong. 1. we were late to the game; 2. had started adopting better NFC technology; 3. instead of building on that, regressed to an old slow contact chip-based system; 4. instead of moving directly to PIN entry, retained signing, hence chip &amp; sign, rather than chip &amp; PIN. It&#x27;s idiotic.<p>And that&#x27;s just the customer size idiocy. The merchant idiocy is even worse. They paid for this transition. Not the banks, the processors, or EMV who ensure they make money hand over fist no matter what. If a customer has a chip card, and your POS does not support chip reading, the liability for fraudulent transactions is shifted to the merchant.

Edit: this is not entirely correct; transactions may go online or stay offline, depending on amount and connection speed. See comments below.<p>It might depend on where you are. Where I am, in the UK, chip card transactions are quite fast. Fast enough to use contactless (tap and go a.k.a. &quot;pay by bonk&quot;) where you literally just tap your card on the pinpad and go on your merry way [1].<p>The difference is that in the UK, transactions are not immediately sent online. I repeat: <i>they&#x27;re not immediately sent online</i>. So you don&#x27;t have to wait for the merchant to contact the acquirer, for the acquirer to respond and so on and so forth.<p>Instead what happens is that you dip, or swipe, or tap your card; the pinpad and the card figure it out between themselves whether you are the rightful owner of the card; the pinpad makes a record of the transaction; and you&#x27;re told the transaction is &quot;approved&quot;, then pick up your goods and go home. Later in the day, the merchant (i.e. an automated process at the store) sends an overnight &quot;batch&quot; of transactions to the acquirer, (i.e. the bank or credit network etc) and the acquirer either transfers the funds directly to the merchant, or blocks out the funds so you can&#x27;t use them again and they can be transferred to the merchant later.<p>That&#x27;s the EMV standard in a nutshell and entirely from memory, with a distance of a good few years from the time I worked for an EMV vendor (we sold a bit of EMV software that went on the Point-Of-Sale machine and handled all of the above). I might be misremembering a few things but I believe the above is mostly accurate.<p>tl;dr: having to go online for each and every transaction takes forever.<p>___________<p>[1] Or of course sometimes do a double take, realise the transaction hasn&#x27;t gone through, tap again, eyball the pinpad, then possibly insert or swipe etc. Sometimes it doesn&#x27;t work.

Planet Money did a story on this last year.<p><a href="http:&#x2F;&#x2F;www.npr.org&#x2F;sections&#x2F;money&#x2F;2016&#x2F;04&#x2F;13&#x2F;474135422&#x2F;episode-695-put-a-chip-on-it" rel="nofollow">http:&#x2F;&#x2F;www.npr.org&#x2F;sections&#x2F;money&#x2F;2016&#x2F;04&#x2F;13&#x2F;474135422&#x2F;episo...</a>

It depends not only on the POS itself (old models vs. new ones) but on the kind of connection.<p>Here in Italy, besides &quot;portable&quot; POS that have a SIM card and go through GSM&#x2F;GPRS (and are &quot;good speed, but not that much fast&quot;) now also 3g&#x2F;4g, the &quot;corded version&quot; can be:<p>1) Dial in (analogic)<p>2) Dial in (ISDN)<p>3) IP connected<p>The difference between #2 and #1 is like 4&#x2F;5 times faster ISDN vs. analogic, and the IP (provided that there are no network issues) is instantaneous.<p>I would say:<p>1) 5-20 seconds<p>2) 1-5 seconds (and GPRS is roughly the same, 3g&#x2F;4g is on the lower side)<p>3) 0-1 seconds (really, the sheer moment you press the green button, the receipt starts being printed)

I&#x27;ll recommend the following white paper. It explains in quite some detail the specifics of your question.<p>Cheers<p><a href="https:&#x2F;&#x2F;www.ul-ts.com&#x2F;offerings&#x2F;knowledge-sharing&#x2F;white-papers&#x2F;featured-white-papers&#x2F;insights-on-emv-transaction-speed-pos-performance-optimization-&#x2F;c-39&#x2F;c-2004&#x2F;p-2089" rel="nofollow">https:&#x2F;&#x2F;www.ul-ts.com&#x2F;offerings&#x2F;knowledge-sharing&#x2F;white-pape...</a>

I mean <i>worldwide</i> Monzo (UK challenger bank) get&#x27;s a buzz in my pocket from their app in &lt; 5 seconds to say accepted&#x2F;declined.

I have no idea what you consider slow, but the latest improvement here is contactless payments for anything under 25 EUR, which only requires holding the card close to the terminal for about a second. After which the payment is confirmed after another second.<p>Payments for which a PIN is needed are confirmed in the same amount of time and entering the PIN is the slowest part.

Using Samsung Pay which uses NFC on my S8 &#x2F; Gear S3 here in Australia and it&#x27;s pretty much instant. And I get a digital receipt on my device straight away, which is awesome. Protected by fingerprint, or code, so feels more secure than the Mastercard plastic with embedded NFC pay wave.<p>Tap based pay has become ubiquitous in Australia, and I love it.

It seems to differ between implementation. In Iceland the readers have usually been superfast. We just had a Costco open and the readers there are superslow. Goes through multiple handshakes and notifies you of the process. They might be hooked up to a different payment processor than the local ones, hence higher latency.

I believe Index was working on speeding up EMV transactions: <a href="http:&#x2F;&#x2F;www.index.com&#x2F;payments-and-security&#x2F;emv&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.index.com&#x2F;payments-and-security&#x2F;emv&#x2F;</a><p>I thought it now depends on the firmware in the card readers, which it seems companies like Index control.

Previously the mag-stripe conducted your card number to the merchant and they could charge essentially whatever they wanted (but there were various reasons they would likely charge the amount you owed). With chip, they have to compute the final amount while your card is inserted and cannot deviate.

I don&#x27;t know why but there is a convenience store around here that is faster than everybody else... I need to ask them what their trick is. I think that it is as fast as magnetic strip readers (not as fast as McDonald&#x27;s strip reader, but as fast as most).

Just two days ago I wondered how Costco was so blazing fast. I have the same hardware on my desk for development, but whatever they are doing is very different than what our partner is doing. I was only guessing - but they only have one bank to deal with?

Came across this article which talks about what goes on in the background: <a href="https:&#x2F;&#x2F;tech.affirm.com&#x2F;deep-dive-payments-60f5d17f6c71" rel="nofollow">https:&#x2F;&#x2F;tech.affirm.com&#x2F;deep-dive-payments-60f5d17f6c71</a>

And how come Apple Pay is so much faster than the chips + signature or chip + pin method?

So you think they are bad in the US? Live somewhere else for a while... you try the system in Australia and you&#x27;ll REALLY think they are bad in the US. Ha. But yeah, compared to other places the US is lagging. By a fair bit.

My hot take on them:<p>- my wait is annoying, population person-hour waits are breathtaking to consider<p>- all of my breaches are internet-based anyway, so I don&#x27;t see how it helps much<p>If all my CC transactions had an optional, on-the-spot second factor, now we&#x27;re talking.

The workflow can be quite quite complicated.<p>card&lt;-&gt;reader&lt;-&gt;pc&#x2F;terminal&lt;-&gt;transport (ip&#x2F;phone line&#x2F;gprs)&lt;-&gt;financial switch&lt;-&gt;financial institution.<p>Add to that emv, tripledes etc and it all adds up.

FWIW, Square&#x27;s chip reader seems to be much faster than many others.

All I can say is it was very slow at the McMurdo gift shop

could it be on purpose? to have it more secure? like, wait before you can retry?

also, other countries have completely switched over to chip&#x2F;pin for security reasons with little or no problems but due to not wanting to confuse US tourists the terminal software must allow pin-bypass so they can still sign instead of using a pin.<p>sigh.

Network latency

just another reason we&#x27;ll move faster into blockchain and decentralized crypto currencies...

I don&#x27;t know what the reason actually is, but I assumed it was slow <i>by design</i> to make it harder to compromise, similar to bcrypt.

Bad internet speeds, WiFi or business skimping on internet. It&#x27;s never usually the terminal, it&#x27;s the connection to their payment provider, or their payment provider reseller&#x27;s connection to THEIR payment provider.<p>It&#x27;s very common for bars and restaurants to have a dedicated line for the terminal, but usually they&#x27;ll skimp on tech (have seen dial-up over POTS or in a fibre-capable premises). Also very common to use 3G or 2.5G.<p>It&#x27;d take a tech all of 5 minutes to diagnose and suggest a fix for 98% of these slow terminals. It&#x27;s strange seeing businesses not look to fix these issues. If I was a payment provider I&#x27;d probably run diagnostics against my customers terminals every day and force poor performing customers to have someone come in and fix it.