It's not about paying by cash but paying by card offline. How is this going to be implemented I wonder.
On planes they often accept credit cards even when there's no internet. I assume this is a trust in-credit-based system because they don't accept debit cards, i.e. if you are worth being trusted with a card you can have your sandwich now and we will take care of the bank processing once we are on the ground. So maybe this will be like we trust you enough with basic goods that once we get a connection things will be sorted out situation?
The EMV standard has long supported an offline transaction flow. AFAIK it was the default almost everywhere in Finland circa 2011, contactless there was almost always instantaneous. Digging into why that was compared to the invariable wait when using contactless in the UK revealed this flow.
The card has a variety of risk counters on it that allow it to securely decide whether an offline transaction can proceed, at least some of which are also exposed to the terminal which can have its own separate policy. I imagine internally the banks and payment gateways have a huge variety of internal related tuneables.
Yes the EMV standard has offline card payments baked into it, and most banks in the EU and UK used to use offline transactions for contactless.
Your experiences in the UK are almost certainly linked to the card issuer you were using (was it a Monzo card by any chance), and nothing to do with it being the UK. The vast majority of the legacy banks have always used offline transactions for contactless.
However there has been a bit of shift towards online transactions, driven by EU rules likes strong customer authentication, which requires regular pin entries determined by cumulative spending and duration limits (which ever is hit first). It’s a lot easier to reliably meet the requirements of SCA using online transactions.
As for how offline transactions work. It’s reasonable simply. The terminal asks the card to sign the transaction using the cards private key. Now there is an extremely complicated set of rules around how liability shifts in the event of a fraud claim, depending on many factors like the type of transaction, if a pin was entered and validated by the card, if the card ask to go online and the terminal ignored the request, they type of merchant, the exact region your in etc etc.
But regardless of all that nonsense. The technical process is very simple. The terminal has the transaction cryptographically signed using symmetric encryption with a private key that is only known to the card and the issuer of the card. That signed transaction can later be presented to the issuer so the merchant gets paid.
Given it’s a symmetric key, you may wonder what happens in the event of a dispute between the issuer and the merchant, where the issuer claims they received a forged transaction. To which the answer is, the issuer sends a signed and sealed letter to card network operator saying they have double checked the transaction signature, and believe it to be forged. And if anyone doesn’t believe them, they can sue em (this is not at all a joke, it’s literally the documented and contractual process used by the major banks and card networks).
> However there has been a bit of shift towards online transactions
Not just a bit of a shift: Offline-preferred transactions are basically a thing of the past. EU rules have nothing to do with it (offline EMV is fully SCA compliant as well, as the chip can keep count, although it's a bit annoying to keep counters in sync if there's more than one); it's mostly for risk management and simplification reasons, I believe.
> The terminal has the transaction cryptographically signed using symmetric encryption with a private key
Offline transactions essentially always require card authentication as well, which requires asymmetric cryptography. (Otherwise, you could trivially forge valid-looking cards and offline terminals would be none the wise since they obviously don't hold the symmetric keys for every card issued; that would be way too risky).
> EU rules have nothing to do with it (offline EMV is fully SCA compliant as well, as the chip can keep count, although it's a bit annoying to keep counters in sync if there's more than one);
EU rules have everything to do with it. Meeting EMV with offline counters is tricky to get right. The reason I can confidently claim the SCA drove the migration of online transactions is because I was responsible for the technical implementation of SCA for a bank, and was part of the industry wide conversations that happened as banks figured out who they would comply with the rules, and tried to figure out what wiggle room existed. So I know SCA was a driver, because I talked to the people making this decisions.
> which requires asymmetric cryptography. (Otherwise, you could trivially forge valid-looking cards and offline terminals would be none the wise since they obviously don't hold the symmetric keys for every card issued; that would be way too risky).
This is where you are simply wrong. Again speaking as someone with actual experience working on this stuff, and having dealt with actual forged offline transactions as well. I can tell you the card uses symmetric encryption, the terminals themselves have zero ability to validate the signature a card produces. The terminals include some data that allows them to validate if a card number is routable, and also a hot list of card numbers to always reject, and thus reject transactions that can never be fulfilled, but they have no way of validating that a specific card or transaction hasn’t been forged.
The entire system depends on the physical security of the chips in cards to make key extraction extremely hard, and to also make the correct mimicking of cards extremely hard. But it’s hardly impossible, and there’s plenty of demonstrated EMV attacks out there in the wild. It’s just that they all hard to replicate, require special equipment, and generally make you look very dodge in the moment because you have to have a weird card with wires running your shelves so you can intercept the card comms. The manufacturer and distribution of the chips in cards is extremely tightly controlled, so you can’t just buy them. In theory anyone with a million dollars and ASIC contract could manufacture their own ICs, but there simply easier ways to steal money.
Ultimately EMV only needs provide enough security to make other methods of stealing more palatable. Cards are used for pretty low value transactions, so breaking EMV isn’t a very scalable way to steal money. You would be better off stealing products from merchants using decent pair of running shoes, rather than creating crazy ways to trick their payment terminals. Running shoes are cheaper and much more accessible than ASIC production.
> The reason I can confidently claim the SCA drove the migration of online transactions is because I was responsible for the technical implementation of SCA for a bank
Ok, "nothing to do with it" was too strong: I don't doubt that SCA was the death knell for many offline implementations. However, I've seen online-only cards in the field by many banks well before SCA became effective.
And on the other hand, I also know SCA-compliant EMV implementations that do still support offline transactions. As you say it's tricky, but it's possible. Europe is large, and you probably haven't talked to every single bank/processor :)
> This is where you are simply wrong. Again speaking as someone with actual experience working on this stuff, [...] they have no way of validating that a specific card or transaction hasn’t been forged.
Huh? If you have worked on this stuff, surely DDA and CDA ring a bell? They're both based on asymmetric cryptography, and they absolutely allow the terminal to dynamically verify whether a given card is authentic or cloned, without having to go online.
Without that, you could indeed copy the static signature data from any EMV card and replay it to an offline terminal and get away with it. That's why SDA has long been deprecated for offline transactions.
> The manufacturer and distribution of the chips in cards is extremely tightly controlled, so you can’t just buy them. [...] In theory anyone with a million dollars and ASIC contract could manufacture their own ICs
You can absolutely get them on Aliexpress straight from the manufacturer for a few bucks each, cheaper in bulk. They run Java, so you can just write your own software – the EMV specs are public!
What you can't get there is the cryptographic private key specific to the card number that the issuing bank embeds into it at personalization time.
EMV is a cryptographically sound (if dated and very complex) scheme, and secrecy of implementation is actually much less of a security factor than you seem to claim, despite the industry's (largely historical) obsession with secrecy.
> Huh? If you have worked on this stuff, surely DDA and CDA ring a bell? They're both based on asymmetric cryptography, and they absolutely allow the terminal to dynamically verify whether a given card is authentic or cloned, without having to go online.
Yes I was a little wrong here. My most recent experience in this area is dealing with messages on the issuer side. It’s been a while since I’ve done anything serious at the card config level, and don’t have a huge amount of experience with the handshakes that occur between card and terminal.
The missing nuance is that the transaction cryptogram is symmetrical encrypted, and that’s the only cryptographic blob sent over the card network to the issuer. As the asymmetric stuff only happens locally between card and terminal, and isn’t included in any data transmitted from terminal to issuer.
So the terminal can check that the card is a real card using asymmetric encryption, and that the produced transaction cryptogram was produced by that card. But none of that evidence is passed on to the issuer, only the symmetric cryptogram, which can’t be used for non-repudiation is sent to the issuer later.
Hence the experience dealing with forged transaction cryptograms, which were forged by an acquirer in a systematic manner to try and gain stronger chargeback protection because their sloppy transaction processing resulted in them processing a lot of fraudulent transactions, and then being hit with a lot of chargebacks. The process of “proving” to the network that this acquirer was forging cryptograms was sending a letter signed by legal team attesting to fact we had evidence of forgery, plus a much nastier letter sent to the acquirer in question to knock it off, and stop doing obviously illegal things. Ultimately it’s the acquirers legal counsel that acts as the enforcement mechanism here, and the obvious threat of lawsuit they’re clearly can’t win tends to be a very strong motivator for companies to tidy up their act.
> EMV is a cryptographically sound (if dated and very complex) scheme, and secrecy of implementation is actually much less of a security factor than you seem to claim, despite the industry's (largely historical) obsession with secrecy.
I may have overstated it a little. Bad habits from spending too much time dealing with PCI rubbish. The difficult thing to get across in these threads about payment networks is how much of the systems “security” really comes from clever legal contracts, and smart distribution of liability and risk. Effectively making in everyone’s interests to not do anything really silly, but the actual technical security is almost secondary to legal mechanisms that exist to ensure that participants are highly motivated to make sure that fraudulent transactions are kept to a minimum.
I used to have an online maestro card (was solo and now known as debit mastercard) and an offline card (was switch, now also known as debit mastercard) from a UK bank, due to having two current accounts there.
The offline card was from a current account with an overdraft and also worked as a cheque guarantee card, for cheques up to £250 under the (discontinued ~2011) cheque guarantee scheme[0] and had a special hologram on the back. The retailer would watch you sign the cheque and write details about you, the card and any CCTV etc. on the back of the cheque. I imagine the offline behavior of the card was similar, and was a carry over from that.
The online card was from a basic account with no overdraft facility and acted a bit like a prepaid debit card.
The tech is fundamentally fine - where the problem arises is human behaviour.
When offline contactless payments first emerged in the U.K., there was a significant spike in unplanned overdraft usage and disputed transactions, as people rapidly realised it essentially worked as a free line of credit, up to £100 or £250 depending on your issuer.
This quite quickly caused issuers to push up prices on offline transactions, which made them less appealing to merchants - add to that that people were talking about them being a hotbed of fraud, and merchants err away from offering them, PCNs start dropping the capability due to lack of demand, and here we are today.
I think metro trains in countries like The Netherlands and Singapore use this approach where in you tap your cards and entry and exit and you are billed usually somewhere at the end of the day.
Yes, stored value cards are a very mature technology.
For various reasons, they're mostly used in closed-loop systems these days (think laundromats, transit systems etc.), but historically there were open-loop deployments in many European countries, and in some countries, stored-value POS payments are still very popular, e.g. in Japan.
It's a real shame that the entire world moved to online-only. Sure, it's much easier and there's less opportunity for various kinds of fraud as a result, but in terms of availability during outages or cyber attacks, it was a big unforced step backwards.
> historically there were open-loop deployments in many European countries
Indeed, there used to be things like "Moneo". The problem is that banks never trusted really these systems, so you were limited to, say, 50E of stored value. Also for some reason in Europe the readers of such cards have never been great, I guess because most devices were built on the cheap, so even if the transaction is offline and supposedly fast, you would have to wiggle your cards all around most readers for 2s until it's picked up.
In Hong Kong there is the Octopus card, which started as a closed loop subway card, but ended up being so loved that now you can pay litterally anything with it. It can store up to $500, and you can set it up to automatically top-up to $500 more per day linked to your bank account. Also accepting payments from octopus cards is very easy, you don't need a physical device and small businesses can just have the customer card tapped on their phone with a merchant app.
These were storage only though, right? Such systems are trivial to compromise.
Stored-value payment cards usually contain at least a secret key and some logic that allows them to establish a secure channel to another trusted entity, such as a merchant smartcard (which can be embedded in a terminal) or a backend server (and a corresponding HSM).
Not in the Netherlands, no. The card can be a bank card, and you can be billed at the end of the month automatically through direct debit.
It also wouldn't work as you describe, as the terminal at the point of entry doesn't know how much to charge you since it doesn't know where your journey ends.
It will bill your 4 EUR (on a tram/bus) or the whole 20 (or something on a train) instead of the actual journey price if you forget to checkout. Pretty sure it can decline cards for insufficient balance too. Not sure the entry gate blocks the amount.
Actual chipcards don't bill you at the end of the month either -- they reload a fixed amount through direct debit (which takes a few days) the moment your balance crosses zero. If the direct debit isn't setup for a card (because it's not a personalized card) or the debit was rejected, the card is blocked.
For business chipcards cards it works somewhat the way you described.
Some transit systems work by putting a hold on your card for a nominal amount. When you finish your journey it then only claims the cost of your journey
It definitely exists in Amsterdam, no? When I visit I just tap my card/phone on NFC enabled card checking machines (which exist in and out of the stations)
A lot of internet payments work this way already anyways, not many gateways require auth before capture, processors/payfacs just do it because it gives lower interchange and reduces risk.
That depends on where you are. But all the major networks expect auths before capture, even if it isn’t technically enforced, and will punish gateways and merchants who have low auth rates.
Auth before capture doesn’t generally reduce interchange. What it primarily does is shift liability in the event of a dispute. If a chargeback is raised, and no auth happened, then the merchant simply looses immediately. They have no mechanism for fighting the chargeback. If they auth first, and got an approval, then it’s the banks problem in the event of a customer dispute. The merchant can reply to the chargeback by pointing out the valid auth they received from the bank, and the bank has to go pound sand.
You may see this as different “interchange” rates from a specific gateway. But that’s simply not true at the network level. The difference in pricing just exists so the gateways themselves can price in the additional risk associated with auth less captures, given the gateways are always on the hook, even if a merchant goes bust. The major networks force gateways to have funds kept in escrow that are guaranteed to cover any shortfall that might occur due to individual merchant failure, or failure of the gateway itself. That how networks make sure that zero real risk every accrues with them, they make everyone else put up huge stacks of cash to ensure that every virtual cent that’s in flight at any moment, is backed by a real cent in escrow somewhere.
I always wondered how come that some online merchants where I record the card do not ask for auth or 2 factor and some other does. For example, I have recorded my card info in a webapp that I use to pay the bills, and it never asks for anything, which is good, as I have many bills to pay, and I wouldn't want spam of 2FAs. Can you provide some technical terminology on this behavior or links, since you seem to be in the knows. Thanks.
Amazon as well seems to never do proper auth (at least here in the UK). When using an existing card where the delivery address matches the billing address, card transactions go through instantly
There is no rule that there has to be a single payment per authorization, if you read for example mastercard API https://in.gateway.mastercard.com/api/documentation/integrat... it says you can partially capture, you can extend authorization. So for all you know when you buy at amazon it just updates the authorization and charges you later but keeps authorization going and amazon might just check if they have auth token for your card and if they do system allows you to continue and to you it seems instant.
It’s a lot more complicated and nuanced than that. The API docs you link too are for an API that covers a tiny fraction of what can be expressed in the actual ISO 8583 messages which are the real “API” of the card networks. The docs for those are hundreds of pages long.
Plus you need to analyse how the different messages types and sequence of messages interact with the transaction processing rules, which are also hundreds of pages long.
Suffice to say, the entire system is insanely complicated, and just about everyone out there implements it all incorrectly, with the whole system on working because partners are only allowed to complain about the insanity if they actually loose money. Until that point they’re expected to just handle everything as best they can.
Ultimately all this stuff comes down to risk and risk management. The card networks themselves don’t provide any technical enforcement of most of their rules, beyond low level technical rules around message format and structure (and even that enforcement is pretty small).
Instead they effectively make all the parties that connect to the network responsible for rule enforcement. If a merchant follows all the rules correctly then they receive extremely strong chargeback protection, I.e. if an issuer sends a chargeback, and the merchant has plenty of grounds to dispute the chargeback and win.
If merchants don’t follow all the rules, then issuers can send chargebacks, and it’s much harder for the merchants to defend themselves.
In all scenarios it up to the issuers and merchants to explain in the chargeback what rules have been broken, by which party, and thus who should win based on network transaction rules. The networks themselves don’t even make a ruling directly, instead the issuer and merchant decide who wins via a back and forth process that includes escalating fees paid to each other, until one side gives up. The networks only get involved the two sides can’t resolve the issue themselves, and will charge the looser a significant fee for the privilege, so there’s a strong incentive for the parties to resolve the issue themselves.
How does of this interact with 2FA, auths etc etc. Basically 2FA, and ordinary auths are all just things a merchant can do, or trigger, to reduce their liability and get better chargeback protection. If the merchant performed a full 3DS auth, where the issuer is asked to perform 2FA, then they have pretty complete chargeback protection in the event of fraud, because they’ve basically asked issuer to make absolutely 100% that this transaction has been approved by the issuer’s customer, so there’s zero grounds later to claim that a stolen card was used or something similar. If the issuer’s customer wants to dispute the transaction, that’s the issuers problem.
But all of these mechanisms reduce checkout rates, and thus merchant revenue. As a result some extremely large merchants make a trade off of basically accepting all the risk of fraudulent transactions, and give up chargeback protection, but not following all the rules. The merchant does this because they’ve basically asked believe they have enough data to prevent fraudulent transactions, without using any of the tools the card networks provide.
For merchants that can do this (like Amazon), they build in-house fraud detection systems, and payment systems that evaluate the risk of each transaction, then change the exact way they perform the transaction to either reduce friction (because the transaction is very low risk) or increase friction (because the transaction is higher risk), thus allowing them to capture more revenue, without taking on more risk (because they have confidence their ability to detect fraud, and thus don’t need help from the issuers).
But there are very few merchants that can even do this, as it generally requires either a very collaborative payment gateway (who are ultimately on the hook for merchant misbehaviour), or a direct connection to the card networks (who aren’t interested in talking to people not moving millions of dollars every day). Which is why it tends to pretty rare.
The way gateways and networks handle auth are not the same thing and it gets really muddy and confusing, honestly.
If you’ve already tokenized the card on a gateway for a particular merchant, for example, they may allow you to keep pushing multiple charges while on their end still using the original network auth from the first tokenization - which ends up being entirely opaque to you, the client of the gateway.
Essentially you don’t have to care what the card network rules are, just how your gateway presents functionality to you.
Exactly like that most likely, I am old enough to remember those machines where credit cards left their mark on the receipt, that is why their numbers are higher than the card.
What’s fascinating (apart from the sound those things made is still in my head) is that the very nature of the technology meant who could and could not get credit varied. At first (1950 diners card onwards) only well off could use it at limited establishments (ie restaurants) and they would postal deliver lists of cars - initially white lists of valid card owners and later hot lists of delinquent card owners. Stick your privacy issues in the restaurant food bin there!
Calling a call centre to verify every transaction is too expensive so only purchases over certain limits came in following BofA/Visa - and that stated that way till the late eighties when larger stores started using back office to talk to Visa network etc. but even so the ability to do live updates and verification was too much and there were weird cacheing tricks
So banks could easily approve or be liable for transactions they would prefer not to approve - so they only gave credit to the rich at first, and then to those who paid back regularly. This info was shared and became credit reference agencies - because the credit card companies shared it initially like casinos but the abuse and mistakes brought legislation
I think what i am saying is our consumer credit culture was not designed, it just grew.
I think it was normal that you had to show ID that matched the card name, and compare the signatures too. Now the signatures are just a spot to draw something funny.
In the 80s and 90s in the UK you just signed. The card imprint was embossed by the machine which put it onto the carbon, and that was sent off to the bank for payment later in the week, like cheques.
I last used a carbon credit card in the early 00s. Electronic swipe and sign for a credit card had gone pretty much everywhere I went except the US by about 2010
My employer in the UK had a machine in around 2014, but it was only used for sales of their own products to employees.
It put all the transaction risk onto the employer, and had a high fee per-use, but since they only had these 'stock clearance' sales to employees once a year it was fine.
When I was working retail (almost 20 years ago :[ ) we imprinted more often because of a failed magstripe, than a computer outage. In the event the card couldn't be swiped, you could key the number in, but the printer would create an extra-long signature slip instead of the normal kind, and we'd imprint the card onto it, as proof the actual card was there. This was I assume to prevent us from having to pay a higher 'card not present' interchange fee, and in terms of fraud, made it really obvious if someone was doing something shady like typing in card numbers without the card or cardholder being present.
We did sailing charters growing up and had one of these on the boat, I was in charge of it and the sound & feel of the CH-CHUNK is seared into my memories like nothing else. We never got any declines, but I always wondered how that reconciliation process actually worked out.
We never got any declines, but I always wondered how that reconciliation process actually worked out.
IIRC, the merchant gets paid if hitting a credit limit or similar decline reason. The card holder then gets hit with a financial penalty (usurious interest rates, or extra charges). If the card has been stolen, it ends up in a big phonebook-like book for offline use (otherwise the merchant just called it in for big purchases).
I remember buying books at a shop in Denver in the late 80s and watching the proprietor look to see if my card was in the big book of stolen credit cards numbers before he ran my card through the kachunka machine.
You didn't get any declines because you didn't ask for any approvals :)
If you mean chargebacks: I believe imprinters had card issuer liability for the longest time, at least as long as the transaction was under the (network-defined) "floor limit".
So if these were relatively low value transactions, the bank would simply not have any standing to decline payment.
When I got my first account to accept credit cards in the 90s, they sent me a kachunka machine along with a bunch of window stickers, all of which were kind of silly since it was for a magazine and I almost never took payments in person (it was also a challenge to persuade banks that the fraud risk was low since magazine subscriptions required a stable mailing address over the course of a year—as it turned out, the only instance of fraud I ever had was a subscription plus back issue order sent to Hungary—still kind of weird to think someone would engage in crime to get issues of a magazine about typography).
In the 90s through political turmoil in the Balkans (former Yugoslavia, so perhaps Hungary which borders it to the North was similar), it was impossible for young adults to acquire a payment instrument that worked online (even my dad had a tough job getting a Visa card: you had to deposit something like 500 Deutsche Marks for a limit of 200 DMs, which was like 50x monthly salary, and only one or two banks issued them). Thus, lists of stolen credit cards were circulating online after 1995 when we got dial-up internet into homes (it was only in Unis before that).
If you had any interest in any topic you read about on the web or in a book, that was the only way to get things even if you had the money otherwise.
Just because an imprinter was used doesn't mean the transaction was necessarily "offline". Depending on merchant's policy, the cashier would call their processor, give them some transaction details and receive an auth code for the transaction which would be written on the imprinted ticket, thus authorizing the transaction at the POS just the same way it's done today (except with humans and phones, instead of an electronic handshake).
Given that GP was the one doing the imprinting, I believe they'd have remembered having done a phone call to a processor or card network on a sailboat :)
I think there was a limit of something like 60 days. At least my bank apparently refused all transactions that were settled too late.
I had a job which involved a lot of taxi trips, and when I cross checked 30% of the trips where never charged my account. I suppose they just filled up the glove box with old slips until they couldn't shut it. Hotels never failed.
In Canada, taxi drivers could be charged horrendous fees for these transactions so sometimes you’d see the charge coming through some random convenience store
My company had them on-hand until around 2021, when I told everyone to throw them out. They'd last been used - at one location, during a complete POS meltdown (I don't miss Aloha at all) - in maybe 2018? No one could remember a previous time.
I'm trying to think the last time I saw one in use, last year or a couple years ago when there were large scale power outages. Of course the newer cards lack raised digits so I'm not sure how well they worked for keeping business moving. I had cash.
As I recall, the slips do have a spot where you can just write the numbers down. But widespread lack of raised numbers makes them hard to use. I think all my cards have been reissued flat by now.
I used those machines to charge cc’s at a major ski resort in California in 2004. At the end of the day I would enter all the details in an online terminal and process the charges for real.
this is what first came to mind for me too. I'm in my 40s and still saw them used semi-frequently during my life. In ~2015 I actually paid using one in a taxi, that was the last time.
Heh, in 2014 I remember taking a taxi that only accepted card using an imprinter, which was unfortunate because I had just gotten a new card and the numbers weren't embossed. He had to drive me to a gas station to get cash from an ATM.
I imagine there is a clear and distinct line between "I've never seen one of those" and "I can remember exactly how those sound". The sound of sliding that handle over the card is ... distinctive. I can discuss it with someone, slide my hand left and right, and say "shunk, shunk" and lots of people will very clearly remember them.
“Never heard of these”, meanwhile I was remembering a credit card that I used so often that I wore the coloring off the raised numbers.
And I guess if one has never seen these, I need to explain. In order to leave an impression on the carbon paper (I should probably explain that, too, huh?), a fair amount of pressure was needed (those old card imprinters didn’t require a gym membership, but a child could not operate one). That rolling pressure would eventually wear on the surface of the card, and turn the numbers white when the outer layer wore through.
If I remember correctly, this sound is part of Pink Floyd's song "Money"... part of the background rhythm. I wonder how many of the "Never heard of these" crowd would recognize it if they hard it in person... smile
> It's not about paying by cash but paying by card offline. How is this going to be implemented I wonder.
Considering that the card has memory on it, you can store there how much balance you have when you do an online payment. The bank can send back your available balance, so you cannot spend offline more than you have.
In the past embossed credit and debit cards were both accepted on planes. That's why they were embossed in the first place: for offline processing which in even more distant path was the only option. Later CC machines and offline chip/stripe transactions co-existed with online transactions.
Normally (at least in Europe) you couldn't get an embossed card, even a debit one, without proving your credit worthiness. The possibility of offline transactions assumes overdraft — the same as with check books.
When online transactions appeared, banks started to issue Visa Electron and Maestro cards which didn't work offline, could explicitly prohibit overdraft and were easier to get.
But nowadays all boundaries gradually disappeared. Nothing is embossed, Visa Electron doesn't exist, bank issue debit cards with credit codes. It's all much simpler and more confusing at the same time.
Ironically, the few embossed cards I still have are from debit or prepaid issuers, presumably in a plot to make them look more "official", so at this point we've looped around completely and I've started associating it with a dated/tacky look. (They also take up twice the space in my card wallet and often lose their cheap metallic paint over time, annoyingly spreading glitter across my pockets.)
star/plus/cirrus etc - pure debit-only networks - aren't accepted on a plane
debit cards that are on one of the credit card rails (visa, mastercard, etc) are very common. those work because they're just a normal visa transaction
> those work because they're just a normal visa transaction
I wouldn’t be so sure about that. In some payment situations you’re asked whether you’d like to have the transaction go through as debit or as credit—so those two must be different somewhere. And probably in more than just a bit in a packet, as, for example, paying with debit Visas or MasterCards (normal ones, not Electron resp. Maestro) in the Netherlands (where locals almost universally have credit cards) is something of a crapshoot.
They use largely the same rails/network (for example Mastercard). The only meaningful difference is on how and when funds are reconciled.
Some payment providers ask up front to simplify the flows as it's not totally trivial to determine what sort of card it is, and also because different fees apply - historically some merchants added specific fees to basket etc. (less so nowadays but the UI convention sticks)
> Some payment providers ask up front to simplify the flows as it's not totally trivial to determine what sort of card it is
And because the same card can be both. At least here in Brazil, most bank cards have multiple uses (credit, debit, ATM) in the same card. AFAIK, they're separate applications within the same chip, and the terminal has to select which one to use before starting.
Interesting! Did not know that offhand but just looked it up in the technical docs and this is part of the standard. Interesting to hear how other countries have adopted different approaches.
From memory, online and offline transactions are usually split out by BIN number (first six digits)
The BIN will tell you which bank was the issuer and which class of card you have, like standard or premium, though most readers probably don't take that into account beyond the card scheme and card type associated with the range that the individual BIN is in. Many banks will have multiple BINs for the same card type if they are large.
Credit / online debit / offline debit usually get different ranges. The reader gets a list of the ranges when it updates and they don't change super often. Offline readers can be configured to reject cards with a number in an online only range.
It's usually based on the chip settings. Rules aren't as simple as "always online" or "never offline"; an issuer can e.g. convey that they'd prefer online transactions for certain types of payments, while offline is ok for others, via relatively complex configurations of the code of the chip application.
Before that, there was the service code on the magnetic stripe, which also can convey things like "online only" or "domestic use only".
The BIN is only involved in risk management on the terminal's side: Many of these in-flight terminal accept deferred online transactions, which means that, even though they're completely offline, they take the risk of accepting an online-only card. (For truly offline capable cards, the risk is often with the issuing bank.)
That type of risk management can benefit from knowing what type of card it is, and prepaid cards are often seen as riskier (because customers might intentionally drain them before a flight). Of course, debit and credit cards can also be empty/marked as stolen, but these are marginally harder to get and replace.
Yep you are completely correct; people don't realise how complex the chip is - it has what you'd legitimately recognise as an operating system! It can also be reprogrammed over the wire, if your chip and pin is taking a bit toooo long that might be what's happening.
Your correct on the risk spread. I wasn't confident last night (I'm not totally versed on the terminals) but looked it up. As I understand if you choose to accept offline only payments then you accept the risk of the transaction failing. If it's the issuers choice they own the risk.
> The only meaningful difference is on how and when funds are reconciled.
Nope, even this is identical. These days the difference between a debit/credit card is pretty much aesthetic, from a transaction processing perspective there generally isn’t any actual differences. Differences that people see today are most artificial for the purpose of justifying extra fees, or higher interchange based an entirely arbitrary factor that has zero correlation to any risks that appear in the transaction processing and clearing mechanisms.
Basically the only reason anyone really bothers keeping the difference between credit/debit cards around, is as a technical excuse for discrimination and abusive fees. Notably in the EU nobody cares if a debit or credit card is used, because the EU outlawed all the crazy fees and other bullshit, so now there’s no commercial reason to differentiate between the two 99% of the time.
There are a few differences for sure. All entirely technical in how the money moves or clears. The most obvious point here is debit card moves your money from your account, credit moves the issuers money from their account.
But to your wider point; from a transaction fee point of view you are dead right. Of course a credit card has other attractions; for example it's credit :D but also things like section 75 protection.
> There are a few differences for sure. All entirely technical in how the money moves or clears. The most obvious point here is debit card moves your money from your account, credit moves the issuers money from their account.
From the perspective of the card network and the merchant, there is no difference here. The card network has a contract with the issuer, so all transactions, in all scenarios, are always first paid by the issuer. It’s then the issuers problem to figure out where they get the money from.
It’s entirely possible to perform transactions on debit card that will place the account attached to it in a negative balance, and for the person owning that account to vanish. The card issuer is still on the hook for the money, neither the card network, nor the merchant, care if the issuer recovers the funds or not, they always get paid.
Edit: OK maybe there's different level of trust and some take a leap of faith :) In my experience debit didn't work but it appears that its not the same everywhere.
I don’t see why not, they can be run just like a credit card through the same network.
When a debit card prompts for a PIN, don’t enter it, press submit, and it runs as credit instead of debit, but functionally works the same as far as the card-holder is concerned. It might take slightly longer to settle, and the merchant likely gets charged higher fees, but it works just fine. When I got my first debit card 20+ years ago my bank specifically told me to select credit and using it, instead of using it with the PIN as a debit card.
These days I’ve noticed the systems tend to auto-prompt for the PIN instead of asking credit or debit. But skipping it functionally works the same as pressing credit used to.
This is not the case of debit cards in Europe. Debit cards are tied to bank accounts. Most people only have a debit card or don’t even know what a credit card is (or what the difference is). We just call them “cards”.
You can buy debit (or more accurately prepaid) cards in supermarkets in Europe too (which is a big and relatively diverse place, so just because that is/was not a thing in the countries you're familiar with doesn't mean it didn't exist).
I have no idea how the terminals operate, but I was on a flight two days ago and paid with a debit card. The flight otherwise required devices to be in airplane mode. Though there are flights that offer wifi, so there's a good chance the terminal can communicate with the ground, but they just don't allow anything else.
Yep, but IIRC only if they are credit, not debit. I guess they also have certain special conditions with the processor...
Edit: I've also seen it when paying on the cafe car while on train trips in Spain. Even without any cellphone/internet coverage they'll let you pay, but only with credit.
It’s definitely not that simple. It’s totally random. I have only European debit cards, and I can pay everywhere. The same was true with my cards from other countries. Sometimes only Apple Pay/other NFC based system worked for some reason, which is connected to the same cards, when on the same airline I could pay with my physical cards in any other instances. Sometimes I can pay only with my physical cards. Sometimes one of my card doesn’t work. However, I didn’t have problems with them in the US in the past few years. It was more complicated over there before COVID.
Can’t debit account go negative where you live? It’s definitely possible. Even when you don’t have an account credit, or what it’s called. Of course, this is possible only in strange circumstances, but still, I had a debit account with negative statement once. If I remember well, it was because similarly delayed offline transactions. It probably depends on country and/or bank.
> paying by card offline. How is this going to be implemented I wonder.
Paying offline used to be the norm for credit cards, from their introduction in the 1960s until some two decades ago.
Wikipedia: [...] until always-connected payment terminals became ubiquitous at the beginning of the 21st century, many merchants accepted all charges, especially those below a threshold value or from known and trusted customers, without verifying them by phone. Books with lists of stolen card numbers were distributed to merchants who were expected in any case to check cards against the list before accepting them, as well as verifying the signature on the charge slip against that on the card.
Often this is indeed trust-based, but the trust isn't due to you having a card issued by a trusted bank (most airlines accept debit cards too), but rather due to passengers being extremely visible and well-identified:
In-flight credit card fraud is an incredibly bad idea, given that most countries check your ID at least at some point during getting on the plane, and seats are usually assigned as well. (Doesn't mean that nobody tries, of course [1]).
Sometimes airlines also use ACARS (basically airline-specific telex over VHF, HF, or satellite) to send the card number to their backoffice for authorizations of large amounts, such as business class upgrades.
These days, of course, Internet connectivity is getting more common, and with that the problem will likely go away.
Not that I disagree, but it does make me wonder if this would be one rare instance where American Express which I know is notorious for siding with their customers (at least for a time? - my father worked as an accounts payable accountant at a big hotel in Orlando near Disney World and he said American Express was notorious at not paying even with signature if their customer claimed it was fraud) would still side with their customers. Leaves one to wonder if they even take Amex on flights.
I still remember them taking my card which I think was a debit card on a flight and shoving it into carbon copy paper and basically billing me whenever we landed. This was late 2000s. From Puerto Rico to Florida.
I doubt you'll see any bank not siding with the cardholder in an offline or deferred-online scenario, since they're usually not liable for any ensuing fraud and accordingly can just charge the transaction back from the merchant.
In Norway, the card terminals usually go into an "accept with signature" mode if they are temporarily offline. So they print a receipt that the customer has to sign. (This is for BankAxept debit cards, which are standard in Norway.)
In a grocery store line once, I remember a distraught customer whose card was declined due to insufficient funds. The store manager came over, yanked the ethernet cable from the payment terminal, and told the customer to try again. "Accepted with signature."
I’m a millennial and even I remember when all card payments were offline.
I remember a bar I worked at had trouble because some customers had begun writing wrong signatures and the receipt had been rejected by the bank the following week.
Restaurant POCs have an offline mode. They had to ask my zip code so I suppose it just counts as a "card not present" transaction that goes through later. Does present the question of whether that data is temporarily stored unencrypted or if it's immediately encrypted to be sent to the bank when it comes online
I, for my sins, have had to read PCI certification standards, and they're required to be encrypted, or not stored at all. Not that every implementation follows that, of course, but that's the expectation.
I work for a POS company and we support offline payments. The SDK(s) we use for our card readers give us an encrypted block of data that we can store and retry when back online. We don’t support “Card Not Present” when offline, we always tokenize cards if we enter them manually (HPP) which we can’t do when offline.
What would asking for the ZIP code help if it can't be validated on the spot? If the terminal submits the transaction in batch later, it's too late for that to catch a stolen card.
Providing an incorrect ZIP code also makes the transaction more likely to be declined than not providing one at all for card-not-present transactions (and is also allowed), so it really makes no sense for a merchant to do that.
On every flight I've been on recently, Internet was available to passengers. Surely a few KiB (I assume that this is what a credit or debit transaction requires) could go over this system?
That said, just because there is no passenger connectivity doesn't mean the airline doesn't have some, for operational reasons. Even if that's just a narrowband satellite or VHF (ACARS) link, credit card transactions take very little data (POS terminals are 80s technology, after all).
That said, I still don't think that that's too common – building out cabin Wi-Fi for card authorizations only is probably not worth it, given how hard it is to get away with fraud in an environment where every seat has a passenger name to it, and that name is often verified by the airline or government at the airport or at boarding time.
Well while seats do have a passenger name to them, people end up in interesting places on underbooked long flights like over the Atlantic. Cabin crew sometimes gets excited if people move too much. But this is rare.
Most EU flights I’ve been on offer Internet to travelers for a fee. Even if they don’t offer it to travelers, it doesn’t mean they themselves do not have Internet connection… I’m sure most of the time, they have access to the internet and paying by card is not more complicated than paying in any other store.
> Even if they don’t offer it to travelers, it doesn’t mean they themselves do not have Internet connection
It usually does, it requires quite a bit of equipment and it doesn’t make economical sense to install it and not sell it to passengers. Airplanes have other means communicating with the ground and airline offices though.
I took a Spirit about a year or two and accidentally gave them an old card for payment. They didn’t bill til a day after landing and it got denied. I settled it on a later flight but they definitely lose some money from this.
Credit cards were originally an offline payment method. The merchant would create a receipt that included a contact paper imprint of the card (which is why the card has raised lettering) and would present it to the bank for reimbursement.
I got my first Credit Card in 2000 (I think that was 2000 or may be 2001). Credit Card swiping devices were rare and many a store just use that Imprinter thingy, and I sign on the carbon papers. That was an offline process. This was in Bombay (INDIA).
Using a card-to-card transfer of some sort of credits/units, with eventual online settlement. Using chip cards, obviously. The tech for this existed since at least mid '00s.
I mean that is what mondex was and oystercard is today. Closest we can get on the us is a prepaid refillable gift card. I Keep hoping for digital cash, no dice so far
My Garmin watch has Garmin Pay, which works even if I don't have my phone with me. I think I just presumed that there is a bank balance cached somewhere in the app so that an attempt to spend up to a hard limit or that amount will work.
Mobile/wearable wallets are usually online-only, since you can add one card to many devices, so offline limits would be really painful to synchronize (or alternatively banks would be taking a big risk by allowing more than one or two devices and duplicating limits).
Airlines typically are already in possession of your credit card, so most likely it's just "if he stiffs us, we can always find the carrier they registered with"
Essentially, you (the merchant) just write down their card number, and how much they paid you, and then later you send that list to your bank who sends it to the credit card network.
There is no big technical hurdle. There is a big social hurdle in convincing your bank and the network that you should be allowed to do this. Also the card number gets copied by a little pressing machine onto carbon paper or something like that, not just written down.
Being able to spend money you don't have is not a new thing, and poses no technical problems. American readers will know you can easily do that with a cheque. It's your responsibility not to do that, and that's one reason why the bank wants so much personal information to open an account, so they can send the police over to break your kneecaps.
I don't think they do, people move around and swap seats. I expect they just find the losses small enough to write off. I was once travelling shortly after being issued a new debit card, but still had the old one in my wallet and used it by mistake and I wasn't charged. They never tracked me down for the cost of that packet of crisps!
A "debit" card could have 1000 crypto wallets, each with $10 in them. If you want to pay $90, it forks over keys to 9 of the wallets, and they get drained by the merchant as soon as they have a connection.
Offline, without double spending risk? Absolutely not, or at least not without a lot of extra headaches.
For that, you'll need at least some trusted hardware (generally an antithesis to trustless crypto schemes) and/or a clever incentive system (e.g. with senders staking a multiple of their balance as collateral, and never being quite sure if receivers are really offline, or only pretending to be, ready to claim their stake once they get publicly verifiable proof of double spending).
Some context might be useful here. I spent some time living Sweden not too long ago and Swedes practically don't use cash. It's usually not said out loud, but cash is often considered to be dirty and criminal, to the point that most don't have any at all. Digital payments are very convenient and deeply integrated, so long as you have a local ID which allows you use the local payment system Swish etc.
This worked nicely until the tensions in Europe lead to more cyberattacks rolling in and suddenly you have people not being able to buy food, medicine, and so forth. Not too long after, there was a government advisory urging people to keep some cash reserves in case a larger cyberattack happens, but cultural habits at large are hard to change. This is of course a coarse simplification of the context, but might help understand this incentive a bit better.
> "It's usually not said out loud, but cash is often considered to be dirty and criminal ..."
Are you sure this isn't impression you've gotten from isolated reactions involving a small number of individuals, perhaps just a single individual? I can't relate to the sentiment at all, having lived here for just over three decades and experiencing the popularity shift from cash to debit card. I can, in fact, not recall a single time ever that someone has divulged the opinion that they consider cash "dirty and criminal".
More than anything else the Swede's favor of debit card is the convenience. Second to that I would say is the security of not immediately losing funds if you misplace the card or it being stolen - it feels less risky carrying a debit card, in particular if you're the type who prefers having more than a few "tens" on you in case you'd need or want to buy something.
I'm Swedish and if someone insists on doing a transaction using cash when Swish or card is available, I'd immediately start to wonder if it's for some kind of more or less shady reason, probably tax evasion at the very least.
You have to differentiate common purchases from "large" purchases in this discussion. I'm certain you don't think there's something shady going on, or tax evasion happening, if someone uses cash in the grocery store or at Pressbyrån, or to pay for some little gadget or whatever at Kjell&Co.
This is what people think of when someone "uses cash". Not hauling tens of thousands to buy a used car or to settle the bill for having your bathroom tiled, which would be cases I too would raise an eyebrow over.
I think they're talking about when merchants insist that you give them cash ("cash only"), not when buyers insist on giving cash. The usual assumption is that if e.g. a street-food cart is cash-only, it's not because they can't accept cards (it's rather trivial nowadays) but rather that 1. they don't want to pay the interchange fees, and more importantly, 2. they want to be able to cook their books when reporting revenue.
There are businesses that attract people that use cards fraudulently and the business gets flagged demand eventually dropped. Gas stations in less desirable neighborhoods in the US have this issue and some only take cash.
Credit card fraud is not nearly as common in Europe as it is in the US.
Additionally, and specifically in Sweden, the fees that banks charge businesses for handling cash (picking it up and depositing it at the end of each business day) have increased significantly in the last decade or two. This has been a significant factor in driving businesses away from cash - it's just expensive for them to deal with.
A cheaper alternative to cards here is app payment via Swish (approximately like Venmo). Goes straight to the vendor's bank account at a flat rate of the equivalent of USD ~$0.15 per transaction.
That used to be semi-common for smaller transactions in Sweden but was made illegal. Not sure why, probably to fight tax avoidance.
At this point the cost of handling cash is way higher than handling cards and as no one in Sweden ever uses cash its no longer relevant at all anyway. Now many (maybe even most?) dont accept cash to avoid the cost of handling cash instead.
No, it really doesn't, besides the fixed investment of buying a cash register. The idea of being forced to hand over a percentage of all my earnings to private company is abominable. I pay taxes to the elected government, not to some bank. It's why I only accept checks, ACH transfers or cash as payment, and it saves me 3% of my income a year over taking credit cards.
In the EU fees are capped at around 0.3 % I believe.
And you're mistaken if you think cash is cheaper for most stores. You risk theft (so need to pay for measures against that), you have straight losses from mistakes, have to spend time handling and counting cash, spend time depositing, spend time buying change, etc etc
I’m pretty sure there are fees involved with running a cash register, aren’t there? At least in Sweden, the machine has to be certified, registers with the tax authority and then inspected for re-certification regularly.
Regarding cash, does your bank not charge a fee for depositing cash?
What do you think happens to the cash at the end of the day?
Managing cash has costs too, they're just harder to quantify: you have to ferry it to a bank, you have increased risk of theft, fraud, and robberies, you need extra time to actually check the register etc.
And then you risk losing business if you don't offer card payments because it's just more convenient for most customers (you may like wise lose some if you don't take cash, but that's a vanishing market).
One big difference is that there's competition between cash handling providers, while there's essentially zero wiggle room for interchange fees.
That's what makes interchange and network fees so much more problematic than acquiring fees. There's very healthy competition between credit card acquirers and payment service providers on both features and price, but in the end, you have to accept whatever card your customer has or there won't be a transaction.
In the EU the authorities have recognized the power of the card networks and introduced price controls on interchange fees in 2015, capping them at 0.2% for debit cards and 0.3% for credit cards.
Note that Europe passed a law that limits interchange fees to something very low by US standards, like $0.20 or 0.05%, so it's not a reasonable excuse.
(The fact that credit card networks continue doing business in Europe proves they're still profitable and the US is getting ripped off by these fees)
Definitely cultural: Italy has a big tradition of merchants evading taxes, and there have been multiple steps over the year to mandate card payments cause those imply the merchant will pay taxes.
So if you are a law abiding citizen you can easily be pissed off that you get to pay taxes and they don't.
For a few years "we don't take card" was widely interpreted as a strong indicator the merchant would evade taxes, and "I won't go there anymore" was a common reaction from some people. These days it's technically illegal and yet you will still find _some_ shops that only want cash.
Yeah there's that cash only bar in central Stockholm that's cash only. Everyone just "knows" they launder money there. I forget the name of the bar, it's on a barge near Tantolunden. it's the shadiest place I know where you can't barely find any shade!
FWIW I am Australian and we have a similar adoption rate of cashless payments.
If a merchant tries to promote cash options I immediately think they’re doing it for tax evasion reasons - not because of the touted reason that “card payments cost more to process” (they don’t once you factor in the cost of handling cash).
People forget that the credit card companies charge businesses to process transactions. Some stores/restaurants even give discounts for paying in cash because of this.
This is explicitly forbidden by almost all card processing networks (and by the government, in many countries). If you report a business who is doing this to the card processor, they'll likely get their card processing privileges suspended.
On the other hand, cash has its costs. You need to have a register, more training, more insurance, processing of cash at the bank, having it deposit cash at the end of every day, etc.
With credit cards you pay a fee, but you don't have to deal with all of those other things that people often don't consider.
If a significant amount of your business is cash based then the risk is much higher. If you're doing $100 worth of cash transactions per day then your registers and safe probably don't have much and you can probably get away with weekly or even monthly deposits. Whereas if you're dealing with $1000s in cash then you probably want to deposit daily, need a lot more security around your register and safe, and probably have a much higher quality safe too.
I've lived in Seattle for decades, and have -never- found a business that would not accept cash. If I -had- I would have set down my prospective purchase and walked out the door with a promise never to return.
Apart from a transit card (all the mass transit also takes cash ... no fee added), I'm not going to pay to feed the surveillance machine.
There have been a number of food trucks in the Seattle area that don't accept cash for the past 5 years. A popular food truck might have >$5k in cash sitting there by the end of the lunch rush - it puts an awfully tempting target on your back.
Where I live in Seattle, a lot of businesses simply don't handle cash at all, because break-ins for the cash register are quite expensive to deal with, and they circumvent that problem by simply posting outside the business that there is no cash.
One of the few businesses near me that must take cash, a dispensary, recently had an issue where somebody tried to break in using a stolen pickup truck to crash into the building. They didn't get the cash because they didn't get past the interior bollard system, but they did cause enough structural damage that the roof partially collapsed into the street.
I mean sure, US is special in this case, especially since you don't actually persecute small time thieves...
But i've paid with cash all over europe, and except for some vending machines, i've never been turned down, be it london, paris, berlin, belgrade or athens... from large supermarkets and museums, to local corner newsstands with a small fridge and cold drinks and local fast food joints. On the other hand, the most unsafe I ever felt as a traveller was in chicago, supposedly in a "nicer/safe area", and I've been through the balkans in the 1990s.
In my country if you pay with credit card at a grocery store (or anywhere) you get 3.5% tacked on to your bill. Merchants don't eat the cost, and don't hide it in the listed price of goods; it's explicitly passed on.
Here in the deep (American) South, small businesses give discounts for cash because those global elites are trying to take away our cash and want to track us or whatever. To that mindset, cash is a way to resist a theoretical oppression.
This is the reason I try to pay everything I reasonably can with cash. I’m about as northern as you get.
I’m definitely looked as crazy in my friend group from time to time, but over the years I’ve just become known as the guy who will always have cash on him if necessary so I guess the walking ATM bit helped with acceptance of it?
I figure that if folks don’t take a stand and use cash even if they don’t need to now, we will lose the ability to later. I don’t want to live in a world where all my purchases are mineable, because that eventually turns into monitored and then authorized.
The inconvenience is a small price to pay for freedom from surveillance.
It has amused me though over the years how bad cash handling skills have become. When I was a cashier as a teenager 25+ years ago, myself and all my fellow coworkers could break change at relative light speed and often just from mental math/memory. Now it’s amusing watching a young cashier give change back on a $48.31 order after handing them a $100 bill. Sometimes takes longer than the proverbial grandma writing a check back in my day.
Here in the Pacific Northwest, businesses give discounts for cash just because it saves them money. In Portland, we still have a fair number of bars that are cash only. And yeah, liberals here also consider it an invasion of privacy to have to use a card, but they couch it in terms of it being unfair to people without credit or bank accounts (which, tbh, is also a fair argument).
It's been 10 years since I lived in Argentina, but at that point having a credit card (not a debit card) was still reserved mostly for the folks in Barrio Norte. Has that changed now, or is it still mostly debit?
I know that this is true (I used to work in card payment infrastructure), but I've also talked to people who run cash businesses and deliberately under report their income. So I think it's not so uncommon.
I, as a private individual, can accept card payments for 1.69%. I have a physical chip and pin reader (that pairs with my phone), it cost me £25, but I can take contactless payments using just my phone. If I didn't want to use my phone, I'd need the £75 reader that comes with a 4G connection (at no extra transaction or subscription cost).
If I were charging £3k/month, I'd be just above the threshold where paying £19.99/month to get a transaction fee of 0.99% saves money overall.
0.2% of 3000€ is 6€. I’m not sure how big of an impact that is, considering the non-negligible costs of handling this much money in cash. If a business earns more money after accepting cash, it’s probably because they don’t pay taxes.
I get the terminal directly from my bank here in Spain, it's something like €5/month + 0.02% of transaction. Is it much higher in other parts of the EU?
> "FWIW I am Australian and we have a similar adoption rate of cashless payments. If a merchant tries to promote cash options I immediately think they’re doing it for tax evasion reasons"
I don't know about Australia, but in New Zealand many small retailers and restaurants add a card payment surcharge (typically 1.5%-2.5%) automatically when you pay by card. So you are somewhat penalised for the convenience of using a card. This never happens in Europe.
1.5%-2.5% card surcharges (both, debit and credit) are a commonplace in Australia as well.
Visa and Mastercard have successfully lobbied and conspired with local banks in both countries to bury EFTPOS, which were national debit card payment systems with a flat transaction fee ranging between 10 and 50 cents per transaction (depending on the bank).
A while back, Visa/MC realised that debit card transactions, being on the rise, were a highly lucrative market to tap into that they had been missing out on, so they set out on a war of attrition and conspired with the local big banks to phase out EFTPOS cards in favour of Visa/MC debit cards, where the cost of transaction was to be passed on to the card user. Tiered debit cards quickly followed (Platinum, etc.), that attracted higher fee percentages for Visa/MC – payment network commission fees are published on the respective payment network websites. Other than consumers, all parties involved (big banks, payment networks) became moist with excitement at getting a huge slice of the card transactions pie.
But there is the light at the end of the tunnel (other than the light of the oncoming train) – the RBA has moved to ban all card surcharges from July 2026.
It’s quite common in the US everywhere I’ve lived. Every tradesman I’ve used outside of large companies will offer a large discount for cash if you ask about it. They will likely not be the first to initiate though at a certain level of customer, since the social expectations change at a certain level of wealth.
This is almost always in a portion of the invoice written up at around half the agreed amount, and the rest in cash. Or for smaller jobs just on the side with no paperwork involved outside of a firm handshake.
This is the norm for the lower end of the trades. If you’re dealing with a single owner company with a few employees I’d be very surprised if they would not be willing.
Yeah, once you get into “real companies” that are charging upper middle class rates on million dollar properties it changes.
I haven’t had trades work done in Mexico, but considering all my visits were effectively cash only transactions I’d be pretty surprised if it wasn’t at least as common as in the US.
When you say "buying a used car"... do you mean from a dealership, or from a private party? In America, I almost can't imagine buying a used car from an individual without paying them in cash. Indeed, it's one of the few situations where a large amount of cash is almost always required. It's a pain to go to the bank and get that cash. However, this is not because of tax evasion or something ... it's to avoid any sort of dispute or reversal once the sale is final. I would take Bitcoin for a car, or a check I could cash before signing over the vehicle, but I'd never take paypal or some other method where the buyer could contest the charges.
We usually use an app for that (Swish, it's kind of like Venmo I guess, developed in collaboration between the six largest banks). We don't really do transaction reversals in the same way or as commonly as in the US.
Paying for a used car in cash would actually be difficult because handling an amount greater than the equivalent of around USD $1k immediately starts tripping KYC/AML flags at any bank if you try to deposit it, and it's hard to use in day to day life because few places other than grocery stores even accept cash anymore.
Wow... depositing more than $1k would trigger AML. That's incredible. In the US it's not uncommon for contractors to pull $10k cash at the end of a week to pay their workers. Some of that may be due to tax evasion or, just as likely, the workers being in the country illegally. I suppose this is another major reason cash is still "tolerated" in the US, because the casual labor market depends so heavily on undocumented workers. No one besides a few ultra-nationalists would really want to enforce such a thing, as it would drive up construction costs. And the nationalists are paranoid and stock up on cash and gold themselves.
Honestly, that system sounds a bit Orwellian. But also, does that mean that you have to pay a bank transfer fee every time you buy anything?
Generally there are never any transfer fees for private individuals doing domestic transfers. The banks just provide that service for free and eat the cost. Businesses wanting to accept payments via the Swish app usually pay a flat rate of the equivalent of approximately USD $0.15 per transaction (exact terms depends on which bank you use).
It's also worth noting that credit card interchange fees are price controlled in Europe; there's a EU directive that caps the interchange fees at 0.2% for debit cards and 0.3% for credit cards. Because of this, cashback on credit cards is pitiful in the EU; you can get 0.5% cashback but not much more than that.
> But also, does that mean that you have to pay a bank transfer fee every time you buy anything?
No, not at all. The Swish rails are free to users. But I've never had to pay any transfer fees for domestic transfers anyway. They are just much slower than using Swish (instant transfers) and much more clunky (bank account number etc. vs. phone number/QR-code).
Not every time, very certainly less than on 5% of all normal transactions, and the actual fraction will depend more on whether you count currency conversion fees and how frequently the person you are asking is buying from outside the EES.
I am danish so not quite as anti-cash as Sweden but if people use cash in grocery stores or just stores in general the general sentiment will be that its either because they are old , the cash they have is undeclared income or that it is income from illegal activities.
Swish uses the proprietary "BankID" system, and the company behind it has let frauds go on for years and blaming the victims. Therefore I have chosen not to support them.
It didn't have proper two-factor authentication when you just had to tap a button on the smartphone to approve a log-in or a bank transfer (and users didn't always tell which was which). Now it requires reading a QR code — which it should have done all the time.
AFAIK it still does not use any secure key storage on the smartphone, so if your phone gets rooted by an attacker, the attacker could gain access to your bank accounts. So far, frauds have been much easier to pull off, so criminals have not bothered to hack it. (that we know of)
I’d say he’s correct, people under 60 that uses cash are considered, if not criminal, at least suspicious, like they have something to hide. Or simply wackos.
I haven’t used cash for the last 15 years or so. Except for when I had carpenters at home who wanted to get paid in cash (to avoid taxes, so called black money).
>"people under 60 that uses cash are considered, if not criminal, at least suspicious, like they have something to hide. Or simply wackos."
I have barely used cash in 25 years. This doesn't mean anything at all. You're probably putting this solely in the context of using cash for significantly large purchases, e.g. higher 4 digit sum or above, or as in your example a craftsman who want to exempt it from his or her accounting. Nobody bats an eye at a person buying groceries, or some gadget for a couple of hundred, with cash.
no we use cards for everything, even for just buying an icecream or something.
most older people use cards too actually, but sometimes you can see one struggling with their coins and notes when buying groceries yes.
So do you like always take split bills for everything? Like when eg. 4 coworkers go to eat together (ie. not a situation where one person pays everything)? Over here in the balkans/mitteleuropa you just put some approximate amount of cash on the table. Same for kids, you're not giving a kid your credit card when you send him to a bakery to get bread, you give him a couple of euros in cash.
> Same for kids, you're not giving a kid your credit card when you send him to a bakery to get bread, you give him a couple of euros in cash.
I got caught out by a thing like this, recently. (I'm on the east coast of the US.)
My kids had a day off from school, and it was a nice day to ride bikes. There's a small municipal park around 5 miles (8 km) away, with a nice mini-golf course and a grill/cafe next to it. They were eager to go by themselves, so I told them they could ride their bikes there and gave each kid enough cash for a round of mini-golf, a cold drink and some lunch.
The park was card only! While that has been happening more and more, I was not expecting that from a city park. Thankfully, they're not shy kids, and they persuaded one of the park employees to use a personal card in exchange for cash. But I was shocked. They're 10 and 13 years old... it had not previously occurred to me that I should give them cards of any kind.
In that situation either (1) someone will pay for everyone at the table and then everyone else will “Swish” (the name of the local money transfer app) them their respective share of the total bill; or (2) they’ll just ask the server to split the bill and each person pays for their part. Both are actually quite common, and having lived many years in Sweden, I’ve never eaten at a restaurant where asking the server to split the bill was a problem.
Or, if it's a group that goes out together often and doesn't vary their orders much (in terms of order-of-magnitude of spend), then this will sometimes evolve into a rotation on one person picking up the tab each time.
In Denmark someone will pay, and the others will use MobilePay to pay back their share.
But you've reminded me of a case I still use cash: on business trips abroad with a mixed group of people from several countries, most people put money on the table to pay their share.
Reporting for Hungary and Italy here: at the restaurant you ask for split bills or someone pays and the others will just pay back. It's been a few years since this was a problem, shops have adapted.
quite often we pay separate by cards, that is so common the personell even asks if that is how we like to pay. otherwise one pay using his card and we swish (tranfer money instantly using the swish app) him the money.
Tradespeople sometimes request cash payment or provide a good discount for cash payments (well above any fee they would be charged). I guess where you are no one considers this dubious (really???) but at least in discussions with family the feeling is that the request for cash only payment is dubious.
We also have a local retail establishment that is cash only. I think it's looked at dubiously.
I personally have experienced it. Someone wanted to split payment on something between cash and a check so they could report the value of the item was lower because it would save them taxes every year. Again, the use of cash was I think a bit dubious.
Note: Cash allows you to avoid all sorts of obligations (tax / family support / debt collection and garnishment etc etc), ineligiblity for banking (europe is pretty strict in some cases for example with folks with no legal status with banking) and is still used in things like the drug trade. Even if everyone around you considers large cash transactions reasonable that might be naivety or they may simply not have been exposed to larger cash transaction activity.
I come from the UK where not accepting cash is only ok in hipster areas of London (or, was at the time).
When I joined my gamedev studio I had colleagues asking me why I had cash, and many of them didn’t even recognise what it looked like (there was a switchover of the notes a year or two prior).
There was an insinuation that I would use it for drugs. So, I suspect that the parent is right here.
Natives asking why someone has cash, and not even recognizing bank notes...? It sounds so absurd that I'm certain you're exaggerating wildly. If not, you've had an outlier experience during a limited window of time in the country. Just like the parent. This isn't really representative.
Add.: another poster suggested that someone had a bit of a laugh with you by saying it, which is also entirely possible. Basic joke.
I've had young (ish, 25 say) Danes say they'd never seen the most recent design of 500DKK notes before. Many more hadn't seen the 1000DKK, though that's since been withdrawn from use.
I believe them. Cash machines dispense(d) them, but usually only if you withdraw 1000DKK or more in a single transaction. That's unusual for people that rarely use cash.
I had them as I was following the official advice to keep some cash around in case the banking system is hacked etc, but I spent them and withdrew 100DKK notes when the advice was updated to point out that if everyone had only 500DKKs at home it wasn't very flexible.
I am slightly ashamed to realise that my banking app shows I haven't made a cash withdrawal in Denmark for more than 12 months — the second part of the official advice is to use cash occasionally to keep that system working.
I am Swedish and have lived here all my life and I have no idea what the current banknotes look like. I have literally never used them. I remember what they used to look like 20 years ago, but I know they have changed since then.
I carry a few in my wallet, just in case, but I could honestly not tell what color the different notes are or what portrait is on each without looking. Bad forgeries would easily trick me.
I'm in the UK and I have friends who will tell you hand on heart that they have never handled a £50 note. They know they exist but they haven't had one.
which as well as explaining the background to the note and debates over whether it should be taken out of circulation also points out the context the average British adult was making about 20 cash transactions a month as of 2018 (none of them involving £50 notes)
I've never handled a £50 note. (I am young enough that if you gave me £1 for every year I've never handled one, I wouldn't be able to afford one. But I am old enough that I could dip into my lifetime of savings to make up the difference.)
A friend's dad showed me one when I was at school - that's it. He seemed amused I hadn't seen one before, then after making a minor show of it, as if it was some precious, rare item, said he'd never previously seen one either. They've been uncommon my whole life, and apparently could/can be difficult to actually use, shop assistants being unfamiliar with them and not confident in their legitimacy.
I expect today most people would use bank transfers for the sort of sum where the sheer number of notes would make a £50 one useful.
I would very much disagree with the latter assertion. I work as a cashier, and I get 50s and 100s _all the time_. I wish they'd stop because it drains my till very fast. Lol.
I'm not even sure if that I knew there was a $50 bill. And that's as an American of 30+ years that uses cash routinely. Multiple times I've cashed checks and gotten it all in 2's, but honestly can't ever remember a $50 bill. I always have at least one $100 bill in my wallet and don't ever recall getting a $50 in change, has to be the least common note. But now I'm thinking waaaaay back and does the President on it have a big mustache? Time to see what a $50 looks like.
It would be a "unique" situation. Most AMTs (not all, but most) only dispense $20 bills, the rarer ones will dispense $5s or $10s, and they're rare enough that I make a note of them. I have never encountered an ATM that gives a $50.
Your best bet of happening into a $50 is if you go to a bank for an in-person withdraw and they ask you for preferred denominations. Generally the money is dispensed in $20s even there unless specified.
Your second best bet would be if you're selling something "on the side" and the purchaser uses a $50 in a transaction, which I would say is also rare these days, most people use Venmo or equiv.
Your best bet of handling a $50 is probably as a bartender, or of course as a bank teller.
I have held $50s a few times in my life, and even my reaction is "huh, a $50, don't see those often"
Huh, the Wells Fargo ATMs here in San Francisco actively offer me $50 bills on a regular basis! I wonder how much this various by bank, by region, or by ATM manufacturer.
I use them regularly and have never had anyone not accept them.
I have had many places reject $100 bills though.
I’m that weirdo that tries to pay cash for most everything, so sample size is large and across a diverse set of businesses.
Due to what I tend to pay cash for these days (lunches, drinks with a friend, etc.) and prices being what they are, they are rapidly becoming my “go-to” denomination.
this is definitely more widepsread than you imagine in the UK. Most major cities are heading in the cashless direction - the only time I use cash is for my window cleaner.
Swedish banks (even the Riksbank linked above) regularly refuse to turn cash into digital money unless you can ”prove” where you got it from. It’s not sufficient to say (with immense credibility) that you worked hard all your life and saved it. Entire inheritances are regularly wiped out due to this, when high denomination bills are obsoleted by the Riksbank. So I’d say it’s not only a common sentiment but also government policy.
I fully understand why the Swedish government wants to get rid of cash. What I'm saying is that the people simply don't feel that cash is in any way dirty.
That article does not at all make the assertion you are claiming it does: "The new law allows police to seize expensive goods even from people who are not under investigation for a crime, if they cannot prove they acquired them lawfully."
I don't love the law, but having cash on its own is not grounds for seizure. Having expensive goods that you cannot explain how you managed to pay for is what they are targeting, according to your source.
This is basically a law that takes your expensive shit away if you are too stupid to launder your ill-gotten cash.
You can put lipstick on a pig all you want, but if you reverse the burden of proof from "we have to prove your money is dirty" to "you have to prove your money is clean", that is a very clear cut case of "possessing cash is grounds for seizure" to me.
By the way, have you ever wondered what the definition of "expensive goods" is? Of course, the powers that be want to make it all about the Rolexes and Lamborghinis, but a cursory peek at the actual law reveals [1]:
> Section 4 If the property has been seized and the value of what may be confiscated does not exceed one tenth of the price base amount according to Chapter 2, Sections 6 and 7 of the Social Insurance Code, a question about confiscation of the property may be examined by 1. a police officer, or 2. another employee of the Police Authority or the Security Service appointed by the respective authority.
Which effectively means that using the "price base amount" value of ~59k SEK in 2025, you are subject to asset forfeiture at the whims of any police officer once you have more than 600 bucks in your wallet or under the mattress.
But I'm sure they will only use it on brown gang bangers or knife wielding foreign drunks and not law abiding citizens such as myself, so it's fine!
You said: "Sweden has introduced civil asset forfeiture where the mere possession of cash can make you a suspect." in a conversation about cash in Sweden, and posted an article about how there is a law that allows police to seize goods in certain circumstance.
I pointed out that cash != luxury goods.
I already said it was a law I don't agree with. But it also isn't a law that says that police can just take cash from you according to your sources . The section that you quoted doesn't seem to support your assertion about cash either, but I need the rest of the context.
In reading the law it is allowed to seize cash under very specific circumstances, but simply possessing cash is not enough evidence to seize it.
Cash seizure ("penningbeslag") can be used in an investigation concerning independent forfeiture ("utredning om självständigt förverkande").
The initiation of an investigation and the use of "penningbeslag" are contingent on the "reason to assume that property originates from criminal activity." This implies that merely possessing cash, without any connection or suspicion of it being linked to criminal activity, would not be sufficient grounds for seizure under this law. There needs to be an antecedent suspicion that the cash is proceeds of crime.
An investigation for independent forfeiture should be initiated "if there is reason to assume that property originates from criminal activity" (2 kap. 2 §). The purpose of such an investigation is to "investigate whether the property originates from criminal activity" (2 kap. 1 §).
Therefore, the primary circumstance for cash seizure is when there is reason to believe that the cash originates from criminal activity.
> You can put lipstick on a pig all you want, but if you reverse the burden of proof from "we have to prove your money is dirty" to "you have to prove your money is clean", that is a very clear cut case of "possessing cash is grounds for seizure" to me.
Swedish law does not describe such a reversal for the initial act of seizure or investigation. As previously discussed, the law states: "En utredning om självständigt förverkande ska inledas om det finns anledning att anta att egendom härrör från brottslig verksamhet" (2 kap. 2 §). This means there must first be a "reason to assume" that the property (including cash) originates from criminal activity before an investigation is initiated and seizure measures like "penningbeslag" (cash seizure) are applied.
> Section 4 If the property has been seized and the value of what may be confiscated does not exceed one tenth of the price base amount according to Chapter 2, Sections 6 and 7 of the Social Insurance Code, a question about confiscation of the property may be examined by 1. a police officer, or 2. another employee of the Police Authority or the Security Service appointed by the respective authority.
This section, "Beslut om förverkande" (Decisions on forfeiture), discusses who can decide on the forfeiture of already seized property (beslag or penningbeslag) if its value is below a certain threshold. It pertains to the administrative decision to forfeit after the property has already been seized based on the criteria in 2 kap., not the criteria for the initial seizure itself.
You are right I think. I lived in Finland and rarely used cash. Even people selling their clothes at pop up second hand markets seemed to be able to take card. It has nothing to do with criminality, just culture. Germans use cash a lot and it's harder for me now I live outside the eurozone to go there.
Most Swedes have Swish (mobile payments) so fleamarkets etc. mostly require that. Before I had my Swedish bank account set up (so six years ago) and thus BankId & Swish I often had to get my partner to pay for things even though I had a Visa card and Swedish cash.
> Are you sure this isn't impression you've gotten from isolated reactions involving a small number of individuals, perhaps just a single individual?
Swedish here. The impression is common. Sweden is a small country and has long had a fairly cohesive culture. The culture has decided that digital payments are the way. Deviation from the collective way is always suspect.
Your impression is misguided. Maybe it's the norm in Stockholm, but 80% of the population live elsewhere. We do use cash and nobody thinks its suspicious to pay with cash, stop making stuff up.
Not sure its considered criminal and dirty. I agree its more a convenience thing. There is no need ever to have cash (other than when payments systems are down but then lots of stores systems in general are down). I don't even think I have seen any cash for many years.
This is something I've heard from multiple locals, not something I inferred myself. As you can see, even here in the comment section you have people both for and against the idea. The notion definitely exists, how widely it's held exactly, hard to say. In my experience, that explanation came up often enough to catch my attention.
Depends. Very long time ago I was approached by a group of seemingly friendly people asking for direction, then I felt sharp object to my belly and they told me to walk slowly towards cash point. They said they'll stab me if I don't withdraw all money I can. So I did. When cards were not popular, I would have small amount of cash in the wallet and anything more substantial hidden in a sock or elsewhere. Thieves would take what would be comfortable for me to lose. I guess it can be the same with cards - have a card with small amount and actual card hidden, but it is not as easy to hide as cash. Then you have whole other kettle of fish - banking apps. There's been instances of people being forced to do transfer at knifepoint. For that reason I don't use any apps, apart from throwaway bank account - again with small balance just in case. Shame more banks are restricting web access, which I think is most secure.
We hardly use cash in New Zealand, over 85% of transactions are electronic. There’s a lot of places that don’t accept cash anymore because cash handling is annoying and risky.
That said, nobody thinks of cash as dirty, just annoying. Also our payment system has always been able to work offline, because it started rolling out in the 80s.
Since when does EFTPOS work offline? It works off the internet, but not "offline", if the phones are down, EFTPOS is down. It happens with relative frequency, given the weather. Or trucks hitting boxes, or diggers cutting cables. Shit happens.
Regarding places not accepting cash: NZ First (political party) is proposing to protect the right to use cash and make all businesses accept cash for up to $500 items.
> The Cash Transactions Protection Bill would mandate businesses in trade accept cash payment for goods valued up to $500.
Since always. EFTPOS was designed with offline support (signed receipts) as an emergency fallback when the network is down. It’s been like that since the 90s, I know because I’ve been using EFTPOS since then and experienced many outages.
It is capped at $300 per card used and 200 transactions stored (I believe some large merchants can vary this, but not by much), it’s only for temporary failures not multi-hour outages.
You can quickly find information with your favourite search engine.
I've visited New Zealand a few times en route to Antarctica. The only time I've ever needed to take out cash was for the Christchurch bus service. I was in MIQ on the way in, but they gave us free reign on the way out because Antarctica was considered virus-free (and according to immigration NZ, it counts as the Ross Dependency). There was obviously a lot of push for contactless payments in 2021. I get the impression that the pandemic helped really cement it, although it sounds like the UK where we've had widespread contactless for almost 20 years.
The pandemic helped the banks push contactless which they love, because it’s not EFTPOS.
EFTPOS is our national post of sale system, it has very low or no fees for any party involved. Merchants pay a fixed machine rental per month which can include unlimited transactions, or may have a per transaction fee of up to $0.20. Most individuals do not pay a fee for using EFTPOS and there’s normally no card fee, though some banks have accounts with fees that have other benefits (eg higher deposit interest rates to encourage saving).
Contactless goes via the standard card network extortion. Since 2022 the interchange rate has been capped by legislation which has helped merchants a lot, but the per transaction fee over the card network is still far higher than EFTPOS.
Contactless EFTPOS does exist in Australia - we share a lot of the underlying tech - but the banks won’t activate it here because they’d lose the interchange fees.
Online EFTPOS is starting to gain market share though, which is nice.
It is interesting how the European cash culture is so very different between the countries. In Austria I struggled to find places that would take any kind of digital payments. Germany wasn't as bad, but was pretty bad. My experience is about 3 years old.
It's funny. I live in rural USA and I overheard a girl say she wouldn't date a guy who uses a card as it wasn't very manly. He needs to use cash apparently. Where I live cards are seen as controlled by "them" and allow the government to spy on you and come after you for taxes.
To add some more context to your comment. One of the big attacks was in 2021 with the Kaseya ransomware attack that caused one of the larger grocers (coop) to essentially be unable to operate. Made national news as they had to give away product for free in some places.
> And yes, we use cash so seldom that most people cannot from memory recall what the bills/coins look like!
It didn't help that the Riskbank replaced all bills and coins during a relatively short time period, and did it badly. People used up/deposited their old and didn't get new.
The new coins and bills have unnecessary denominations and bad design that made cash bothersome to use.
They introduced an unnecessary 2 SEK coin, that is almost indistinguishable from the 1 SEK coin — especially if you are unused to them.
They also introduced an unnecessary 200 SEK bill, that was just too big to be useful for small purchases. Several times I've seen people at ATMs withdrawing 100 SEK over and over again, just because they wanted the more useful 100 SEK bills.
> Digital payments are very convenient and deeply integrated, so long as you have a local ID which allows you use the local payment system Swish etc.
Just to reiterate how ubiquitous Swish and BankID are here: 99.9% of Swedish residents age 18-67 have BankID (8.6M users), while Swish has 8.7M private users, and 93% of those users send or receive money via Swish at least once per month.
Physical attacks are also possible, this site focuses on software so much of the time, while acts occur in the physical world. Cyberattacks are grey areas, but based on some of the undersea cable cutting and factory fires Russia has been performing, physical attacks are very much on the table if you can obscure the source.
It's funny how these attitudes vary across the EU. Here in Spain the government is trying to move everyone to digital payments so they can keep an eye on the flow of money, but normal folks are transacting as much as possible in cash to hide from the tax man...
How do you pay for things that are just one or two euros? In my local boulangerie they don't accept cards for less than 5€, so if I just want a baguette I need to have cash.
That was a thing in Sweden as well, but it's illegal to charge an extra fee when using cards since 2010. So to answer the question, everyone just uses cards even for small purchases, and often those "cards" aren't physical cards but Apple or Google Pay on the phone.
If you ignore supermarkets, basically no place sells stuff in that low of an amount. Using Stripe as an example, transaction fees are 1.5%+1.8kr. I’m hard pressed to find a place that sells items with a price below 20kr, and even cheap crap from china costs at least that when buying online. So unless your business has an unexpectedly large amount of low price transactions, it’s not a big issue.
Not sure what you are talking about. A baguette is ~1€, same for a croissant or a chocolatine. Maybe 1.10 or 1.20 depending on the place. I do it all the time. It forces me to have the cash otherwise I need to take another random item I don't really need.
In the UK most small shops had this same 'minimum spend' requirement for card. It disappeared a few years ago (maybe during Covid) and now I haven't come across minimum spend in a long time. That was one of the last things that made me always keep some cash on hand. Now, I genuinely cannot remember the last time I used cash - it's been at least 2-3 years, probably longer.
Oh it's easy: they don't use Visa / Mastercard, but their own domestic system called Swish, which is much cheaper for businesses and of course completely free for individuals.
Similar instant payment systems have really blossomed across the world, especially in recent years. One by one, countries are finally figuring out that there's no reason to rely on American brands for all of the payment processing.
A lot of stores have minimums if you want to pay with Swish, the more common answer to how we pay for small amounts like that is... we just use our cards like any other purchase.
No because you need BankID which is issued by your bank and to get BankID you need a Swedish bank and a personnummer. You can use a foreign phone number with Swish but some banks don't allow it (or only allow some countries, e.g. finland).
How do kids get pocket money in Sweden? I can't imagine grandparents handing over prepaid debit cards to 8 years old to go buy candy at the neighborhood store?
Swedbank offers debit cards to kids as young as seven [1]. Depending on the kid's age (and what the parents configure), there will be different limits on how much the kid can spend.
Swish is the de facto standard for sending money between individuals [2], and that's what grandparents tend to use to send money to their grandchildren.
It's fee-less (for person-to-person transfers use at least) and it connects your bank account with your phone number. So if anyone wants to send you money, they can just open Swish and enter your phone number (or scan a QR code) and send you some. You also have to sign the payment with the BankID app, which is the de facto standard for authentication [3].
And when I write de facto standard I really mean it. 99.9% of Swedish residents age 18-67 have BankID (8.6M users), while Swish has 8.7M private users (93% of which use Swish at least once per month).
In Canada there's MyDoh, which is specifically a debit card you can give to kids including in that age range. One of the major Canadian banks runs this. Can only imagine that it's more advanced in Sweden.
That may be practical, but many kids I observe in my family etc like to collect the money and see it and are proud of their collection and about what they saved. That goes away with a card ... and I wonder how that impacts the "feeling" for it. Counting and making likes and plans about what to buy is a big part of learning to deal with it.
Like or not the world is a digital currency world for the most part these days. I want my kids to understand that those numbers on a computer screen have real world value. How many young adults get into trouble with their first credit card or debit card because the money isn't "real" to them? In the US it's quite a few.
I don't have a final answer to this. However in m observation with different families and kids is that some start relatively early, before the kid can do arithmetics or such, they can count till a pile got enough money for the sweets or toy they want and then count the other pile to see how much is left and if they can buy the other.
Doing this in a digital system requires first some computing device (be it phone or laptop or whatever) then check the account value, read it correctly, then do some arithmetics and then interpret the result. That's a year or two older.
More or less exactly so. There is another downside to it: When money is just a piece of plastic which you touch the cash register with and get what you want, how to you learn to appreciate money? Coins and paper money is also excellent for counting, as they naturally come in different valuations.
When counting money is just arithmetics and never cash, something is missing, and it's very clear in many young kids. Money is just points in a game, suddenly you're out, and then you can't get what you want anymore.
Where I grew up, (sadly) it's not been common since at least 50 years for 8 year olds to go buy candy at a neighborhood store by themselves. Parents had to drive us everywhere.
If your local hairdresser gives you a cheaper price when paying cash, wouldn't you assume tax evasion? (criminal).
Someone selling a used bike, or other items of similar value, on second hand market and not accepting Swish would maybe not directly be considered criminal, but would for sure raise an extra eyebrow about the origins of the goods.
Otherwise correct, nobody would blink if you use cash for other daily purchases like ice cream or groceries, even if unusual.
Wouldn't say it's dirty or criminal, it's just convenient to use card, but if you buy a car it would be a bit weird if you insist on cash. It's mostly old people paying with cash these days.
I live in the US and never use cash. I use a credit card and automatically pay the entire balance every month so I don't pay any interest but get 2% cash back. I pay rent using a app on my phone and a checking account.
> but cash is often considered to be dirty and criminal, to the point that most don't have any at all.
Is it because it's considered dirty and criminal, or is it because it's a pain in the ass to deal with, and most people have no reason to bother with regularly withdrawing it, and then carrying it around?
it's really visa lobbying to destroy the (somehow worse than visa) easy credit new players. they give credit like candy because being online and low value only it's easier to avoid (or swallow) fraud.
forcing their hand to accept offline sales mean they can't decide on the spot, and now those 5k credit lines which they only allow transactions for sub 100 purchases at a time will be wide open for offline fraud they can't detect, and which visa already know how to handle/sustain.
this will probably be lobbied elsewhere soon. i predict Netherlands is next.
So credit card benefits suck, because the consumers can't be exploited to create a large profit surplus that can partially be used to benefit a small subset of consumers.
There are no benefits for any of the credit cards I could get since roughly Corona - I was using them before but all cards which had positive benefits were removed/discontinued since.
Hence I'm back using a debit, because it works the same (no benefits either way) and doesn't come with a monthly bill.
> That’s because credit card benefits suck in Europe and there’s no point to using them.
Theres still a very good reason to use them - buyer protection.
I use a Virgin Atlantic reward card and have it set to pay off automatically, never running up debt. It both protects me as a buyer, and has the benefit of taking ~£500 off annual family holidays, and gives me a free companion seat in the process, effectively halving the price for one of the passengers.
If you purchase an item on credit, it's the bank that makes the purchase. You then pay them back, 30 or 60 (or more) days later.
If there's a problem with the item, you can "return" it to the bank — after all, they own it! So in practise you can ask the shop for a refund, or you can ask the bank.
It is a stronger protection than a debit card chargeback.
As an example, I bought flight tickets from an obscure budget airline on a credit card. Months later, beyond the usual debit chargeback time limit, the airline went bankrupt — but my bank purchased that service, and isn't going to provide it! They refund immediately.
>has the benefit of taking ~£500 off annual family holidays, and gives me a free companion seat in the process, effectively halving the price for one of the passengers.
You know you're paying higher sticker prices to finance that, right?
If I am then so is every other traveler with every single airline in the world.
Go on Virgin Atlantics site, search for any flight, you can then apply points to that, or redeem a companion voucher. That doesn't bump the price up prior to redemption.
I dont "pay" for the points I get, as I'm not spending any extra day to day. The credit card is free.
I don't know that I'd call not paying an extra 5% just to receive 1% back "sucking". It seems like a win-win to me. If you need something, pay for it (with that extra 4% saving) instead of jumping through a million hoops to pretend it's free.
When everybody in the industry decided the implementation was more trouble than it’s worth. (Offline-capable chips, that is; embossers were 80% solemnization ceremony and 20% data entry aid, just like signatures as "cardholder verification", and are a non-starter from a security perspective.)
The mindset was one of ubiquitous Internet connectivity, which is cheaper than maintaining a complex stored-value or offline limit based solution.
Of course, this assumption does not include some externalities in case of large scale outages, maybe due to cyberattacks…
There's a term I saw all over someone's Google calendar schedule, pre-pandemic "DNS without asking". Now I realize it means "Do not schedule without asking" but my mind thought "Domain Name Service without asking" ... how in the hell would you do that?
I guess this is similar: how do you make trustworthy decisions that seem to inherently depend on the network, in the absence of a network? Before the internet, we had phonebooks instead of DNS, and we had cash instead of cards. Did the phonebook have every number? No. Was every piece of cash not counterfeit? No. But it's "good enough". Portable reference sources and tokens. The references are issued periodically and the tokens have evidence of exhaustion, their decay over time. A dog-eared dollar with a bunch of phone numbers on it, half-torn ... the merchant doesn't have to accept it.
How do you do these things digitally? Periodic issue seems pretty straightforward ... if you have a network. Token issuance, similarly, needs at least occasional communication with other nodes in the network.
So there's a local dwell capability.
Is this part of the same reaction we saw with Denmark starting to have emergency stores within 50 km of every Dane? Is this motivated by a need to prepare for war?
>The possibility to pay by card when the internet is not working – ‘so-called offline payments’ – is an area that ‘the Riksbank believes needs to be improved considerably, particularly in light of the geopolitical unease in the world,’ according to the announcement
We know exactly how to do these things digitally. Many European countries have had stored-value payment schemes in the 90s. Japan still does today.
It's a completely solved problem, but it's a more complex (and as such more expensive) solution than just assuming ubiquitous connectivity and a backend that never goes down, which is how we got to where we are.
> Is this motivated by a need to prepare for war?
Preparing for cyberattacks seems like a prudent move, no matter the adversaries' motivation. But yes, the context here is pretty obvious in Europe.
> We know exactly how to do these things digitally. Many European countries have had stored-value payment schemes in the 90s. Japan still does today.
But how do they prevent people double spending the same amount? Say someone has 100$ and boards on a plane. During the trip, this person buys a bag of potato chips sold for 90$. At the same time, his bank account is automatically charged 90$ for a bill.
With credit cards, handling this case is baked into the system. As far as I am aware, direct debt has no equivalent.
> But how do they prevent people double spending the same amount?
Both payment cards and merchant terminals (essentially also using embedded or removable smartcards) are tamper-resistant and hold symmetric keys only known to the payment scheme or issuer.
The terminal essentially creates a cryptographic secure channel between two smartcards, and they transactionally agree to decrement the balance on one, and increment the one on the other correspondingly.
The really neat thing is that this theoretically even works without the need for central accounts, and is as such very privacy friendly. (Practically, even just one key leaking would have catastrophic consequences though, and to detect whether that has happened, systems usually aggregate all transactions asynchronously and check money movements for plausibility.)
Iiuc, you have to "transfer" the funds from your bank account to the card device (wallet, in a way) from where you can then spend these funds without interaction with the bank? That would work.
Otherwise, without the initial withdrawal from your bank account, you could spend the money twice.
there's already some fraud, waste, loss, inefficiencies, accidents (packages lost, chargebacks by mistake, package arrives weeks later)
....
that said the chips have some physical protection, it's not trivial to clone them
and the chip has a variable where it stores how much more you can use without online confirmation
of course, these are cheap protective measures, but to crack it you would need more effort probably than the total credit that's assigned for offline spending
What's the information theory connection in your view?
> these are cheap protective measures,
They're holding up extremely well. I'm not aware of any cryptographic or physical key extraction compromise in EMV, for example. All known bugs are protocol design oopsies, as far as I'm aware.
I'm not sure what they have in mind for supporting offline payments, but I think that Japan's FeliCa-based [1] electronic money systems (Suica, iD, etc) are pretty impressive. They are most typically used to pay for transportation, but also widely accepted at stores, vending machines, etc. Balances are stored on the card, and it's very fast to use and seems secure for the most part. Recently it's also available on any smartphone or smartwatch with NFC. Japan was pretty slow to adopt touch payment for credit cards, so for a while it was my favorite form of payment.
Transit cards have a pretty low charge limit compared to credit cards - Suica balance is limited to ¥20,000 for example (although for cards that are backed by a credit card, I think the limit is higher). And now that Japan has fully embraced credit card touch payments, FeliCa-based systems are losing market share to Visa, Mastercard, etc.
But it really shines for applications requiring speed (i.e. a turnstile in Tokyo station) or offline payments (a vending machine in a park somewhere).
In Germany, there is the Electronic Cash (or newer versions called Girocard) which is similarly smartcard-based for the offline use case, but pairs with a regular debit card for online use [1]. Apparently, not that many people use the offline functionality.. it also has a somewhat low daily limit (though I think those are in place for some online transactions such as getting cash as well).
>although for cards that are backed by a credit card, I think the limit is higher
I have a Suica thats integrated into a credit card, and it still has a ¥20,000 limit - the Suica balance is separate from the card balance, it just has a configurable auto top-up setting.
Interestingly, if I'm out of the Suica zone, sometimes auto top-up won't trigger. If I recall correctly this happened to me once in Fukuoka, presumably because there's some level of integration above just accepting payments that Hayakaken hasn't achieved. Never had a problem with Passmo interop though.
I've never heard of a suica with a higher limit, but it's possible they exist or that other compatible cards have higher limits.
I was actually thinking of other non-transit e-money cards like iD and WAON (my fault that wasn't clear from my comment). For an iD card linked to an SMBC credit card, your iD spending limit is the same as your credit limit [1] - which can be upwards of ¥10M. I don't know how or why anybody would spend that much in iD transactions, but I bring it up because it shows that SMBC seemingly has as much trust in iD security as they do for Visa's online transaction processing.
Tourist in Japan here. Suica is great. I prefer it over my Visa tap 'n pay just for speed. It's instant vs. a few seconds which isn't much, but it's nice.
Topping up a Suica every now and then vs. having many international transactions might also work out better for some. My bank (ING) gives me those fees back so it makes no difference to me.
At one point my US credit card categorized Suica top ups as travel expenses, which earned double points. So basically just tried to do all of my spending on my suica card, and racked up a ton of points in the process. Eventually they fixed that - but I had a good run for a couple of years.
Taiwan's EasyCard and iCash are their local equivalents. Seems to be common in that part of East Asia to have public transport cards that can also work for small expenses.
I wish other governments would take note as its a nice way to avoid the Visa/MC/Amex fees for at least some expenses.
> The online function shall apply to physical payment cards and accompanying PIN code when purchasing essential goods such as food, medicine and fuel.
Is this a typo where they meant to say “the offline function”?
If I’m reading this right, the goal is to allow food, fuel, and medicine purchases with card + PIN in offline mode.
Seems like a reasonable goal. I wonder what the technical details will look like. Will there be a periodically updated list of cancelled cards/accounts distributed to endpoints? Even a hashed list of all cards cancelled before their expiration date within a country is a reasonable amount of data for modern storage systems.
Or would they simply rely on the ability to track down account owners by their originally registered contact info in the event that someone gets an invalid transaction through during an offline period?
> I wonder what the technical details will look like
It’s already a thing, the EMVCo standard predates ubiquitous internet connectivity. Mass transit systems typically use it, airlines used to for in-flight purchases before the advent of reliable WiFi.
It is somewhat common to maintain a denylist of known fraudulent cards, but as you note the main mitigation is on the bank to track the card down. One of the key things you need to figure out with an offline payment system - and what I imagine is needed here - is a consensus on who has the liability for offline transactions and what the dollar limits are.
The card itself knows its balance and is authorised to approve transactions up to a limit fully offline.
The UK already does this in some shops for low value items for NFC payments. You can tell the offline transactions because they immediately say 'approved' rather than taking a few seconds.
If it turns out the card approved something 'wrongly', for example because you had previously reported the card lost to the bank, then the bank refunds the transaction and claims the value back from the merchant. That's why many merchants have their terminals set to require online payments.
Your card doesn't know the balance, it doesn't work like that.
Offline transactions mostly died off when the limit in the UK for contactless was raised to £100. At £20/30 (the original limits) issuers/merchants risk accept some payments not being valid (and the total limit before you had to chip and pin was fairly low top).
And worth saying, the merchant has some control on the terminal but mostly the decision of offline/online is down to the issuer and configured on the card.
Some debit cards don't allow offline transactions, usually when the cardholder isn't allowed to be in debt.
In the olden days, you'd get a Visa Electron or Solo debit card in the UK if you were under 18 or had a poor credit history.
Visa Electron and Solo were online authorisation-only card brands (also known as "immediate authorisation").
If you didn't have enough money in your account, the transaction would be declined. Visa Electron cards didn't have embossed numbers on the front, so couldn't be used with the old-fashioned card imprinters.
Visa Electron and Solo have been discontinued now, so people with poor credit can get a Visa Debit or MasterCard debit card, but with offline authorisation disabled.
That does mean those cards can't work in some places (e.g. on aeroplanes or trains).
Credit Cards generally always support offline authorisation.
When you set up the POS you can choose whether to allow offline auth or not. It makes transactions a little faster, but you’re the one who takes the hit if the card bounces later. Just comes down to whether you value speed over the extra risk.
EMV (chip cards) can have a small amount of local smarts, so it is typical for example to insist on going online for a large transaction or if the card has performed too many offline transactions since last going online. The card maker decides these rules, so the bank gets to ensure the cards it issues to customers meet whatever requirements it has decided upon, balancing fraud risk against problems with loss of connectivity or services being down.
So I doubt they'd bother doing some sort of ad hoc revocation technique.
Back in the day, we used these machines to take a paper imprint of the card. You would get a copy and give it to the bank. There was a phone number you could ring to check if the card was valid. I never phoned the number.
This was before my time, but older folks have told me that in the early days of credit cards here in Australia (70s and 80s), for larger purchases at department stores (which were virtually the only merchants who accepted credit cards back then), it was common for the checkout person to phone your bank to get authorisation for the transaction, before you could walk out the door with the merchandise.
Similarly in the UK we had the concept of a 'cheque guarantee card'. Present your Barclays plastic card along with a paper cheque up to some value (£50 rings a bell; I was too young, it was my mam doing the transacting) and that cheque is guaranteed by the bank.
> Charitable donations because charities maximize every penny, and electronic contributions eat into that
Charities in Europe very much want an electronic donation, since the cost is far less than handling either cash or cheques. More importantly (I think), it also gives them much more opportunity to get a recurring donation.
Example UK prices (since cheques still exist there)
In Finland, and I imagine in most of Europe in general, people just make bank transfers for most of those things. Unlike in USA you cannot just pull cash from someone's account if you know their bank account number, you need to setup SEPA Direct Debit to do that and it requires explicit authorization from the account owner. It isn't even really used much in Finland, most companies just send electronic invoices that you can setup autopay for in your bank. They aren't free for companies but the cost is negligible (likely less than the postage stamp would cost).
Unlike in USA you cannot just pull cash from someone's account if you know their bank account number
People say things like this as if the money taken in a fraudulent transaction just disappears and is untraceable, and unrecoverable. That is false.
It's one of those scare tactics that the middlemen use to sell a vision of financial-techno-secure-utopianism in order to collect a percentage of the money. Don't fall for the marketing.
The money has to go somewhere: Into another bank account, usually, which is easily traceable since banks by law have to know who they're dealing with.
Even if a check gets cashed at a check cashing store, the store requires ID, the person getting the money is on video, sometimes they have their fingerprints taken by the store, and if something still goes wrong, the store is on the hook for the money when the transaction is reported as fraudulent and reversed.
These are all problems that were largely solved last century.
> The money has to go somewhere: Into another bank account, usually, which is easily traceable since banks by law have to know who they're dealing with.
Yes but you actually need to notice that it happened which requires them to actively monitor their transactions on all of their accounts. They then need to use their own time to report these transactions and wait for banks to resolve it. And that's just in the good case where bank doesn't dispute it. If they do, you now need to file official complaint with regulators or sue them. Former can probably be done by highly educated people by themselves (others likely need some legal help), in latter case you are going to need a lawyer. I'm not even sure if you are eligible to recover costs for those.
Why is this better than just not allowing pulls without explicit authorization by the consumer (SEPA Direct Debit) or just asking consumer to actually send the funds (bank transfer)?
One of the many surprising things on that list is that paperboys still exist!
I thought printed papers were all but dead even in the US and can't recall the last time I saw a stand or store where I could buy one. They faded away unceremoniously, like phone booths.
That there is enough money in it to motivate kids to get up in the morning still today I would never have guessed.
Also astonishing are the size and presence of the various fees! Around here a 5 dollar fee for invoicing is the highest I've seen, and it raises eyebrows even among the Mercedes/BMW crowd because everyone knows it doesn't cover any actual additional costs, so it's basically a scam. A way for companies to say "interest free" while still collecting interest.
I thought printed papers were all but dead even in the US
In its last financial statement, the New York Times reported 600,000 print subscribers. (Plus something like 20 million paid online subs.)
Newsstands are mostly gone (though there are a few), but my experience over the last few years is that outside of tourist areas, print newspapers are available at most chain drug stores, book stores, and some gas stations. The more urban you are, the more likely you are to find them. They also remain popular in ethnic communities. I recently picked up a monthly printed newspaper in Japanese that is distributed in the DC area.
I can think of five places with six blocks of me that sell newspapers (two drug stores, two bodegas, and a bookstore).
The latest Superman movie even did a PR stunt where the movie company printed up thousands of Gotham newspapers with Superman headlines and distributed them to newspaper racks. I saw them at Walgreens.
- ? You pay your employer what you were paid for jury service? Bank transfer I guess, but also probably illegal
- would likely be deducted on payslip (because tax & accounting implications of below market value gift) or via a third-party that would most likely accept card
> ? You pay your employer what you were paid for jury service? Bank transfer I guess, but also probably illegal
That happens when you are salaried and your company pays you your normal salary for the time you are in jury duty. They already paid for your time, they are entitled to the (generally much lower) compensation that the state pays you.
most of these are related to the high credit card fees we have in the US to support the card points programs. in EU for example, the fees are 10% of ours.
I'm in Sweden and the only time I've ever come in contact with a check was when an American company sent me one as a refund.
Most of these reasons just sound like fee-issues to me. I use a debit card (or Swish) to pay for everything and there's never a cheaper payment option. The fact that checks somehow cost less to use than debit/credit cards sounds ridiculous tbh, especially with all the added handling that must go into dealing with them (it just seems so inefficient).
The state made me forego the (grand - for a month) jury duty pay due to being on salary.
However, I still got compensated for daily public transport to the courthouse - which wasn't taxable.
My company claims that allowing me to have both my regular pay and the government pay would be considered an over-payment, and the accountants say it triggers all kinds of messy things.
However, at the same time, it is illegal to do this in some American states where we have offices. So it must somehow be possible for the accountants to allow it.
Given how badly jury duty pays, it seems a wasted effort.
It seems to vary from county to county. When I served, we were given a pamphlet stating that the rate had recently been raised.
I don't remember the exact figure, but it was well above minimum wage. Something like $80 for the first and last day, plus $120 for each day between, plus transportation costs.
Far less than what I make as a super cool tech dev bro, but I can see it taking a lot of the pain away for the average person.
I served on a jury for a week a few years ago and my check at the end was $22. It seems like it wouldn't be worth the company's time to handle and process that check.
I'm sure some jurors got more. My county's jury pay/reimbursement is primarily mileage based and I live 2 miles from the court house.
If the "check"/offline payment bounces, I wonder if it's the merchant that is out the money? Or is there any assurance from anyone else, like maybe the network would go halfsies?
Edit: on second thought, that doesn't really make sense and would be a great way to defraud the network of a ton of guaranteed money
I would love it if this were the solution, embossed card imprinters can work without internet and power and are both fast and intuitive. It worked as a primary method in the past, it can work as a backup method in the future.
atleast with cheques tho there was a way to safeguard the payments of a cheques by crossing of cheques and when I had learnt about cheques there were a lot of things that can be done via cheques like endorsing etc.
But there was always a risk of cheques being unsafe so that's why there is bank drafts. It seems that this is more similar to bank drafts than cheques.
If you really try to sum it up, I know I am going to do a grave misjustice but even a cash could be thought of a cheque from the govt. (well a cheque is meant to be unconditional but its based on the banking laws of a govt. and cash is a promissory note which is a promise made by the govt. so yeah....)
As another HN commenter pointed out here,this decision might be partially due to swedish culture of how they view cash which you can find here.
The idea of there being some "government approved" list of things people can buy with this is horrifying and exactly why cash should continue to exist.
And there's a solution to that that lets them value what they want appropriately and not have to choose it from a government list. I think unfortunately the temptation is too high for governments to also try and tell people what their priorities should be, which is why having an exchange medium that doesn't involve government control is important.
I don't think it's going to be a list of things, but rather a list of vendor types (grocery stores, pharmacies, gas stations) that have to accept offline payments, and that banks must accept offline payments from. You can live without a new iPhone if the terminal is down, but you can't live without food.
Every time I see posts like these related to fiat, my heart sinks. Despite pro privacy sentiments across the site, there is a concerning amount of people who have not only fallen to the trap of convenience, but even consider cash use suspicious or criminal (the morality of tax evasion is a whole different subject, the places where it's most popular often coincides with a corrupt, inefficient government). Soon, cash use will be made impractical due to digital currencies and growing government control, but cryptocurrency will take its place, it has already to a limited extent.
These past couple of years I've gotten into plenty of trouble on multiple occasions, as a result of what I would describe as a cascade of misfortune initiated by a single unfortunate event (for which I will take some responsibility, but nevertheless...).
These "cascades of misfortune" I've run into happen largely because of how we've placed certain institutions at the center of our lives and our society, or perhaps more precisely because of the "convenient" solutions of theirs that we've all been coralled into adopting.
I'm thinking of social media networks, smartphone companies and their app stores, banks and their electronic payments, etc. Everyone's opted in, and we don't realise how much we've given up as a result, with all these "convenient" alternatives, now made mandatory to replace the old and inconvenient solution.
We don't realize, that is, until you're standing at the bank teller in a city away from home, passport in hand but otherwise robbed of phone and wallet, hoping to withdraw some cash to keep you alive while you sort this mess out - only to learn that the bank is no longer able to do that for you. You can't just get your own money. You could withdraw at the ATM, but with a card of course, and that for a fee with a pretty low upper limit. But banks don't serve that purpose anymore. They're now software institutions that we are forced to have a relationship with and operate through in order to make monetary transactions.
Suddenly society has shut down. You can't log into anything without your phone and 2FA, so you're stuck without access to your favorite online services until you get a new SIM card and a fresh device. But even then, there's no riding public transit, because you don't have access to the apps they all operate through. Not that you'd be able to pay in those apps anyway, after cancelling your payment cards. And besides, you don't have anywhere you'd like to go anyway, because, aside from having basically no money to spend on food or events, there's no way to learn what's happening in this city without access to Facebook and all the company pages and events published there.
I forget now all the myriad ways that life grinds to a halt, but I do vividly remember feeling like nothing was possible. And that only because I lost one or two things which should be entirely optional in life! You shouldn't be required as a human, nor even as a member of society, to have a Facebook account, or a smartphone, or even a bank account (that last one is perhaps my most extreme take, but I stand by it).
The bank will probably let you order a new card to their offices instead of your home address, so all you need to do is survive for a week or so. In my case, that was very easy thanks to the friends I was visiting.
As for the meantime: I still did have my bank's ID chip with me as a backup, so I could have used online banking to make a transfer to myself with something like Western Union, and crossed my fingers that my bank wouldn't require verification by phone for this suspicious transfer. That would have gotten me some cash at least within the course of the next day, but my friend helped me out, so it didn't come to that.
Without friends around, though, and one or two more unfortunate circumstances piled on, I really don't know. It's unsettling to realize how little it takes to be forced to sleep in the streets.
Pedantically speaking, offline card payments are already possible _now_. E.g. see the Square documentation about that.[1]
However, it requires that all the parties involved (issuer, acquirer, payment network, merchant) allow it, and there are certain limits. One of the linked documents[2] in the riksbank press release has more details about what they expect from these parties.
Fundamentally it's all extensions of credit, right? The question is who is taking on credit risk in these transactions and how is everything settled when the power comes back. Presumably, everything is somewhat reversible and there is some dispute resolution process.
In the Netherlands we had an extra chip on our cards a while back called "chipknip" for offline payments. Didn't work because you had to charge it separately.
Chipknip (a portmanteau of chip card and knip, Dutch for purse) was a stored-value payment card system used in the Netherlands. Based on the Belgian Proton system, it was started by Interpay on 26 October 1995, as a pilot project in the city of Arnhem and a year later rolled out countrywide. Chipknip was taken over by Currence due to a restructuring on 17 May 2005, who managed it with their licensees until its discontinuation on 1 January 2015. The Chipknip was primarily used for small retail transactions, as the card could contain a maximum value of 500 euros. The money needed to be transferred from a card holders main bank account using a loading station which were generally located next to ATMs.
Sweden had a similar system in the late 90's-early 00's called the "cash card", also developed by Proton. It was a huge failure with basically zero uptake, there was no benefit over just using your debit card https://sv.wikipedia.org/wiki/Cash_%28betalsystem%29
Speaking about payment methods, I wonder what's the sentiment on HN about the new Digital Euro thing.
I've seen people claim it's the worst thing to ever happen and that governments will lock money and things like that.
But personally, after looking at their objectives (offline cash-like payments for example, where only the sender and the recipient know about the transaction) I'm pretty happy about this coming out (even though it still seems early in development)
There's no technical breakthrough, but it might seem novel to people in countries like the USA where offline authorisation hasn't been widely allowed on credit and debit cards for some time.
In many countries in Europe, offline authorisation is more common. Cards have had a chip as standard for over two decades in European countries, and a PIN is often used for cardholder verification.
Combined, these make the risks of accepting a transaction for a small amount of money offline very low.
The limit of what can be accepted offline is known as a "floor limit" in the UK.
This is just reenabling existing technology. Card chip already has everything required to verify the card and PIN[0], the only thing internet access is required is checking if account is not empty/over limit.
[0] That also means that after changing PIN on bank site, you have to visit ATM, so new PIN is actually stored on card - but that it only required for that offline mode.
> Mondex was a smart card electronic cash system, implemented as a stored-value card and owned by Mastercard.
> Mondex allowed users to use its electronic card as they would with cash, enabling peer-to-peer offline transfers between cards, which did not need any authorization, via Mondex ATMs, computer card readers, personal 'wallets' and specialized telephones. This offline nature of the system and other unique features made Mondex stand out from leading competitors at the time, such as Visa Cash, which was a closed system and was much closer in concept to a traditional payment cards' transactional operation.
EMV chip & pin cards have always been capable of offline payments.
In the UK this has definitely worked in the past - I remember many years ago there being occasions when something was wrong with the network connection(?) at my local supermarket, but still being able to make a payment in offline mode. This works because the payment terminal authenticates the PIN directly with the chip on the card. They just can't check your balance is sufficient to pay for what you're purchasing.
TfL also accepts your contactless card in offline mode: their buses operate in tunnels and other areas with a poor mobile data signal, but cards are still accepted at all times.
A lot of people don't realize that our entire financial system is eventually consistent. They think that when they go to an ATM and withdraw money, it's instantly gone from their account.
The reality is that in most cases the convergence is so quick it looks like it's instantly gone, but it's not. For example, if the ATM is unable to get your current balance, it will still complete the transaction.
That's why your card has a daily limit -- that's basically the risk tolerance of the bank on how much they are willing to lose if the transactions don't get converge quickly enough.
In a few places, you can see traces of this aspect of the system. For example, some gas pumps put a $150 "hold" on your card, and on your bank's web site, you may be able to see "pending" transactions that are in some not-quite-final state.
That’s a different thing: pre-authorization. It’s used for when you want to authorize some purchase before delivering the goods (that you later confirm once it’s delivered). The pre-auth is still done online for amounts above the card-offline limit.
The nicer feature of preauth is that you can confirm a lower amount. So in the case of a gas pump, they first have to make sure you have the money, without knowing how much, because you haven’t pumped it yet. Once you finish, then they know the amount, and confirm the transaction at a lower amount.
1yr timeline is ambitious if it means fully deployed.
Clearly the right thing for Sweden and others to do. Also worrying that even 3yrs into the Russian invasion, bordering countries are urgently increasing their preparedness for future conflicts.
I believe most of those POS systems can operate in offline mode, in Europe at least. I have friends who work for large event organizers, and they have spoken about how if the system is offline the bars can continue to take payments, but there is a risk as a person's account may not have sufficient balance to make the charge when the system comes back online.
Most people here pay by card and I would say the vast majority use debit cards. A lot of people don't even have credit cards, unlike the US.
I'm no expert so may be wrong about some of this, and maybe huge events like these have these systems in place due to the risk of having to shut down bars etc. Many events are completely cash less these days.
> I believe most of those POS systems can operate in offline mode, in Europe at least.
I was able to pay "offline" for my groceries at corner store nearby when their terminal had really bad or no connection at all - and that did happen a lot. They were just gathering all payments and when the "computer guy" was around he'd upload these to the Internet. The only caveat was that for some reasons these payments would be stuck for more than a week on transactions list
Right, basically all EMV cards are ready. You just need one that has some offline tolerance, as there are limits on both the amount and number of consecutive offline transactions. I believe these settings can be updated on the chip, i.e. your bank will tell you to go to an ATM perform any operation to make sure it's up to date.
Payment terminals might be trickier as we've observed during outages that they currently don't fall back to offline transactions. But their software and business rules can obviously be updated.
This is also partially due to hacking incidents in recent years. In 2021, all 800 Coop grocery stores were closed for a few days due to the Kaseya VSA ransomware attack [1].
Would be interesting how they work technically. The linked pdf mentions an EMV chip, which I assume is some sort of TEE. Other than creating recipient-specific one-time vouchers online, I can't think of a way to do offline payments without a TEE.
Yes EMV chips and the EMV standard are secure elements that were spec’d and have been manufactured since the 80s. The EU has been using these thing pretty much universally since the late 90s.
They’ve also supported offline transactions that entire time. Indeed offline transactions was the norm for a long time because internet connections were expensive. So payment terminals did offline transactions, then literally phoned home at the end of the day to upload all of the day’s transactions.
The transactions themselves are just signed by the cards, and stored by the payment terminals. Interestingly using symmetric encryption, because asymmetric encryption was two expensive to put into debit/credit cards when the EMV spec was originally created.
Card transactions being online by default in the EU is pretty recent phenomenon that only really happens in the past 5-10 years, as internet connections and cheap mobile data plans have become ubiquitous.
EMV has been using asymmetric cryptography for a long time now, even though it's strictly optional in the specs.
Older cards indeed didn't have it for cost reasons, and online-only cards theoretically have no strict need for it even today, but practically, a symmetric-only card is a non-starter these days for several reasons. You won't be able to ride the Tube in London or Subway in NYC with a card that does not support it, for example.
> You won't be able to ride the Tube in London or Subway in NYC with a card that does not support it, for example.
Those systems all perform online auths at the gate, they don’t rely on offline transactions at all.
Asymmetric encryption is used to prove the identity of the card itself, I.e. prove it’s a real card owned by a real issuer. But it’s not used to sign the transaction itself.
Transaction cryptograms, the cryptographic blob that’s built using data like transaction amounts, method of customer authentication etc only use symmetric encryption. The produced cryptogram itself is then also signed using an asymmetric key, but the asymmetric and symmetric blobs are distinct entities and processes separately by the card network.
Now this is the really important, and completely non-obvious part. Only the symmetrically encrypted transaction cryptogram is sent over the card network to the issuer. All of the asymmetric parts are only used locally by the terminal for validation, then thrown away. So the data produced by the card that is actually stored and eventually sent to the issuer can’t be used for cryptographic non-repudiation, because there’s no mechanism for the merchant to prove using only the transaction cryptogram, and public keys, that a specific transaction was signed by a specific card issued by a specific issuer.
This may seem very strange from a technical perspective, but only because people think that the technical elements of card networks is what prevents fraud. In reality fraud, at least between network participants, is entirely prevented using legal contracts, escrow accounts, and the simple fact that the benefit of abusing the technical measures to commit fraud is simply not worth the consequences. Being a network participant requires you to put millions of dollars in escrow, and be a large enough company that you can realistically move millions of dollars in transactions everyday. Fraud between companies at that level is solved using very expensive lawyers, the technical measures only need to provide enough evidence of tampering to stand up in a court of law, where everyone is under oath, and at risk of personal repercussions for perjury. There is no need for them to be completely fool proof, it’s much easier to just depose the engineers who were ordered to circumvent the technical controls, under threat of prison time, than it is to get every network participant to adopt some complex cryptographic non-repudiation scheme to protect against scenarios that don’t actually occur in reality.
That is partially why the banks/government in Sweden have been happy to phase it out. Companies also don't like dealing with cash because it requires extra accounting, security, and transportation. In the early 2000s there were about 50 cash transport robberies per year in Sweden, in 2018 there was 1.
> Companies also don't like dealing with cash because it requires extra accounting, security, and transportation.
At least in the US, individual businesses don't like dealing with credit because of the transaction fees but are kind of forced to thanks to everybody else taking credit everywhere.
Of course, the big chains love credit and are happy to pay the transaction cost because it lets them audit all the transactions and increase their control over local managers and employees. Presumably, the big chains also negotiate lower fees.
You mean ATMs ?
It is still harder to prove where the cash you took out of the ATM went to in comparison to card payments, but yeah, if you take a big amount of cash out of the ATM then it would be easy to flag you
Credit card companies have been doing stand-ins to support offline transactions for ages. Mainly the reason why you pay a high interest rate on your credit card.
How many days was your glorious war in Ukraine supposed to last, Boris? Maybe wrap that one up and breed some more cannon fodder before starting another.
Ah yes, that old Russian chestnut that any moves to make Western civil society more resilient are portrayed as an omen of military aggression against them. Sorry Boris, not everything is about you.
This is how it used to be before, they would slide your card through that machine thingy, it would copy it's digits and they would process this sometime in the future.
Extracting keys from a modern SIM card is very difficult. The cost is way above 10K USD. So a payment card in offline mode is absolutely possible as long as one limits the payments to few hundreds USD.
The bigger challenge is an offline terminal that can easy accumulate tenths of USD in case of a long outage. But then compared with cards the terminal may have better protection.
In addition to the issue of microchips being inherently difficult to tamper with, smartcards have various hardware and software based anti-tampering measures, that are designed to destroy the chip, if someone attempts to extract the keys from the chip. That kind of security measures are never totally impermeable, but defeating them requires advanced equipment and skilled labour, and the R&D costs of the cracking devices need to be offset, too.
Personally, I dream of an open-hardware, FLOSS wallet, also usable on POS like a bank smart card, confirming crypto transactions like legacy/traditional ones on its own display.
Internally, the signature part isolated like a smart-card, "embedded signature" hardware as a measure against double (multiple) spending, and reasonable limits on offline transactions with both parties offline (e.g., €10k/month).
The "embedded signature" hardware part is a bit vague because technologically it's not clear how to do something like that in a "secure enough" way, but it's a necessary part and the limit somewhat lowers the risk.
For use: mounted as a smartwatch or a pendant with a retractable lanyard, like ski-pass holders.
> “In Sweden, we pay digitally to a large degree and the use of cash is low. The general public being able to pay by card for example for food and medicines even in the event of a serious breakdown in data communication, that is offline, is a milestone in our intensified efforts to strengthen emergency preparedness”, says Governor Erik Thedéen.
I understand that it's very normal to use a CC in Sweden (and many places), but it feels grim to me that the thought towards major telecommunications breakdown is, "oh no, how will we make sure that people can keep credit card companies and banks informed that they need food and medicine if the internet is down?" I feel like "reversion" to the solved problem of offline transactions - cash payments - would be a more reasonable default assumption, and in the case of catastrophic infrastructure breakdown, simple expropriation.
Riksbanken have been pushing for cash payments too. Personally I think its too little too late. The culture in Sweden has already changed to purely digital
Sweden has also done multiple pilots of a digital currency pressed by the state. This might be an interesting alternative to not give up control of our currency and privacy to banks and cc companies. Also supposed to work offline. https://www.riksbank.se/globalassets/media/rapporter/e-krona...
Cash would be a reasonable assumption, but not a practical one unfortunately.
The only place really to get cash in Sweden is at an ATM, of which there are very few these days - most have been removed in the past years, and some might be very far away due to the large distances in Sweden.
It should also be assumed that in the event of a critical infrastructure breakdown, the ATMs would not work either.
A lot of people asking here in comments how the implementation would look like, given this is HN and the crowd here is technical inclined. No idea how they will do it but I can tell you how I did it in 2008.
See, in 2008 one of my projects had a client that had a lot of venues around continental US and Mexico and those venues were having sparse internet connection (think sky resort venue, remote and internet delivered by antennas that weather could affect it). Meaning when internet was not available any card transaction was a no go. This was a problem to be solved so my client asked if there is a way to make offline credit payments. So here is my implementation: -read credit card details and deliver the goods -> store card details in a local database, encrypted -> check online connectivity -> when internet was a go try to charge the card. If it was good then all was done, details were erased from local storage, everybody happy. If it failed then retry, 5 times per day, for 5 different days. After 25 tries, blacklist the credit card. Forward the information to legal department and mark that credit card as not acceptable from now on. So if you screwed the client with a bad credit card, you screw it only for 5 days maximum. And you also had a legal department on your ass. Meaning you got a fake card, good for you, keep it up cause now you are also on Secret Service radar (most people don't know but Secret Service, not FBI, gets involved in this). In the years I got involved in this project, 8 years, the number of times this was an issue raised to legal department was like under 5. So most folks actually pay and the few that got retried had probably a temporary problem with their funds and eventually they got it back on track. For those under 5 I think all of them eventually cut a deal with legal without raising the issue further up. Sorry guys, no juicy story involving Secret Service here.
Probably this worked because the goods were kinda under $50 as price. So maximum you'd screw the company I worked for like $500. And most likely this would not work with a big retailer like Amazon where you can purchase for thousand of $ in a single transaction.
But it had the advantage that it worked with all credit cards, debit or otherwise, Visa/MasterCard or whatever. If I would be on the implementation side nowadays from the Sweden bank in this article, I would probably do it like somebody else already proposed here in comments. Get the card to also contain an electronic signature which means a lot more scrutiny to get it released, which means yeah!, your privacy is fucked to Alpha Centauri and back if you try anything shady.
offline mode has been the limiting factor in almost all electronic payments. there was a convention where the single use keys became limited use keys so that cards could make offline payments in low amounts that could be reconciled later. it created a risk and a vulnerability to be managed, and there was at least one exploit against it if I remember correctly.
imo, the mandate creates an interesting technical constraint on any CBDC standard, where the offline mode limits the effectiveness of a "turn off" of someone's money, as there will always be some feature where they can use their money to buy food and fuel. For now I am interpreting this mandate as constructive to civil liberties.
I'm not following this as closely as I probably should, but it seems to me to be more of a data collection and retention scheme than something that'd actually be useful to me and my neighbours in a crisis.
In part because cash is common in my part of Sweden, which is likely annoying to the bureaucrats and oligarchs. Cash is nice because a transaction does not involve a measure of creditworthiness while only leaving an indirect trail, and this 'offline' thingie they're going for probably does and besides keeping personal data available 'offline' for performing such stratifications of people it also (theoretically) allows for a phasing out of cash also in crisis and armed conflict.
offline key signing and broadcasting later should be a simple thing
although heavily misunderstood, this is built into cryptocurrencies since day 1 (many critics have long thought crypto requires power and internet access, many proponents also don't know otherwise)
with card networks learning from competition and functionally being public-only keys, this should be even simpler to implement
Those transactions simply won't be accepted. Sucks for the seller, but how to deal with that mess is an issue that has to be solved on an upper layer by ToS or laws.
Yes, but the merchant has to have a way to check for double-spending, or otherwise verify that the signed txn they have been given represents money that can be "taken to the bank".
Checking the signature on some blob that says "this be money" is not enough.
True. But if the system is implemented by a country this could be implemented using the law system and insurances.
For example, when each transaction is done, both parties might keep a cryptographic proof which they are required to submit once they are online again.
Failing to submit could result in a small fine (to encourage submission) and double spending which can then be detected could result in a large fine (or even a prison sentence), for example.
There is, perhaps, a privacy issue, just like with blockchain. But it's not more of an issue than online transactions.
I didn't say you need a blockchain.
I just said a cryptographic protocol (mostly offline and unrelated to blockchain) would help to automatically and quickly detect and proof fraud.
The offline credit card system does not proof fraud but just has insurance.
I figure you can ‘solve’ it socially and legally by treating double spend while offline the same as writing a bad check. Recipients of offline transactions knowing the risk would limit it to small amounts and or emergencies.
It's not about paying by cash but paying by card offline. How is this going to be implemented I wonder.
On planes they often accept credit cards even when there's no internet. I assume this is a trust in-credit-based system because they don't accept debit cards, i.e. if you are worth being trusted with a card you can have your sandwich now and we will take care of the bank processing once we are on the ground. So maybe this will be like we trust you enough with basic goods that once we get a connection things will be sorted out situation?
The EMV standard has long supported an offline transaction flow. AFAIK it was the default almost everywhere in Finland circa 2011, contactless there was almost always instantaneous. Digging into why that was compared to the invariable wait when using contactless in the UK revealed this flow.
The card has a variety of risk counters on it that allow it to securely decide whether an offline transaction can proceed, at least some of which are also exposed to the terminal which can have its own separate policy. I imagine internally the banks and payment gateways have a huge variety of internal related tuneables.
Yes the EMV standard has offline card payments baked into it, and most banks in the EU and UK used to use offline transactions for contactless.
Your experiences in the UK are almost certainly linked to the card issuer you were using (was it a Monzo card by any chance), and nothing to do with it being the UK. The vast majority of the legacy banks have always used offline transactions for contactless.
However there has been a bit of shift towards online transactions, driven by EU rules likes strong customer authentication, which requires regular pin entries determined by cumulative spending and duration limits (which ever is hit first). It’s a lot easier to reliably meet the requirements of SCA using online transactions.
As for how offline transactions work. It’s reasonable simply. The terminal asks the card to sign the transaction using the cards private key. Now there is an extremely complicated set of rules around how liability shifts in the event of a fraud claim, depending on many factors like the type of transaction, if a pin was entered and validated by the card, if the card ask to go online and the terminal ignored the request, they type of merchant, the exact region your in etc etc.
But regardless of all that nonsense. The technical process is very simple. The terminal has the transaction cryptographically signed using symmetric encryption with a private key that is only known to the card and the issuer of the card. That signed transaction can later be presented to the issuer so the merchant gets paid.
Given it’s a symmetric key, you may wonder what happens in the event of a dispute between the issuer and the merchant, where the issuer claims they received a forged transaction. To which the answer is, the issuer sends a signed and sealed letter to card network operator saying they have double checked the transaction signature, and believe it to be forged. And if anyone doesn’t believe them, they can sue em (this is not at all a joke, it’s literally the documented and contractual process used by the major banks and card networks).
> However there has been a bit of shift towards online transactions
Not just a bit of a shift: Offline-preferred transactions are basically a thing of the past. EU rules have nothing to do with it (offline EMV is fully SCA compliant as well, as the chip can keep count, although it's a bit annoying to keep counters in sync if there's more than one); it's mostly for risk management and simplification reasons, I believe.
> The terminal has the transaction cryptographically signed using symmetric encryption with a private key
Offline transactions essentially always require card authentication as well, which requires asymmetric cryptography. (Otherwise, you could trivially forge valid-looking cards and offline terminals would be none the wise since they obviously don't hold the symmetric keys for every card issued; that would be way too risky).
> EU rules have nothing to do with it (offline EMV is fully SCA compliant as well, as the chip can keep count, although it's a bit annoying to keep counters in sync if there's more than one);
EU rules have everything to do with it. Meeting EMV with offline counters is tricky to get right. The reason I can confidently claim the SCA drove the migration of online transactions is because I was responsible for the technical implementation of SCA for a bank, and was part of the industry wide conversations that happened as banks figured out who they would comply with the rules, and tried to figure out what wiggle room existed. So I know SCA was a driver, because I talked to the people making this decisions.
> which requires asymmetric cryptography. (Otherwise, you could trivially forge valid-looking cards and offline terminals would be none the wise since they obviously don't hold the symmetric keys for every card issued; that would be way too risky).
This is where you are simply wrong. Again speaking as someone with actual experience working on this stuff, and having dealt with actual forged offline transactions as well. I can tell you the card uses symmetric encryption, the terminals themselves have zero ability to validate the signature a card produces. The terminals include some data that allows them to validate if a card number is routable, and also a hot list of card numbers to always reject, and thus reject transactions that can never be fulfilled, but they have no way of validating that a specific card or transaction hasn’t been forged.
The entire system depends on the physical security of the chips in cards to make key extraction extremely hard, and to also make the correct mimicking of cards extremely hard. But it’s hardly impossible, and there’s plenty of demonstrated EMV attacks out there in the wild. It’s just that they all hard to replicate, require special equipment, and generally make you look very dodge in the moment because you have to have a weird card with wires running your shelves so you can intercept the card comms. The manufacturer and distribution of the chips in cards is extremely tightly controlled, so you can’t just buy them. In theory anyone with a million dollars and ASIC contract could manufacture their own ICs, but there simply easier ways to steal money.
Ultimately EMV only needs provide enough security to make other methods of stealing more palatable. Cards are used for pretty low value transactions, so breaking EMV isn’t a very scalable way to steal money. You would be better off stealing products from merchants using decent pair of running shoes, rather than creating crazy ways to trick their payment terminals. Running shoes are cheaper and much more accessible than ASIC production.
> The reason I can confidently claim the SCA drove the migration of online transactions is because I was responsible for the technical implementation of SCA for a bank
Ok, "nothing to do with it" was too strong: I don't doubt that SCA was the death knell for many offline implementations. However, I've seen online-only cards in the field by many banks well before SCA became effective.
And on the other hand, I also know SCA-compliant EMV implementations that do still support offline transactions. As you say it's tricky, but it's possible. Europe is large, and you probably haven't talked to every single bank/processor :)
> This is where you are simply wrong. Again speaking as someone with actual experience working on this stuff, [...] they have no way of validating that a specific card or transaction hasn’t been forged.
Huh? If you have worked on this stuff, surely DDA and CDA ring a bell? They're both based on asymmetric cryptography, and they absolutely allow the terminal to dynamically verify whether a given card is authentic or cloned, without having to go online.
Without that, you could indeed copy the static signature data from any EMV card and replay it to an offline terminal and get away with it. That's why SDA has long been deprecated for offline transactions.
> The manufacturer and distribution of the chips in cards is extremely tightly controlled, so you can’t just buy them. [...] In theory anyone with a million dollars and ASIC contract could manufacture their own ICs
You can absolutely get them on Aliexpress straight from the manufacturer for a few bucks each, cheaper in bulk. They run Java, so you can just write your own software – the EMV specs are public!
What you can't get there is the cryptographic private key specific to the card number that the issuing bank embeds into it at personalization time.
EMV is a cryptographically sound (if dated and very complex) scheme, and secrecy of implementation is actually much less of a security factor than you seem to claim, despite the industry's (largely historical) obsession with secrecy.
> Huh? If you have worked on this stuff, surely DDA and CDA ring a bell? They're both based on asymmetric cryptography, and they absolutely allow the terminal to dynamically verify whether a given card is authentic or cloned, without having to go online.
Yes I was a little wrong here. My most recent experience in this area is dealing with messages on the issuer side. It’s been a while since I’ve done anything serious at the card config level, and don’t have a huge amount of experience with the handshakes that occur between card and terminal.
The missing nuance is that the transaction cryptogram is symmetrical encrypted, and that’s the only cryptographic blob sent over the card network to the issuer. As the asymmetric stuff only happens locally between card and terminal, and isn’t included in any data transmitted from terminal to issuer.
So the terminal can check that the card is a real card using asymmetric encryption, and that the produced transaction cryptogram was produced by that card. But none of that evidence is passed on to the issuer, only the symmetric cryptogram, which can’t be used for non-repudiation is sent to the issuer later.
Hence the experience dealing with forged transaction cryptograms, which were forged by an acquirer in a systematic manner to try and gain stronger chargeback protection because their sloppy transaction processing resulted in them processing a lot of fraudulent transactions, and then being hit with a lot of chargebacks. The process of “proving” to the network that this acquirer was forging cryptograms was sending a letter signed by legal team attesting to fact we had evidence of forgery, plus a much nastier letter sent to the acquirer in question to knock it off, and stop doing obviously illegal things. Ultimately it’s the acquirers legal counsel that acts as the enforcement mechanism here, and the obvious threat of lawsuit they’re clearly can’t win tends to be a very strong motivator for companies to tidy up their act.
> EMV is a cryptographically sound (if dated and very complex) scheme, and secrecy of implementation is actually much less of a security factor than you seem to claim, despite the industry's (largely historical) obsession with secrecy.
I may have overstated it a little. Bad habits from spending too much time dealing with PCI rubbish. The difficult thing to get across in these threads about payment networks is how much of the systems “security” really comes from clever legal contracts, and smart distribution of liability and risk. Effectively making in everyone’s interests to not do anything really silly, but the actual technical security is almost secondary to legal mechanisms that exist to ensure that participants are highly motivated to make sure that fraudulent transactions are kept to a minimum.
I used to have an online maestro card (was solo and now known as debit mastercard) and an offline card (was switch, now also known as debit mastercard) from a UK bank, due to having two current accounts there.
The offline card was from a current account with an overdraft and also worked as a cheque guarantee card, for cheques up to £250 under the (discontinued ~2011) cheque guarantee scheme[0] and had a special hologram on the back. The retailer would watch you sign the cheque and write details about you, the card and any CCTV etc. on the back of the cheque. I imagine the offline behavior of the card was similar, and was a carry over from that.
The online card was from a basic account with no overdraft facility and acted a bit like a prepaid debit card.
[0] https://en.wikipedia.org/wiki/Cheque_guarantee_card
The tech is fundamentally fine - where the problem arises is human behaviour.
When offline contactless payments first emerged in the U.K., there was a significant spike in unplanned overdraft usage and disputed transactions, as people rapidly realised it essentially worked as a free line of credit, up to £100 or £250 depending on your issuer.
This quite quickly caused issuers to push up prices on offline transactions, which made them less appealing to merchants - add to that that people were talking about them being a hotbed of fraud, and merchants err away from offering them, PCNs start dropping the capability due to lack of demand, and here we are today.
I think metro trains in countries like The Netherlands and Singapore use this approach where in you tap your cards and entry and exit and you are billed usually somewhere at the end of the day.
It's more complex than that: The card actually has some nonvolatile storage with your current balance, which gets decremented each time you use it.
Yes, stored value cards are a very mature technology.
For various reasons, they're mostly used in closed-loop systems these days (think laundromats, transit systems etc.), but historically there were open-loop deployments in many European countries, and in some countries, stored-value POS payments are still very popular, e.g. in Japan.
It's a real shame that the entire world moved to online-only. Sure, it's much easier and there's less opportunity for various kinds of fraud as a result, but in terms of availability during outages or cyber attacks, it was a big unforced step backwards.
> historically there were open-loop deployments in many European countries
Indeed, there used to be things like "Moneo". The problem is that banks never trusted really these systems, so you were limited to, say, 50E of stored value. Also for some reason in Europe the readers of such cards have never been great, I guess because most devices were built on the cheap, so even if the transaction is offline and supposedly fast, you would have to wiggle your cards all around most readers for 2s until it's picked up.
In Hong Kong there is the Octopus card, which started as a closed loop subway card, but ended up being so loved that now you can pay litterally anything with it. It can store up to $500, and you can set it up to automatically top-up to $500 more per day linked to your bank account. Also accepting payments from octopus cards is very easy, you don't need a physical device and small businesses can just have the customer card tapped on their phone with a merchant app.
Stored values cards were the way French public phone booths worked when they first moved away from coins in the 80s.
There were single-use chip cards that you bought and kept in your wallet. Plain eeprom.
I remember I built a reader for them as a teenager...
These were storage only though, right? Such systems are trivial to compromise.
Stored-value payment cards usually contain at least a secret key and some logic that allows them to establish a secure channel to another trusted entity, such as a merchant smartcard (which can be embedded in a terminal) or a backend server (and a corresponding HSM).
There's stored value and then there's "account based ticketing" where your card is just an ID and the final amount will be debited daily.
> The card actually has some nonvolatile storage with your current balance.
I'm not trying to find a gotcha, but wonder how that works with paying by phone nfc and then by card?
Not in the Netherlands, no. The card can be a bank card, and you can be billed at the end of the month automatically through direct debit.
It also wouldn't work as you describe, as the terminal at the point of entry doesn't know how much to charge you since it doesn't know where your journey ends.
It will bill your 4 EUR (on a tram/bus) or the whole 20 (or something on a train) instead of the actual journey price if you forget to checkout. Pretty sure it can decline cards for insufficient balance too. Not sure the entry gate blocks the amount.
Actual chipcards don't bill you at the end of the month either -- they reload a fixed amount through direct debit (which takes a few days) the moment your balance crosses zero. If the direct debit isn't setup for a card (because it's not a personalized card) or the debit was rejected, the card is blocked.
For business chipcards cards it works somewhat the way you described.
Some transit systems work by putting a hold on your card for a nominal amount. When you finish your journey it then only claims the cost of your journey
Thankfully that’s not the system GVB uses, it’s incredibly annoying to have these transactions and reversals when trying to do your own accounting.
It definitely exists in Amsterdam, no? When I visit I just tap my card/phone on NFC enabled card checking machines (which exist in and out of the stations)
in the Netherlands you can now pay with your normal credit or debit card instead of a special train card. Was a thing in Kyiv metro for a decade too.
A lot of internet payments work this way already anyways, not many gateways require auth before capture, processors/payfacs just do it because it gives lower interchange and reduces risk.
That depends on where you are. But all the major networks expect auths before capture, even if it isn’t technically enforced, and will punish gateways and merchants who have low auth rates.
Auth before capture doesn’t generally reduce interchange. What it primarily does is shift liability in the event of a dispute. If a chargeback is raised, and no auth happened, then the merchant simply looses immediately. They have no mechanism for fighting the chargeback. If they auth first, and got an approval, then it’s the banks problem in the event of a customer dispute. The merchant can reply to the chargeback by pointing out the valid auth they received from the bank, and the bank has to go pound sand.
You may see this as different “interchange” rates from a specific gateway. But that’s simply not true at the network level. The difference in pricing just exists so the gateways themselves can price in the additional risk associated with auth less captures, given the gateways are always on the hook, even if a merchant goes bust. The major networks force gateways to have funds kept in escrow that are guaranteed to cover any shortfall that might occur due to individual merchant failure, or failure of the gateway itself. That how networks make sure that zero real risk every accrues with them, they make everyone else put up huge stacks of cash to ensure that every virtual cent that’s in flight at any moment, is backed by a real cent in escrow somewhere.
I always wondered how come that some online merchants where I record the card do not ask for auth or 2 factor and some other does. For example, I have recorded my card info in a webapp that I use to pay the bills, and it never asks for anything, which is good, as I have many bills to pay, and I wouldn't want spam of 2FAs. Can you provide some technical terminology on this behavior or links, since you seem to be in the knows. Thanks.
Amazon as well seems to never do proper auth (at least here in the UK). When using an existing card where the delivery address matches the billing address, card transactions go through instantly
In my experience, they do the auth immediately before shipping, instead of at order time like almost every other online merchant.
I find that super annoying, as it's bitten me more than once in the past when I used the wrong card for a given order without instant feedback.
There is no rule that there has to be a single payment per authorization, if you read for example mastercard API https://in.gateway.mastercard.com/api/documentation/integrat... it says you can partially capture, you can extend authorization. So for all you know when you buy at amazon it just updates the authorization and charges you later but keeps authorization going and amazon might just check if they have auth token for your card and if they do system allows you to continue and to you it seems instant.
It’s a lot more complicated and nuanced than that. The API docs you link too are for an API that covers a tiny fraction of what can be expressed in the actual ISO 8583 messages which are the real “API” of the card networks. The docs for those are hundreds of pages long.
Plus you need to analyse how the different messages types and sequence of messages interact with the transaction processing rules, which are also hundreds of pages long.
Suffice to say, the entire system is insanely complicated, and just about everyone out there implements it all incorrectly, with the whole system on working because partners are only allowed to complain about the insanity if they actually loose money. Until that point they’re expected to just handle everything as best they can.
That would make sense, and I guess if you tried something suspicious (larger order to a new address), you would get the full auth flow
Ultimately all this stuff comes down to risk and risk management. The card networks themselves don’t provide any technical enforcement of most of their rules, beyond low level technical rules around message format and structure (and even that enforcement is pretty small).
Instead they effectively make all the parties that connect to the network responsible for rule enforcement. If a merchant follows all the rules correctly then they receive extremely strong chargeback protection, I.e. if an issuer sends a chargeback, and the merchant has plenty of grounds to dispute the chargeback and win.
If merchants don’t follow all the rules, then issuers can send chargebacks, and it’s much harder for the merchants to defend themselves.
In all scenarios it up to the issuers and merchants to explain in the chargeback what rules have been broken, by which party, and thus who should win based on network transaction rules. The networks themselves don’t even make a ruling directly, instead the issuer and merchant decide who wins via a back and forth process that includes escalating fees paid to each other, until one side gives up. The networks only get involved the two sides can’t resolve the issue themselves, and will charge the looser a significant fee for the privilege, so there’s a strong incentive for the parties to resolve the issue themselves.
How does of this interact with 2FA, auths etc etc. Basically 2FA, and ordinary auths are all just things a merchant can do, or trigger, to reduce their liability and get better chargeback protection. If the merchant performed a full 3DS auth, where the issuer is asked to perform 2FA, then they have pretty complete chargeback protection in the event of fraud, because they’ve basically asked issuer to make absolutely 100% that this transaction has been approved by the issuer’s customer, so there’s zero grounds later to claim that a stolen card was used or something similar. If the issuer’s customer wants to dispute the transaction, that’s the issuers problem.
But all of these mechanisms reduce checkout rates, and thus merchant revenue. As a result some extremely large merchants make a trade off of basically accepting all the risk of fraudulent transactions, and give up chargeback protection, but not following all the rules. The merchant does this because they’ve basically asked believe they have enough data to prevent fraudulent transactions, without using any of the tools the card networks provide.
For merchants that can do this (like Amazon), they build in-house fraud detection systems, and payment systems that evaluate the risk of each transaction, then change the exact way they perform the transaction to either reduce friction (because the transaction is very low risk) or increase friction (because the transaction is higher risk), thus allowing them to capture more revenue, without taking on more risk (because they have confidence their ability to detect fraud, and thus don’t need help from the issuers).
But there are very few merchants that can even do this, as it generally requires either a very collaborative payment gateway (who are ultimately on the hook for merchant misbehaviour), or a direct connection to the card networks (who aren’t interested in talking to people not moving millions of dollars every day). Which is why it tends to pretty rare.
Kudos for this great explanation, everything is now clear.
A lot of the time, that's still API smoke and mirrors.
The API call is labelled "sale", but it performs an auth and at the end of the day the system still generates a capture or settlement-style message.
To an extent, yes. But functionally it doesn’t matter to the client of the gateway (or their downstream users, the cardholders).
If the gateway allows you to complete a sale request at 7am that doesn’t start an auth until 9pm, you have an offline payment by any other name.
What gateways are you thinking of? Effectively all international card networks require online authorizations for almost everything.
The way gateways and networks handle auth are not the same thing and it gets really muddy and confusing, honestly.
If you’ve already tokenized the card on a gateway for a particular merchant, for example, they may allow you to keep pushing multiple charges while on their end still using the original network auth from the first tokenization - which ends up being entirely opaque to you, the client of the gateway.
Essentially you don’t have to care what the card network rules are, just how your gateway presents functionality to you.
Exactly like that most likely, I am old enough to remember those machines where credit cards left their mark on the receipt, that is why their numbers are higher than the card.
Here,
https://en.m.wikipedia.org/wiki/Credit_card_imprinter
What’s fascinating (apart from the sound those things made is still in my head) is that the very nature of the technology meant who could and could not get credit varied. At first (1950 diners card onwards) only well off could use it at limited establishments (ie restaurants) and they would postal deliver lists of cars - initially white lists of valid card owners and later hot lists of delinquent card owners. Stick your privacy issues in the restaurant food bin there!
Calling a call centre to verify every transaction is too expensive so only purchases over certain limits came in following BofA/Visa - and that stated that way till the late eighties when larger stores started using back office to talk to Visa network etc. but even so the ability to do live updates and verification was too much and there were weird cacheing tricks
So banks could easily approve or be liable for transactions they would prefer not to approve - so they only gave credit to the rich at first, and then to those who paid back regularly. This info was shared and became credit reference agencies - because the credit card companies shared it initially like casinos but the abuse and mistakes brought legislation
I think what i am saying is our consumer credit culture was not designed, it just grew.
I think it was normal that you had to show ID that matched the card name, and compare the signatures too. Now the signatures are just a spot to draw something funny.
In the 80s and 90s in the UK you just signed. The card imprint was embossed by the machine which put it onto the carbon, and that was sent off to the bank for payment later in the week, like cheques.
I last used a carbon credit card in the early 00s. Electronic swipe and sign for a credit card had gone pretty much everywhere I went except the US by about 2010
I was charmed to have my US credit card read by an imprinter at a corner shop in the UK, circa 2014.
I last used a carbon imprinter in the UK in 2013. We hired out car roof boxes / cycle carriers at a summer job I had.
I am not sure how valid it was, though they would take a deposit and a card imprint until we got the car accessories back.
My employer in the UK had a machine in around 2014, but it was only used for sales of their own products to employees.
It put all the transaction risk onto the employer, and had a high fee per-use, but since they only had these 'stock clearance' sales to employees once a year it was fine.
When I was working retail (almost 20 years ago :[ ) we imprinted more often because of a failed magstripe, than a computer outage. In the event the card couldn't be swiped, you could key the number in, but the printer would create an extra-long signature slip instead of the normal kind, and we'd imprint the card onto it, as proof the actual card was there. This was I assume to prevent us from having to pay a higher 'card not present' interchange fee, and in terms of fraud, made it really obvious if someone was doing something shady like typing in card numbers without the card or cardholder being present.
We did sailing charters growing up and had one of these on the boat, I was in charge of it and the sound & feel of the CH-CHUNK is seared into my memories like nothing else. We never got any declines, but I always wondered how that reconciliation process actually worked out.
We never got any declines, but I always wondered how that reconciliation process actually worked out.
IIRC, the merchant gets paid if hitting a credit limit or similar decline reason. The card holder then gets hit with a financial penalty (usurious interest rates, or extra charges). If the card has been stolen, it ends up in a big phonebook-like book for offline use (otherwise the merchant just called it in for big purchases).
I remember buying books at a shop in Denver in the late 80s and watching the proprietor look to see if my card was in the big book of stolen credit cards numbers before he ran my card through the kachunka machine.
You didn't get any declines because you didn't ask for any approvals :)
If you mean chargebacks: I believe imprinters had card issuer liability for the longest time, at least as long as the transaction was under the (network-defined) "floor limit".
So if these were relatively low value transactions, the bank would simply not have any standing to decline payment.
When I got my first account to accept credit cards in the 90s, they sent me a kachunka machine along with a bunch of window stickers, all of which were kind of silly since it was for a magazine and I almost never took payments in person (it was also a challenge to persuade banks that the fraud risk was low since magazine subscriptions required a stable mailing address over the course of a year—as it turned out, the only instance of fraud I ever had was a subscription plus back issue order sent to Hungary—still kind of weird to think someone would engage in crime to get issues of a magazine about typography).
In the 90s through political turmoil in the Balkans (former Yugoslavia, so perhaps Hungary which borders it to the North was similar), it was impossible for young adults to acquire a payment instrument that worked online (even my dad had a tough job getting a Visa card: you had to deposit something like 500 Deutsche Marks for a limit of 200 DMs, which was like 50x monthly salary, and only one or two banks issued them). Thus, lists of stolen credit cards were circulating online after 1995 when we got dial-up internet into homes (it was only in Unis before that).
If you had any interest in any topic you read about on the web or in a book, that was the only way to get things even if you had the money otherwise.
Btw, what typography magazine was it?
Serif. Publishing it was a great way for me to lose a lot of money I didn’t have.
Just because an imprinter was used doesn't mean the transaction was necessarily "offline". Depending on merchant's policy, the cashier would call their processor, give them some transaction details and receive an auth code for the transaction which would be written on the imprinted ticket, thus authorizing the transaction at the POS just the same way it's done today (except with humans and phones, instead of an electronic handshake).
Given that GP was the one doing the imprinting, I believe they'd have remembered having done a phone call to a processor or card network on a sailboat :)
Had a taxi driver in Melbourne who used one of those to take me to the airport in 2009
Gave me a bit of a surprise when he cashed in the paper copy two years later and I hadn't been to Australia since...
They where supposed to do it quicker.
I think there was a limit of something like 60 days. At least my bank apparently refused all transactions that were settled too late.
I had a job which involved a lot of taxi trips, and when I cross checked 30% of the trips where never charged my account. I suppose they just filled up the glove box with old slips until they couldn't shut it. Hotels never failed.
In Canada, taxi drivers could be charged horrendous fees for these transactions so sometimes you’d see the charge coming through some random convenience store
Yup exactly this, I had to look it up because I don't even remember what they were called but I vaguely remember seeing them in the 90s.
Wikipedia claims they aren’t being used in the 2020’s, but I’ve still seen stores in the past year pull them out when the internet is down.
My company had them on-hand until around 2021, when I told everyone to throw them out. They'd last been used - at one location, during a complete POS meltdown (I don't miss Aloha at all) - in maybe 2018? No one could remember a previous time.
I'm trying to think the last time I saw one in use, last year or a couple years ago when there were large scale power outages. Of course the newer cards lack raised digits so I'm not sure how well they worked for keeping business moving. I had cash.
As I recall, the slips do have a spot where you can just write the numbers down. But widespread lack of raised numbers makes them hard to use. I think all my cards have been reissued flat by now.
Yeah, I've had the cashier just hand-write in the numbers on the sheet when it's a flat card.
Good luck still finding an embossed card in 2025, though.
I used those machines to charge cc’s at a major ski resort in California in 2004. At the end of the day I would enter all the details in an online terminal and process the charges for real.
this is what first came to mind for me too. I'm in my 40s and still saw them used semi-frequently during my life. In ~2015 I actually paid using one in a taxi, that was the last time.
Heh, in 2014 I remember taking a taxi that only accepted card using an imprinter, which was unfortunate because I had just gotten a new card and the numbers weren't embossed. He had to drive me to a gas station to get cash from an ATM.
Very interesting, never heard of these. Thank you.
I imagine there is a clear and distinct line between "I've never seen one of those" and "I can remember exactly how those sound". The sound of sliding that handle over the card is ... distinctive. I can discuss it with someone, slide my hand left and right, and say "shunk, shunk" and lots of people will very clearly remember them.
“Never heard of these”, meanwhile I was remembering a credit card that I used so often that I wore the coloring off the raised numbers.
And I guess if one has never seen these, I need to explain. In order to leave an impression on the carbon paper (I should probably explain that, too, huh?), a fair amount of pressure was needed (those old card imprinters didn’t require a gym membership, but a child could not operate one). That rolling pressure would eventually wear on the surface of the card, and turn the numbers white when the outer layer wore through.
If I remember correctly, this sound is part of Pink Floyd's song "Money"... part of the background rhythm. I wonder how many of the "Never heard of these" crowd would recognize it if they hard it in person... smile
I suddenly feel very old.
That’s how it happens.
> It's not about paying by cash but paying by card offline. How is this going to be implemented I wonder.
Considering that the card has memory on it, you can store there how much balance you have when you do an online payment. The bank can send back your available balance, so you cannot spend offline more than you have.
I can't think about anything simpler than this.
Unless money has been withdrawn from the account connected to the card after the card was last online.
A brief history goes like this:
In the past embossed credit and debit cards were both accepted on planes. That's why they were embossed in the first place: for offline processing which in even more distant path was the only option. Later CC machines and offline chip/stripe transactions co-existed with online transactions.
Normally (at least in Europe) you couldn't get an embossed card, even a debit one, without proving your credit worthiness. The possibility of offline transactions assumes overdraft — the same as with check books.
When online transactions appeared, banks started to issue Visa Electron and Maestro cards which didn't work offline, could explicitly prohibit overdraft and were easier to get.
But nowadays all boundaries gradually disappeared. Nothing is embossed, Visa Electron doesn't exist, bank issue debit cards with credit codes. It's all much simpler and more confusing at the same time.
Ironically, the few embossed cards I still have are from debit or prepaid issuers, presumably in a plot to make them look more "official", so at this point we've looped around completely and I've started associating it with a dated/tacky look. (They also take up twice the space in my card wallet and often lose their cheap metallic paint over time, annoyingly spreading glitter across my pockets.)
I experimented a bit, and with a hot air station it's possible to de-emboss them, exactly for the purpose of fitting more cards in my card wallet..
I didn't try it on an active card, though, and I suppose the problem solves itself by time.
Debit cards are most definitely accepted on planes.
complicated.
star/plus/cirrus etc - pure debit-only networks - aren't accepted on a plane
debit cards that are on one of the credit card rails (visa, mastercard, etc) are very common. those work because they're just a normal visa transaction
> those work because they're just a normal visa transaction
I wouldn’t be so sure about that. In some payment situations you’re asked whether you’d like to have the transaction go through as debit or as credit—so those two must be different somewhere. And probably in more than just a bit in a packet, as, for example, paying with debit Visas or MasterCards (normal ones, not Electron resp. Maestro) in the Netherlands (where locals almost universally have credit cards) is something of a crapshoot.
They use largely the same rails/network (for example Mastercard). The only meaningful difference is on how and when funds are reconciled.
Some payment providers ask up front to simplify the flows as it's not totally trivial to determine what sort of card it is, and also because different fees apply - historically some merchants added specific fees to basket etc. (less so nowadays but the UI convention sticks)
> Some payment providers ask up front to simplify the flows as it's not totally trivial to determine what sort of card it is
And because the same card can be both. At least here in Brazil, most bank cards have multiple uses (credit, debit, ATM) in the same card. AFAIK, they're separate applications within the same chip, and the terminal has to select which one to use before starting.
Interesting! Did not know that offhand but just looked it up in the technical docs and this is part of the standard. Interesting to hear how other countries have adopted different approaches.
From memory, online and offline transactions are usually split out by BIN number (first six digits)
The BIN will tell you which bank was the issuer and which class of card you have, like standard or premium, though most readers probably don't take that into account beyond the card scheme and card type associated with the range that the individual BIN is in. Many banks will have multiple BINs for the same card type if they are large.
Credit / online debit / offline debit usually get different ranges. The reader gets a list of the ranges when it updates and they don't change super often. Offline readers can be configured to reject cards with a number in an online only range.
It's usually based on the chip settings. Rules aren't as simple as "always online" or "never offline"; an issuer can e.g. convey that they'd prefer online transactions for certain types of payments, while offline is ok for others, via relatively complex configurations of the code of the chip application.
Before that, there was the service code on the magnetic stripe, which also can convey things like "online only" or "domestic use only".
The BIN is only involved in risk management on the terminal's side: Many of these in-flight terminal accept deferred online transactions, which means that, even though they're completely offline, they take the risk of accepting an online-only card. (For truly offline capable cards, the risk is often with the issuing bank.)
That type of risk management can benefit from knowing what type of card it is, and prepaid cards are often seen as riskier (because customers might intentionally drain them before a flight). Of course, debit and credit cards can also be empty/marked as stolen, but these are marginally harder to get and replace.
Yep you are completely correct; people don't realise how complex the chip is - it has what you'd legitimately recognise as an operating system! It can also be reprogrammed over the wire, if your chip and pin is taking a bit toooo long that might be what's happening.
Your correct on the risk spread. I wasn't confident last night (I'm not totally versed on the terminals) but looked it up. As I understand if you choose to accept offline only payments then you accept the risk of the transaction failing. If it's the issuers choice they own the risk.
> The only meaningful difference is on how and when funds are reconciled.
Nope, even this is identical. These days the difference between a debit/credit card is pretty much aesthetic, from a transaction processing perspective there generally isn’t any actual differences. Differences that people see today are most artificial for the purpose of justifying extra fees, or higher interchange based an entirely arbitrary factor that has zero correlation to any risks that appear in the transaction processing and clearing mechanisms.
Basically the only reason anyone really bothers keeping the difference between credit/debit cards around, is as a technical excuse for discrimination and abusive fees. Notably in the EU nobody cares if a debit or credit card is used, because the EU outlawed all the crazy fees and other bullshit, so now there’s no commercial reason to differentiate between the two 99% of the time.
There are a few differences for sure. All entirely technical in how the money moves or clears. The most obvious point here is debit card moves your money from your account, credit moves the issuers money from their account.
But to your wider point; from a transaction fee point of view you are dead right. Of course a credit card has other attractions; for example it's credit :D but also things like section 75 protection.
> There are a few differences for sure. All entirely technical in how the money moves or clears. The most obvious point here is debit card moves your money from your account, credit moves the issuers money from their account.
From the perspective of the card network and the merchant, there is no difference here. The card network has a contract with the issuer, so all transactions, in all scenarios, are always first paid by the issuer. It’s then the issuers problem to figure out where they get the money from.
It’s entirely possible to perform transactions on debit card that will place the account attached to it in a negative balance, and for the person owning that account to vanish. The card issuer is still on the hook for the money, neither the card network, nor the merchant, care if the issuer recovers the funds or not, they always get paid.
Fortunately, Maestro is being phased out in Europe.
Even without internet connection?
Edit: OK maybe there's different level of trust and some take a leap of faith :) In my experience debit didn't work but it appears that its not the same everywhere.
I don’t see why not, they can be run just like a credit card through the same network.
When a debit card prompts for a PIN, don’t enter it, press submit, and it runs as credit instead of debit, but functionally works the same as far as the card-holder is concerned. It might take slightly longer to settle, and the merchant likely gets charged higher fees, but it works just fine. When I got my first debit card 20+ years ago my bank specifically told me to select credit and using it, instead of using it with the PIN as a debit card.
These days I’ve noticed the systems tend to auto-prompt for the PIN instead of asking credit or debit. But skipping it functionally works the same as pressing credit used to.
Having a credit card requires some amount of trustworthiness. Anyone can get a debit card, they even sell it in supermarkets.
Normally in supermarkets they sell prepaid cards which are distinct from both credit and debit ones. Visa and Mastercard support all three types.
This is not the case of debit cards in Europe. Debit cards are tied to bank accounts. Most people only have a debit card or don’t even know what a credit card is (or what the difference is). We just call them “cards”.
You can buy debit (or more accurately prepaid) cards in supermarkets in Europe too (which is a big and relatively diverse place, so just because that is/was not a thing in the countries you're familiar with doesn't mean it didn't exist).
Prepaid cards are a separate category of cards to debit cards.
Plenty of places allow debit cards that don’t allow prepaid cards.
They’ll give a credit card to just about anyone. It will just have a low credit limit and extra high interest.
Most people who have terrible credit have still have credit cards.
Debit cards are from banks, not supermarkets. A debit card is backed by a checking account, typically.
You're confusing debit with prepaid; they are classified differently and merchants can determine one from the other.
I have no idea how the terminals operate, but I was on a flight two days ago and paid with a debit card. The flight otherwise required devices to be in airplane mode. Though there are flights that offer wifi, so there's a good chance the terminal can communicate with the ground, but they just don't allow anything else.
Yep, but IIRC only if they are credit, not debit. I guess they also have certain special conditions with the processor...
Edit: I've also seen it when paying on the cafe car while on train trips in Spain. Even without any cellphone/internet coverage they'll let you pay, but only with credit.
It’s definitely not that simple. It’s totally random. I have only European debit cards, and I can pay everywhere. The same was true with my cards from other countries. Sometimes only Apple Pay/other NFC based system worked for some reason, which is connected to the same cards, when on the same airline I could pay with my physical cards in any other instances. Sometimes I can pay only with my physical cards. Sometimes one of my card doesn’t work. However, I didn’t have problems with them in the US in the past few years. It was more complicated over there before COVID.
Yeah. They just accept some loss on bounced payments. Got a free meal (well it was a sandwich, nothing fancy) like that.
Can’t debit account go negative where you live? It’s definitely possible. Even when you don’t have an account credit, or what it’s called. Of course, this is possible only in strange circumstances, but still, I had a debit account with negative statement once. If I remember well, it was because similarly delayed offline transactions. It probably depends on country and/or bank.
Yes, and if your account goes negative, they just fine you and/or send the police to your house to arrest you.
> paying by card offline. How is this going to be implemented I wonder.
Paying offline used to be the norm for credit cards, from their introduction in the 1960s until some two decades ago.
Wikipedia: [...] until always-connected payment terminals became ubiquitous at the beginning of the 21st century, many merchants accepted all charges, especially those below a threshold value or from known and trusted customers, without verifying them by phone. Books with lists of stolen card numbers were distributed to merchants who were expected in any case to check cards against the list before accepting them, as well as verifying the signature on the charge slip against that on the card.
These things used to be ubiquitous:
https://fragrant.mobiletransaction.org/wp-content/uploads/20...
Often this is indeed trust-based, but the trust isn't due to you having a card issued by a trusted bank (most airlines accept debit cards too), but rather due to passengers being extremely visible and well-identified:
In-flight credit card fraud is an incredibly bad idea, given that most countries check your ID at least at some point during getting on the plane, and seats are usually assigned as well. (Doesn't mean that nobody tries, of course [1]).
Sometimes airlines also use ACARS (basically airline-specific telex over VHF, HF, or satellite) to send the card number to their backoffice for authorizations of large amounts, such as business class upgrades.
These days, of course, Internet connectivity is getting more common, and with that the problem will likely go away.
[1] https://www.sunderlandecho.com/news/pair-spared-jail-after-a...
Not that I disagree, but it does make me wonder if this would be one rare instance where American Express which I know is notorious for siding with their customers (at least for a time? - my father worked as an accounts payable accountant at a big hotel in Orlando near Disney World and he said American Express was notorious at not paying even with signature if their customer claimed it was fraud) would still side with their customers. Leaves one to wonder if they even take Amex on flights.
I still remember them taking my card which I think was a debit card on a flight and shoving it into carbon copy paper and basically billing me whenever we landed. This was late 2000s. From Puerto Rico to Florida.
I doubt you'll see any bank not siding with the cardholder in an offline or deferred-online scenario, since they're usually not liable for any ensuing fraud and accordingly can just charge the transaction back from the merchant.
In Norway, the card terminals usually go into an "accept with signature" mode if they are temporarily offline. So they print a receipt that the customer has to sign. (This is for BankAxept debit cards, which are standard in Norway.)
In a grocery store line once, I remember a distraught customer whose card was declined due to insufficient funds. The store manager came over, yanked the ethernet cable from the payment terminal, and told the customer to try again. "Accepted with signature."
This is why I don’t snitch on anyone stealing food. Skip the line.
I’m a millennial and even I remember when all card payments were offline.
I remember a bar I worked at had trouble because some customers had begun writing wrong signatures and the receipt had been rejected by the bank the following week.
Restaurant POCs have an offline mode. They had to ask my zip code so I suppose it just counts as a "card not present" transaction that goes through later. Does present the question of whether that data is temporarily stored unencrypted or if it's immediately encrypted to be sent to the bank when it comes online
I, for my sins, have had to read PCI certification standards, and they're required to be encrypted, or not stored at all. Not that every implementation follows that, of course, but that's the expectation.
I work for a POS company and we support offline payments. The SDK(s) we use for our card readers give us an encrypted block of data that we can store and retry when back online. We don’t support “Card Not Present” when offline, we always tokenize cards if we enter them manually (HPP) which we can’t do when offline.
That sounds like security theater.
What would asking for the ZIP code help if it can't be validated on the spot? If the terminal submits the transaction in batch later, it's too late for that to catch a stolen card.
Providing an incorrect ZIP code also makes the transaction more likely to be declined than not providing one at all for card-not-present transactions (and is also allowed), so it really makes no sense for a merchant to do that.
On every flight I've been on recently, Internet was available to passengers. Surely a few KiB (I assume that this is what a credit or debit transaction requires) could go over this system?
US domestic? I've found it's somewhat rare to see here in the EU, but there are a few airlines that offer it.
That said, just because there is no passenger connectivity doesn't mean the airline doesn't have some, for operational reasons. Even if that's just a narrowband satellite or VHF (ACARS) link, credit card transactions take very little data (POS terminals are 80s technology, after all).
That said, I still don't think that that's too common – building out cabin Wi-Fi for card authorizations only is probably not worth it, given how hard it is to get away with fraud in an environment where every seat has a passenger name to it, and that name is often verified by the airline or government at the airport or at boarding time.
Well while seats do have a passenger name to them, people end up in interesting places on underbooked long flights like over the Atlantic. Cabin crew sometimes gets excited if people move too much. But this is rare.
Especially when expensive in-flight shopping is involved, I'd expect cabin crews to become even more interested in wandering passengers.
I've once seen the cabin crew ask to see a passenger's boarding pass while they were paying.
The novelty was more that this was the first time I'd seen anyone buy the expensive perfume, I don't remember any more.
In addition, there were commonly seatback airphones on big planes in the 80s and 90s.
Yes, most of my flying experience is US domestic. While I expected differences, I didn't expect this one
Most EU flights I’ve been on offer Internet to travelers for a fee. Even if they don’t offer it to travelers, it doesn’t mean they themselves do not have Internet connection… I’m sure most of the time, they have access to the internet and paying by card is not more complicated than paying in any other store.
On one of my recent Ryanair flights, the transaction reached my bank about 30 minutes after landing. On another, it took two days.
> Even if they don’t offer it to travelers, it doesn’t mean they themselves do not have Internet connection
It usually does, it requires quite a bit of equipment and it doesn’t make economical sense to install it and not sell it to passengers. Airplanes have other means communicating with the ground and airline offices though.
all the US domestic majors have either viasat or starlink these days.
I took a Spirit about a year or two and accidentally gave them an old card for payment. They didn’t bill til a day after landing and it got denied. I settled it on a later flight but they definitely lose some money from this.
Credit cards were originally an offline payment method. The merchant would create a receipt that included a contact paper imprint of the card (which is why the card has raised lettering) and would present it to the bank for reimbursement.
I got my first Credit Card in 2000 (I think that was 2000 or may be 2001). Credit Card swiping devices were rare and many a store just use that Imprinter thingy, and I sign on the carbon papers. That was an offline process. This was in Bombay (INDIA).
I think something similar to this https://en.wikipedia.org/wiki/Credit_card_imprinter
We used to have something like this in Belgium where you could load money on your debit card:
https://en.m.wikipedia.org/wiki/Proton_(debit_card)
I would not assume the central bank of Sweden would mean credit cards only. Debit cards are extremely common for card payments.
Credit card transactions were only done offline in the 80s. So it’s very doable.
They physically imprinted your card numbers on some special paper with a mechanical device. Wild.
On European airlines I'm pretty sure you can buy with debit cards too.
This is funny to me, because I'm old enough to remember when card payments all used to be offline...
And even paper based.
Using a card-to-card transfer of some sort of credits/units, with eventual online settlement. Using chip cards, obviously. The tech for this existed since at least mid '00s.
the original credit cards were entirely offline via paperslips
phone auth was added later for "online" auth, then machines that automated it
I mean that is what mondex was and oystercard is today. Closest we can get on the us is a prepaid refillable gift card. I Keep hoping for digital cash, no dice so far
I have grown up seeing my parents write physical paper cheques.
It's basic life goods and everything is still signed for, tracked and registered. Besides, banks love to collect interest.
To this very day I have several (older) relatives that use paper checks sent via snail mail to pay all their bills.
Re paying on the plane: yes, that's how credit cards work. The question of the solvency of the customer becomes the problem of the payment processor.
My Garmin watch has Garmin Pay, which works even if I don't have my phone with me. I think I just presumed that there is a bank balance cached somewhere in the app so that an attempt to spend up to a hard limit or that amount will work.
Mobile/wearable wallets are usually online-only, since you can add one card to many devices, so offline limits would be really painful to synchronize (or alternatively banks would be taking a big risk by allowing more than one or two devices and duplicating limits).
There used to be a few relatively large scale stored-value card systems (https://en.wikipedia.org/wiki/Stored-value_card) for general-purpose payments in the past.
Airlines typically are already in possession of your credit card, so most likely it's just "if he stiffs us, we can always find the carrier they registered with"
So it's not _just_ blind trust.
It's a trust thing yes.
Essentially, you (the merchant) just write down their card number, and how much they paid you, and then later you send that list to your bank who sends it to the credit card network.
There is no big technical hurdle. There is a big social hurdle in convincing your bank and the network that you should be allowed to do this. Also the card number gets copied by a little pressing machine onto carbon paper or something like that, not just written down.
Being able to spend money you don't have is not a new thing, and poses no technical problems. American readers will know you can easily do that with a cheque. It's your responsibility not to do that, and that's one reason why the bank wants so much personal information to open an account, so they can send the police over to break your kneecaps.
Eh? I’ve always used a debit card with those without issue. Transaction usually posts the next day.
Possibly related?
"Starbucks does not use two phase commit":
https://www.enterpriseintegrationpatterns.com/ramblings/18_s...
on planes they link your purchase to your seat, so they have your ID info in case you’re not solvent
I don't think they do, people move around and swap seats. I expect they just find the losses small enough to write off. I was once travelling shortly after being issued a new debit card, but still had the old one in my wallet and used it by mistake and I wasn't charged. They never tracked me down for the cost of that packet of crisps!
Cryptocurrency could also solve this problem.
A "debit" card could have 1000 crypto wallets, each with $10 in them. If you want to pay $90, it forks over keys to 9 of the wallets, and they get drained by the merchant as soon as they have a connection.
> Cryptocurrency could also solve this problem.
Offline, without double spending risk? Absolutely not, or at least not without a lot of extra headaches.
For that, you'll need at least some trusted hardware (generally an antithesis to trustless crypto schemes) and/or a clever incentive system (e.g. with senders staking a multiple of their balance as collateral, and never being quite sure if receivers are really offline, or only pretending to be, ready to claim their stake once they get publicly verifiable proof of double spending).
This would be vulnerable to a double spending attack. Pretty trivially too unless I’m missing something.
If it became common I imagine it would stop being so quickly as fraud would rapidly catch up.
Some context might be useful here. I spent some time living Sweden not too long ago and Swedes practically don't use cash. It's usually not said out loud, but cash is often considered to be dirty and criminal, to the point that most don't have any at all. Digital payments are very convenient and deeply integrated, so long as you have a local ID which allows you use the local payment system Swish etc.
This worked nicely until the tensions in Europe lead to more cyberattacks rolling in and suddenly you have people not being able to buy food, medicine, and so forth. Not too long after, there was a government advisory urging people to keep some cash reserves in case a larger cyberattack happens, but cultural habits at large are hard to change. This is of course a coarse simplification of the context, but might help understand this incentive a bit better.
> "It's usually not said out loud, but cash is often considered to be dirty and criminal ..."
Are you sure this isn't impression you've gotten from isolated reactions involving a small number of individuals, perhaps just a single individual? I can't relate to the sentiment at all, having lived here for just over three decades and experiencing the popularity shift from cash to debit card. I can, in fact, not recall a single time ever that someone has divulged the opinion that they consider cash "dirty and criminal".
More than anything else the Swede's favor of debit card is the convenience. Second to that I would say is the security of not immediately losing funds if you misplace the card or it being stolen - it feels less risky carrying a debit card, in particular if you're the type who prefers having more than a few "tens" on you in case you'd need or want to buy something.
I'm Swedish and if someone insists on doing a transaction using cash when Swish or card is available, I'd immediately start to wonder if it's for some kind of more or less shady reason, probably tax evasion at the very least.
You have to differentiate common purchases from "large" purchases in this discussion. I'm certain you don't think there's something shady going on, or tax evasion happening, if someone uses cash in the grocery store or at Pressbyrån, or to pay for some little gadget or whatever at Kjell&Co.
This is what people think of when someone "uses cash". Not hauling tens of thousands to buy a used car or to settle the bill for having your bathroom tiled, which would be cases I too would raise an eyebrow over.
I think they're talking about when merchants insist that you give them cash ("cash only"), not when buyers insist on giving cash. The usual assumption is that if e.g. a street-food cart is cash-only, it's not because they can't accept cards (it's rather trivial nowadays) but rather that 1. they don't want to pay the interchange fees, and more importantly, 2. they want to be able to cook their books when reporting revenue.
There are businesses that attract people that use cards fraudulently and the business gets flagged demand eventually dropped. Gas stations in less desirable neighborhoods in the US have this issue and some only take cash.
Credit card fraud is not nearly as common in Europe as it is in the US.
Additionally, and specifically in Sweden, the fees that banks charge businesses for handling cash (picking it up and depositing it at the end of each business day) have increased significantly in the last decade or two. This has been a significant factor in driving businesses away from cash - it's just expensive for them to deal with.
As were discussing here, swedes almost exclusively use online card transactions. Don't see much card fraud because of this.
>they don’t want to pay interchange fees
That seems totally fair if they can’t pass that cost on to you for using a card. Why should they have to pay to accept your patronage?
A cheaper alternative to cards here is app payment via Swish (approximately like Venmo). Goes straight to the vendor's bank account at a flat rate of the equivalent of USD ~$0.15 per transaction.
Why don’t you pay the transaction fee every time you use your card or whatever then? Why should the merchant foot the bill?
That used to be semi-common for smaller transactions in Sweden but was made illegal. Not sure why, probably to fight tax avoidance.
At this point the cost of handling cash is way higher than handling cards and as no one in Sweden ever uses cash its no longer relevant at all anyway. Now many (maybe even most?) dont accept cash to avoid the cost of handling cash instead.
Having a cash register and handling cash costs money too, doesn't it? It's just a cost of doing business.
No, it really doesn't, besides the fixed investment of buying a cash register. The idea of being forced to hand over a percentage of all my earnings to private company is abominable. I pay taxes to the elected government, not to some bank. It's why I only accept checks, ACH transfers or cash as payment, and it saves me 3% of my income a year over taking credit cards.
In the EU fees are capped at around 0.3 % I believe.
And you're mistaken if you think cash is cheaper for most stores. You risk theft (so need to pay for measures against that), you have straight losses from mistakes, have to spend time handling and counting cash, spend time depositing, spend time buying change, etc etc
I’m pretty sure there are fees involved with running a cash register, aren’t there? At least in Sweden, the machine has to be certified, registers with the tax authority and then inspected for re-certification regularly.
Regarding cash, does your bank not charge a fee for depositing cash?
No one has to pay a transaction fee to accept cash.
And you didn’t answer why you shouldn’t pay that fee.
What do you think happens to the cash at the end of the day?
Managing cash has costs too, they're just harder to quantify: you have to ferry it to a bank, you have increased risk of theft, fraud, and robberies, you need extra time to actually check the register etc.
And then you risk losing business if you don't offer card payments because it's just more convenient for most customers (you may like wise lose some if you don't take cash, but that's a vanishing market).
One big difference is that there's competition between cash handling providers, while there's essentially zero wiggle room for interchange fees.
That's what makes interchange and network fees so much more problematic than acquiring fees. There's very healthy competition between credit card acquirers and payment service providers on both features and price, but in the end, you have to accept whatever card your customer has or there won't be a transaction.
In the EU the authorities have recognized the power of the card networks and introduced price controls on interchange fees in 2015, capping them at 0.2% for debit cards and 0.3% for credit cards.
Note that Europe passed a law that limits interchange fees to something very low by US standards, like $0.20 or 0.05%, so it's not a reasonable excuse.
(The fact that credit card networks continue doing business in Europe proves they're still profitable and the US is getting ripped off by these fees)
Huh, interesting cultural difference. I couldn't give a flying fuck whether or not merchants I buy things from do their taxes correctly.
Definitely cultural: Italy has a big tradition of merchants evading taxes, and there have been multiple steps over the year to mandate card payments cause those imply the merchant will pay taxes.
So if you are a law abiding citizen you can easily be pissed off that you get to pay taxes and they don't.
For a few years "we don't take card" was widely interpreted as a strong indicator the merchant would evade taxes, and "I won't go there anymore" was a common reaction from some people. These days it's technically illegal and yet you will still find _some_ shops that only want cash.
Yeah there's that cash only bar in central Stockholm that's cash only. Everyone just "knows" they launder money there. I forget the name of the bar, it's on a barge near Tantolunden. it's the shadiest place I know where you can't barely find any shade!
FWIW I am Australian and we have a similar adoption rate of cashless payments.
If a merchant tries to promote cash options I immediately think they’re doing it for tax evasion reasons - not because of the touted reason that “card payments cost more to process” (they don’t once you factor in the cost of handling cash).
I think the same thing in the US about small businesses that only take cash, but it's still pretty normal to use cash in the US.
People forget that the credit card companies charge businesses to process transactions. Some stores/restaurants even give discounts for paying in cash because of this.
I know its not uncommon at small business to ad a surcharge for using cards on purchases below a certain dollar value rather than a discount for cash.
This is explicitly forbidden by almost all card processing networks (and by the government, in many countries). If you report a business who is doing this to the card processor, they'll likely get their card processing privileges suspended.
What's the difference between giving discounts for cash and adding surcharges for cards?
On the other hand, cash has its costs. You need to have a register, more training, more insurance, processing of cash at the bank, having it deposit cash at the end of every day, etc.
With credit cards you pay a fee, but you don't have to deal with all of those other things that people often don't consider.
But they already have all this, there are very few merchants that don't actually accept cash at all.
If a significant amount of your business is cash based then the risk is much higher. If you're doing $100 worth of cash transactions per day then your registers and safe probably don't have much and you can probably get away with weekly or even monthly deposits. Whereas if you're dealing with $1000s in cash then you probably want to deposit daily, need a lot more security around your register and safe, and probably have a much higher quality safe too.
I've lived in Seattle for decades, and have -never- found a business that would not accept cash. If I -had- I would have set down my prospective purchase and walked out the door with a promise never to return.
Apart from a transit card (all the mass transit also takes cash ... no fee added), I'm not going to pay to feed the surveillance machine.
There have been a number of food trucks in the Seattle area that don't accept cash for the past 5 years. A popular food truck might have >$5k in cash sitting there by the end of the lunch rush - it puts an awfully tempting target on your back.
This is a function of geography.
Where I live in Seattle, a lot of businesses simply don't handle cash at all, because break-ins for the cash register are quite expensive to deal with, and they circumvent that problem by simply posting outside the business that there is no cash.
One of the few businesses near me that must take cash, a dispensary, recently had an issue where somebody tried to break in using a stolen pickup truck to crash into the building. They didn't get the cash because they didn't get past the interior bollard system, but they did cause enough structural damage that the roof partially collapsed into the street.
It's pretty much required to accept cash in Seattle:
https://www.seattletimes.com/seattle-news/politics/king-coun...
This link 404s for me.
I mean sure, US is special in this case, especially since you don't actually persecute small time thieves...
But i've paid with cash all over europe, and except for some vending machines, i've never been turned down, be it london, paris, berlin, belgrade or athens... from large supermarkets and museums, to local corner newsstands with a small fridge and cold drinks and local fast food joints. On the other hand, the most unsafe I ever felt as a traveller was in chicago, supposedly in a "nicer/safe area", and I've been through the balkans in the 1990s.
In my country if you pay with credit card at a grocery store (or anywhere) you get 3.5% tacked on to your bill. Merchants don't eat the cost, and don't hide it in the listed price of goods; it's explicitly passed on.
IME (in Canada), the cash discount is surprisingly close to 15%, which is approximately the sales tax in most provinces.
Here in the deep (American) South, small businesses give discounts for cash because those global elites are trying to take away our cash and want to track us or whatever. To that mindset, cash is a way to resist a theoretical oppression.
This is the reason I try to pay everything I reasonably can with cash. I’m about as northern as you get.
I’m definitely looked as crazy in my friend group from time to time, but over the years I’ve just become known as the guy who will always have cash on him if necessary so I guess the walking ATM bit helped with acceptance of it?
I figure that if folks don’t take a stand and use cash even if they don’t need to now, we will lose the ability to later. I don’t want to live in a world where all my purchases are mineable, because that eventually turns into monitored and then authorized.
The inconvenience is a small price to pay for freedom from surveillance.
It has amused me though over the years how bad cash handling skills have become. When I was a cashier as a teenager 25+ years ago, myself and all my fellow coworkers could break change at relative light speed and often just from mental math/memory. Now it’s amusing watching a young cashier give change back on a $48.31 order after handing them a $100 bill. Sometimes takes longer than the proverbial grandma writing a check back in my day.
They're right :) even if it isn't a conspiracy, that's what will happen because it will be convenient and easy.
Here in the Pacific Northwest, businesses give discounts for cash just because it saves them money. In Portland, we still have a fair number of bars that are cash only. And yeah, liberals here also consider it an invasion of privacy to have to use a card, but they couch it in terms of it being unfair to people without credit or bank accounts (which, tbh, is also a fair argument).
Same here in Argentina
It's been 10 years since I lived in Argentina, but at that point having a credit card (not a debit card) was still reserved mostly for the folks in Barrio Norte. Has that changed now, or is it still mostly debit?
It's mostly debit and digital wallets such as MercadoPago. MercadoPago will launch a credit card though, so that may change things.
It's the tax evasion. Nobody ever pilfered an interchange account.
I know that this is true (I used to work in card payment infrastructure), but I've also talked to people who run cash businesses and deliberately under report their income. So I think it's not so uncommon.
Yes, mostly to avoid paying taxes on their revenue.
In the UK this was banned in 2018. The cash price has to be the same as the debit/credit card price, which is not exactly 'freedom'.
In the US a recent change was made in the other direction. Credit card surcharges are much more common now.
I believe it was part of an agreement with the card companies over anti-competitive behavior.
And lets hope that never changes
If a tradie offers me a better price when I pay by cash, of course they're doing it to dodge tax. I'm still gonna take that discount.
Here is likely not that much handling cost for an independent hairdresser just earning their own (quite meager) salary.
In the EU you can not charge a card fee on consumer transactions, so the merchant has the eat the cost.
If your revenue is - 2-3000 Eur a month, payment fees (and terminal subscription fees) can have a big impact.
I, as a private individual, can accept card payments for 1.69%. I have a physical chip and pin reader (that pairs with my phone), it cost me £25, but I can take contactless payments using just my phone. If I didn't want to use my phone, I'd need the £75 reader that comes with a 4G connection (at no extra transaction or subscription cost).
If I were charging £3k/month, I'd be just above the threshold where paying £19.99/month to get a transaction fee of 0.99% saves money overall.
0.2% of 3000€ is 6€. I’m not sure how big of an impact that is, considering the non-negligible costs of handling this much money in cash. If a business earns more money after accepting cash, it’s probably because they don’t pay taxes.
I get the terminal directly from my bank here in Spain, it's something like €5/month + 0.02% of transaction. Is it much higher in other parts of the EU?
> "FWIW I am Australian and we have a similar adoption rate of cashless payments. If a merchant tries to promote cash options I immediately think they’re doing it for tax evasion reasons"
I don't know about Australia, but in New Zealand many small retailers and restaurants add a card payment surcharge (typically 1.5%-2.5%) automatically when you pay by card. So you are somewhat penalised for the convenience of using a card. This never happens in Europe.
1.5%-2.5% card surcharges (both, debit and credit) are a commonplace in Australia as well.
Visa and Mastercard have successfully lobbied and conspired with local banks in both countries to bury EFTPOS, which were national debit card payment systems with a flat transaction fee ranging between 10 and 50 cents per transaction (depending on the bank).
A while back, Visa/MC realised that debit card transactions, being on the rise, were a highly lucrative market to tap into that they had been missing out on, so they set out on a war of attrition and conspired with the local big banks to phase out EFTPOS cards in favour of Visa/MC debit cards, where the cost of transaction was to be passed on to the card user. Tiered debit cards quickly followed (Platinum, etc.), that attracted higher fee percentages for Visa/MC – payment network commission fees are published on the respective payment network websites. Other than consumers, all parties involved (big banks, payment networks) became moist with excitement at getting a huge slice of the card transactions pie.
But there is the light at the end of the tunnel (other than the light of the oncoming train) – the RBA has moved to ban all card surcharges from July 2026.
>I immediately think they’re doing it for tax evasion reasons
What's your opinion on that? In NA, for small businesses it's common to offer to pay in cash to avoid paying sales tax.
Where is NA?
Mexico + USA + Canada.. North America
It's also not common (and illegal).. this account posts a lot of vague platitudes.
It’s quite common in the US everywhere I’ve lived. Every tradesman I’ve used outside of large companies will offer a large discount for cash if you ask about it. They will likely not be the first to initiate though at a certain level of customer, since the social expectations change at a certain level of wealth.
This is almost always in a portion of the invoice written up at around half the agreed amount, and the rest in cash. Or for smaller jobs just on the side with no paperwork involved outside of a firm handshake.
This is the norm for the lower end of the trades. If you’re dealing with a single owner company with a few employees I’d be very surprised if they would not be willing.
Yeah, once you get into “real companies” that are charging upper middle class rates on million dollar properties it changes.
I haven’t had trades work done in Mexico, but considering all my visits were effectively cash only transactions I’d be pretty surprised if it wasn’t at least as common as in the US.
It's very common for small and independent businesses. You've likely never interacted with one.
When you say "buying a used car"... do you mean from a dealership, or from a private party? In America, I almost can't imagine buying a used car from an individual without paying them in cash. Indeed, it's one of the few situations where a large amount of cash is almost always required. It's a pain to go to the bank and get that cash. However, this is not because of tax evasion or something ... it's to avoid any sort of dispute or reversal once the sale is final. I would take Bitcoin for a car, or a check I could cash before signing over the vehicle, but I'd never take paypal or some other method where the buyer could contest the charges.
We usually use an app for that (Swish, it's kind of like Venmo I guess, developed in collaboration between the six largest banks). We don't really do transaction reversals in the same way or as commonly as in the US.
Paying for a used car in cash would actually be difficult because handling an amount greater than the equivalent of around USD $1k immediately starts tripping KYC/AML flags at any bank if you try to deposit it, and it's hard to use in day to day life because few places other than grocery stores even accept cash anymore.
Wow... depositing more than $1k would trigger AML. That's incredible. In the US it's not uncommon for contractors to pull $10k cash at the end of a week to pay their workers. Some of that may be due to tax evasion or, just as likely, the workers being in the country illegally. I suppose this is another major reason cash is still "tolerated" in the US, because the casual labor market depends so heavily on undocumented workers. No one besides a few ultra-nationalists would really want to enforce such a thing, as it would drive up construction costs. And the nationalists are paranoid and stock up on cash and gold themselves.
Honestly, that system sounds a bit Orwellian. But also, does that mean that you have to pay a bank transfer fee every time you buy anything?
Generally there are never any transfer fees for private individuals doing domestic transfers. The banks just provide that service for free and eat the cost. Businesses wanting to accept payments via the Swish app usually pay a flat rate of the equivalent of approximately USD $0.15 per transaction (exact terms depends on which bank you use).
It's also worth noting that credit card interchange fees are price controlled in Europe; there's a EU directive that caps the interchange fees at 0.2% for debit cards and 0.3% for credit cards. Because of this, cashback on credit cards is pitiful in the EU; you can get 0.5% cashback but not much more than that.
> But also, does that mean that you have to pay a bank transfer fee every time you buy anything?
No, not at all. The Swish rails are free to users. But I've never had to pay any transfer fees for domestic transfers anyway. They are just much slower than using Swish (instant transfers) and much more clunky (bank account number etc. vs. phone number/QR-code).
Not every time, very certainly less than on 5% of all normal transactions, and the actual fraction will depend more on whether you count currency conversion fees and how frequently the person you are asking is buying from outside the EES.
I am danish so not quite as anti-cash as Sweden but if people use cash in grocery stores or just stores in general the general sentiment will be that its either because they are old , the cash they have is undeclared income or that it is income from illegal activities.
Not specifically shady, but I still react and wonder. Only a few weeks ago it happened when someone paid with bills at Lidl
Same. If I see reasonably young person using cash I would assume they've bought drugs and had some cash left over.
Swish uses the proprietary "BankID" system, and the company behind it has let frauds go on for years and blaming the victims. Therefore I have chosen not to support them.
It didn't have proper two-factor authentication when you just had to tap a button on the smartphone to approve a log-in or a bank transfer (and users didn't always tell which was which). Now it requires reading a QR code — which it should have done all the time.
AFAIK it still does not use any secure key storage on the smartphone, so if your phone gets rooted by an attacker, the attacker could gain access to your bank accounts. So far, frauds have been much easier to pull off, so criminals have not bothered to hack it. (that we know of)
I’d say he’s correct, people under 60 that uses cash are considered, if not criminal, at least suspicious, like they have something to hide. Or simply wackos. I haven’t used cash for the last 15 years or so. Except for when I had carpenters at home who wanted to get paid in cash (to avoid taxes, so called black money).
> people under 60 that uses cash are considered, if not criminal, at least suspicious, like they have something to hide. Or simply wackos
I feel sorry for you and those people.
>"people under 60 that uses cash are considered, if not criminal, at least suspicious, like they have something to hide. Or simply wackos."
I have barely used cash in 25 years. This doesn't mean anything at all. You're probably putting this solely in the context of using cash for significantly large purchases, e.g. higher 4 digit sum or above, or as in your example a craftsman who want to exempt it from his or her accounting. Nobody bats an eye at a person buying groceries, or some gadget for a couple of hundred, with cash.
no we use cards for everything, even for just buying an icecream or something. most older people use cards too actually, but sometimes you can see one struggling with their coins and notes when buying groceries yes.
Yeah, that's kind of my default assumption as well. If someone is insisting on cash I'd assume it's for tax evasion purposes.
> people under 60 that uses cash are considered, if not criminal, at least suspicious, like they have something to hide
You are spewing complete nonsense.
Here's some perfectly normal stuff I use cash for in sweden on the regular:
- flea markets
- strawberry stand by the road
- unmanned vegetable shop has a cash bin and a pay-for-what-you-take sign
Denmark would do all that with MobilePay.
But I do see people paying with cash in supermarkets etc, and I don't judge them as criminals. Some people just prefer to manage their money that way.
all those prefer swish payments instead of cash!
So do you like always take split bills for everything? Like when eg. 4 coworkers go to eat together (ie. not a situation where one person pays everything)? Over here in the balkans/mitteleuropa you just put some approximate amount of cash on the table. Same for kids, you're not giving a kid your credit card when you send him to a bakery to get bread, you give him a couple of euros in cash.
> Same for kids, you're not giving a kid your credit card when you send him to a bakery to get bread, you give him a couple of euros in cash.
I got caught out by a thing like this, recently. (I'm on the east coast of the US.)
My kids had a day off from school, and it was a nice day to ride bikes. There's a small municipal park around 5 miles (8 km) away, with a nice mini-golf course and a grill/cafe next to it. They were eager to go by themselves, so I told them they could ride their bikes there and gave each kid enough cash for a round of mini-golf, a cold drink and some lunch.
The park was card only! While that has been happening more and more, I was not expecting that from a city park. Thankfully, they're not shy kids, and they persuaded one of the park employees to use a personal card in exchange for cash. But I was shocked. They're 10 and 13 years old... it had not previously occurred to me that I should give them cards of any kind.
In that situation either (1) someone will pay for everyone at the table and then everyone else will “Swish” (the name of the local money transfer app) them their respective share of the total bill; or (2) they’ll just ask the server to split the bill and each person pays for their part. Both are actually quite common, and having lived many years in Sweden, I’ve never eaten at a restaurant where asking the server to split the bill was a problem.
Or, if it's a group that goes out together often and doesn't vary their orders much (in terms of order-of-magnitude of spend), then this will sometimes evolve into a rotation on one person picking up the tab each time.
In Denmark someone will pay, and the others will use MobilePay to pay back their share.
But you've reminded me of a case I still use cash: on business trips abroad with a mixed group of people from several countries, most people put money on the table to pay their share.
Reporting for Hungary and Italy here: at the restaurant you ask for split bills or someone pays and the others will just pay back. It's been a few years since this was a problem, shops have adapted.
But yeah you still give cash to kids.
quite often we pay separate by cards, that is so common the personell even asks if that is how we like to pay. otherwise one pay using his card and we swish (tranfer money instantly using the swish app) him the money.
I think it's a pretty common impression.
Tradespeople sometimes request cash payment or provide a good discount for cash payments (well above any fee they would be charged). I guess where you are no one considers this dubious (really???) but at least in discussions with family the feeling is that the request for cash only payment is dubious.
We also have a local retail establishment that is cash only. I think it's looked at dubiously.
I personally have experienced it. Someone wanted to split payment on something between cash and a check so they could report the value of the item was lower because it would save them taxes every year. Again, the use of cash was I think a bit dubious.
Note: Cash allows you to avoid all sorts of obligations (tax / family support / debt collection and garnishment etc etc), ineligiblity for banking (europe is pretty strict in some cases for example with folks with no legal status with banking) and is still used in things like the drug trade. Even if everyone around you considers large cash transactions reasonable that might be naivety or they may simply not have been exposed to larger cash transaction activity.
I do like and carry cash.
I come from the UK where not accepting cash is only ok in hipster areas of London (or, was at the time).
When I joined my gamedev studio I had colleagues asking me why I had cash, and many of them didn’t even recognise what it looked like (there was a switchover of the notes a year or two prior).
There was an insinuation that I would use it for drugs. So, I suspect that the parent is right here.
Natives asking why someone has cash, and not even recognizing bank notes...? It sounds so absurd that I'm certain you're exaggerating wildly. If not, you've had an outlier experience during a limited window of time in the country. Just like the parent. This isn't really representative.
Add.: another poster suggested that someone had a bit of a laugh with you by saying it, which is also entirely possible. Basic joke.
I've had young (ish, 25 say) Danes say they'd never seen the most recent design of 500DKK notes before. Many more hadn't seen the 1000DKK, though that's since been withdrawn from use.
I believe them. Cash machines dispense(d) them, but usually only if you withdraw 1000DKK or more in a single transaction. That's unusual for people that rarely use cash.
I had them as I was following the official advice to keep some cash around in case the banking system is hacked etc, but I spent them and withdrew 100DKK notes when the advice was updated to point out that if everyone had only 500DKKs at home it wasn't very flexible.
I am slightly ashamed to realise that my banking app shows I haven't made a cash withdrawal in Denmark for more than 12 months — the second part of the official advice is to use cash occasionally to keep that system working.
I am Swedish and have lived here all my life and I have no idea what the current banknotes look like. I have literally never used them. I remember what they used to look like 20 years ago, but I know they have changed since then.
...and you would immediately know a Swedish bank note two seconds after seeing one.
I'm Swedish I honestly havent seen the new banknotes (other than on images on the internet).
I carry a few in my wallet, just in case, but I could honestly not tell what color the different notes are or what portrait is on each without looking. Bad forgeries would easily trick me.
I'm in the UK and I have friends who will tell you hand on heart that they have never handled a £50 note. They know they exist but they haven't had one.
That's completely unrelated to the popularity of card payments though. It's a denomination that's never given out as change or by ATMs
See also: https://www.bbc.com/news/business-48993008
which as well as explaining the background to the note and debates over whether it should be taken out of circulation also points out the context the average British adult was making about 20 cash transactions a month as of 2018 (none of them involving £50 notes)
I've never handled a £50 note. (I am young enough that if you gave me £1 for every year I've never handled one, I wouldn't be able to afford one. But I am old enough that I could dip into my lifetime of savings to make up the difference.)
A friend's dad showed me one when I was at school - that's it. He seemed amused I hadn't seen one before, then after making a minor show of it, as if it was some precious, rare item, said he'd never previously seen one either. They've been uncommon my whole life, and apparently could/can be difficult to actually use, shop assistants being unfamiliar with them and not confident in their legitimacy.
I expect today most people would use bank transfers for the sort of sum where the sheer number of notes would make a £50 one useful.
I saw them every day when I worked in central London. The shop staff were no more discerning than with smaller notes.
But when the bill is £45, there's no problem anyway.
Is that just because it's an unpopular bill? Most Americans have probably never used a $50 bill either.
I would very much disagree with the latter assertion. I work as a cashier, and I get 50s and 100s _all the time_. I wish they'd stop because it drains my till very fast. Lol.
This used to be true, but the last few years I’ve noticed many more ATMs and even people handing out $50 bills.
They are effectively becoming the new $20 with inflation continuing upwards, and I expect their popularity to continue to increase.
> Is that just because it's an unpopular bill?
Let me introduce you to a $2 note.
Not once in their entire lives?
I'm not even sure if that I knew there was a $50 bill. And that's as an American of 30+ years that uses cash routinely. Multiple times I've cashed checks and gotten it all in 2's, but honestly can't ever remember a $50 bill. I always have at least one $100 bill in my wallet and don't ever recall getting a $50 in change, has to be the least common note. But now I'm thinking waaaaay back and does the President on it have a big mustache? Time to see what a $50 looks like.
Well, I suspect the notes larger than $100 (which are no longer being printed!) are even rarer.
https://en.wikipedia.org/wiki/United_States_five-hundred-dol...
https://en.wikipedia.org/wiki/United_States_one-thousand-dol...
https://en.wikipedia.org/wiki/United_States_five-thousand-do...
https://en.wikipedia.org/wiki/United_States_ten-thousand-dol...
It would be a "unique" situation. Most AMTs (not all, but most) only dispense $20 bills, the rarer ones will dispense $5s or $10s, and they're rare enough that I make a note of them. I have never encountered an ATM that gives a $50.
Your best bet of happening into a $50 is if you go to a bank for an in-person withdraw and they ask you for preferred denominations. Generally the money is dispensed in $20s even there unless specified.
Your second best bet would be if you're selling something "on the side" and the purchaser uses a $50 in a transaction, which I would say is also rare these days, most people use Venmo or equiv.
Your best bet of handling a $50 is probably as a bartender, or of course as a bank teller.
I have held $50s a few times in my life, and even my reaction is "huh, a $50, don't see those often"
Someone receiving cash from tourists (tourist city restaurant or attraction) would probably see $50 and $100 bills very often.
Nowadays that's less common from tourists from Europe, but tourists from Asia are still likely to bring cash.
Huh, the Wells Fargo ATMs here in San Francisco actively offer me $50 bills on a regular basis! I wonder how much this various by bank, by region, or by ATM manufacturer.
In San Francisco, $50 is the new $20
Is that really true? I've had more than a few $50 bills (and I've never sought any out).
And if you do get one somehow, it's really hard to spend. Many places won't accept them.
I use them regularly and have never had anyone not accept them.
I have had many places reject $100 bills though.
I’m that weirdo that tries to pay cash for most everything, so sample size is large and across a diverse set of businesses.
Due to what I tend to pay cash for these days (lunches, drinks with a friend, etc.) and prices being what they are, they are rapidly becoming my “go-to” denomination.
Sounds like they were pulling your leg.
I’m British and definitely not. I only saw the new notes because I went out of my way to find them
this is definitely more widepsread than you imagine in the UK. Most major cities are heading in the cashless direction - the only time I use cash is for my window cleaner.
Your suspicion is wrong.
what a fantastically useless comment.
No insight provided nor sources.
Just an opinion, a strong assertion, confidently stated with a tone of superiority.
Swedish banks (even the Riksbank linked above) regularly refuse to turn cash into digital money unless you can ”prove” where you got it from. It’s not sufficient to say (with immense credibility) that you worked hard all your life and saved it. Entire inheritances are regularly wiped out due to this, when high denomination bills are obsoleted by the Riksbank. So I’d say it’s not only a common sentiment but also government policy.
Sweden has introduced civil asset forfeiture where the mere possession of cash can make you a suspect [1]. It's coming from the very top.
https://archive.ph/v7TRe
I fully understand why the Swedish government wants to get rid of cash. What I'm saying is that the people simply don't feel that cash is in any way dirty.
Its a way to control the population if you control the transactions. It amazed me that people don't understand what they give up by not using cash.
Cash is the ultimate privacy payment.
That article does not at all make the assertion you are claiming it does: "The new law allows police to seize expensive goods even from people who are not under investigation for a crime, if they cannot prove they acquired them lawfully."
I don't love the law, but having cash on its own is not grounds for seizure. Having expensive goods that you cannot explain how you managed to pay for is what they are targeting, according to your source.
This is basically a law that takes your expensive shit away if you are too stupid to launder your ill-gotten cash.
You can put lipstick on a pig all you want, but if you reverse the burden of proof from "we have to prove your money is dirty" to "you have to prove your money is clean", that is a very clear cut case of "possessing cash is grounds for seizure" to me.
By the way, have you ever wondered what the definition of "expensive goods" is? Of course, the powers that be want to make it all about the Rolexes and Lamborghinis, but a cursory peek at the actual law reveals [1]:
> Section 4 If the property has been seized and the value of what may be confiscated does not exceed one tenth of the price base amount according to Chapter 2, Sections 6 and 7 of the Social Insurance Code, a question about confiscation of the property may be examined by 1. a police officer, or 2. another employee of the Police Authority or the Security Service appointed by the respective authority.
Which effectively means that using the "price base amount" value of ~59k SEK in 2025, you are subject to asset forfeiture at the whims of any police officer once you have more than 600 bucks in your wallet or under the mattress.
But I'm sure they will only use it on brown gang bangers or knife wielding foreign drunks and not law abiding citizens such as myself, so it's fine!
[1] https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...
That's a goalpost shift.
You said: "Sweden has introduced civil asset forfeiture where the mere possession of cash can make you a suspect." in a conversation about cash in Sweden, and posted an article about how there is a law that allows police to seize goods in certain circumstance.
I pointed out that cash != luxury goods.
I already said it was a law I don't agree with. But it also isn't a law that says that police can just take cash from you according to your sources . The section that you quoted doesn't seem to support your assertion about cash either, but I need the rest of the context.
In reading the law it is allowed to seize cash under very specific circumstances, but simply possessing cash is not enough evidence to seize it.
Cash seizure ("penningbeslag") can be used in an investigation concerning independent forfeiture ("utredning om självständigt förverkande").
The initiation of an investigation and the use of "penningbeslag" are contingent on the "reason to assume that property originates from criminal activity." This implies that merely possessing cash, without any connection or suspicion of it being linked to criminal activity, would not be sufficient grounds for seizure under this law. There needs to be an antecedent suspicion that the cash is proceeds of crime.
An investigation for independent forfeiture should be initiated "if there is reason to assume that property originates from criminal activity" (2 kap. 2 §). The purpose of such an investigation is to "investigate whether the property originates from criminal activity" (2 kap. 1 §).
Therefore, the primary circumstance for cash seizure is when there is reason to believe that the cash originates from criminal activity.
> You can put lipstick on a pig all you want, but if you reverse the burden of proof from "we have to prove your money is dirty" to "you have to prove your money is clean", that is a very clear cut case of "possessing cash is grounds for seizure" to me.
Swedish law does not describe such a reversal for the initial act of seizure or investigation. As previously discussed, the law states: "En utredning om självständigt förverkande ska inledas om det finns anledning att anta att egendom härrör från brottslig verksamhet" (2 kap. 2 §). This means there must first be a "reason to assume" that the property (including cash) originates from criminal activity before an investigation is initiated and seizure measures like "penningbeslag" (cash seizure) are applied.
> Section 4 If the property has been seized and the value of what may be confiscated does not exceed one tenth of the price base amount according to Chapter 2, Sections 6 and 7 of the Social Insurance Code, a question about confiscation of the property may be examined by 1. a police officer, or 2. another employee of the Police Authority or the Security Service appointed by the respective authority.
This section, "Beslut om förverkande" (Decisions on forfeiture), discusses who can decide on the forfeiture of already seized property (beslag or penningbeslag) if its value is below a certain threshold. It pertains to the administrative decision to forfeit after the property has already been seized based on the criteria in 2 kap., not the criteria for the initial seizure itself.
You are right I think. I lived in Finland and rarely used cash. Even people selling their clothes at pop up second hand markets seemed to be able to take card. It has nothing to do with criminality, just culture. Germans use cash a lot and it's harder for me now I live outside the eurozone to go there.
Most Swedes have Swish (mobile payments) so fleamarkets etc. mostly require that. Before I had my Swedish bank account set up (so six years ago) and thus BankId & Swish I often had to get my partner to pay for things even though I had a Visa card and Swedish cash.
> Are you sure this isn't impression you've gotten from isolated reactions involving a small number of individuals, perhaps just a single individual?
Swedish here. The impression is common. Sweden is a small country and has long had a fairly cohesive culture. The culture has decided that digital payments are the way. Deviation from the collective way is always suspect.
> Swedish here. The impression is common.
Swedish here, too.
Your impression is misguided. Maybe it's the norm in Stockholm, but 80% of the population live elsewhere. We do use cash and nobody thinks its suspicious to pay with cash, stop making stuff up.
> The impression is common.
No.
Not sure its considered criminal and dirty. I agree its more a convenience thing. There is no need ever to have cash (other than when payments systems are down but then lots of stores systems in general are down). I don't even think I have seen any cash for many years.
This is something I've heard from multiple locals, not something I inferred myself. As you can see, even here in the comment section you have people both for and against the idea. The notion definitely exists, how widely it's held exactly, hard to say. In my experience, that explanation came up often enough to catch my attention.
Same in Denmark with cash: anybody below 60 using cash in a supermarket is very likely having dirty money.
Cash is simply not used anymore by normal people.
Electronic payment (including between friends) just works here. It is easier and faster to pay with mobilepay than to use cash.
> Murder is actually really frowned in Japan. It goes against the traditional concept of 生きる, which means "to live"
Thank you, this comment made me chuckle.
> it feels less risky carrying a debit card
Depends. Very long time ago I was approached by a group of seemingly friendly people asking for direction, then I felt sharp object to my belly and they told me to walk slowly towards cash point. They said they'll stab me if I don't withdraw all money I can. So I did. When cards were not popular, I would have small amount of cash in the wallet and anything more substantial hidden in a sock or elsewhere. Thieves would take what would be comfortable for me to lose. I guess it can be the same with cards - have a card with small amount and actual card hidden, but it is not as easy to hide as cash. Then you have whole other kettle of fish - banking apps. There's been instances of people being forced to do transfer at knifepoint. For that reason I don't use any apps, apart from throwaway bank account - again with small balance just in case. Shame more banks are restricting web access, which I think is most secure.
> then I felt sharp object to my belly and they told me to walk slowly towards cash point.
Wow. What country is/was that?
Any country that could get away with it? "Your money or your life" isn't exactly a novel threat.
London, UK
We hardly use cash in New Zealand, over 85% of transactions are electronic. There’s a lot of places that don’t accept cash anymore because cash handling is annoying and risky.
That said, nobody thinks of cash as dirty, just annoying. Also our payment system has always been able to work offline, because it started rolling out in the 80s.
Since when does EFTPOS work offline? It works off the internet, but not "offline", if the phones are down, EFTPOS is down. It happens with relative frequency, given the weather. Or trucks hitting boxes, or diggers cutting cables. Shit happens.
Regarding places not accepting cash: NZ First (political party) is proposing to protect the right to use cash and make all businesses accept cash for up to $500 items.
> The Cash Transactions Protection Bill would mandate businesses in trade accept cash payment for goods valued up to $500.
Since always. EFTPOS was designed with offline support (signed receipts) as an emergency fallback when the network is down. It’s been like that since the 90s, I know because I’ve been using EFTPOS since then and experienced many outages.
It is capped at $300 per card used and 200 transactions stored (I believe some large merchants can vary this, but not by much), it’s only for temporary failures not multi-hour outages.
You can quickly find information with your favourite search engine.
I've visited New Zealand a few times en route to Antarctica. The only time I've ever needed to take out cash was for the Christchurch bus service. I was in MIQ on the way in, but they gave us free reign on the way out because Antarctica was considered virus-free (and according to immigration NZ, it counts as the Ross Dependency). There was obviously a lot of push for contactless payments in 2021. I get the impression that the pandemic helped really cement it, although it sounds like the UK where we've had widespread contactless for almost 20 years.
The pandemic helped the banks push contactless which they love, because it’s not EFTPOS.
EFTPOS is our national post of sale system, it has very low or no fees for any party involved. Merchants pay a fixed machine rental per month which can include unlimited transactions, or may have a per transaction fee of up to $0.20. Most individuals do not pay a fee for using EFTPOS and there’s normally no card fee, though some banks have accounts with fees that have other benefits (eg higher deposit interest rates to encourage saving).
Contactless goes via the standard card network extortion. Since 2022 the interchange rate has been capped by legislation which has helped merchants a lot, but the per transaction fee over the card network is still far higher than EFTPOS.
Contactless EFTPOS does exist in Australia - we share a lot of the underlying tech - but the banks won’t activate it here because they’d lose the interchange fees.
Online EFTPOS is starting to gain market share though, which is nice.
> Swedes practically don't use cash
It is interesting how the European cash culture is so very different between the countries. In Austria I struggled to find places that would take any kind of digital payments. Germany wasn't as bad, but was pretty bad. My experience is about 3 years old.
It's funny. I live in rural USA and I overheard a girl say she wouldn't date a guy who uses a card as it wasn't very manly. He needs to use cash apparently. Where I live cards are seen as controlled by "them" and allow the government to spy on you and come after you for taxes.
High trust vs low trust society differences.
To add some more context to your comment. One of the big attacks was in 2021 with the Kaseya ransomware attack that caused one of the larger grocers (coop) to essentially be unable to operate. Made national news as they had to give away product for free in some places.
source in swedish: https://www.aftonbladet.se/minekonomi/a/aPrJWL/hackergruppen...
And yes, we use cash so seldom that most people cannot from memory recall what the bills/coins look like!
> And yes, we use cash so seldom that most people cannot from memory recall what the bills/coins look like!
It didn't help that the Riskbank replaced all bills and coins during a relatively short time period, and did it badly. People used up/deposited their old and didn't get new.
The new coins and bills have unnecessary denominations and bad design that made cash bothersome to use. They introduced an unnecessary 2 SEK coin, that is almost indistinguishable from the 1 SEK coin — especially if you are unused to them. They also introduced an unnecessary 200 SEK bill, that was just too big to be useful for small purchases. Several times I've seen people at ATMs withdrawing 100 SEK over and over again, just because they wanted the more useful 100 SEK bills.
> Digital payments are very convenient and deeply integrated, so long as you have a local ID which allows you use the local payment system Swish etc.
Just to reiterate how ubiquitous Swish and BankID are here: 99.9% of Swedish residents age 18-67 have BankID (8.6M users), while Swish has 8.7M private users, and 93% of those users send or receive money via Swish at least once per month.
Physical attacks are also possible, this site focuses on software so much of the time, while acts occur in the physical world. Cyberattacks are grey areas, but based on some of the undersea cable cutting and factory fires Russia has been performing, physical attacks are very much on the table if you can obscure the source.
Physical attack is localized. Cash is more decentralized. Maybe this offline card-payment will help with that but I wold not bet on it.
It's funny how these attitudes vary across the EU. Here in Spain the government is trying to move everyone to digital payments so they can keep an eye on the flow of money, but normal folks are transacting as much as possible in cash to hide from the tax man...
How do you pay for things that are just one or two euros? In my local boulangerie they don't accept cards for less than 5€, so if I just want a baguette I need to have cash.
That was a thing in Sweden as well, but it's illegal to charge an extra fee when using cards since 2010. So to answer the question, everyone just uses cards even for small purchases, and often those "cards" aren't physical cards but Apple or Google Pay on the phone.
https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...
If you ignore supermarkets, basically no place sells stuff in that low of an amount. Using Stripe as an example, transaction fees are 1.5%+1.8kr. I’m hard pressed to find a place that sells items with a price below 20kr, and even cheap crap from china costs at least that when buying online. So unless your business has an unexpectedly large amount of low price transactions, it’s not a big issue.
You're not going to find a baguette for less than 5 euros anyway
Not sure what you are talking about. A baguette is ~1€, same for a croissant or a chocolatine. Maybe 1.10 or 1.20 depending on the place. I do it all the time. It forces me to have the cash otherwise I need to take another random item I don't really need.
At least in Denmark, people are fine paying and shops are fine receiving 10DKK (cheap loaf of bread) or whatever on a card.
I have paid 0.5DKK on a card when I've forgotten to ask beforehand for a plastic bag, and the shopkeeper cares to make me pay after.
I assume there's no minimum there (as I haven't encountered such a requirement in Hungary for some time, nor in Spain)
We just use our cards.
In the UK most small shops had this same 'minimum spend' requirement for card. It disappeared a few years ago (maybe during Covid) and now I haven't come across minimum spend in a long time. That was one of the last things that made me always keep some cash on hand. Now, I genuinely cannot remember the last time I used cash - it's been at least 2-3 years, probably longer.
Oh it's easy: they don't use Visa / Mastercard, but their own domestic system called Swish, which is much cheaper for businesses and of course completely free for individuals.
Similar instant payment systems have really blossomed across the world, especially in recent years. One by one, countries are finally figuring out that there's no reason to rely on American brands for all of the payment processing.
A lot of stores have minimums if you want to pay with Swish, the more common answer to how we pay for small amounts like that is... we just use our cards like any other purchase.
> Oh it's easy
Can you use it without local ID/phone and with foreign bank account?
No because you need BankID which is issued by your bank and to get BankID you need a Swedish bank and a personnummer. You can use a foreign phone number with Swish but some banks don't allow it (or only allow some countries, e.g. finland).
How do kids get pocket money in Sweden? I can't imagine grandparents handing over prepaid debit cards to 8 years old to go buy candy at the neighborhood store?
Swedbank offers debit cards to kids as young as seven [1]. Depending on the kid's age (and what the parents configure), there will be different limits on how much the kid can spend.
Swish is the de facto standard for sending money between individuals [2], and that's what grandparents tend to use to send money to their grandchildren. It's fee-less (for person-to-person transfers use at least) and it connects your bank account with your phone number. So if anyone wants to send you money, they can just open Swish and enter your phone number (or scan a QR code) and send you some. You also have to sign the payment with the BankID app, which is the de facto standard for authentication [3].
And when I write de facto standard I really mean it. 99.9% of Swedish residents age 18-67 have BankID (8.6M users), while Swish has 8.7M private users (93% of which use Swish at least once per month).
[1] https://www.swedbank.se/privat/kort/bankkort/bankkort-master...
[2] https://en.wikipedia.org/wiki/Swish_(payment)
[3] https://en.wikipedia.org/wiki/BankID_(Sweden)
My 9 year old has a debit card in her own name. She gets her allowance on that, and can use it for candy, Robux, or whatever she wants.
In Canada there's MyDoh, which is specifically a debit card you can give to kids including in that age range. One of the major Canadian banks runs this. Can only imagine that it's more advanced in Sweden.
That may be practical, but many kids I observe in my family etc like to collect the money and see it and are proud of their collection and about what they saved. That goes away with a card ... and I wonder how that impacts the "feeling" for it. Counting and making likes and plans about what to buy is a big part of learning to deal with it.
Like or not the world is a digital currency world for the most part these days. I want my kids to understand that those numbers on a computer screen have real world value. How many young adults get into trouble with their first credit card or debit card because the money isn't "real" to them? In the US it's quite a few.
I don't have a final answer to this. However in m observation with different families and kids is that some start relatively early, before the kid can do arithmetics or such, they can count till a pile got enough money for the sweets or toy they want and then count the other pile to see how much is left and if they can buy the other.
Doing this in a digital system requires first some computing device (be it phone or laptop or whatever) then check the account value, read it correctly, then do some arithmetics and then interpret the result. That's a year or two older.
More or less exactly so. There is another downside to it: When money is just a piece of plastic which you touch the cash register with and get what you want, how to you learn to appreciate money? Coins and paper money is also excellent for counting, as they naturally come in different valuations.
When counting money is just arithmetics and never cash, something is missing, and it's very clear in many young kids. Money is just points in a game, suddenly you're out, and then you can't get what you want anymore.
Kids have their own debit cards with their own bank accounts. Others can transfer money to the kid's account.
I don’t know the answer, but Swish is very common.
https://en.m.wikipedia.org/wiki/Swish_(payment)
Where I grew up, (sadly) it's not been common since at least 50 years for 8 year olds to go buy candy at a neighborhood store by themselves. Parents had to drive us everywhere.
They just have their own bank account and card, or if they're a bit younger, cash is still somewhat commonly used
> It's usually not said out loud, but cash is often considered to be dirty and criminal
As a swede, your statement is outlandish and false.
We use cash all of the time.
As a swede, your statement is false.
Most of us don't use cash all the time unless you're a kid or >60. I can't even remember the last time I used cash.
If your local hairdresser gives you a cheaper price when paying cash, wouldn't you assume tax evasion? (criminal).
Someone selling a used bike, or other items of similar value, on second hand market and not accepting Swish would maybe not directly be considered criminal, but would for sure raise an extra eyebrow about the origins of the goods.
Otherwise correct, nobody would blink if you use cash for other daily purchases like ice cream or groceries, even if unusual.
That is just not true. To quote the Swedish riksbank. "The Swedish payment market is almost entirely digital"
https://www.riksbank.se/en-gb/payments--cash/payments-in-swe...
Wouldn't say it's dirty or criminal, it's just convenient to use card, but if you buy a car it would be a bit weird if you insist on cash. It's mostly old people paying with cash these days.
It's true that cash is rarely used in Sweden but it's out of convenience not because it's "dirty and criminal".
How does one give money to the needy on the streets?
For a while it was seen as an excellent excuse not to. Not joking.
These days, the needy on the streets accept our local app based payment system called Swish. Still not joking.
I live in the US and never use cash. I use a credit card and automatically pay the entire balance every month so I don't pay any interest but get 2% cash back. I pay rent using a app on my phone and a checking account.
> but cash is often considered to be dirty and criminal, to the point that most don't have any at all.
Is it because it's considered dirty and criminal, or is it because it's a pain in the ass to deal with, and most people have no reason to bother with regularly withdrawing it, and then carrying it around?
> cash is often considered to be dirty and criminal
Sounds like GrapheneOS.
that's the excuse.
it's really visa lobbying to destroy the (somehow worse than visa) easy credit new players. they give credit like candy because being online and low value only it's easier to avoid (or swallow) fraud.
forcing their hand to accept offline sales mean they can't decide on the spot, and now those 5k credit lines which they only allow transactions for sub 100 purchases at a time will be wide open for offline fraud they can't detect, and which visa already know how to handle/sustain.
this will probably be lobbied elsewhere soon. i predict Netherlands is next.
We've come full circle.
Credit cards were offline-only in the beginning. When have we lost this ability?
See https://www.google.com/search?num=10&sca_esv=5e043526353aa70...
Offline credit card transactions are still supported, and Square even supports it in the US.
Europe use of debit cards instead of credit cards is much higher than the US.
That’s because credit card benefits suck in Europe and there’s no point to using them.
If you need credit, there are credit options with much lower rates than what credit cards offer.
And the reason credit card benefits suck is due to european interchange fee caps and regulation.
So credit card benefits suck, because the consumers can't be exploited to create a large profit surplus that can partially be used to benefit a small subset of consumers.
Multiple reports have shown merchants are raising the costs for all consumers to cover the credit card accepting costs.
I really hope you're getting paid to pretend to be this gullible to the most basic of the credit-card companies schemes.
Well that’s why we need the digital euro, so we can stop sending billions overseas to Mastercard and Visa
As a European consumer, it sounds on point to me?
There are no benefits for any of the credit cards I could get since roughly Corona - I was using them before but all cards which had positive benefits were removed/discontinued since.
Hence I'm back using a debit, because it works the same (no benefits either way) and doesn't come with a monthly bill.
> That’s because credit card benefits suck in Europe and there’s no point to using them.
Theres still a very good reason to use them - buyer protection.
I use a Virgin Atlantic reward card and have it set to pay off automatically, never running up debt. It both protects me as a buyer, and has the benefit of taking ~£500 off annual family holidays, and gives me a free companion seat in the process, effectively halving the price for one of the passengers.
Sorry, meant to say the EU. No clue how it works in the UK
I am not sure what you mean by "buyer protection" but if it's chargeback then it's doable on debit cards too.
If you purchase an item on credit, it's the bank that makes the purchase. You then pay them back, 30 or 60 (or more) days later.
If there's a problem with the item, you can "return" it to the bank — after all, they own it! So in practise you can ask the shop for a refund, or you can ask the bank.
It is a stronger protection than a debit card chargeback.
As an example, I bought flight tickets from an obscure budget airline on a credit card. Months later, beyond the usual debit chargeback time limit, the airline went bankrupt — but my bank purchased that service, and isn't going to provide it! They refund immediately.
https://www.ukfinance.org.uk/our-expertise/cards/chargeback-...
>has the benefit of taking ~£500 off annual family holidays, and gives me a free companion seat in the process, effectively halving the price for one of the passengers.
You know you're paying higher sticker prices to finance that, right?
If I am then so is every other traveler with every single airline in the world.
Go on Virgin Atlantics site, search for any flight, you can then apply points to that, or redeem a companion voucher. That doesn't bump the price up prior to redemption.
I dont "pay" for the points I get, as I'm not spending any extra day to day. The credit card is free.
Co-branded (eg Amex KLM) and business cards were/are exempt from the interchange fee cap regulation.
Though Amex are currently in dispute with the Netherlands who believe the caps do apply to them. I don't think a final judgement has been made yet.
Good luck with Amex in Europe - few places take it and after the 5-6 try, you just give up and get a normal card.
They are still useful for buyer protection.
I don't know that I'd call not paying an extra 5% just to receive 1% back "sucking". It seems like a win-win to me. If you need something, pay for it (with that extra 4% saving) instead of jumping through a million hoops to pretend it's free.
Credit card benefits suck in the US now too, no?
There’s still plenty of options to get cashback and miles and stuff, though?
Best cashback in my country is 1% back, capped at 500€ a year, after you do 33000€ worth of purchases a year.
When everybody in the industry decided the implementation was more trouble than it’s worth. (Offline-capable chips, that is; embossers were 80% solemnization ceremony and 20% data entry aid, just like signatures as "cardholder verification", and are a non-starter from a security perspective.)
The mindset was one of ubiquitous Internet connectivity, which is cheaper than maintaining a complex stored-value or offline limit based solution.
Of course, this assumption does not include some externalities in case of large scale outages, maybe due to cyberattacks…
You can always do a forced capture without an auth if you have a real payment processor. That’s how offline works. There’s no auth.
Only half circle?
There's a term I saw all over someone's Google calendar schedule, pre-pandemic "DNS without asking". Now I realize it means "Do not schedule without asking" but my mind thought "Domain Name Service without asking" ... how in the hell would you do that?
I guess this is similar: how do you make trustworthy decisions that seem to inherently depend on the network, in the absence of a network? Before the internet, we had phonebooks instead of DNS, and we had cash instead of cards. Did the phonebook have every number? No. Was every piece of cash not counterfeit? No. But it's "good enough". Portable reference sources and tokens. The references are issued periodically and the tokens have evidence of exhaustion, their decay over time. A dog-eared dollar with a bunch of phone numbers on it, half-torn ... the merchant doesn't have to accept it.
How do you do these things digitally? Periodic issue seems pretty straightforward ... if you have a network. Token issuance, similarly, needs at least occasional communication with other nodes in the network.
So there's a local dwell capability.
Is this part of the same reaction we saw with Denmark starting to have emergency stores within 50 km of every Dane? Is this motivated by a need to prepare for war?
>Is this motivated by a need to prepare for war?
In short, yes.
>The possibility to pay by card when the internet is not working – ‘so-called offline payments’ – is an area that ‘the Riksbank believes needs to be improved considerably, particularly in light of the geopolitical unease in the world,’ according to the announcement
https://www.riksbank.se/en-gb/press-and-published/notices-an...
We know exactly how to do these things digitally. Many European countries have had stored-value payment schemes in the 90s. Japan still does today.
It's a completely solved problem, but it's a more complex (and as such more expensive) solution than just assuming ubiquitous connectivity and a backend that never goes down, which is how we got to where we are.
> Is this motivated by a need to prepare for war?
Preparing for cyberattacks seems like a prudent move, no matter the adversaries' motivation. But yes, the context here is pretty obvious in Europe.
> We know exactly how to do these things digitally. Many European countries have had stored-value payment schemes in the 90s. Japan still does today.
But how do they prevent people double spending the same amount? Say someone has 100$ and boards on a plane. During the trip, this person buys a bag of potato chips sold for 90$. At the same time, his bank account is automatically charged 90$ for a bill.
With credit cards, handling this case is baked into the system. As far as I am aware, direct debt has no equivalent.
> But how do they prevent people double spending the same amount?
Both payment cards and merchant terminals (essentially also using embedded or removable smartcards) are tamper-resistant and hold symmetric keys only known to the payment scheme or issuer.
The terminal essentially creates a cryptographic secure channel between two smartcards, and they transactionally agree to decrement the balance on one, and increment the one on the other correspondingly.
The really neat thing is that this theoretically even works without the need for central accounts, and is as such very privacy friendly. (Practically, even just one key leaking would have catastrophic consequences though, and to detect whether that has happened, systems usually aggregate all transactions asynchronously and check money movements for plausibility.)
Iiuc, you have to "transfer" the funds from your bank account to the card device (wallet, in a way) from where you can then spend these funds without interaction with the bank? That would work.
Otherwise, without the initial withdrawal from your bank account, you could spend the money twice.
Yes, only the issuer of the stored-value system can “create” funds, and they need to ensure that they do get paid for it without double spending.
That can be done using cash at a machine, with an online-authorized card transaction etc.
That works with a network. But as the period of disconnection grows, the uncertainty grows.
Yes, you’ll definitely want to avoid running such a system completely offline without bounds.
... information theoretically... you can't
it's okay
there's already some fraud, waste, loss, inefficiencies, accidents (packages lost, chargebacks by mistake, package arrives weeks later)
....
that said the chips have some physical protection, it's not trivial to clone them
and the chip has a variable where it stores how much more you can use without online confirmation
of course, these are cheap protective measures, but to crack it you would need more effort probably than the total credit that's assigned for offline spending
What's the information theory connection in your view?
> these are cheap protective measures,
They're holding up extremely well. I'm not aware of any cryptographic or physical key extraction compromise in EMV, for example. All known bugs are protocol design oopsies, as far as I'm aware.
I'm not sure what they have in mind for supporting offline payments, but I think that Japan's FeliCa-based [1] electronic money systems (Suica, iD, etc) are pretty impressive. They are most typically used to pay for transportation, but also widely accepted at stores, vending machines, etc. Balances are stored on the card, and it's very fast to use and seems secure for the most part. Recently it's also available on any smartphone or smartwatch with NFC. Japan was pretty slow to adopt touch payment for credit cards, so for a while it was my favorite form of payment.
Transit cards have a pretty low charge limit compared to credit cards - Suica balance is limited to ¥20,000 for example (although for cards that are backed by a credit card, I think the limit is higher). And now that Japan has fully embraced credit card touch payments, FeliCa-based systems are losing market share to Visa, Mastercard, etc.
But it really shines for applications requiring speed (i.e. a turnstile in Tokyo station) or offline payments (a vending machine in a park somewhere).
[1] https://en.wikipedia.org/wiki/FeliCa
In Germany, there is the Electronic Cash (or newer versions called Girocard) which is similarly smartcard-based for the offline use case, but pairs with a regular debit card for online use [1]. Apparently, not that many people use the offline functionality.. it also has a somewhat low daily limit (though I think those are in place for some online transactions such as getting cash as well).
[1] https://en.wikipedia.org/wiki/Electronic_cash
>although for cards that are backed by a credit card, I think the limit is higher
I have a Suica thats integrated into a credit card, and it still has a ¥20,000 limit - the Suica balance is separate from the card balance, it just has a configurable auto top-up setting.
Interestingly, if I'm out of the Suica zone, sometimes auto top-up won't trigger. If I recall correctly this happened to me once in Fukuoka, presumably because there's some level of integration above just accepting payments that Hayakaken hasn't achieved. Never had a problem with Passmo interop though.
I've never heard of a suica with a higher limit, but it's possible they exist or that other compatible cards have higher limits.
I was actually thinking of other non-transit e-money cards like iD and WAON (my fault that wasn't clear from my comment). For an iD card linked to an SMBC credit card, your iD spending limit is the same as your credit limit [1] - which can be upwards of ¥10M. I don't know how or why anybody would spend that much in iD transactions, but I bring it up because it shows that SMBC seemingly has as much trust in iD security as they do for Visa's online transaction processing.
[1] https://qa.smbc-card.com/mem/detail?site=4H4A00IO&category=1...
Tourist in Japan here. Suica is great. I prefer it over my Visa tap 'n pay just for speed. It's instant vs. a few seconds which isn't much, but it's nice.
Topping up a Suica every now and then vs. having many international transactions might also work out better for some. My bank (ING) gives me those fees back so it makes no difference to me.
At one point my US credit card categorized Suica top ups as travel expenses, which earned double points. So basically just tried to do all of my spending on my suica card, and racked up a ton of points in the process. Eventually they fixed that - but I had a good run for a couple of years.
Taiwan's EasyCard and iCash are their local equivalents. Seems to be common in that part of East Asia to have public transport cards that can also work for small expenses.
I wish other governments would take note as its a nice way to avoid the Visa/MC/Amex fees for at least some expenses.
Hong Kong octopus is also great
> The online function shall apply to physical payment cards and accompanying PIN code when purchasing essential goods such as food, medicine and fuel.
Is this a typo where they meant to say “the offline function”?
If I’m reading this right, the goal is to allow food, fuel, and medicine purchases with card + PIN in offline mode.
Seems like a reasonable goal. I wonder what the technical details will look like. Will there be a periodically updated list of cancelled cards/accounts distributed to endpoints? Even a hashed list of all cards cancelled before their expiration date within a country is a reasonable amount of data for modern storage systems.
Or would they simply rely on the ability to track down account owners by their originally registered contact info in the event that someone gets an invalid transaction through during an offline period?
> I wonder what the technical details will look like
It’s already a thing, the EMVCo standard predates ubiquitous internet connectivity. Mass transit systems typically use it, airlines used to for in-flight purchases before the advent of reliable WiFi.
https://en.m.wikipedia.org/wiki/EMV#Offline_data_authenticat...
It is somewhat common to maintain a denylist of known fraudulent cards, but as you note the main mitigation is on the bank to track the card down. One of the key things you need to figure out with an offline payment system - and what I imagine is needed here - is a consensus on who has the liability for offline transactions and what the dollar limits are.
The card itself knows its balance and is authorised to approve transactions up to a limit fully offline.
The UK already does this in some shops for low value items for NFC payments. You can tell the offline transactions because they immediately say 'approved' rather than taking a few seconds.
If it turns out the card approved something 'wrongly', for example because you had previously reported the card lost to the bank, then the bank refunds the transaction and claims the value back from the merchant. That's why many merchants have their terminals set to require online payments.
Your card doesn't know the balance, it doesn't work like that.
Offline transactions mostly died off when the limit in the UK for contactless was raised to £100. At £20/30 (the original limits) issuers/merchants risk accept some payments not being valid (and the total limit before you had to chip and pin was fairly low top).
And worth saying, the merchant has some control on the terminal but mostly the decision of offline/online is down to the issuer and configured on the card.
Out of interest is this both debit and credit cards, or just debit?
Some debit cards don't allow offline transactions, usually when the cardholder isn't allowed to be in debt.
In the olden days, you'd get a Visa Electron or Solo debit card in the UK if you were under 18 or had a poor credit history.
Visa Electron and Solo were online authorisation-only card brands (also known as "immediate authorisation").
If you didn't have enough money in your account, the transaction would be declined. Visa Electron cards didn't have embossed numbers on the front, so couldn't be used with the old-fashioned card imprinters.
Visa Electron and Solo have been discontinued now, so people with poor credit can get a Visa Debit or MasterCard debit card, but with offline authorisation disabled.
That does mean those cards can't work in some places (e.g. on aeroplanes or trains).
Credit Cards generally always support offline authorisation.
Mostly identical. Credit cards will probably have different risk rules though - after all it's their money not yours :)
It's incredible how the banks refuse to lose here; they will screw over the merchants before taking on any liability in this matter.
When you set up the POS you can choose whether to allow offline auth or not. It makes transactions a little faster, but you’re the one who takes the hit if the card bounces later. Just comes down to whether you value speed over the extra risk.
I assume it's a typo or equivalent mistake.
EMV (chip cards) can have a small amount of local smarts, so it is typical for example to insist on going online for a large transaction or if the card has performed too many offline transactions since last going online. The card maker decides these rules, so the bank gets to ensure the cards it issues to customers meet whatever requirements it has decided upon, balancing fraud risk against problems with loss of connectivity or services being down.
So I doubt they'd bother doing some sort of ad hoc revocation technique.
Back in the day, we used these machines to take a paper imprint of the card. You would get a copy and give it to the bank. There was a phone number you could ring to check if the card was valid. I never phoned the number.
https://en.wikipedia.org/wiki/Credit_card_imprinter
This was before my time, but older folks have told me that in the early days of credit cards here in Australia (70s and 80s), for larger purchases at department stores (which were virtually the only merchants who accepted credit cards back then), it was common for the checkout person to phone your bank to get authorisation for the transaction, before you could walk out the door with the merchandise.
Similarly in the UK we had the concept of a 'cheque guarantee card'. Present your Barclays plastic card along with a paper cheque up to some value (£50 rings a bell; I was too young, it was my mam doing the transacting) and that cheque is guaranteed by the bank.
https://en.wikipedia.org/wiki/Cheque_guarantee_card
Ka-chunk.
It's why the letters are raised on the cards!
My latest Swedish credit card doesn't have raised letters...
It's a check, they have invented checks.
Are there people that like cheques? They are no longer a thing in New Zealand. It seems like something no-one would miss.
Are there people that like cheques?
For no good reason, I keep a list of why I use checks (in the U.S.):
- Charitable donations because charities maximize every penny, and electronic contributions eat into that
- Paying the accountant - Good accountants make every penny count, and aren't interested in paying credit card overhead.
- Tipping the paperboy at Christmas
- Tipping the doorman at Christmas
- Business license renewal in certain cities
- IRS payments without a fee
- Gas bill. Gas company charges $5+ to pay by credit or debit card.
- Rent. Building charges $50+ to pay by debit card, $200+ to pay by credit card.
- Electric bill. Electric company charges $5+ to pay by credit or debit card.
- Passport renewal fee (Though I believe this is finally possible with a credit card, I haven't had the opportunity to see yet.)
- My company requires me to send it a check for the amount I receive from the government for jury duty.
- My company allows me to buy computers and other equipment it no longer needs. Checks only. (And an M2 MacBook Pro for $200 woot!)
- Fee to pay for a new car title. No credit cards accepted in my jurisdiction.
> Charitable donations because charities maximize every penny, and electronic contributions eat into that
Charities in Europe very much want an electronic donation, since the cost is far less than handling either cash or cheques. More importantly (I think), it also gives them much more opportunity to get a recurring donation.
Example UK prices (since cheques still exist there)
- Depositing cash, 70p per £100 deposited.
- Depositing cheque, 60p per cheque.
- Receiving one-off electronic payment, 10p.
- Receiving a recurring electronic payment, 4p.
In Finland, and I imagine in most of Europe in general, people just make bank transfers for most of those things. Unlike in USA you cannot just pull cash from someone's account if you know their bank account number, you need to setup SEPA Direct Debit to do that and it requires explicit authorization from the account owner. It isn't even really used much in Finland, most companies just send electronic invoices that you can setup autopay for in your bank. They aren't free for companies but the cost is negligible (likely less than the postage stamp would cost).
Unlike in USA you cannot just pull cash from someone's account if you know their bank account number
People say things like this as if the money taken in a fraudulent transaction just disappears and is untraceable, and unrecoverable. That is false.
It's one of those scare tactics that the middlemen use to sell a vision of financial-techno-secure-utopianism in order to collect a percentage of the money. Don't fall for the marketing.
The money has to go somewhere: Into another bank account, usually, which is easily traceable since banks by law have to know who they're dealing with.
Even if a check gets cashed at a check cashing store, the store requires ID, the person getting the money is on video, sometimes they have their fingerprints taken by the store, and if something still goes wrong, the store is on the hook for the money when the transaction is reported as fraudulent and reversed.
These are all problems that were largely solved last century.
> The money has to go somewhere: Into another bank account, usually, which is easily traceable since banks by law have to know who they're dealing with.
Yes but you actually need to notice that it happened which requires them to actively monitor their transactions on all of their accounts. They then need to use their own time to report these transactions and wait for banks to resolve it. And that's just in the good case where bank doesn't dispute it. If they do, you now need to file official complaint with regulators or sue them. Former can probably be done by highly educated people by themselves (others likely need some legal help), in latter case you are going to need a lawyer. I'm not even sure if you are eligible to recover costs for those.
Why is this better than just not allowing pulls without explicit authorization by the consumer (SEPA Direct Debit) or just asking consumer to actually send the funds (bank transfer)?
One of the many surprising things on that list is that paperboys still exist!
I thought printed papers were all but dead even in the US and can't recall the last time I saw a stand or store where I could buy one. They faded away unceremoniously, like phone booths.
That there is enough money in it to motivate kids to get up in the morning still today I would never have guessed.
Also astonishing are the size and presence of the various fees! Around here a 5 dollar fee for invoicing is the highest I've seen, and it raises eyebrows even among the Mercedes/BMW crowd because everyone knows it doesn't cover any actual additional costs, so it's basically a scam. A way for companies to say "interest free" while still collecting interest.
I thought printed papers were all but dead even in the US
In its last financial statement, the New York Times reported 600,000 print subscribers. (Plus something like 20 million paid online subs.)
Newsstands are mostly gone (though there are a few), but my experience over the last few years is that outside of tourist areas, print newspapers are available at most chain drug stores, book stores, and some gas stations. The more urban you are, the more likely you are to find them. They also remain popular in ethnic communities. I recently picked up a monthly printed newspaper in Japanese that is distributed in the DC area.
I can think of five places with six blocks of me that sell newspapers (two drug stores, two bodegas, and a bookstore).
The latest Superman movie even did a PR stunt where the movie company printed up thousands of Gotham newspapers with Superman headlines and distributed them to newspaper racks. I saw them at Walgreens.
UK perspective:
- bank transfer
- bank transfer
- cash
- cash
- direct debit
- bank transfer or PAYE
- direct debit
- standing order (recurring bank transfer)
- direct debit
- card
- ? You pay your employer what you were paid for jury service? Bank transfer I guess, but also probably illegal
- would likely be deducted on payslip (because tax & accounting implications of below market value gift) or via a third-party that would most likely accept card
- free
> ? You pay your employer what you were paid for jury service? Bank transfer I guess, but also probably illegal
That happens when you are salaried and your company pays you your normal salary for the time you are in jury duty. They already paid for your time, they are entitled to the (generally much lower) compensation that the state pays you.
most of these are related to the high credit card fees we have in the US to support the card points programs. in EU for example, the fees are 10% of ours.
My list is similar except I'm using ACH for about 50% of your list.
I'm in Sweden and the only time I've ever come in contact with a check was when an American company sent me one as a refund.
Most of these reasons just sound like fee-issues to me. I use a debit card (or Swish) to pay for everything and there's never a cheaper payment option. The fact that checks somehow cost less to use than debit/credit cards sounds ridiculous tbh, especially with all the added handling that must go into dealing with them (it just seems so inefficient).
Not really your point, but this sounds crazy.
> My company requires me to send it a check for the amount I receive from the government for jury duty
That just sounds like something that shouldn't be allowed. I don't know the rules.
The state made me forego the (grand - for a month) jury duty pay due to being on salary. However, I still got compensated for daily public transport to the courthouse - which wasn't taxable.
Some states permit it, some do not.
My company claims that allowing me to have both my regular pay and the government pay would be considered an over-payment, and the accountants say it triggers all kinds of messy things.
However, at the same time, it is illegal to do this in some American states where we have offices. So it must somehow be possible for the accountants to allow it.
I'd assume they would pay wages, minus the court pay. Given how badly jury duty pays, it seems a wasted effort.
Given how badly jury duty pays, it seems a wasted effort.
It seems to vary from county to county. When I served, we were given a pamphlet stating that the rate had recently been raised.
I don't remember the exact figure, but it was well above minimum wage. Something like $80 for the first and last day, plus $120 for each day between, plus transportation costs.
Far less than what I make as a super cool tech dev bro, but I can see it taking a lot of the pain away for the average person.
> Something like $80 for the first and last day, plus $120 for each day between, plus transportation costs
Was this recent? The highest daily rate there is $15 per hour.
I’m in New Zealand and that’s fractionally more than minimum wage.
I served on a jury for a week a few years ago and my check at the end was $22. It seems like it wouldn't be worth the company's time to handle and process that check.
I'm sure some jurors got more. My county's jury pay/reimbursement is primarily mileage based and I live 2 miles from the court house.
If the "check"/offline payment bounces, I wonder if it's the merchant that is out the money? Or is there any assurance from anyone else, like maybe the network would go halfsies?
Edit: on second thought, that doesn't really make sense and would be a great way to defraud the network of a ton of guaranteed money
You nailed it. Or those old *KU-CHUNK* machines that I remember from my childhood.
I would love it if this were the solution, embossed card imprinters can work without internet and power and are both fast and intuitive. It worked as a primary method in the past, it can work as a backup method in the future.
atleast with cheques tho there was a way to safeguard the payments of a cheques by crossing of cheques and when I had learnt about cheques there were a lot of things that can be done via cheques like endorsing etc.
But there was always a risk of cheques being unsafe so that's why there is bank drafts. It seems that this is more similar to bank drafts than cheques.
If you really try to sum it up, I know I am going to do a grave misjustice but even a cash could be thought of a cheque from the govt. (well a cheque is meant to be unconditional but its based on the banking laws of a govt. and cash is a promissory note which is a promise made by the govt. so yeah....)
As another HN commenter pointed out here,this decision might be partially due to swedish culture of how they view cash which you can find here.
The idea of there being some "government approved" list of things people can buy with this is horrifying and exactly why cash should continue to exist.
People should still be able to buy food and essentials even during cyberattacks from Russia. That's what Sweden is preparing for.
And there's a solution to that that lets them value what they want appropriately and not have to choose it from a government list. I think unfortunately the temptation is too high for governments to also try and tell people what their priorities should be, which is why having an exchange medium that doesn't involve government control is important.
I don't think it's going to be a list of things, but rather a list of vendor types (grocery stores, pharmacies, gas stations) that have to accept offline payments, and that banks must accept offline payments from. You can live without a new iPhone if the terminal is down, but you can't live without food.
Every time I see posts like these related to fiat, my heart sinks. Despite pro privacy sentiments across the site, there is a concerning amount of people who have not only fallen to the trap of convenience, but even consider cash use suspicious or criminal (the morality of tax evasion is a whole different subject, the places where it's most popular often coincides with a corrupt, inefficient government). Soon, cash use will be made impractical due to digital currencies and growing government control, but cryptocurrency will take its place, it has already to a limited extent.
These past couple of years I've gotten into plenty of trouble on multiple occasions, as a result of what I would describe as a cascade of misfortune initiated by a single unfortunate event (for which I will take some responsibility, but nevertheless...).
These "cascades of misfortune" I've run into happen largely because of how we've placed certain institutions at the center of our lives and our society, or perhaps more precisely because of the "convenient" solutions of theirs that we've all been coralled into adopting.
I'm thinking of social media networks, smartphone companies and their app stores, banks and their electronic payments, etc. Everyone's opted in, and we don't realise how much we've given up as a result, with all these "convenient" alternatives, now made mandatory to replace the old and inconvenient solution.
We don't realize, that is, until you're standing at the bank teller in a city away from home, passport in hand but otherwise robbed of phone and wallet, hoping to withdraw some cash to keep you alive while you sort this mess out - only to learn that the bank is no longer able to do that for you. You can't just get your own money. You could withdraw at the ATM, but with a card of course, and that for a fee with a pretty low upper limit. But banks don't serve that purpose anymore. They're now software institutions that we are forced to have a relationship with and operate through in order to make monetary transactions.
Suddenly society has shut down. You can't log into anything without your phone and 2FA, so you're stuck without access to your favorite online services until you get a new SIM card and a fresh device. But even then, there's no riding public transit, because you don't have access to the apps they all operate through. Not that you'd be able to pay in those apps anyway, after cancelling your payment cards. And besides, you don't have anywhere you'd like to go anyway, because, aside from having basically no money to spend on food or events, there's no way to learn what's happening in this city without access to Facebook and all the company pages and events published there.
I forget now all the myriad ways that life grinds to a halt, but I do vividly remember feeling like nothing was possible. And that only because I lost one or two things which should be entirely optional in life! You shouldn't be required as a human, nor even as a member of society, to have a Facebook account, or a smartphone, or even a bank account (that last one is perhaps my most extreme take, but I stand by it).
Out of interest, how does one get out of that scenario?
The bank will probably let you order a new card to their offices instead of your home address, so all you need to do is survive for a week or so. In my case, that was very easy thanks to the friends I was visiting.
As for the meantime: I still did have my bank's ID chip with me as a backup, so I could have used online banking to make a transfer to myself with something like Western Union, and crossed my fingers that my bank wouldn't require verification by phone for this suspicious transfer. That would have gotten me some cash at least within the course of the next day, but my friend helped me out, so it didn't come to that.
Without friends around, though, and one or two more unfortunate circumstances piled on, I really don't know. It's unsettling to realize how little it takes to be forced to sleep in the streets.
How are you going to make offline crypto payments?
> Cryptocurrency will take its place.
It won't. Look at China. Cash is impossible to use and crypto is banned.
How do people pay for drugs, bribes, prostitutes, etc.?
Do they just accept the risk the government can see every payment?
> but cryptocurrency will take its place, it has already to a limited extent.
No. No, it won't. Although labeling regular electronic payments as "cryptocurrency" might become more popular.
Pedantically speaking, offline card payments are already possible _now_. E.g. see the Square documentation about that.[1]
However, it requires that all the parties involved (issuer, acquirer, payment network, merchant) allow it, and there are certain limits. One of the linked documents[2] in the riksbank press release has more details about what they expect from these parties.
[1] https://squareup.com/help/us/en/article/7777-process-card-pa...
[2] https://www.riksbank.se/globalassets/media/nyheter--pressmed...
Fundamentally it's all extensions of credit, right? The question is who is taking on credit risk in these transactions and how is everything settled when the power comes back. Presumably, everything is somewhat reversible and there is some dispute resolution process.
Credit cards used to be used for offline payments - the cashier would take an imprint of the card and it would all be processed later.
https://en.m.wikipedia.org/wiki/Credit_card_imprinter
In the Netherlands we had an extra chip on our cards a while back called "chipknip" for offline payments. Didn't work because you had to charge it separately.
Chipknip (a portmanteau of chip card and knip, Dutch for purse) was a stored-value payment card system used in the Netherlands. Based on the Belgian Proton system, it was started by Interpay on 26 October 1995, as a pilot project in the city of Arnhem and a year later rolled out countrywide. Chipknip was taken over by Currence due to a restructuring on 17 May 2005, who managed it with their licensees until its discontinuation on 1 January 2015. The Chipknip was primarily used for small retail transactions, as the card could contain a maximum value of 500 euros. The money needed to be transferred from a card holders main bank account using a loading station which were generally located next to ATMs.
Sweden had a similar system in the late 90's-early 00's called the "cash card", also developed by Proton. It was a huge failure with basically zero uptake, there was no benefit over just using your debit card https://sv.wikipedia.org/wiki/Cash_%28betalsystem%29
And it was also before stores started not accepting cash.
Speaking about payment methods, I wonder what's the sentiment on HN about the new Digital Euro thing.
I've seen people claim it's the worst thing to ever happen and that governments will lock money and things like that.
But personally, after looking at their objectives (offline cash-like payments for example, where only the sender and the recipient know about the transaction) I'm pretty happy about this coming out (even though it still seems early in development)
Are they talking about something like this: https://en.m.wikipedia.org/wiki/Credit_card_imprinter
Or is there some sort of technological breakthrough?
There's no technical breakthrough, but it might seem novel to people in countries like the USA where offline authorisation hasn't been widely allowed on credit and debit cards for some time.
https://en.wikipedia.org/wiki/Online_authorisation
In many countries in Europe, offline authorisation is more common. Cards have had a chip as standard for over two decades in European countries, and a PIN is often used for cardholder verification.
Combined, these make the risks of accepting a transaction for a small amount of money offline very low.
The limit of what can be accepted offline is known as a "floor limit" in the UK.
This is just reenabling existing technology. Card chip already has everything required to verify the card and PIN[0], the only thing internet access is required is checking if account is not empty/over limit.
[0] That also means that after changing PIN on bank site, you have to visit ATM, so new PIN is actually stored on card - but that it only required for that offline mode.
This reminds me of Mondex:
> Mondex was a smart card electronic cash system, implemented as a stored-value card and owned by Mastercard.
> Mondex allowed users to use its electronic card as they would with cash, enabling peer-to-peer offline transfers between cards, which did not need any authorization, via Mondex ATMs, computer card readers, personal 'wallets' and specialized telephones. This offline nature of the system and other unique features made Mondex stand out from leading competitors at the time, such as Visa Cash, which was a closed system and was much closer in concept to a traditional payment cards' transactional operation.
https://en.wikipedia.org/wiki/Mondex
EMV chip & pin cards have always been capable of offline payments.
In the UK this has definitely worked in the past - I remember many years ago there being occasions when something was wrong with the network connection(?) at my local supermarket, but still being able to make a payment in offline mode. This works because the payment terminal authenticates the PIN directly with the chip on the card. They just can't check your balance is sufficient to pay for what you're purchasing.
TfL also accepts your contactless card in offline mode: their buses operate in tunnels and other areas with a poor mobile data signal, but cards are still accepted at all times.
This is to put an end to Visa Electron and Mastercard's Maestro.
This cards are often given to underage (< 20 year) customers, to prevent them to overspend.
A lot of people don't realize that our entire financial system is eventually consistent. They think that when they go to an ATM and withdraw money, it's instantly gone from their account.
The reality is that in most cases the convergence is so quick it looks like it's instantly gone, but it's not. For example, if the ATM is unable to get your current balance, it will still complete the transaction.
That's why your card has a daily limit -- that's basically the risk tolerance of the bank on how much they are willing to lose if the transactions don't get converge quickly enough.
In a few places, you can see traces of this aspect of the system. For example, some gas pumps put a $150 "hold" on your card, and on your bank's web site, you may be able to see "pending" transactions that are in some not-quite-final state.
That’s a different thing: pre-authorization. It’s used for when you want to authorize some purchase before delivering the goods (that you later confirm once it’s delivered). The pre-auth is still done online for amounts above the card-offline limit.
The nicer feature of preauth is that you can confirm a lower amount. So in the case of a gas pump, they first have to make sure you have the money, without knowing how much, because you haven’t pumped it yet. Once you finish, then they know the amount, and confirm the transaction at a lower amount.
1yr timeline is ambitious if it means fully deployed.
Clearly the right thing for Sweden and others to do. Also worrying that even 3yrs into the Russian invasion, bordering countries are urgently increasing their preparedness for future conflicts.
I believe most of those POS systems can operate in offline mode, in Europe at least. I have friends who work for large event organizers, and they have spoken about how if the system is offline the bars can continue to take payments, but there is a risk as a person's account may not have sufficient balance to make the charge when the system comes back online.
Most people here pay by card and I would say the vast majority use debit cards. A lot of people don't even have credit cards, unlike the US.
I'm no expert so may be wrong about some of this, and maybe huge events like these have these systems in place due to the risk of having to shut down bars etc. Many events are completely cash less these days.
> I believe most of those POS systems can operate in offline mode, in Europe at least.
I was able to pay "offline" for my groceries at corner store nearby when their terminal had really bad or no connection at all - and that did happen a lot. They were just gathering all payments and when the "computer guy" was around he'd upload these to the Internet. The only caveat was that for some reasons these payments would be stuck for more than a week on transactions list
The standards are already designed and widely implemented in Europe and a smallish percentage of transactions are already fully offline.
I suspect this could be implemented with just policy and config changes, with no need to reissue cards or deploy new readers.
Right, basically all EMV cards are ready. You just need one that has some offline tolerance, as there are limits on both the amount and number of consecutive offline transactions. I believe these settings can be updated on the chip, i.e. your bank will tell you to go to an ATM perform any operation to make sure it's up to date.
Payment terminals might be trickier as we've observed during outages that they currently don't fall back to offline transactions. But their software and business rules can obviously be updated.
This is also partially due to hacking incidents in recent years. In 2021, all 800 Coop grocery stores were closed for a few days due to the Kaseya VSA ransomware attack [1].
[1]: https://en.wikipedia.org/wiki/Kaseya_VSA_ransomware_attack
I don’t wanna freak anybody out, but we had offline card payments decades ago. Especially back before online payments existed.
Cash is the best offline card
Would be interesting how they work technically. The linked pdf mentions an EMV chip, which I assume is some sort of TEE. Other than creating recipient-specific one-time vouchers online, I can't think of a way to do offline payments without a TEE.
Yes EMV chips and the EMV standard are secure elements that were spec’d and have been manufactured since the 80s. The EU has been using these thing pretty much universally since the late 90s.
They’ve also supported offline transactions that entire time. Indeed offline transactions was the norm for a long time because internet connections were expensive. So payment terminals did offline transactions, then literally phoned home at the end of the day to upload all of the day’s transactions.
The transactions themselves are just signed by the cards, and stored by the payment terminals. Interestingly using symmetric encryption, because asymmetric encryption was two expensive to put into debit/credit cards when the EMV spec was originally created.
Card transactions being online by default in the EU is pretty recent phenomenon that only really happens in the past 5-10 years, as internet connections and cheap mobile data plans have become ubiquitous.
EMV has been using asymmetric cryptography for a long time now, even though it's strictly optional in the specs.
Older cards indeed didn't have it for cost reasons, and online-only cards theoretically have no strict need for it even today, but practically, a symmetric-only card is a non-starter these days for several reasons. You won't be able to ride the Tube in London or Subway in NYC with a card that does not support it, for example.
> You won't be able to ride the Tube in London or Subway in NYC with a card that does not support it, for example.
Those systems all perform online auths at the gate, they don’t rely on offline transactions at all.
Asymmetric encryption is used to prove the identity of the card itself, I.e. prove it’s a real card owned by a real issuer. But it’s not used to sign the transaction itself.
Transaction cryptograms, the cryptographic blob that’s built using data like transaction amounts, method of customer authentication etc only use symmetric encryption. The produced cryptogram itself is then also signed using an asymmetric key, but the asymmetric and symmetric blobs are distinct entities and processes separately by the card network.
Now this is the really important, and completely non-obvious part. Only the symmetrically encrypted transaction cryptogram is sent over the card network to the issuer. All of the asymmetric parts are only used locally by the terminal for validation, then thrown away. So the data produced by the card that is actually stored and eventually sent to the issuer can’t be used for cryptographic non-repudiation, because there’s no mechanism for the merchant to prove using only the transaction cryptogram, and public keys, that a specific transaction was signed by a specific card issued by a specific issuer.
This may seem very strange from a technical perspective, but only because people think that the technical elements of card networks is what prevents fraud. In reality fraud, at least between network participants, is entirely prevented using legal contracts, escrow accounts, and the simple fact that the benefit of abusing the technical measures to commit fraud is simply not worth the consequences. Being a network participant requires you to put millions of dollars in escrow, and be a large enough company that you can realistically move millions of dollars in transactions everyday. Fraud between companies at that level is solved using very expensive lawyers, the technical measures only need to provide enough evidence of tampering to stand up in a court of law, where everyone is under oath, and at risk of personal repercussions for perjury. There is no need for them to be completely fool proof, it’s much easier to just depose the engineers who were ordered to circumvent the technical controls, under threat of prison time, than it is to get every network participant to adopt some complex cryptographic non-repudiation scheme to protect against scenarios that don’t actually occur in reality.
Here in southern Europe on the other hand, cash is a crucial part of the tax evasion economy
That is partially why the banks/government in Sweden have been happy to phase it out. Companies also don't like dealing with cash because it requires extra accounting, security, and transportation. In the early 2000s there were about 50 cash transport robberies per year in Sweden, in 2018 there was 1.
> Companies also don't like dealing with cash because it requires extra accounting, security, and transportation.
At least in the US, individual businesses don't like dealing with credit because of the transaction fees but are kind of forced to thanks to everybody else taking credit everywhere.
Of course, the big chains love credit and are happy to pay the transaction cost because it lets them audit all the transactions and increase their control over local managers and employees. Presumably, the big chains also negotiate lower fees.
Somewhat tangential (sorry), but in my part of southern Europe, cash change machines seem to be getting close to ubiquitous.
I wonder if that hinders tax evasion at all since there's presumably a pretty reliable paper trail of cash transactions.
You mean ATMs ? It is still harder to prove where the cash you took out of the ATM went to in comparison to card payments, but yeah, if you take a big amount of cash out of the ATM then it would be easy to flag you
No, I mean the machines that now handle cash payments at many businesses, accepting cash and returning change.
They're increasingly common here in Portugal, at least.
ah got it. these are mostly mechanical I think and are offline / dumb device as far as I know
Credit card companies have been doing stand-ins to support offline transactions for ages. Mainly the reason why you pay a high interest rate on your credit card.
Almost no one has credit cards here. It is almost only debit.
I guess if you have a card with no credit limit then this is possible but other than that how can you guarantee the funds, or credit, is there?
I read this as "new fraud mechanism should be possible no later than 1 July 2026"
Looks like summer 2026 is when the war will start
How many days was your glorious war in Ukraine supposed to last, Boris? Maybe wrap that one up and breed some more cannon fodder before starting another.
Ah yes, that old Russian chestnut that any moves to make Western civil society more resilient are portrayed as an omen of military aggression against them. Sorry Boris, not everything is about you.
This is how it used to be before, they would slide your card through that machine thingy, it would copy it's digits and they would process this sometime in the future.
Is this something they've been planning? Or is this a reaction to the saber rattling over in Russia?
Extracting keys from a modern SIM card is very difficult. The cost is way above 10K USD. So a payment card in offline mode is absolutely possible as long as one limits the payments to few hundreds USD.
The bigger challenge is an offline terminal that can easy accumulate tenths of USD in case of a long outage. But then compared with cards the terminal may have better protection.
What makes it over 10K USD?
In addition to the issue of microchips being inherently difficult to tamper with, smartcards have various hardware and software based anti-tampering measures, that are designed to destroy the chip, if someone attempts to extract the keys from the chip. That kind of security measures are never totally impermeable, but defeating them requires advanced equipment and skilled labour, and the R&D costs of the cracking devices need to be offset, too.
Make card payment available to local AI agents. How would this sound?
This sounds worse than cash in almost every dimension.
Kind of concerning when you see governments hardening themselves to massive AI cyber attacks.
Personally, I dream of an open-hardware, FLOSS wallet, also usable on POS like a bank smart card, confirming crypto transactions like legacy/traditional ones on its own display.
Internally, the signature part isolated like a smart-card, "embedded signature" hardware as a measure against double (multiple) spending, and reasonable limits on offline transactions with both parties offline (e.g., €10k/month).
The "embedded signature" hardware part is a bit vague because technologically it's not clear how to do something like that in a "secure enough" way, but it's a necessary part and the limit somewhat lowers the risk.
For use: mounted as a smartwatch or a pendant with a retractable lanyard, like ski-pass holders.
> “In Sweden, we pay digitally to a large degree and the use of cash is low. The general public being able to pay by card for example for food and medicines even in the event of a serious breakdown in data communication, that is offline, is a milestone in our intensified efforts to strengthen emergency preparedness”, says Governor Erik Thedéen.
I understand that it's very normal to use a CC in Sweden (and many places), but it feels grim to me that the thought towards major telecommunications breakdown is, "oh no, how will we make sure that people can keep credit card companies and banks informed that they need food and medicine if the internet is down?" I feel like "reversion" to the solved problem of offline transactions - cash payments - would be a more reasonable default assumption, and in the case of catastrophic infrastructure breakdown, simple expropriation.
Riksbanken have been pushing for cash payments too. Personally I think its too little too late. The culture in Sweden has already changed to purely digital
https://www.riksbank.se/sv/press-och-publicerat/nyheter-och-...
Sweden has also done multiple pilots of a digital currency pressed by the state. This might be an interesting alternative to not give up control of our currency and privacy to banks and cc companies. Also supposed to work offline. https://www.riksbank.se/globalassets/media/rapporter/e-krona...
Cash would be a reasonable assumption, but not a practical one unfortunately.
The only place really to get cash in Sweden is at an ATM, of which there are very few these days - most have been removed in the past years, and some might be very far away due to the large distances in Sweden. It should also be assumed that in the event of a critical infrastructure breakdown, the ATMs would not work either.
huh how is that possible
A lot of people asking here in comments how the implementation would look like, given this is HN and the crowd here is technical inclined. No idea how they will do it but I can tell you how I did it in 2008.
See, in 2008 one of my projects had a client that had a lot of venues around continental US and Mexico and those venues were having sparse internet connection (think sky resort venue, remote and internet delivered by antennas that weather could affect it). Meaning when internet was not available any card transaction was a no go. This was a problem to be solved so my client asked if there is a way to make offline credit payments. So here is my implementation: -read credit card details and deliver the goods -> store card details in a local database, encrypted -> check online connectivity -> when internet was a go try to charge the card. If it was good then all was done, details were erased from local storage, everybody happy. If it failed then retry, 5 times per day, for 5 different days. After 25 tries, blacklist the credit card. Forward the information to legal department and mark that credit card as not acceptable from now on. So if you screwed the client with a bad credit card, you screw it only for 5 days maximum. And you also had a legal department on your ass. Meaning you got a fake card, good for you, keep it up cause now you are also on Secret Service radar (most people don't know but Secret Service, not FBI, gets involved in this). In the years I got involved in this project, 8 years, the number of times this was an issue raised to legal department was like under 5. So most folks actually pay and the few that got retried had probably a temporary problem with their funds and eventually they got it back on track. For those under 5 I think all of them eventually cut a deal with legal without raising the issue further up. Sorry guys, no juicy story involving Secret Service here.
Probably this worked because the goods were kinda under $50 as price. So maximum you'd screw the company I worked for like $500. And most likely this would not work with a big retailer like Amazon where you can purchase for thousand of $ in a single transaction. But it had the advantage that it worked with all credit cards, debit or otherwise, Visa/MasterCard or whatever. If I would be on the implementation side nowadays from the Sweden bank in this article, I would probably do it like somebody else already proposed here in comments. Get the card to also contain an electronic signature which means a lot more scrutiny to get it released, which means yeah!, your privacy is fucked to Alpha Centauri and back if you try anything shady.
offline mode has been the limiting factor in almost all electronic payments. there was a convention where the single use keys became limited use keys so that cards could make offline payments in low amounts that could be reconciled later. it created a risk and a vulnerability to be managed, and there was at least one exploit against it if I remember correctly.
imo, the mandate creates an interesting technical constraint on any CBDC standard, where the offline mode limits the effectiveness of a "turn off" of someone's money, as there will always be some feature where they can use their money to buy food and fuel. For now I am interpreting this mandate as constructive to civil liberties.
I'm not following this as closely as I probably should, but it seems to me to be more of a data collection and retention scheme than something that'd actually be useful to me and my neighbours in a crisis.
In part because cash is common in my part of Sweden, which is likely annoying to the bureaucrats and oligarchs. Cash is nice because a transaction does not involve a measure of creditworthiness while only leaving an indirect trail, and this 'offline' thingie they're going for probably does and besides keeping personal data available 'offline' for performing such stratifications of people it also (theoretically) allows for a phasing out of cash also in crisis and armed conflict.
offline key signing and broadcasting later should be a simple thing
although heavily misunderstood, this is built into cryptocurrencies since day 1 (many critics have long thought crypto requires power and internet access, many proponents also don't know otherwise)
with card networks learning from competition and functionally being public-only keys, this should be even simpler to implement
Card networks have supported this mode of operation for a long time.
What is Sweden’s issue then? Why is the central bank involved in this at all?
card networks can do a lot of things, doesn't mean issuers and merchants are using it.
What cryptocurrencies work offline without Internet access to the ledger?
All of them? As long as eventually the connection is restored and the transaction can propagate over the network.
Also, "all of them"-- as in, when you pay multiple parties offline with the same exact crypto-dollar, all of them will get paid.
Even better, when you're back online the network will run a sanity check to protect against the evils of inflation.
(Note: inflation-check fees will vary between 0 and 100% per payee.)
The point of the ledger is to prevent double-spending.
Offline payment specifically allows double-spending. If you have offline payment, you don't need a ledger at all; you can just use PGP.
Those transactions simply won't be accepted. Sucks for the seller, but how to deal with that mess is an issue that has to be solved on an upper layer by ToS or laws.
Doesn't Solana require the hash of a recent (~ 1 minute) block before signing?
They do, but the payee accepts risk.
Yes, but the merchant has to have a way to check for double-spending, or otherwise verify that the signed txn they have been given represents money that can be "taken to the bank".
Checking the signature on some blob that says "this be money" is not enough.
True. But if the system is implemented by a country this could be implemented using the law system and insurances.
For example, when each transaction is done, both parties might keep a cryptographic proof which they are required to submit once they are online again.
Failing to submit could result in a small fine (to encourage submission) and double spending which can then be detected could result in a large fine (or even a prison sentence), for example.
There is, perhaps, a privacy issue, just like with blockchain. But it's not more of an issue than online transactions.
You don't need a blockchain for that, see how old credit cards worked without network access.
I didn't say you need a blockchain. I just said a cryptographic protocol (mostly offline and unrelated to blockchain) would help to automatically and quickly detect and proof fraud.
The offline credit card system does not proof fraud but just has insurance.
I figure you can ‘solve’ it socially and legally by treating double spend while offline the same as writing a bad check. Recipients of offline transactions knowing the risk would limit it to small amounts and or emergencies.