| There are two separate transactions for payment cards: Authorization and Settlement. Only Authorization involves all this clever technology like encryption and PINs; only Settlement actually moves any money anywhere. For some debit cards, the situation is that they only allow Authorization to occur online, and it will validate your balance before authorizing the transaction AND it will respond to Settlements which are unauthorised by always reversing them. Most people don't want this, because it's annoying, but it can be an option for people who have (some) money but can't be trusted with debt, for example some problem gamblers. It would never be reasonable to give them a card they can spend more than they have on, because they will spend uncontrollably. The distinction between Authorization and Settlement has a variety of weird consequences. For example: If you lose a card and it has to be blocked by the issuer, transactions you Authorized with that card can still be Settled hours, days or even very occasionally weeks later despite the block. Some merchants who determine their exposure to fraud is very low just don't bother with Authorization at all. They only do Settlement, and it Just Works™ because none of their customers were trying to defraud them or queried the bill. This is a really nice user experience, super low friction. Modern Authorization has anti-replay features, because it's built out of technologies where that was essentially free. So you can't execute any Authorization more than once (but Light Blue Touchpaper has an example incident where bad RNG allowed bad guys to attack this). But Settlement still acts like reel-to-reel tape is exciting new technology so it has no anti-replay, and periodically a batch of Settlements will accidentally be executed twice, taking money from customers and giving it to merchants until enough related complaints happen for somebody to realise the mistake and fix it. |
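
The accidental double execution of a settlement batch described in the comment above, as an added example that is not part of the original comment: the same batch is posted twice to a ledger with no replay tracking and to one that remembers batch and record digests. The record layout, the `merchant_ref` field and all sample values are constructed assumptions, not a real settlement file format.

```python
import hashlib
from collections import Counter

# Constructed sample batch: (merchant, card_token, amount_in_pence, merchant_ref).
# All field names and values are hypothetical, not a real settlement file format.
BATCH = [
    ("M001", "tok_a", 1250, "r-1001"),
    ("M001", "tok_b", 400, "r-1002"),
    ("M002", "tok_a", 9900, "r-7"),
]

def record_key(rec):
    """Stable identifier for one settlement record."""
    return hashlib.sha256("|".join(map(str, rec)).encode()).hexdigest()

def batch_digest(batch):
    """Order-independent digest, so a re-sorted resubmission still matches."""
    joined = "".join(sorted(record_key(r) for r in batch))
    return hashlib.sha256(joined.encode()).hexdigest()

class Ledger:
    def __init__(self, dedupe):
        self.dedupe = dedupe
        self.seen_batches = set()
        self.seen_records = set()
        self.debits = Counter()   # card_token -> total debited

    def settle(self, batch):
        """Post a batch; return the number of records actually posted."""
        digest = batch_digest(batch)
        if self.dedupe and digest in self.seen_batches:
            return 0              # whole batch already executed
        self.seen_batches.add(digest)
        posted = 0
        for rec in batch:
            key = record_key(rec)
            if self.dedupe and key in self.seen_records:
                continue          # record replayed inside a different batch
            self.seen_records.add(key)
            self.debits[rec[1]] += rec[2]
            posted += 1
        return posted

def run_twice(dedupe):
    """Execute the same batch twice, as in the accidental re-run described above."""
    ledger = Ledger(dedupe)
    counts = [ledger.settle(BATCH), ledger.settle(BATCH)]
    return counts, dict(ledger.debits)
```

The record key includes the merchant's own reference, so two genuine purchases of the same amount at the same merchant are not mistaken for a replay.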