Archi-Finance Archi·Finance / Remofocus

fintech rails

What Really Happens in the 2 Seconds After You Tap Your Card

June 15, 2026 · breakdown · Archi·Finance

The tap is the start of a global relay race that finishes before you pocket your card

~500 ms NFC handshake13.56 MHz< 2 sec end-to-end

You tap your card. The terminal beeps. You walk away. And you assume — money moved. It didn't. Not yet. What actually fired in that half-second is one of the fastest coordinated events in modern finance, and almost none of it is the payment. Visa builds its network to authorize a tap and fire back a yes-or-no in under 2 seconds. The first leg — your card whispering to the terminal over a 13.56 megahertz radio field — completes in roughly 500 milliseconds. That's faster than you can blink twice. In that window, your card and the reader run a cryptographic handshake defined by the iso 14443 contactless standard. No swipe, no signature, no contact. Just a radio conversation measured in milliseconds. And here's the surprising part: at the moment the light turns green, zero dollars have actually changed hands. What you triggered is a relay race. A baton — a tiny encrypted message — gets passed across continents, through four separate companies, scored by an AI, and handed back, all before your hand leaves the counter. The money? The money is the slow part. It's hours, sometimes days, behind. So let's slow down those 2 seconds and watch the baton move, leg by leg — because the engineering packed into a single tap is genuinely absurd, and once you see it, you'll never look at a checkout terminal the same way again.

Your card never sends your real number — it generates a one-time cryptogram

1 cryptogram per tap76% drop in counterfeit fraudOct 2015 EMV shift

First leg of the race, and the cleverest. When you tap, your card does not hand over your real 16-digit number for the terminal to memorize. Instead, the chip generates a one-time cryptogram — emv calls it an Application Cryptogram, the arqc. It's a unique cryptographic signature, freshly minted for this single transaction, using a key buried inside the chip that never leaves it. Tap again tomorrow, you get a completely different cryptogram. Which means if someone intercepts that radio burst, they've captured a code that's already dead. Worthless. Replay it and the bank rejects it instantly. This is not theory — it's why card fraud collapsed. When the United States flipped its emv liability shift in October 2015, pushing merchants from magnetic stripe to chip, the results were brutal for counterfeiters. Visa reported counterfeit card fraud at chip-enabled merchants fell 76% by 2018. Seventy-six percent. The old magnetic stripe stored your static data — copy it once, clone it forever. The skimmers loved it. The cryptogram killed that business model overnight, because there's nothing static left to steal. Every tap is a new, signed, single-use token. So the very first thing that happens in your 2 seconds is your card proving it's authentic without ever revealing what it actually is. The terminal doesn't learn your secret. It just gets a sealed envelope, stamped once, that only your bank can open. That sealed envelope is now the baton — and it needs to travel.

The request hops terminal to acquirer to card network to issuing bank

4 core parties65,000 messages/seccross-border round trip

Now the baton moves, and this is where geography stops mattering. The terminal can't approve anything on its own. It hands that sealed cryptogram to the acquirer — the company that signed up the merchant. Think Stripe, think Worldpay, think Adyen. The acquirer doesn't decide either. It forwards the request into the card network — VisaNet, or Mastercard's equivalent — the actual switchboard at the center of everything. VisaNet then routes it to the one party that can say yes: your issuing bank, the bank that gave you the card. Four players, in sequence. Merchant, acquirer, network, issuer. The request runs all the way out to your bank and the answer runs all the way back — potentially across an ocean — and it still lands inside that 2-second budget. How? Raw industrial capacity. VisaNet is engineered to handle up to 65,000 transaction messages per second. Sixty-five thousand. Per second. It's not waiting in a queue behind you; it's processing the entire planet's checkout lines in parallel, on infrastructure built with multiple redundant data centers so a failure in one doesn't drop your tap. Every leg of this hop is logged, authenticated, and timestamped. The merchant doesn't know your balance. The acquirer doesn't know your secret key. The network just routes. Only the issuer holds the answer. And that division of trust — nobody knows everything — is exactly what lets four separate companies pass your money's fate between them in a single heartbeat.

Your bank runs real-time fraud scoring and a balance check before saying yes

500+ attributes scoredtens of msapprove / decline / step-up

The baton lands at your bank, and now the hardest work happens in the smallest window. Before it answers, your issuer does two things at once. One: a boring balance and limit check — do you have the funds, is the card active. Two: the interesting one — real-time fraud scoring. Your transaction gets fed into an AI risk engine. Visa calls its system Advanced Authorization; Mastercard calls theirs Decision Intelligence. And these aren't checking one or two things. Visa says its AI scores more than 500 attributes on every single transaction. Where are you. What time is it. Is this merchant category normal for you. Did a card-present tap in London just follow an online purchase in Tokyo eleven minutes ago. Is the amount weird. Is the velocity weird. Five hundred-plus signals, weighed against your behavioral history, and collapsed into a risk score — in tens of milliseconds. Out of that comes one of three verdicts. Approve. Decline. Or step-up — meaning, prove it's really you, trigger a pin or an app confirmation. This is the part most people never imagine is happening. You think tapping is dumb and mechanical. It's the opposite. In the time it takes the terminal to beep, a machine-learning model trained on billions of prior transactions has profiled this one, decided whether it smells like fraud, and committed to a decision your bank will stand behind financially. Then it signs the answer and fires the baton back along the same chain. Approved.

The risk vector — relay and skimming attacks — and why limits plus crypto cap the damage

£100 UK limit (Oct 2021)up from £45dynamic cryptogram blocks replay

So where's the weak point? It's that wireless window. The card and terminal talk over the air, and anything over the air can, in theory, be listened to or relayed. Security researchers have demonstrated relay attacks — where one device sits near your card, another sits near a terminal, and they bridge the radio gap to fake a tap from a distance. It's a real, published attack. So why don't we hear about people getting drained? Two defenses do the heavy lifting. First, the dynamic cryptogram from earlier — replay a captured tap and it's already invalid, so a recorded transaction is dead on arrival. Second, hard contactless spending limits. In the UK, the contactless cap sits at £100 per tap, raised in October 2021 from the previous £45. Hit that ceiling and the system forces a chip-and-pin, dragging the attacker back into a world where they need your physical card and your secret number. So the architecture deliberately boxes in the blast radius: small amounts move frictionlessly, anything bigger demands proof. The cryptography stops replay; the limit caps exposure; the fraud AI catches the weird patterns. Stack those three and the real-world losses from contactless attacks stay tiny — a rounding error against trillions in volume. The lesson isn't that tap is invulnerable. It's that the system assumes it'll be attacked and engineers the damage down to almost nothing by design. The convenience you feel is the product of a thousand defensive decisions you never see.

The green light is a promise, not the money — settlement happens later in batches

authorization: ~2 secsettlement: 1–3 daystwo separate systems

Here's the twist that breaks most people's mental model. That green light? It's not payment. It's a promise. What your bank just did is authorize — it reserved the funds, placed a hold, and guaranteed the merchant they'll be paid. But no money actually moved. The dollars are still sitting in your account. The real transfer — called clearing and settlement — happens completely separately, and much, much slower. At the end of the day, the merchant's terminal batches up all its approved transactions into a file. That file flows to the acquirer, into the network, and the network nets out who owes whom across millions of transactions. Then funds settle bank to bank, and the merchant typically gets paid 1 to 3 business days later. So you have two totally different clocks running. Authorization: about 2 seconds. Settlement: up to 3 business days. One is a real-time messaging system optimized for speed and fraud. The other is a slow, batched accounting system optimized for accuracy and reconciliation. They were deliberately split apart, because you can't make a customer wait three days at a checkout, and you can't safely move real money in 2 seconds across thousands of banks without errors. The genius is decoupling them — let the promise travel at the speed of light, and let the money settle at the speed of accounting. So when you walk out of that store, you haven't paid. You've been promised to. The cash catches up later, quietly, in a batch file you'll never see.

Takeaway — in 2 seconds you triggered a token, a global round-trip, and an AI fraud check

~233B Visa transactions (FY2023)2 sec authorizationmoney moves later

So replay the whole thing in your head at full speed. You tapped. In about 2 seconds, your chip minted a one-time cryptogram so your real number never moved. That sealed token raced through a terminal, an acquirer, and a global network out to your bank. Your bank scored 500-plus risk signals with an AI, checked your balance, and committed to a yes. The answer ran all the way back. And the light turned green — a promise, with the actual cash settling 1 to 3 days behind. Now multiply that. Visa processed roughly 233 billion transactions in fiscal 2023. Every one of them compressed this entire relay race — the cryptography, the four-party round trip, the machine-learning fraud check — into the time it takes you to lift your hand off the reader. That's the real story of the tap. It feels mindless. It's anything but. The fast part — the part you actually experience — is pure information: a signed message sprinting across the planet and back. The money, the boring dollars, lumbers along hours or days later. We built a financial system where trust moves at light speed and cash moves at the speed of bookkeeping, and we glued them together so seamlessly you never notice the seam. Next time that terminal beeps, remember: you didn't just pay. You fired off a token, ran a global round-trip, and passed an AI lie-detector — all before you put your card back in your pocket.

Sources

  1. Visa contactless specifications
  2. EMVCo contactless specification
  3. EMVCo
  4. Visa Chip Card fraud statistics 2018
  5. VisaNet capacity disclosures
  6. Mastercard network architecture
  7. Visa Advanced Authorization
  8. Mastercard Decision Intelligence
  9. UK Finance contactless limit
  10. academic NFC relay attack research
  11. Visa settlement process docs
  12. Mastercard clearing & settlement
  13. Visa FY2023 annual report

Watch the full breakdown and subscribe for one new explainer at a time.

Watch on YouTube
how card payments workcontactless payment explainedEMV cryptogrampayment authorization vs settlementcard network explainedtokenization paymentsreal-time fraud detectionacquirer issuer banktap to pay technologypayment processing explainedrelay attack skimminghow visa mastercard worksfintech explainedpayment railsarchi-finance