On Friday, Visa’s payment network suffered outages across Europe, limiting transactions for both businesses and individuals. Banks and commerce groups began advising customers to use cash or other payment cards if possible, and reports indicated that online and contactless transactions were having more success than chip cards.
Though some Visa transactions still went through, the failure appeared widespread. The Financial Times even reported that some ATMs in the United Kingdom were already out of cash within a couple of hours of the first outage reports. Some observers saw in the outage a stark reminder of the fragility of payment networks, and the weaknesses in global economic platforms.
There were no immediate signs that the outages were a result of a cyberattack or other foul play, but Visa was quiet for hours about the source of the failure—reinforcing how complex these massive payment systems are and how difficult it is to recover from problems once they cascade out of control.
“The world’s payment networks are incredibly centralized, a small number of actors control a large percent of all money flows,” says Emin Gün Sirer, a distributed systems researcher at Cornell University. “This not only has implications for all of us regular people, but it also has implications for national security. These networks have implicitly become part of our critical infrastructure.”
A Visa spokesperson said in a statement that, “Visa is currently experiencing a service disruption. This incident is preventing some Visa transactions in Europe from being processed. We are investigating the cause and working as quickly as possible to resolve the situation.” Rival payment network MasterCard said on Friday that it was not experiencing outages.
The commerce platform Paymentsense, one of the first organizations to speak publicly about the outage on Friday, offered an update less than two hours after its initial outage warning. “We have been informed that VISA has corrected the outage and transactions are now starting to go through,” the company wrote. “There is still some intermittency however, we believe this is due to a backlog of transactions.”
Similarly, HSBC bank told a customer on Twitter that, “From what we understand there are still intermittent issues but services are slowly recovering.”
Visa’s only update about the incident was a statement hours after it began that said, “Our goal is to ensure all Visa cards work reliably 24 hours a day, 365 days a year. We fell well short of this goal today.” The company added, “We are currently operating at close to normal levels.”
Analysts were hesitant to speculate about a specific cause of the incident, given the complexity of Visa’s networks and the potential for problems at any step—from connectivity, to data flow management that keeps transactions from backing up, to database checks and syncing to keep track of merchants, balances, spending limits, and things like whether a card should be declined. “It’s probably just an IT service issue,” says Kevin Beaumont, a UK-based security architect who has been monitoring the incident. At this scale, though, an IT issue can have global implications.
The outage also once again raises the question of how to build more resilient payment networks. “It’s impossible to know what exactly happened at Visa, but this outage shows that Visa’s internal architecture is, evidently, not sufficiently fault tolerant,” Cornell’s Gün Sirer says. “In a world where everyone accepts Visa and Mastercard and has come to rely solely on those two, there is no preparedness when disaster inevitably strikes.”
Updated 6/1/18 at 5:45pm ET to include an additional statement by Visa