What is Timeout (TIME OUT) in Virtual POS Systems?
What is a timeout in Virtual POS payments, why does it occur, and how should merchants manage this risk? All the details — including critical scenarios where the cardholder is charged despite receiving an error — are covered in this article.
In the world of Virtual POS payment systems, there are two main players involved in every card-based transaction. One is the card-issuing bank (Card Issuer) and the other is the POS bank (Acquirer Bank) — the bank through which the payment is processed. The connection between these two players is provided by payment networks such as Visa, Mastercard and American Express.
In a Virtual POS integration, businesses do not integrate directly with payment networks (Visa/Mastercard). There are essentially two options:
- Integrating directly with the banks' Virtual POS systems,
- Integrating with a single gateway that handles payment system integration with banks.
In Virtual POS systems, there are specific protocols and rules that banks must adhere to in their communication with each other or with payment networks. In addition to PCI-DSS, Visa/Mastercard certifications and various security scans; in a card payment — which begins with the cardholder's action and continues through the merchant's integration — all three parties involved are expected to respond, positively or negatively, within a defined time frame.
What Is the Timeout Period?
In Virtual POS systems, this period varies depending on the bank, gateway or payment network, but a response must be returned to the merchant within 60 or 90 seconds (this can be adjusted through various configurations). If no response is received within the set time, the Acquirer Bank returns a message to the system that triggered it indicating "Timeout, inter-bank messaging error, payment network error, etc."
Any situation where the responseCode / approvedCode / returnCode value is not "00" is considered a failure. Depending on the bank integration, error codes such as TO, 91, 99, 96 may indicate a timeout condition. (For detailed information, please refer to the technical documentation of your Virtual POS integration provider.)
Timeout Causes
- The card-issuing bank's system may be unavailable, either planned or unplanned.
- The Virtual POS bank's system may be unavailable, either planned or unplanned.
- In 3D Secure payments, the 3D Secure ACS system may be unavailable, either planned or unplanned.
- Payment networks such as Visa, Mastercard and American Express may be unavailable, either planned or unplanned.
The Two Most Critical Issues in Timeout Situations
- The seller and buyer failing to complete the payment and the service not being delivered.
- And perhaps more critically: the cardholder who triggered the transaction having their card charged despite receiving a timeout response.
Unfortunately, the second issue can also arise during timeout incidents. Although gateway systems have scenarios such as automatic cancellation for these situations, in some cases even these automatic cancellation flows may also time out — entirely due to systemic issues.
The More Integration Points, the Higher the Risk
The longer the integration chain:
Merchant → Payment service provider → Virtual POS bank integration → Visa/Mastercard → Card-issuing bank
…the greater the likelihood of such situations occurring. Banks and Virtual POS service providers aim to actively develop their applications to address this.
Merchants with Virtual POS integrations should absolutely ask their Virtual POS integration system about the additional integration points for timeout scenarios. By integrating with services such as callback, notification, querytransaction and queryorder — especially for timeout situations — they should query and retrieve the status of transactions. The end user who is the cardholder will experience the merchant's (website's) responses and actions, not the bank integration itself.