If you are a credit-card user, you might have noticed that it takes a while for your purchase history to be updated on your bank’s website. Still, your avail­able credit goes down even before you walk out of the store.

The reason for this is that there is a two step process for such purchases. The first step is a Reser­va­tion: the merchant tells the bank to reserve a certain amount for the trans­ac­tion. This call is immediate and atomic, and it affects your avail­able credit. Once the reser­va­tion is complete, the merchant can rest assured that the bank will pay him the requested amount in full once the trans­ac­tion is complete. It is the bank that now takes on the respon­si­bility for the payment.

The second step is the Settle­ment: the merchant tells the bank that the trans­ac­tion has been completed success­fully and that payment should be made for the origi­nally requested amount. The general rule is that the settle­ment request can be made once the goods are dispatched, or when the merchant is no longer the respon­sible party for delivery of the goods. The settle­ment request can actually be made several days after the original reser­va­tion, and the actual maximum period varies with the bank.

When it comes to security, this system survives not because it is partic­u­larly safe, but because the banks are willing to assume the risk (and reap the rewards as well). Of course, many customers may have acquired a false sense of security just because they’ve used it for so long. Consider, for example, the three or four digit (“CVV2”) code that is associ­ated with modern credit-cards. On the face of it, it improves security by making a portion of the secret key unavail­able through electronic means. However, this code is completely irrel­e­vant in many cases, because it is not required to autho­rize a trans­ac­tion, and many merchants simply don’t use it. All it does is provide an additional authen­ti­ca­tion mecha­nism if the merchant so wishes. Ironi­cally, this requires the merchant to put in many more strin­gent checks in place to prevent the code from being leaked or stored in the system (which would defeat its primary purpose).