Payment-processing outages at UK retailers raise reliability issues for cashless transactions

Payment-processing failures at several high-profile retail brands in the UK over the past week disrupted on-site customer service and stirred speculation about the cause of the outages.

The problems at fast food restaurant McDonalds, supermarkets Tesco and Sainsbury’s, and bakery chain Greggs, highlight retailers’ increasing reliance on third-party payment systems and the technical issues hampering a global shift from cash to digital payments.

All the affected retailers had problems with order-processing or accepting contactless payments in the last several days, causing locations to close or to only accept alternative payment methods. While a problem with a software update was cited in some cases, none of the companies have revealed specific details of what occurred, nor have they reported the failure as a cybersecurity incident.

That could be because even they don’t yet know, noted Aaron Press, research director for worldwide payment strategies at IDC.

“The layers of technology that go into a payment environment are surprisingly complex,” he said in an interview. “The larger the merchant, the more complex it could be. I suspect the forensics will be done and someone will figure out where responsibility lies.”

Indeed, to fulfill card and other types of cashless payments, retailers must rely on third parties—often a lot of them, noted Narayana Pappu, CEO at Zendata, a provider of data security and privacy compliance solutions.

“There is no way around it,” he said. “Typically, there are 10 intermediaries between a consumer swiping their credit card and a merchant getting paid.”

Varying payment-processing problems

The trouble started last Friday at McDonald’s, when reports surfaced that restaurants in the UK — but also in Australia, New Zealand, China, Japan, Germany, Austria, and Sweden — were unable to process orders for a period of time, forcing some of them to close.

The next day, UK supermarket Sainsbury’s took to X (formerly Twitter) to blame an “overnight software update” for a problem with contactless payments that meant it couldn’t deliver the “vast majority” of orders from its Groceries Online services. Stores were open as usual, however, accepting cash and card payments secured by chip and PIN.

Argos, a non-food retailer owned by Sainsbury’s, reported similar issues fulfilling same-day online orders, as well as placing new orders and collecting orders in-store. Meanwhile, Tesco, another major UK supermarket chain, also suffered an issue in processing a small number of orders on Saturday.

The problems persisted when yet another UK eatery — bakery chain Greggs — today suffered a payments-processing failure, with some locations accepting only cash payments or closing outright, according to a published report.

Most of the retailers reported getting systems back up online within a business day, which is not catastrophic but still longer than usual for software-related updates, IDC’s Press noted. “The surprising thing isn’t that [an update] caused an outage, but for how long,” he said. “Usually, they are resolved very quickly.”

Moreover, the payment issues varied from being categorized as “contactless” to orders being processed online, which suggests that the problem was in one of the pieces of software that carry transactions from customer to vendor, Press said. This might indicate that the problem was with a gateway, which is “the software equivalent of the payment terminal,” though it’s impossible to say for sure, he noted.

Conspiracy or coincidence?

Conspiracy theories abounded on X as to why all the retailers seemed to go down at once, but less outlandish suggestions pointed towards a possible common point of failure such as a third-party payment processing provider — the one whose software update temporarily disrupted customers’ systems.

Formal confirmation of what caused the issues, and whether they were related at all, is pending. Most of the retailer affected — including McDonalds, Tesco, and Sainsbury’s — do share a point-of-sale (POS) partner in NCR; however, the POS technology maker has not reported a cybersecurity incident since suffering a ransomware attack last year.

Meanwhile, the incidents call into question the global retail industry’s increasing reliance on cashless payments, whether they be point-of-sale, device-based, or via some type of online system, and how companies can prepare for the inevitable technology glitch, the occurrence of which is an issue of when, not if, experts said.

“The only guarantee for any computer technology is that it will fail at some point,” observed Tamir Passi, senior product manager at automated software-as-a-service (SaaS) security provider DoControl. “The opportunity here is for payment processors to differentiate themselves on resilience and fast recovery.”

Indeed, most retailers have resiliency plans that are sometimes mandated, IDC’s Press noted, while many also have multiple payment-processing relationships. “They realize that there are potential points of failure and are trying to prevent single points of failure,” he said.

And while cost will always be the primary factor in how a retailer chooses a payment processor, some companies may start factoring in service level agreements or availability metrics as priorities in future contracts, Passi said.

It’s unlikely that the adoption of card, contactless, and other digital retail transactions will slow, but it’s also unlikely that a completely cashless society will become a reality — at least, not for a long time.

“While cash will not entirely disappear from most societies, the convenience of electronic payments is too great not to keep momentum,” Passi said. “The opportunity here is for payment processors to improve their architectures and infrastructure to be as resilient as possible, which comes with a cost, which their customers will have to be willing to bear.”