The assumption that network connectivity is always available is one of the most expensive assumptions in POS system design.
It's easy to understand why the assumption gets made. Cloud-based architectures depend on it. Most payment processor APIs assume it. Development and testing happen in environments where it's always true. So it gets baked into the architecture, and the failure mode — what happens when the network goes down — becomes an edge case that's handled, if at all, as an afterthought.
In retail environments, this is backwards. Connectivity failures are not rare edge cases. They are a normal part of operations. A restaurant processing transactions on a Saturday evening doesn't stop because the internet is temporarily unavailable. A busy retail store doesn't close its registers because the router needs a reboot. The system needs to work regardless of network state, and the architecture needs to be designed for that from the beginning.
Defining offline capability
"Offline capable" can mean several things, and the definition matters for the architecture.
At the minimal end, it means the system degrades gracefully: it tells the operator clearly that it's offline, prevents attempts to process transactions that will fail, and recovers cleanly when connectivity is restored. This is better than crashing, but it's not truly offline capable — the system just stops accepting payments.
A more useful definition is that the system continues to accept payments during a network outage, within defined risk parameters, and reconciles correctly once connectivity is restored. This requires the system to make authorization decisions locally, queue transactions for later processing, and handle the outcome when those queued transactions are eventually submitted to the processor.
The hardest version of this problem includes handling declined transactions after the fact — when a customer has already left with their goods and the queued authorization comes back declined hours later.
The local authorization model
When a payment processor is unreachable, the POS must decide locally whether to accept a transaction. This is called an offline authorization, and it requires the system to make a risk assessment without access to the processor's fraud detection systems, card network authorization databases, or real-time balance information.
The standard approach is floor limits: a maximum transaction amount below which the system will approve offline without a live authorization. Floor limits are a decades-old concept from the pre-network era of payment processing, and they're still the basis of most offline authorization models.
EMV cards support offline authorization natively. The card chip performs a risk assessment using parameters configured by the card issuer during personalization. If the transaction meets the offline criteria (amount below the card's floor limit, no accumulation of offline transactions above threshold), the card approves the transaction without a network round trip. The POS records the offline authorization and queues it for later clearing.
For a POS system, implementing this correctly requires:
Terminal configuration. The payment terminal must be configured with appropriate floor limits. These limits are set per-merchant category and represent a risk tradeoff — higher limits allow more transactions to proceed offline but increase exposure to fraud.
Transaction queuing. Offline transactions must be queued in a persistent local store. The queue needs to survive process restarts, power cycles, and any other failure mode that might occur before connectivity is restored.
Sequence management. Transactions must be submitted to the processor in sequence order once connectivity is restored. Out-of-order submission can cause issues with some processors and complicates reconciliation.
Conflict detection. The system must detect cases where a transaction was submitted while the device was believed to be offline but actually reached the processor — a scenario that can occur with intermittent connectivity and must be handled to prevent duplicates.
Offline authorization decision flow
Queue architecture
The transaction queue is the most critical component in an offline-capable POS system. Its correctness determines whether offline transactions are processed reliably or lost.
The queue needs to satisfy several properties:
Durability. Entries must be persisted to durable storage before the transaction is considered accepted. Writing to memory and syncing later is not sufficient — a power failure between acceptance and persistence means a lost transaction.
Ordering. Entries must be retrievable in the order they were accepted. Some processors are sensitive to out-of-order submission, and maintaining order is important for reconciliation.
Idempotency. The sync process that submits queued transactions must be idempotent. If a submission attempt fails mid-way — after some transactions have been submitted but before the queue entries are marked as processed — the process must be able to resume without creating duplicates.
Visibility. The queue must expose enough state for operators to understand what's pending. How many offline transactions are queued? How long have they been waiting? Are there any that have failed submission after multiple retries?
A practical implementation typically uses a local SQLite database (for embedded deployments) or a local Postgres instance (for larger installations), with a background sync worker that processes the queue when connectivity is available. The sync worker should use an exponential backoff strategy for retry and should surface persistent failures for manual intervention.
Transaction queue state machine
Handling post-authorization declines
The hardest problem in offline payment processing is what to do when a queued transaction comes back declined after the fact.
This happens. A card that looked valid offline might be declined when the processor checks it — because it was reported stolen after the offline transaction was accepted, because the cardholder has exceeded their limit, or because the issuer's fraud systems flag the transaction. When this happens, the customer has typically already left.
There is no perfect solution to this problem. The offline authorization was a risk decision, and sometimes the risk materializes. But there are things the system can do to minimize the problem and handle it gracefully when it occurs.
Clear operator notification. When a queued transaction is declined post-authorization, the operator needs to know immediately and in clear terms. The notification should include enough information to identify the transaction, the customer (if known), and the amount.
Receipt handling. Some operators contact customers when a post-authorization decline occurs. Having the customer's contact information — either from a loyalty program or from a digital receipt consent — makes this possible.
Configurable limits. Allowing merchants to configure their offline transaction limits and volume thresholds gives them control over their risk exposure. A merchant with a high average ticket might want lower offline limits than one with small, frequent transactions.
Reporting. Post-authorization decline rates should be tracked and surfaced in merchant reporting. A rising decline rate might indicate that the floor limits need adjustment or that fraud targeting is occurring.
Sync correctness
When connectivity is restored, the POS needs to submit queued transactions to the processor and reconcile the results. This sync process has several failure modes that must be handled correctly.
Partial sync. If the sync worker fails mid-process, some transactions will have been submitted and some will not. The worker needs to resume from the correct position. This requires persisting the sync state as it progresses, not just at completion.
Network intermittency. Connectivity restored doesn't always mean connectivity stable. The sync worker should treat each submission as potentially the last one and ensure that state is durable at each step.
Clock drift. Timestamps on offline transactions are generated by the local device, which may have drifted from the processor's clock. This can cause issues with processors that validate transaction timestamps. The sync submission should include both the local authorization time and the sync submission time.
Duplicate detection. If a transaction was submitted during a brief window of connectivity and then queued locally due to a timeout — the sync worker might attempt to submit it again. The worker should check for existing authorizations before submitting queued entries, using the processor's idempotency mechanisms where available.
Sync sequence: submitting queued offline transactions with duplicate-safe retry
Testing offline behavior
Offline behavior is notoriously undertested because development environments almost always have connectivity. Building offline tests requires explicitly simulating network failure, which most test setups don't do.
Effective offline testing requires:
- Automated tests that cut network access mid-transaction and verify correct queuing behavior
- Tests that simulate power failure at various points in the queue persistence process
- Tests that simulate out-of-order sync and duplicate submission scenarios
- Load tests that verify the sync worker processes large queues correctly after a long outage
This is not glamorous work, but it's the difference between an offline mode that works reliably and one that appears to work until it actually needs to be used.
The architecture that makes this feasible
Offline capability is much easier to implement correctly when it's a first-class architectural concern rather than a feature added later. An architecture that treats the local device as a legitimate node in a distributed system — capable of making decisions and holding state — leads naturally to the patterns described above.
An architecture that treats the local device as a thin client that simply relays requests to the cloud tends to produce offline handling that is fragile and incomplete, because the assumptions are wrong at the foundation.
The difference isn't just technical. It's a decision about what kind of system you're building, and it needs to be made early.
The final article in this series examines the design of a unified payment orchestration layer — a system architecture that addresses processor fragmentation and offline handling in a single coherent design.