A pay station that loses power mid-transaction can lose money in three ways: the transaction in progress is left ambiguous, the captured-but-not-settled batch on the terminal can be corrupted, and the gate controller may be forced into a mode that bypasses billing entirely. None of these are hypothetical — every operator with enough hardware in the field eventually sees all three. The hardware and software design decisions that prevent those losses sit at the boundary between facilities engineering and payment engineering.

The Transaction-in-Progress Problem

A card transaction is not instantaneous. A chip insert involves several seconds of reader-to-chip dialogue, a network round-trip to the issuer, and a local print-and-receipt phase. Power loss at any point in that sequence produces an ambiguous state:

  • If power fails before the authorization request is sent, nothing happened. Safe.
  • If power fails after the authorization but before the issuer response, the issuer may have authorized and debited the card while the terminal never saw the response.
  • If power fails after the authorization response but before capture, the authorization is open and will eventually expire without a matching capture.
  • If power fails after capture but before the batch is closed, the capture is in the pending batch on the terminal — which may or may not survive a reboot depending on the terminal’s storage design.

The customer impact ranges from a harmless pending authorization that auto-releases to a charged card with no exit — a customer-service incident guaranteed to produce a chargeback.

UPS Sizing

A correctly sized uninterruptible power supply lets the pay station complete the in-progress transaction, flush the batch to the acquirer, and shut down cleanly. Sizing considerations:

  • Runtime — five to ten minutes is usually enough. The goal is not to keep running through a long outage; it is to complete in-progress work and shut down.
  • Load — include the payment terminal, the station computer, the gate controller if co-located, any network equipment, and the card reader. Receipt printer heaters can add material load during print.
  • Battery technology — lithium-iron-phosphate (LFP) batteries handle outdoor temperature ranges better than sealed lead-acid, at higher initial cost. For unconditioned enclosures the temperature rating matters more than the capacity rating.
  • Monitoring — the UPS should report state to the pay station so the software can detect “on battery” and behave accordingly.

Software Behavior on Battery

A well-designed pay station software stack treats a battery event as a signal to:

  1. Refuse new transactions. The screen should display a service-interruption message rather than accepting more cards.
  2. Complete any in-progress transaction through to a definitive outcome (approved, declined, or void).
  3. Force a batch settlement to the acquirer while connectivity lasts.
  4. Write a durable log of all pending items to persistent storage.
  5. Signal the gate controller to use a pre-defined offline policy.
  6. Shut down cleanly before battery exhaustion.

If main power returns before shutdown, the station should reconcile the on-battery log against the first post-recovery batch and confirm no duplication.
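A sketch of the durable log from step 4 and of the recovery pass it enables, added here as an illustration and not taken from any vendor's pay station software. The stage names, the journal format and the follow-up wording are assumptions chosen to mirror the four failure points listed under the transaction-in-progress problem.

```python
import json
import os
import tempfile

# Stage names are assumptions. AUTH_SENT is written before the request leaves,
# so a crash can never hide a request that actually went out.
ACTION = {
    "STARTED": "nothing sent; no action",
    "AUTH_SENT": "issuer outcome unknown; query or reverse the authorization",
    "AUTH_RESPONSE": "authorization open; capture or void it",
    "CAPTURED": "in pending batch; confirm it appears once in the settled batch",
    "BATCH_CLOSED": "settled; no action",
}

def journal_append(path, txn_id, stage):
    """Append one record and force it to stable storage before returning."""
    record = json.dumps({"txn": txn_id, "stage": stage}).encode() + b"\n"
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        os.write(fd, record)
        os.fsync(fd)  # survive power loss, not just process exit
    finally:
        os.close(fd)

def recover(path):
    """Map each transaction to the follow-up its last durable stage requires."""
    last = {}
    with open(path, "rb") as journal:
        for raw in journal:
            try:
                rec = json.loads(raw)
                txn, stage = rec["txn"], rec["stage"]
            except (ValueError, KeyError, TypeError):
                continue  # torn final write from the power cut
            if stage in ACTION:
                last[txn] = stage
    return {txn: ACTION[stage] for txn, stage in last.items()}

def constructed_outage():
    """Constructed journal: four transactions cut off at different points."""
    path = os.path.join(tempfile.mkdtemp(), "txn.journal")
    events = [("T1", "STARTED"), ("T2", "STARTED"), ("T2", "AUTH_SENT"),
              ("T3", "STARTED"), ("T3", "AUTH_SENT"), ("T3", "AUTH_RESPONSE"),
              ("T4", "STARTED"), ("T4", "AUTH_SENT"), ("T4", "AUTH_RESPONSE"),
              ("T4", "CAPTURED")]
    for txn, stage in events:
        journal_append(path, txn, stage)
    with open(path, "ab") as journal:
        journal.write(b'{"txn": "T4", "stage": "BATCH_CL')  # torn record
    return recover(path)

if __name__ == "__main__":
    for txn, action in constructed_outage().items():
        print(txn, "->", action)
```

The torn last record is ignored, so T4 is reported at its last fully written stage rather than as settled.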

Gate Behavior During Outage

Whether the gate stays down or raises during a power loss is a policy decision, not a technical default. Most operators configure:

  • Down during outage — revenue is protected, but the gate will not let patrons in or out.
  • Up during outage — patrons flow freely but revenue is lost for the duration.
  • Up on exit, down on entry — patrons trapped inside can leave; new arrivals cannot enter.

The third pattern is the most common for customer-experience reasons. Operators with high-value tenants sometimes maintain a backup generator that keeps the gate and pay station running through longer outages.

EMV Terminal State Recovery

EMV payment terminals maintain an internal state machine — idle, in-transaction, batch-open, batch-closed. Power interruption mid-state can leave the terminal needing a manual re-sync to the acquirer. Modern terminals recover automatically; older terminals may require a technician visit to force-close a stuck batch. The PCI Security Standards Council PIN transaction security requirements dictate that terminal state transitions must not expose card data during failure — all certified terminals meet this, but the recovery UX varies widely.

Reconciliation After a Power Event

The day after a power event, reconciliation should specifically check for:

  • Authorizations without matching captures on or around the outage time.
  • Duplicate captures from batch replays.
  • Gate counts versus transaction counts (gate up-count minus transaction-approved-count equals estimated revenue loss during outage).
  • Terminal batch totals versus processor settlement totals.
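The four checks above, run over one constructed outage, as an added example rather than any processor's or parking system's own report logic. The record fields, the 15-minute matching window and the use of integer cents are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def reconcile(auths, captures, outage, gate_up_count, terminal_total,
              processor_total, window=timedelta(minutes=15)):
    """Run the four post-outage checks; amounts are integer cents."""
    start, end = outage
    per_auth = Counter(c["auth_id"] for c in captures)
    approved = [a for a in auths if a["approved"]]
    return {
        # Approved authorizations near the outage with no capture at all.
        "auths_without_capture": sorted(
            a["auth_id"] for a in approved
            if start - window <= a["time"] <= end + window
            and a["auth_id"] not in per_auth),
        # The same authorization captured more than once (batch replay).
        "duplicate_captures": sorted(k for k, n in per_auth.items() if n > 1),
        # Gate up-count minus approved transactions during the outage.
        "gate_minus_approved": gate_up_count
        - sum(start <= a["time"] <= end for a in approved),
        # Terminal batch total versus processor settlement total.
        "batch_variance_cents": terminal_total - processor_total,
    }

def constructed_case():
    """Constructed sample data for one outage from 14:00 to 14:20."""
    def t(hh, mm):
        return datetime(2024, 1, 10, hh, mm)
    auths = [
        {"auth_id": "A1", "time": t(13, 30), "approved": True},
        {"auth_id": "A2", "time": t(13, 58), "approved": True},  # never captured
        {"auth_id": "A3", "time": t(14, 5), "approved": True},
        {"auth_id": "A4", "time": t(14, 10), "approved": False},
    ]
    captures = [
        {"auth_id": "A1", "amount": 1200},
        {"auth_id": "A3", "amount": 800},
        {"auth_id": "A3", "amount": 800},  # replayed after reboot
    ]
    return reconcile(auths, captures, (t(14, 0), t(14, 20)), gate_up_count=6,
                     terminal_total=2000, processor_total=2800)

if __name__ == "__main__":
    print(constructed_case())
```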

Operational best practices published by IPMI recommend logging every power event in the parking management system and correlating it with the payment-processor reconciliation report, so auditors can explain any variance.

Mobile and Cloud-based Resilience

Operators running cloud-hosted payment processing (where the pay station is essentially a card-capture device posting to a cloud endpoint) gain the advantage that batch state lives in the cloud rather than on the local terminal. A pay station that loses power has no local batch to worry about — once it comes back online, it simply resumes sending captured transactions to the cloud. This is one reason cloud payment architectures have overtaken on-premise-batch designs in new parking deployments.

FAQ

Do I need a UPS on every pay station?

Yes, if the pay station accepts card payments. The alternative is to accept that every brownout or glitch produces ambiguous transactions and customer-service tickets. The UPS cost is small relative to those losses.

How long should UPS batteries last before replacement?

Lead-acid UPS batteries typically need replacement every two to three years in outdoor enclosures. LFP batteries last five years or longer. Battery monitoring from the UPS firmware should flag capacity degradation before it causes a shutdown failure.

What about total site power loss?

If the whole site goes dark, the UPS still buys time to complete in-progress transactions and shut down cleanly. Without a UPS, every in-progress transaction at the outage moment becomes an ambiguous item.

Should I allow offline approvals during a power failure?

No — power failure and network failure are different problems. Offline authorization mitigates network outage; UPS mitigates power outage. Mixing the two increases risk without adding resilience.