Expressvpn Glossary
EMV chip
What is an EMV chip?
A Europay, Mastercard, and Visa (EMV) chip is a small microprocessor embedded in debit and credit cards that helps verify in-person payments. Each time the card is used, the chip generates a unique transaction code. Unlike magnetic stripes, which store static data that can be copied and reused, the code is valid only for a single transaction.
How does an EMV chip work?
When you insert or tap your card, the EMV chip runs a cryptographic check to verify the transaction. It generates the unique transaction code, technically called a cryptogram. This encrypted value is calculated from the payment details and information stored on the card.
The process starts when the card connects to a payment terminal. For inserted payments, metal contacts on the chip touch the reader directly. For tap-to-pay, the chip communicates wirelessly using near-field communication (NFC), which operates over very short distances.
Once connected, the terminal sends transaction details to the chip, including the payment amount and a randomly generated number (technically called a nonce). The chip combines this data with its stored information to calculate the cryptogram, then returns it to the terminal. The terminal forwards the cryptogram and transaction details to the card issuer through the card network.
The issuer verifies the cryptogram using its records for that card. If verification succeeds, the transaction is approved. If not, it's declined.
Where are EMV chips used?
EMV chips are used in most debit and credit cards issued today. They’re used at payment terminals that accept chip-based payments, including:
- Retail point-of-sale systems
- ATMs
- Self-service kiosks and vending machines
- Public transit fare readers
- Portable payment terminals used in restaurants and delivery
- Unattended payment points such as parking meters and fuel pumps
Why is an EMV chip important?
EMV chips reduce counterfeit card fraud at in-person payment terminals. Before chip-based cards, criminals could copy magnetic stripe data and create cloned cards that worked at point-of-sale systems. With EMV, that form of card cloning is largely ineffective at compliant terminals.
EMV adoption also changed liability rules in many regions. If a merchant doesn’t support chip transactions and counterfeit fraud occurs at their terminal, the merchant may be held responsible for the loss rather than the card issuer.
Limitations and risks of EMV chips
EMV chips protect against counterfeit fraud at in-person payment terminals, but they don’t cover every payment scenario or eliminate all risk.
Key limitations include:
- Card-not-present transactions: Online or phone payments don’t use the physical card and its EMV chip, instead relying on card details such as the card number and expiration date. If that information is exposed, it can be used without any chip verification.
- Skimming and shimming: Criminals can tamper with ATMs or payment terminals to capture card data. While chip data is difficult to clone, magnetic stripes remain vulnerable if terminals fall back to stripe processing.
- Contactless relay attacks: EMV contactless cards communicate via NFC. Rare relay attacks use two devices to extend communication between card and terminal in real time. Dynamic cryptograms prevent simple replay attacks, but theoretically, a real-time relay could trick a terminal into authorizing a transaction without the cardholder’s knowledge.
- Lost or stolen cards: Someone with physical access to a card may be able to make limited contactless payments without a PIN until the card is blocked, even if the card details themselves haven’t been compromised.
