How EMV Chip Cards Work: Dynamic Data, Liability Shifts, and Why the US Lags
EMV chip cards generate a unique transaction code for each purchase, making cloned cards useless. Learn how dynamic authentication works, the 2015 liability shift, and why chip-and-PIN isn't universal in the US.
The Card Standard That Took Europe 20 Years to Cross the Atlantic
By 2015, when the United States began implementing EMV chip cards, most of Europe had already been using them for a decade. The standard—named for the original developers Europay, Mastercard, and Visa—had been widely deployed in the UK by 2006 and across the European Union by 2010. Counterfeit card fraud in the UK dropped 72% in the seven years following full EMV rollout, according to UK Finance data. Meanwhile, the United States remained a magnetic stripe holdout, representing the most attractive target for fraudsters who had been pushed out of European markets: a developed economy with hundreds of millions of active payment cards, all of them readable with a $50 magnetic stripe skimmer from any electronics market.
Why Magnetic Stripes Are Inherently Insecure
A magnetic stripe stores static data—card number, expiration date, and a service code—that never changes. Every time you swipe a card, the terminal reads identical information. If a criminal installs a skimmer on an ATM or point-of-sale terminal, that device captures all the static data needed to clone your card. Criminals then encode that data onto blank cards and use them for purchases.
- Magnetic stripe data can be copied in milliseconds with a skimmer no larger than a thumb drive
- Cloned magnetic stripe cards are indistinguishable from legitimate cards to point-of-sale equipment
- The FBI estimated that magnetic stripe card skimming cost U.S. consumers and financial institutions over $1 billion annually as of 2014
- Large-scale breaches like the 2013 Target hack (40 million cards) and the 2014 Home Depot breach (56 million cards) exploited magnetic stripe data
How EMV Dynamic Authentication Works
The chip in an EMV card is a small microprocessor that executes cryptographic calculations. The key innovation: rather than transmitting static card data, the chip generates a unique cryptographic token—called an Application Transaction Cryptogram—for each individual transaction. This token is valid for exactly one transaction and cannot be replicated or reused.
| Step | Magnetic Stripe | EMV Chip |
|---|---|---|
| Terminal reads card | Reads static card number + CVV1 | Initiates encrypted communication with chip |
| Data transmitted | Same data every transaction | Unique cryptogram valid for this transaction only |
| Fraud risk if intercepted | Data reusable for cloning | Data worthless—can't be replayed or cloned |
| PIN or signature required | Optional; often skipped | Varies by issuer; US typically signature or no CVM |
| Counterfeit fraud possible | Yes | No (for in-person chip transactions) |
When you insert your chip card, the terminal and card engage in a cryptographic handshake. The terminal sends a random challenge number; the chip performs a calculation using that challenge plus the card's private key and the transaction details, then sends back the resulting cryptogram. Visa's or Mastercard's systems verify the cryptogram is mathematically valid. No criminal who intercepts this transaction can manufacture a valid cryptogram for a future transaction, because they don't have the chip's private key.
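The challenge-response exchange described above, as an added example that is not part of the original article. It assumes a card secret that the verifying side also holds and uses HMAC-SHA256 as a stand-in for the card's real cryptographic algorithm; the key, field names, and the `Chip` and `Verifier` classes are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key

def cryptogram(card_key, atc, challenge, amount_cents, currency):
    """8-byte MAC over the transaction details, terminal challenge and counter."""
    # Assumption: a per-transaction key derived from the card key and the counter.
    session_key = hmac.new(card_key, struct.pack(">H", atc), hashlib.sha256).digest()
    msg = struct.pack(">QH", amount_cents, currency) + challenge + struct.pack(">H", atc)
    return hmac.new(session_key, msg, hashlib.sha256).digest()[:8]

class Chip:
    """Card side: holds the key and a counter that increases on every transaction."""
    def __init__(self, card_key):
        self._key, self.atc = card_key, 0

    def authorize(self, challenge, amount_cents, currency):
        self.atc += 1
        mac = cryptogram(self._key, self.atc, challenge, amount_cents, currency)
        return {"atc": self.atc, "challenge": challenge, "amount_cents": amount_cents,
                "currency": currency, "cryptogram": mac}

class Verifier:
    """Verifying side: recomputes the cryptogram and rejects reused counters."""
    def __init__(self, card_key):
        self._key, self._last_atc = card_key, 0

    def verify(self, msg):
        if msg["atc"] <= self._last_atc:
            return "replayed"
        expected = cryptogram(self._key, msg["atc"], msg["challenge"],
                              msg["amount_cents"], msg["currency"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "bad cryptogram"
        self._last_atc = msg["atc"]
        return "approved"

def demo():
    chip, verifier = Chip(CARD_KEY), Verifier(CARD_KEY)
    first = chip.authorize(secrets.token_bytes(4), 2599, 840)
    results = [verifier.verify(first)]        # genuine transaction
    results.append(verifier.verify(first))    # captured message sent a second time
    altered = dict(chip.authorize(secrets.token_bytes(4), 2599, 840), amount_cents=999999)
    results.append(verifier.verify(altered))  # amount changed after the chip signed it
    results.append(verifier.verify(chip.authorize(secrets.token_bytes(4), 500, 840)))
    return results

if __name__ == "__main__":
    print(demo())
```

Unlike magnetic stripe data, a captured message here fails on resubmission, and any change to the amount or the terminal's challenge invalidates the cryptogram.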
The 2015 Liability Shift
The U.S. EMV rollout was driven not by regulation but by a liability shift implemented by the major card networks in October 2015. Before the shift, card-present counterfeit fraud losses were absorbed by issuing banks. After October 1, 2015, liability shifted to whichever party—bank or merchant—was responsible for the weaker technology in a fraudulent transaction.
- If a chip card was used at a terminal that only had a magnetic stripe reader: the merchant bears the loss
- If a chip-enabled terminal was used with a non-chip card: the issuing bank bears the loss
- If both parties had chip technology enabled: existing rules apply (generally bank liability)
- Gas station outdoor fuel pumps received an extended deadline—originally April 2021, later extended to December 2021—due to the cost and complexity of upgrading pump hardware
- ATM liability shift for Mastercard occurred in October 2016; for Visa, October 2017
The liability shift created a powerful financial incentive for merchants to upgrade terminals. Within two years, the percentage of in-person Visa transactions using chip terminals rose from 25% to over 70%.
NFC Contactless: The Next Layer
EMV chip technology also enables NFC (Near Field Communication) contactless payments—the tap-to-pay function used with Apple Pay, Google Pay, and tap-capable physical cards. NFC contactless uses the same dynamic cryptographic token generation as contact chip transactions, with the transaction data transmitted wirelessly over a range of 1–2 centimeters rather than through physical contact.
- NFC contactless transactions generate unique tokens just like contact chip; relay attacks (where a criminal extends the transaction range) are theoretically possible but exceedingly rare
- Contactless cards in the U.S. typically have a no-CVM (cardholder verification method) limit of $100—no PIN or signature required for purchases below that threshold
- Mobile wallet transactions (Apple Pay, Google Pay) add device biometrics (Face ID, fingerprint) as an additional authentication layer
Why Chip-and-PIN Isn't Standard in the United States
In the UK and most of Europe, EMV chip cards require a PIN rather than a signature for cardholder verification—this is chip-and-PIN. In the United States, most chip cards operate on a chip-and-signature or even chip-and-no-CVM model. The discrepancy has real security implications.
| CVM Method | Fraud Prevention Benefit | Why US Issuers Prefer Alternative |
|---|---|---|
| Chip and PIN | Stops both counterfeit and lost/stolen card fraud | Consumer friction; PIN forgotten; liability rules don't require it |
| Chip and signature | Stops counterfeit fraud; not lost/stolen | Signature rarely verified; familiar consumer experience |
| Chip and no CVM | Stops counterfeit fraud only | Speed; convenience for low-value transactions |
U.S. card issuers largely chose signature over PIN when deploying EMV because the liability shift only required chip technology to avoid liability—not specifically PIN. Transitioning hundreds of millions of cardholders to PIN-based transactions was deemed a customer experience risk not worth taking when the liability structure didn't require it. As contactless payments grow and online fraud (which chip doesn't address at all) becomes a larger share of total fraud, that calculus continues to evolve.
This article is for informational purposes only. Payment security standards continue to evolve. Consult your card issuer for specific information about your card's security features.