EMV Chip

What Is an EMV Chip?

An EMV chip is a small integrated circuit embedded in a payment card that generates dynamic, transaction-specific authentication data. The name comes from Europay, Mastercard, and Visa: the three companies that created the standard in 1994. Today, EMVCo (the consortium that manages the specification) includes six members: American Express, Discover, JCB, Mastercard, UnionPay, and Visa.

Before EMV, payment cards relied on magnetic stripes that stored static data: the card number, expiration date, and a fixed verification code. Anyone who copied that magnetic stripe (using a skimmer, for example) could produce a perfect clone. EMV chips solve this by generating a unique cryptographic proof for each transaction, ensuring that intercepted data from one transaction cannot be replayed to authorize another.

The EMV standard is now the dominant card payment technology worldwide, with billions of chip cards in circulation. It governs not just the physical chip but also the full communication protocol between card, terminal, and issuing bank.

How It Works

The core innovation of EMV is dynamic data authentication. Instead of transmitting static card details, the chip engages in a cryptographic exchange with the payment terminal. This process has several phases:

Transaction Flow

1. The cardholder inserts (or taps) their chip card at the terminal. The terminal and chip establish a communication session.
2. The terminal sends transaction details to the chip: the amount, currency, date, and a random number called the unpredictable number.
3. The chip combines this transaction data with card-specific secrets stored in the secure element to generate an Authorization Request Cryptogram (ARQC): a unique 8-byte message authentication code.
4. The terminal forwards the ARQC along with transaction data to the acquirer, which routes it to the issuing bank for authorization.
5. The issuer validates the ARQC using its own copy of the card's cryptographic keys (stored in a hardware security module) and returns an Authorization Response Cryptogram (ARPC) to confirm the response has not been tampered with.
6. The terminal receives the authorization result and completes (or declines) the transaction.

The ARQC Cryptogram

The ARQC is what makes EMV fundamentally different from magnetic stripe technology. It is a cryptographic message authentication code derived from:

• Transaction-specific data: amount, currency code, date, terminal country code, and terminal verification results
• A random unpredictable number generated by the terminal to prevent replay attacks
• An application transaction counter (ATC) that increments with every transaction, ensuring each cryptogram is unique even if all other inputs happen to match
• Card-specific keys derived from a master key held only by the issuer

A simplified view of the data elements that feed into ARQC generation:

ARQC Input Data:
┌──────────────────────────────────────┐
│ Amount:              $42.50          │
│ Currency:            USD (0840)      │
│ Date:                2026-06-03      │
│ Terminal Country:    US (0840)       │
│ Unpredictable No:    A7 3F 9B 21    │
│ App Transaction Ctr: 00 4F          │
│ Terminal Type:       22              │
│ Terminal Verify:     00 80 00 00 00  │
└──────────────────────────────────────┘
        ↓ Card's derived key + MAC algorithm
┌──────────────────────────────────────┐
│ ARQC: 8A 2C 7E 01 F3 D9 44 B7      │
│ (8-byte MAC, unique to this txn)    │
└──────────────────────────────────────┘

Because the ARQC depends on the terminal's unpredictable number and the ever-incrementing ATC, capturing one ARQC provides zero leverage for authorizing a different transaction.

Cardholder Verification Methods

Beyond authenticating the card itself, EMV supports multiple methods for verifying the cardholder:

• Chip-and-PIN: the cardholder enters a 4 to 6 digit PIN that the chip verifies locally (offline PIN) or the issuer verifies remotely (online PIN). This is the standard method in most countries outside the United States.
• Chip-and-signature: the cardholder signs the receipt, and the merchant compares it to the signature on the card. This was the primary method in the U.S. during initial EMV rollout.
• No CVM (contactless small-value): transactions below a threshold (typically $100 in the U.S.) may skip cardholder verification entirely for speed.

Historical data shows a significant security difference: PIN-verified debit transactions accounted for only 9% of fraud losses, while signature-verified transactions accounted for 91%. This disparity exists because signatures are easily forged, whereas a stolen card is useless without the correct PIN.

The Liability Shift

The mechanism that drove EMV adoption in the United States was not a government mandate but a liability shift imposed by the card networks. On October 1, 2015, American Express, Discover, Mastercard, and Visa simultaneously changed their fraud liability rules.

Before the shift, card issuers absorbed the cost of counterfeit chargebacks. After the shift, liability falls on whichever party in the transaction is least EMV-compliant:

• If a merchant has not upgraded to an EMV terminal and processes a counterfeit chip card via magnetic stripe, the merchant bears the fraud loss.
• If a merchant has an EMV terminal but the issuer has not provided a chip card, the issuer bears the loss.
• If both parties support EMV, the issuer typically absorbs the loss (as before), but counterfeit fraud becomes near-zero because cloned chips cannot produce valid cryptograms.

Automatic fuel dispensers received an extended deadline (originally October 2017, later extended further) due to the higher cost and complexity of upgrading fuel pump terminals.

Use Cases

Retail Point-of-Sale

The primary use case for EMV is securing card-present transactions at retail terminals. When a customer inserts or taps a chip card, the terminal and chip perform mutual authentication, and the unique cryptogram prevents cloned cards from being accepted. This is the scenario where EMV has had its greatest fraud-reduction impact.

Contactless Payments

EMV also underpins contactless (tap-to-pay) transactions via NFC. Contactless EMV uses the same cryptographic principles as chip insertion but communicates wirelessly. Mobile wallets like Apple Pay and Google Pay build on EMV contactless specifications, combining chip-level cryptograms with device-level tokenization for an additional security layer.

ATM Withdrawals

ATMs use EMV chip authentication to verify cards during cash withdrawals. Chip-and-PIN verification at ATMs prevents the skimming attacks that were common with magnetic stripe cards, where criminals attached readers and cameras to capture card data and PINs.

How EMV Pushed Fraud Online

EMV's success at preventing in-person counterfeit fraud created a well-documented displacement effect. In the United States, card-present counterfeit fraud dropped approximately 87% after EMV adoption. The United Kingdom saw a 90% reduction in counterfeit card fraud since implementing EMV in 2008, and Canada saw a 76% decline over the same period.

However, EMV cannot protect transactions where the physical card is not present. Online shopping, phone orders, and other card-not-present (CNP) channels do not involve the chip, so the dynamic cryptogram is never generated. Fraudsters who can no longer clone cards for in-store use instead use stolen card numbers for online purchases. Card-not-present fraud in the United States more than doubled between 2019 and 2024, growing from $5.04 billion to $10.16 billion.

This fraud migration drove adoption of complementary security measures for online transactions:

• 3D Secure (3DS): adds an issuer authentication step during online checkout, often via a one-time passcode or biometric verification
• Tokenization: replaces card numbers with single-use or merchant-specific tokens so that stolen data cannot be reused elsewhere
• Velocity checks and risk scoring: behavioral analytics that flag suspicious online transaction patterns in real time

For a deeper analysis of fraud prevention across payment channels, see the research article on fraud prevention in digital payments.

EMV and Digital Payment Evolution

EMV represents the card network approach to transaction security: centralized issuance, hardware-based authentication, and network-mediated authorization. Every EMV transaction requires communication with the issuer (or at minimum an offline floor limit), and the security model depends on card networks and banks maintaining cryptographic key infrastructure.

Cryptocurrency and blockchain-based payment systems take a fundamentally different approach. Rather than relying on trusted intermediaries to validate each transaction, protocols like Bitcoin and Layer 2 networks use cryptographic proofs that anyone can verify independently. There is no issuer to contact, no acquirer to route through, and no liability shift to negotiate: the cryptographic proof is the settlement.

Both approaches solve the same core problem (preventing unauthorized transactions) but from opposite directions. EMV secures the existing card network infrastructure. Blockchain-based systems eliminate the need for that infrastructure entirely. For merchants evaluating payment acceptance options, the comparison between traditional card acceptance costs and newer rails is increasingly relevant.

Compliance and Standards

EMV chip technology intersects with several broader payment security standards:

• PCI DSS: the Payment Card Industry Data Security Standard governs how merchants and processors store, process, and transmit cardholder data. EMV reduces but does not eliminate PCI scope: merchants still handle card data during transaction processing.
• EMVCo specifications: published at emvco.com, these define the chip card interface, terminal requirements, contactless protocols, and security evaluation criteria. EMVCo achieved ISO/IEC 17065 accreditation for its security evaluation processes in 2024.
• Interchange fees: some card networks offer lower interchange rates for EMV-authenticated transactions, incentivizing chip acceptance beyond the liability shift

Risks and Considerations

Card-Not-Present Vulnerability

As detailed above, EMV does not protect online or phone-based transactions. The chip's cryptographic capabilities are only engaged when the card is physically present at a terminal. For businesses with significant e-commerce volume, EMV alone is insufficient: additional controls like 3D Secure, tokenization, and PCI DSS compliance are essential.

Lost and Stolen Card Fraud

EMV prevents card cloning but not physical card theft. In markets that use chip-and-signature rather than chip-and-PIN, a thief with a stolen card can still make purchases by forging the signature. Chip-and-PIN provides stronger protection, but PIN compromise (through shoulder surfing or social engineering) remains a risk.

Relay and Man-in-the-Middle Attacks

Researchers have demonstrated relay attacks where a device placed near a contactless card forwards the chip's responses to a remote terminal in real time, effectively extending the NFC range. While these attacks are technically complex and impractical at scale, they represent a theoretical limitation of the contactless EMV protocol.

Terminal and Implementation Costs

Upgrading from magnetic stripe to EMV terminals represents a significant cost for merchants, particularly small businesses. EMV-compliant terminals, certification processes, and longer transaction times (chip insertion is slower than a swipe) were common complaints during the U.S. migration. Contactless tap-to-pay has since addressed the speed concern, but the initial infrastructure investment remains a barrier in some markets.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.