EMV

EMV defines how chip cards communicate with terminals: the card, terminal, and issuer participate in a cryptographic exchange that produces a transaction-specific authorization cryptogram. Because this cryptogram cannot be reused, intercepting EMV transaction data does not yield exploitable card credentials — unlike magnetic stripe skimming, which captures reusable static data.

How EMV Works

At the point of sale, an EMV transaction proceeds in two modes:

Online authorization (most common): The card and terminal perform a cryptographic exchange. The terminal sends the resulting Authorization Request Cryptogram (ARQC) to the issuer via the acquirer. The issuer validates the cryptogram against the card’s key material held in its issuer security domain. If valid, the issuer returns an Authorization Response Cryptogram (ARPC) approving the transaction. The card verifies the issuer’s response, completing mutual authentication.

Offline authorization (less common): For low-value or low-risk transactions (transit, parking), the terminal can approve using data stored in the card chip — no real-time issuer connection required. Offline authorization uses accumulated offline spend limits to cap risk.

EMV and Liability Shift

The liability shift is the commercial mechanism that drove EMV adoption. Before EMV, counterfeit card fraud losses were typically borne by issuers. After the liability shift (Visa and Mastercard moved the US shift to October 2015), liability for counterfeit card-present fraud shifts to whichever party in the transaction has the lower technology:

• If a chip card is used at a magnetic stripe-only terminal: the acquirer/merchant bears the fraud loss.
• If a magnetic stripe card is used at a chip terminal: the issuer bears the fraud loss (as before).
• If both are EMV-capable: the issuer bears the loss (standard liability allocation).

This asymmetry created strong financial incentives for merchants to upgrade terminals.

EMV and CNP Fraud

EMV’s success at point of sale has a structural side effect: it displaces fraud toward card-not-present channels. Counterfeit card fraud at POS dropped significantly in the US post-EMV rollout, while CNP fraud increased in parallel. PANs stolen in data breaches remain useful for CNP transactions regardless of chip status.

3DS2 is the CNP equivalent of EMV — a cryptographic authentication protocol applied to online transactions to achieve similar fraud reduction. The two standards are complementary: EMV secures card-present; 3DS2 targets card-not-present.

EMV Contactless (NFC)

EMV Contactless (tap-to-pay) uses NFC to transmit the same EMV cryptographic exchange wirelessly. The security model is identical to contact chip transactions. Most contactless implementations impose transaction limits (typically £100 in the UK, €50 in the EU) above which a PIN is required, preventing unlimited losses from a lost card.

Contactless transaction volumes now exceed contact chip at many retailers in developed markets. The COVID-19 pandemic accelerated adoption by several years.

EMV in Southeast Asia

EMV adoption across Southeast Asia is advanced in Singapore and Malaysia but uneven in Vietnam, Indonesia, and the Philippines where merchant terminal infrastructure upgrades lag. Markets with incomplete EMV rollout continue to experience higher counterfeit card fraud rates at domestic card-present points of sale.