How Chip and PIN Works
Chip and PIN combines two independent security layers — dynamic cryptographic authentication from the EMV chip and identity verification via a cardholder-entered PIN — to protect card-present transactions. Unlike a magnetic stripe, which transmits the same static data on every swipe, the chip produces a one-time code that cannot be reused by fraudsters even if intercepted. Understanding the step-by-step flow helps merchants and developers build reliable, compliant checkout experiences.
Card Insertion
The cardholder inserts their chip card into the EMV slot of a certified terminal (POS device or ATM). The terminal powers the chip and establishes a communication session using the ISO/IEC 7816 contact interface.
Application Selection
The terminal reads the chip's directory and selects the appropriate payment application (e.g., Visa Credit, Mastercard Debit) based on the terminal's supported application list. On multi-network cards, the highest-priority mutual match is chosen.
Chip Authentication
The chip and terminal exchange cryptographic data. The chip generates an Application Cryptogram (AC) — a transaction-specific code derived from the card's private key, the transaction amount, the merchant ID, a random number, and a timestamp. This cryptogram is unique to this single transaction.
Cardholder Verification (PIN Entry)
The terminal presents the cardholder verification method configured on the chip. For Chip and PIN, the cardholder enters their 4–6 digit PIN on the keypad. PIN verification can occur offline (chip validates the PIN locally) or online (issuer validates the PIN during authorization).
Online Authorization
The terminal packages the cryptogram, PIN verification result, and transaction details into an authorization request, then sends it through the acquirer to the card network and issuing bank. The issuer verifies the cryptogram against its own keys and approves or declines.
Completion and Receipt
An approved response returns an authorization code. The terminal generates a Transaction Certificate (TC) confirming completion. A receipt is printed or sent digitally, and the cardholder removes their card. The entire process typically takes under three seconds.
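The six steps above can be run end to end in a small model. The following is an added example (not EMVCo, card-scheme or Tagada code) that plays the chip, the terminal and the issuer in one script: the terminal contributes an unpredictable number, the chip verifies the PIN locally and produces a counter-bound cryptogram, and the issuer recomputes that cryptogram with its own copy of the card key. Assumptions are labelled: the Application Cryptogram is modelled as HMAC-SHA256 truncated to 8 bytes under a per-card key (real cards use a MAC under session keys derived from an issuer master key), and the field list, names and decline strings are illustrative. The example goes one step beyond the text by showing what the issuer does with a replayed or amount-altered cryptogram.

```python
"""Simplified model of a Chip and PIN transaction (added example, not EMVCo,
card-scheme or Tagada code). HMAC-SHA256 stands in for the EMV MAC; the set of
fields MAC'd and the response strings are assumptions for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def cryptogram_input(tx: dict, atc: int) -> bytes:
    """Serialise the data the cryptogram covers: amount, currency, date, the
    terminal's unpredictable number, terminal id and the card's transaction counter."""
    return "|".join([
        str(tx["amount_minor"]), tx["currency"], tx["date"],
        tx["unpredictable_number"], tx["terminal_id"], str(atc),
    ]).encode()


def compute_ac(key: bytes, tx: dict, atc: int) -> bytes:
    """Stand-in for the EMV MAC (assumption: HMAC-SHA256 truncated to 8 bytes)."""
    return hmac.new(key, cryptogram_input(tx, atc), hashlib.sha256).digest()[:8]


@dataclass
class Chip:
    pan: str
    pin: str                  # reference PIN; on a real card it sits in protected memory
    ac_key: bytes             # never leaves the chip; the issuer holds the same key
    atc: int = 0              # Application Transaction Counter, +1 per transaction
    pin_try_counter: int = 3

    def verify_offline_pin(self, entered: str) -> bool:
        """Offline PIN: the chip checks the PIN itself and enforces a retry limit."""
        if self.pin_try_counter == 0:
            return False
        if hmac.compare_digest(entered.encode(), self.pin.encode()):
            self.pin_try_counter = 3
            return True
        self.pin_try_counter -= 1
        return False

    def generate_ac(self, tx: dict) -> tuple:
        """GENERATE AC: bump the counter and MAC this transaction's data."""
        self.atc += 1
        return self.atc, compute_ac(self.ac_key, tx, self.atc)


class Issuer:
    def __init__(self) -> None:
        self.card_keys = {}   # PAN -> card key (the issuer's copy)
        self.last_atc = {}    # PAN -> highest ATC seen in an approved transaction

    def issue(self, pan: str, pin: str) -> Chip:
        key = os.urandom(16)
        self.card_keys[pan] = key
        self.last_atc[pan] = 0
        return Chip(pan=pan, pin=pin, ac_key=key)

    def authorize(self, req: dict) -> str:
        pan = req["pan"]
        if pan not in self.card_keys:
            return "DECLINED: unknown card"
        # A cryptogram is bound to one ATC value; presenting it again is a replay.
        if req["atc"] <= self.last_atc[pan]:
            return "DECLINED: cryptogram replay"
        expected = compute_ac(self.card_keys[pan], req["tx"], req["atc"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINED: cryptogram mismatch"
        if not req["pin_verified"]:
            return "DECLINED: cardholder verification failed"
        self.last_atc[pan] = req["atc"]
        return "APPROVED"


def build_request(chip: Chip, amount_minor: int, entered_pin: str,
                  terminal_id: str = "TERM0001") -> dict:
    """Terminal side: after application selection, verify the PIN on the chip,
    request the ARQC and package everything for online authorization."""
    tx = {
        "amount_minor": amount_minor, "currency": "826", "date": "250101",
        "unpredictable_number": os.urandom(4).hex(), "terminal_id": terminal_id,
    }
    pin_verified = chip.verify_offline_pin(entered_pin)
    atc, arqc = chip.generate_ac(tx)
    return {"pan": chip.pan, "tx": tx, "atc": atc, "arqc": arqc,
            "pin_verified": pin_verified}


if __name__ == "__main__":
    issuer = Issuer()
    card = issuer.issue("4111111111111111", "1234")   # constructed test PAN and PIN
    req = build_request(card, 1999, "1234")
    print(issuer.authorize(req))                       # APPROVED
    print(issuer.authorize(req))                       # DECLINED: cryptogram replay
```

The contrast with magnetic stripe is visible in `authorize`: the intercepted request carries nothing reusable, because the issuer ties each cryptogram to a counter value it has not yet accepted and to the exact amount and unpredictable number the terminal supplied.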
Why Chip and PIN Matters
Chip and PIN is not just a technical upgrade — it is one of the most measurable fraud-reduction tools in the history of card payments. Its adoption correlates directly with dramatic declines in card-present fraud in every major market that has rolled it out at scale.
The United Kingdom pioneered Chip and PIN deployment between 2003 and 2006. According to UK Finance data, card-present fraud fell from £218.8 million in 2004 to £47.8 million in 2011 — a reduction of more than 78% — directly attributable to the rollout. In the United States, Visa reported a 76% decline in counterfeit card fraud at chip-enabled merchants between September 2015 and September 2018, the three years following the EMV liability shift. As of 2023, EMVCo confirmed more than 10.8 billion EMV cards in circulation globally, representing over 90% of all card-present transactions worldwide.
Fraud Migration Effect
Widespread Chip and PIN adoption typically drives fraud migration from card-present (in-store) channels to card-not-present (online) channels. Merchants expanding into e-commerce must invest in 3D Secure and other CNP fraud controls alongside their EMV terminal upgrades.
Beyond statistics, Chip and PIN directly affects merchant economics. Compliant merchants are shielded from EMV liability shift chargebacks on counterfeit fraud — a meaningful financial protection for businesses processing high transaction volumes at the point of sale.
Chip and PIN vs. Magnetic Stripe
Magnetic stripe technology has been the dominant card payment format since the 1970s, but its static data model makes it fundamentally insecure against modern skimming and cloning attacks. Chip and PIN was engineered to replace it for card-present transactions.
| Feature | Chip and PIN | Magnetic Stripe |
|---|---|---|
| Data per transaction | Dynamic, single-use cryptogram | Static, reusable track data |
| Cloning risk | Very low | High — data easily copied |
| Cardholder verification | PIN (encrypted, electronic) | Signature or none |
| Offline capability | Yes (offline PIN, offline auth) | Limited |
| Fraud liability (post-shift) | Issuer (if merchant is compliant) | Merchant (if chip card used on swipe terminal) |
| Skimming vulnerability | Near-zero for chip data | High |
| Global card-present standard | 80+ countries | Legacy fallback only |
| Transaction speed | ~2–3 seconds | ~1–2 seconds |
Most card networks have set deadlines for eliminating magnetic stripe from newly issued cards entirely. Mastercard began phasing out stripe issuance in 2024; Visa targets full elimination by 2033. Magnetic stripe will remain a fallback during the transition but should not be treated as a primary acceptance method.
Types of Chip and PIN
Chip and PIN is not a single monolithic implementation. Several variants exist across markets, terminal configurations, and card types, and each has different security and operational characteristics.
Online PIN Verification is the most secure form. The encrypted PIN block is transmitted to the issuing bank during the authorization request, and the issuer validates the PIN against its own records. This requires a live network connection but ensures the issuer has full visibility into cardholder authentication.
Offline Encrypted PIN Verification allows the chip itself to validate the PIN without sending it to the issuer. The terminal sends the PIN to the chip in encrypted form; the chip decrypts and checks it locally. This works in low-connectivity environments such as transit systems or parking kiosks.
Offline Plaintext PIN Verification is an older method where the terminal passes the PIN to the chip in unencrypted form for local verification. It is considered less secure than encrypted offline PIN and is being phased out of modern card profiles.
Dual-Interface Chip and PIN Cards combine a contact chip (inserted) and a contactless (tapped) interface on a single card. For low-value taps below the contactless limit, the PIN is typically bypassed; for higher values, or once a cumulative tap threshold is reached, the terminal prompts the cardholder to insert the card and enter the PIN instead.
PIN Bypass / Signature Fallback is a CVM configuration where PIN is the primary method but signature is available as a fallback. Common in markets transitioning from legacy infrastructure, though card networks are progressively restricting this option.
Best Practices
Chip and PIN appears simple to the end user, but correct implementation requires attention to terminal configuration, software hygiene, and cardholder experience design. Gaps at any layer expose merchants to fraud liability or failed transactions.
For Merchants
- Use EMV-certified terminals only. Terminals must carry Payment Card Industry (PCI) PTS approval and be certified by each card network you accept. Non-certified hardware voids your liability shift protection.
- Set PIN as the primary CVM. Review your terminal's CVM priority list and ensure offline or online PIN is ranked above signature. Many out-of-the-box terminal configurations still default to signature in US markets.
- Keep terminal firmware current. EMV kernels receive security patches and specification updates. Work with your payment provider to schedule regular firmware updates — unpatched terminals are a known attack surface.
- Enable tamper detection and inspection routines. Physically inspect PIN pads for shimming devices at opening and shift changes. Deploy terminals with tamper-evident seals and automatic key-zeroization on tampering.
- Train staff on card fallback procedures. Define a clear policy for when magnetic stripe fallback is and is not permitted. Indiscriminate fallback negates chip security and creates liability exposure.
For Developers
- Validate cryptograms server-side. Do not rely solely on the terminal's local approval. Pass the Application Cryptogram to your payment processor or issuer host for online validation.
- Implement correct CVM result handling. Parse the CVM Results data object returned by the terminal to confirm PIN verification succeeded before marking a transaction as authenticated.
- Use P2PE-certified PIN pads for integrations. If your integration routes PIN entry through software, ensure the PIN pad is Point-to-Point Encryption (P2PE) validated. Never allow plaintext PIN data to pass through application layers.
- Handle fallback flags properly. When a chip transaction falls back to magnetic stripe, the fallback flag must be present in the authorization request. Processors and networks may apply additional scrutiny or decline rules to flagged fallback transactions.
- Test against all CVM scenarios. Build test cases for online PIN success, online PIN failure, offline PIN, CVM not supported, and fallback. Edge cases in CVM handling are a common source of declined transactions and cardholder friction.
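The three developer points on CVM result handling, fallback flags and CVM test scenarios can be checked with one small module. The following is an added example (not the page's, a scheme's or Tagada's code). The byte layout follows EMV's CVM Results data object (tag 9F34: CVM performed, CVM condition, result), and the chip-capable test on the service code follows ISO/IEC 7813 (first digit 2 or 6). The request dictionary shape, the `fallback` key and the scenario vectors are constructed for illustration. One detail the bullet list does not spell out is handled explicitly: for online enciphered PIN the terminal records the result as "unknown", so only the issuer's response can answer whether the PIN was verified.

```python
"""CVM Results (9F34) parsing and fallback-flag consistency (added example)."""
from dataclasses import dataclass
from typing import Optional

# Low six bits of byte 1 of CVM Results. 0x3F means no CVM was performed at all.
CVM_METHODS = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified by ICC",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN by ICC plus signature",
    0x04: "enciphered PIN verified by ICC",
    0x05: "enciphered PIN by ICC plus signature",
    0x1E: "signature",
    0x1F: "no CVM required",
    0x3F: "no CVM performed",
}
PIN_METHODS = {0x01, 0x02, 0x03, 0x04, 0x05}
ONLINE_PIN = 0x02
RESULT_FAILED, RESULT_SUCCESSFUL = 0x01, 0x02   # byte 3; 0x00 is "unknown"


@dataclass(frozen=True)
class CvmResults:
    method: int      # CVM performed (byte 1, bit 7 "continue" flag masked off)
    condition: int   # CVM condition code (byte 2)
    result: int      # 0x00 unknown, 0x01 failed, 0x02 successful (byte 3)

    @property
    def method_name(self) -> str:
        return CVM_METHODS.get(self.method, f"unknown CVM code {self.method:#04x}")


def parse_cvm_results(hex_value: str) -> CvmResults:
    raw = bytes.fromhex(hex_value)
    if len(raw) != 3:
        raise ValueError("CVM Results (9F34) is exactly 3 bytes")
    return CvmResults(method=raw[0] & 0x3F, condition=raw[1], result=raw[2])


def pin_authenticated(cvm_results_hex: str, issuer_approved: Optional[bool] = None) -> bool:
    """Only mark a transaction PIN-authenticated when a PIN method actually succeeded."""
    r = parse_cvm_results(cvm_results_hex)
    if r.method not in PIN_METHODS:
        return False                      # signature, no CVM, or nothing performed
    if r.result == RESULT_FAILED:
        return False
    if r.method == ONLINE_PIN:
        # The terminal cannot know the outcome (byte 3 is "unknown"); the issuer's
        # authorization response is the only source of truth.
        return issuer_approved is True
    return r.result == RESULT_SUCCESSFUL


def fallback_flag_is_consistent(req: dict) -> bool:
    """A chip-capable card read on the stripe must carry the fallback flag, and
    nothing else may carry it. Service code first digit 2 or 6 = chip present."""
    chip_capable = req["service_code"][:1] in ("2", "6")
    fallback = bool(req.get("fallback", False))
    if req["entry_mode"] == "magstripe" and chip_capable:
        return fallback
    return not fallback


# Constructed vectors for the scenarios a CVM test plan should cover:
# (CVM Results hex, issuer approved or None when not applicable).
SCENARIOS = {
    "online PIN, issuer approved": ("420200", True),
    "online PIN, issuer declined": ("420200", False),
    "offline enciphered PIN successful": ("440002", None),
    "offline enciphered PIN failed": ("440001", None),
    "no CVM required": ("1F0002", None),
    "signature": ("1E0002", None),
    "no CVM performed": ("3F0000", None),
}


def evaluate_scenarios() -> dict:
    """Map each scenario name to whether it counts as PIN-authenticated."""
    return {name: pin_authenticated(h, ok) for name, (h, ok) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_scenarios().items():
        print(f"{name:36s} -> {'PIN authenticated' if verdict else 'not authenticated'}")
```

A fallback transaction is not a CVM scenario at all: the chip never took part, so there is no 9F34 to parse, and `fallback_flag_is_consistent` is the check that belongs in that path instead.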
Common Mistakes
Even experienced teams make preventable errors when deploying or integrating Chip and PIN. These are the most common failure patterns seen in production environments.
Allowing magnetic stripe fallback without policy controls. Many terminals are configured to silently fall back to swipe if the chip read fails after one or two attempts. Without a policy limiting when fallback is permitted — and logging every instance — merchants cannot distinguish genuine chip failures from deliberate shimming or card tampering.
Ignoring the CVM priority list configuration. Terminals ship with default CVM lists that may prioritize signature over PIN or include no-CVM entries for amounts that should require PIN. Merchants often deploy terminals without reviewing these configurations, inadvertently weakening authentication on high-value transactions.
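The priority list the merchant bullet earlier on this page and the paragraph above refer to is carried on the card as the CVM List (tag 8E): two 4-byte amounts X and Y followed by 2-byte rules, each a CVM code with a "continue if this fails" bit and a condition code. The terminal walks the list and applies the first rule whose condition holds and whose method it supports, so a terminal configured without PIN support silently slides past every PIN rule to signature or no-CVM. The following added example (not the page's, a scheme's or Tagada's code) parses a CVM List, runs that selection, and audits whether the terminal's enabled methods weakened the outcome. The selection logic is a simplified version of the EMV procedure (proprietary and reserved condition codes are treated as not met), and the sample list, amounts and transaction types are constructed.

```python
"""CVM List (tag 8E) parsing, CVM selection and terminal-configuration audit
(added example; simplified selection logic, constructed sample data)."""
from dataclasses import dataclass
from typing import Optional

PIN_CODES = {0x01, 0x02, 0x03, 0x04, 0x05}
NO_CVM, SIGNATURE = 0x1F, 0x1E


@dataclass(frozen=True)
class CvmRule:
    code: int                # CVM code, low six bits of byte 1
    continue_on_fail: bool   # bit 7 of byte 1: try the next rule if this one fails
    condition: int           # CVM condition code, byte 2


@dataclass(frozen=True)
class CvmList:
    amount_x: int            # bytes 0-3, binary, application-currency minor units
    amount_y: int            # bytes 4-7
    rules: tuple


def parse_cvm_list(hex_value: str) -> CvmList:
    raw = bytes.fromhex(hex_value)
    if len(raw) < 10 or (len(raw) - 8) % 2:
        raise ValueError("CVM List is 8 bytes of amounts followed by 2-byte rules")
    rules = tuple(
        CvmRule(code=b1 & 0x3F, continue_on_fail=bool(b1 & 0x40), condition=b2)
        for b1, b2 in zip(raw[8::2], raw[9::2])
    )
    return CvmList(int.from_bytes(raw[:4], "big"), int.from_bytes(raw[4:8], "big"), rules)


def _terminal_supports(code: int, supported: set) -> bool:
    return code == NO_CVM or code in supported


def condition_met(rule: CvmRule, lst: CvmList, tx: dict, supported: set) -> bool:
    """EMV CVM condition codes 00-09; anything else is treated as not met."""
    c = rule.condition
    in_app_currency = tx["currency"] == tx["application_currency"]
    if c == 0x00:
        return True
    if c == 0x01:
        return tx["type"] == "unattended_cash"
    if c == 0x02:
        return tx["type"] not in {"unattended_cash", "manual_cash", "cashback"}
    if c == 0x03:
        return _terminal_supports(rule.code, supported)
    if c == 0x04:
        return tx["type"] == "manual_cash"
    if c == 0x05:
        return tx["type"] == "cashback"
    if c == 0x06:
        return in_app_currency and tx["amount"] < lst.amount_x
    if c == 0x07:
        return in_app_currency and tx["amount"] > lst.amount_x
    if c == 0x08:
        return in_app_currency and tx["amount"] < lst.amount_y
    if c == 0x09:
        return in_app_currency and tx["amount"] > lst.amount_y
    return False


def select_cvm(lst: CvmList, tx: dict, supported: set) -> Optional[int]:
    """Return the CVM code the terminal would perform, or None if CVM processing fails."""
    for rule in lst.rules:
        if not condition_met(rule, lst, tx, supported):
            continue
        if _terminal_supports(rule.code, supported):
            return rule.code
        if not rule.continue_on_fail:
            return None
    return None


def audit_terminal_cvm(lst: CvmList, tx: dict, supported: set) -> dict:
    """Flag the case where enabling PIN on the terminal would have produced a PIN
    CVM but the current configuration produced something weaker."""
    selected = select_cvm(lst, tx, supported)
    with_pin = select_cvm(lst, tx, supported | PIN_CODES)
    return {
        "selected": selected,
        "weakened_by_terminal_config": with_pin in PIN_CODES and selected not in PIN_CODES,
    }


# Constructed sample: X = 2500 (25.00), no CVM under X, then online PIN if supported,
# then signature if supported (continue on fail), then fail CVM.
SAMPLE_CVM_LIST = "000009C4" + "00000000" + "1F06" + "4203" + "5E03" + "0000"
PURCHASE = {"type": "purchase", "currency": "978", "application_currency": "978"}

if __name__ == "__main__":
    lst = parse_cvm_list(SAMPLE_CVM_LIST)
    tx = dict(PURCHASE, amount=6000)
    print(audit_terminal_cvm(lst, tx, {0x02, SIGNATURE, NO_CVM}))  # online PIN, not weakened
    print(audit_terminal_cvm(lst, tx, {SIGNATURE, NO_CVM}))        # signature, weakened
```

Run against the CVM Lists of the card profiles you accept, the audit tells you which transactions a signature-first terminal configuration is downgrading; the low-value no-CVM rule in the sample is the card's own choice and is correctly not reported as a weakening.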
Skipping contactless PIN thresholds for high-value taps. Contactless transactions below a network-defined limit (typically €50 / £100 / $100 depending on region) bypass PIN for speed. Many merchants fail to configure the cumulative offline transaction limit (COTL), which should force a PIN-authenticated contact transaction after a defined number of consecutive taps.
Treating an offline-approved transaction as settled. Offline-approved transactions must be batched and submitted for clearing within the required timeframe (typically 24 hours). Delays beyond the clearing window result in reversed transactions and chargebacks, even though the terminal showed "Approved."
Neglecting PCI PIN Security compliance for PIN pads. PCI PIN Security (formerly PCI PTS) standards govern the physical and logical security of PIN entry devices. Using out-of-date or delisted devices — even if they still function — is a compliance violation that can trigger card network fines and increased audit scrutiny.
Chip and PIN and Tagada
Tagada's payment orchestration layer handles the routing and retry logic that sits above individual acquirer connections, and Chip and PIN transactions flow through this layer with the same reliability guarantees as any other payment type.
Intelligent Routing for Card-Present Flows
When a Chip and PIN authorization is submitted through Tagada, the orchestration engine evaluates acquirer performance metrics in real time — decline rates, latency, uptime — and routes to the optimal processor for that transaction. This means a chip transaction that might be declined by one acquirer due to a transient error is automatically retried through a secondary route, reducing false declines without any changes to your terminal integration or cardholder experience.
For merchants operating across multiple geographies with mixed magnetic stripe legacy and chip-enabled terminals, Tagada's unified API normalizes the authorization data regardless of the card entry method, so your reporting, reconciliation, and fraud tooling see a consistent data model. EMV liability shift flags, CVM results, and fallback indicators are all preserved and surfaced in transaction records, giving compliance and risk teams the visibility they need without custom acquirer-by-acquirer parsing.