ELI5: How do ATM skimmers work?


5 Answers

Anonymous 0 Comments

Let me glue together some of the comments here.

There are currently a few kinds of transaction that can happen at the reader, and a PIN may or may not be collected.

The first kind of transaction involves just a card number. The person making this transaction may not need your expiration date, security code, or any other kinds of information. Obviously, this isn’t very safe. These are very commonly involved in fraud.

Another kind involves the card number plus some other information like the expiration date and the security code. These things are harder for a skimmer to scan (and often not possible) so they are less commonly involved in fraud.

Another kind involves the “chip” on modern cards. That kind of transaction involves some fancy math and encryption that skimmers can’t break yet.

Then there’s your PIN, which may have to be entered at the reader.

The swipey kind of reader uses the magnetic strip on your card. That strip has your card number on it. That’s it. A skimmer hides a second reader inside the main reader. That secondary reader simply records every card number it sees and doesn’t interfere with your purchase.

If you happen to have to enter a PIN, the sophisticated skimmers might have a camera pointed at the PIN pad to try and capture that PIN. Then they have your card number and your PIN.

This means someone who skims your card can make a “card number only” transaction with your card. They can have a higher chance of success if they also steal your PIN. Let’s come back to this.

The “chip” readers require you to insert the card so the metal “chip” comes into contact with some things inside the reader. Ultimately the chip is a tiny computer that gets powered by the reader. Your bank sends some numbers to the chip. The chip sends some numbers back to the bank. There is some math that involves secret numbers inside the chip that ONLY the bank knows, and if the numbers the bank gets back check out it accepts the transaction. In theory a skimmer could intercept this traffic. HOWEVER, the bank sends your chip different numbers every time, and encryption math is made so knowing the “answer” to one number doesn’t make it easier to guess the “answer” to another. The skimmer would have to see *billions* of transactions to “break” a chip card. So basically, it’s not feasible to break this encryption yet. The chip is built in a way you can’t really get the secret numbers off it.

HOWEVER, sometimes the magnetic strip has enough of your card number that the chip reader STILL has room for a skimmer that can get your number off it. I see this more at gas stations, where they have a combo reader that can handle chip cards OR swipe cards in the same reader. So even though your chip transaction is safe, they can still steal your number and maybe your PIN.

## Why’s all this matter?

Well, when it comes to fraud prevention and liability, the card companies have a sliding scale. They don’t like “number only” transactions, even if they have PINs. They tend to scrutinize these a little more and if fraud happens with them it’s more likely the vendor is going to be responsible for making it up. Still, a lot of businesses use them so someone with a skimmer can get away with a lot.

They also don’t really like magnetic swipe transactions so much anymore. Those are technically still “number only”. It’s cheap and easy to make a device that puts a number on a magnetic strip. So someone with a skimmer can make a “fake” version of your card and try it at a store. Especially if they have your PIN.

Card companies as of a few years ago do not offer much mercy if fraud happens with these readers. They want stores to upgrade to chip readers. But that costs money, and using the chip service incurs more fees. Lots of small businesses don’t want to deal with that. So they buy the stripe-only readers and risk more fraud liability.

Right now card companies give the best “deal” to fraud cases where a chip reader was used. They have an investigation, and if they find out there was an equipment failure or some other condition the store might get some or all of the money back. In practice this only really happens if cards are *stolen* because the chips can’t really be duplicated or “broken”.

## So to summarize:

Skimmers work because of capitalism. A lot of stores do not want to pay the extra fees or spend the extra money for chip readers. So they use a kind of card reader that is susceptible to helping people steal cards and also helping people use stolen cards. If the card companies made it cost the same to operate chip cards as swipe readers more people would use them. But they get the best of both worlds: they get more money for chip cards *and* don’t have to foot the bill when stores that don’t pay extra get fraudulent swipes. Some countries moved 100% to chip readers.
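The difference the answer above draws between static stripe data and the chip's per-transaction numbers, as an added example that is not part of the original answer. It is a simplified model: HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the `Issuer` and `ChipCard` classes and the card number are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Issuer:
    """Bank side of the model: holds each card's secret and issues one-time challenges."""

    def __init__(self):
        self._keys = {}        # card number -> per-card secret
        self._pending = set()  # challenges issued and not yet consumed

    def enroll(self, pan):
        self._keys[pan] = secrets.token_bytes(32)
        return self._keys[pan]  # personalised into the chip at issuance

    def approve_swipe(self, pan):
        # Stripe transaction: the only evidence is static data read off the card.
        return pan in self._keys

    def new_challenge(self):
        challenge = secrets.token_bytes(16)  # different numbers every time
        self._pending.add(challenge)
        return challenge

    def approve_chip(self, pan, challenge, response):
        if pan not in self._keys or challenge not in self._pending:
            return False  # unknown card, or a challenge that was already used
        self._pending.discard(challenge)
        expected = hmac.new(self._keys[pan], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class ChipCard:
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key  # never leaves the chip in this model

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def demo():
    issuer = Issuer()
    pan = "4000000000000002"  # constructed sample number
    card = ChipCard(pan, issuer.enroll(pan))
    c1 = issuer.new_challenge()
    r1 = card.respond(c1)  # c1 and r1 are what a recorder on the wire would see
    genuine = issuer.approve_chip(pan, c1, r1)
    stale_answer = issuer.approve_chip(pan, issuer.new_challenge(), r1)
    stale_pair = issuer.approve_chip(pan, c1, r1)
    static_replay = issuer.approve_swipe(pan)  # recorded stripe data never changes
    return genuine, stale_answer, stale_pair, static_replay


if __name__ == "__main__":
    print(demo())
```

The recorded chip response is rejected both against a fresh challenge and when the whole recorded exchange is presented again, while the stripe path accepts the same static number every time.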
