Eli5: How does the chip in credit/debit cards provide an extra layer of security?


More and more card readers at POS terminals now support tap to pay means of making a payment. If we are not inserting the chip end of the card, how is it providing additional security?

Edit: wow, lots of great information, thank you folks for taking the time and explaining it like I’m 5.


16 Answers

Anonymous 0 Comments

A lot of the people here are talking a bit about cryptography but without the background, some of it will go over your head. So I’m going to add some info at a high-level about the cryptography in use.

So there’s this method of encrypting data, like a string of characters or a photograph or whatever where you have a key to encrypt it, like a password. But, there’s a complementary key, which is a different password, to decrypt it. This system is one of several “asymmetric” encryption schemes that are around. This system is widely known as public key encryption.

The thing with these keys, you cannot figure out one of the keys by looking at the other. They appear to be completely random and unrelated to each other.

Data encrypted by one key can ONLY be decrypted by the other key. But… the corollary is also true. Data which can be decrypted by a given key could ONLY have been encrypted by the other key.

So… what they do is store a key on the chip card. The data is stored in ROM and can be written to the card once ever, during manufacturing, and cannot be changed. Also, the chip does not offer a way to figure out what that key is.

There’s supposed to be a second key, right? Well that’s readily available to the payment processor company. So what happens is that the terminal will create a manifest of data — the date and time, transaction amount, a unique “number used once” (known as a nonce), and a bit of other data identifying the retailer. This data is then sent to the chip which then encrypts it using the internal key and sends the encrypted version back to the terminal and on to the payment processor vendor. They receive this and use the known key assigned to the card to attempt to decrypt the transaction. If the decryption succeeds, then the transaction is treated as legitimate.

I’m intentionally skipping the part involving processing the PIN.

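The terminal/card/processor exchange described in the answer above, written out as an added example in Go (this is not code from the post, and it is not the EMV specification's actual protocol). It models the "encrypt with the card's key, check with the processor's matching key" idea as a digital signature, which is the standard form of that public-key operation: the card signs a hash of the manifest with a private key it never reveals, and the processor verifies with the public key it holds. The `Manifest` fields, the card IDs, the merchant ID and the ECDSA P-256 choice are all constructed assumptions. The processor also remembers nonces it has accepted, so the same signed manifest cannot be submitted twice, and any change to the amount after signing makes verification fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Manifest is what the terminal assembles for one transaction. The field set is
// constructed from the answer: date/time, amount, a nonce, and the retailer's id.
type Manifest struct {
	Timestamp   time.Time
	AmountCents int64
	Nonce       [16]byte
	MerchantID  string
}

// digest encodes the manifest unambiguously (length-prefixed merchant id) and
// hashes it; the card signs this hash rather than the raw fields.
func (m Manifest) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d\n%d\n%x\n%d:%s",
		m.Timestamp.Unix(), m.AmountCents, m.Nonce[:], len(m.MerchantID), m.MerchantID)
	return h.Sum(nil)
}

// Card stands in for the chip: the private key is generated once (the answer's
// "written at manufacture") and the only operation exposed is Sign.
type Card struct {
	ID   string
	priv *ecdsa.PrivateKey
}

func NewCard(id string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{ID: id, priv: priv}, nil
}

// Sign returns the signature over the manifest; the key never leaves the card.
func (c *Card) Sign(m Manifest) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.priv, m.digest())
}

// Processor holds each card's public key (the "second key" in the answer) and
// the nonces it has already accepted.
type Processor struct {
	pubKeys    map[string]*ecdsa.PublicKey
	seenNonces map[[16]byte]bool
}

func NewProcessor() *Processor {
	return &Processor{pubKeys: map[string]*ecdsa.PublicKey{}, seenNonces: map[[16]byte]bool{}}
}

// Enroll records the public half of the card's key pair with the processor.
func (p *Processor) Enroll(c *Card) { p.pubKeys[c.ID] = &c.priv.PublicKey }

// Authorize accepts the transaction only if the signature verifies under the
// enrolled key (so the manifest was signed by that card and not altered since)
// and the nonce has not been used before (so a captured exchange cannot be replayed).
func (p *Processor) Authorize(cardID string, m Manifest, sig []byte) error {
	pub, ok := p.pubKeys[cardID]
	if !ok {
		return errors.New("unknown card")
	}
	if !ecdsa.VerifyASN1(pub, m.digest(), sig) {
		return errors.New("signature does not verify: wrong card key or altered manifest")
	}
	if p.seenNonces[m.Nonce] {
		return errors.New("nonce already used: replayed transaction")
	}
	p.seenNonces[m.Nonce] = true
	return nil
}

// NewNonce draws the terminal's fresh "number used once".
func NewNonce() ([16]byte, error) {
	var n [16]byte
	_, err := rand.Read(n[:])
	return n, err
}

func main() {
	card, _ := NewCard("card-0001") // constructed id
	proc := NewProcessor()
	proc.Enroll(card)
	nonce, _ := NewNonce()
	m := Manifest{Timestamp: time.Now(), AmountCents: 1299, Nonce: nonce, MerchantID: "merchant-42"}
	sig, _ := card.Sign(m)
	fmt.Println("genuine:", proc.Authorize(card.ID, m, sig))
	altered := m
	altered.AmountCents = 129900
	fmt.Println("amount altered after signing:", proc.Authorize(card.ID, altered, sig))
	fmt.Println("same exchange replayed:", proc.Authorize(card.ID, m, sig))
}
```

The nonce check runs only after the signature verifies, so an unsigned submission cannot consume a nonce. In the real system the card also never sees the processor's key material; here the processor copies the public key at enrollment only because everything lives in one process.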