Eli5: How does the chip in credit/debit cards provide an extra layer of security?

More and more card readers at POS terminals now support tap to pay means of making a payment. If we are not inserting the chip end of the card, how is it providing additional security?

Edit: wow, lots of great information, thank you folks for taking the time and explaining it like I’m 5.

16 Answers

Anonymous 0 Comments

It doesn’t. I’m convinced it was for two main reasons. A mass beta test of the tech, and a scheme to sell new (mandatory) card readers across entire nations. That’s a lot of money.

Criminals can use devices to steal the data off of your card while it’s still in your wallet.

Anonymous 0 Comments

The chip only stores data – it doesn’t have any on-board power.

The chip is not just data storage, though – it’s also an antenna.

Data can be read off the chip either by physically inserting it into a chip-reader, or by broadcasting the data over a very weak, short-range radio. But since the chip doesn’t have any on-board power, it needs to get off-board power in order to send radio signals. This is done by stimulating the chip with magnetic fields, which happens when you tap it against an induction pad (same principle as wirelessly charging a phone, but with way less juice). That magnetic energy is passively converted into a tiny amount of electrical power which is then used to broadcast the data on the chip via the integrated antenna.

Anonymous 0 Comments

I just today had to get gas. I normally go inside, pay cash and pump my gas. I had a few minutes to spare today so I see that the pump had one of those tap to pay emblems. I tapped my card on it filled up with gas, got my receipt and was on my way. So now my question is this, suppose I dropped my card on the ground and drove away. Someone found my card, what’s to keep them from doing the exact same thing that I just did? And how could I get my money back that they just used off of my card?

Anonymous 0 Comments

“More and more?”

Is it 2010 again? Everyone’s had tap for the last decade lol wtf

Anonymous 0 Comments

A lot of the people here are talking a bit about cryptography but without the background, some of it will go over your head. So I’m going to add some info at a high-level about the cryptography in use.

So there’s this method of encrypting data, like a string of characters or a photograph or whatever where you have a key to encrypt it, like a password. But, there’s a complementary key, which is a different password, to decrypt it. This system is one of several “asymmetric” encryption schemes that are around. This system is widely known as public key encryption.

The thing with these keys, you cannot figure out one of the keys by looking at the other. They appear to be completely random and unrelated to each other.

Data encrypted by one key can ONLY be decrypted by the other key. But… the corollary is also true. Data which can be decrypted by a given key could ONLY have been encrypted by the other key.

So… what they do is store a key on the chip card. The data is stored in ROM and can be written to the card once ever, during manufacturing, and cannot be changed. Also, the chip does not offer a way to figure out what that key is.

There’s supposed to be a second key, right? Well that’s readily available to the payment processor company. So what happens is that the terminal will create a manifest of data — the date and time, transaction amount, a unique “number used once” (known as a nonce), and a bit of other data identifying the retailer. This data is then sent to the chip which then encrypts it using the internal key and sends the encrypted version back to the terminal and on to the payment processor vendor. They receive this and use the known key assigned to the card to attempt to decrypt the transaction. If the decryption succeeds, then the transaction is treated as legitimate.

I’m intentionally skipping the part involving processing the PIN.
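
The exchange described in the answer above, as an added Python example that is not part of the original post: the card's step is modelled as a textbook RSA signature with a toy key built from two publicly known primes (an assumption, since the answer does not name the scheme). All function names, merchant ids and amounts are constructed for illustration.

```python
import hashlib
import json
import secrets

# Toy RSA key pair, constructed for this example. Real cards use much larger
# keys held in tamper-resistant hardware; these primes are public knowledge.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, lives only on the card

def digest(manifest: bytes) -> int:
    return int.from_bytes(hashlib.sha256(manifest).digest(), "big") % N

class Card:
    """Stand-in for the chip: it will use its key but never reveal it."""
    def __init__(self, private_exponent: int):
        self._d = private_exponent
    def respond(self, manifest: bytes) -> int:
        return pow(digest(manifest), self._d, N)

def terminal_manifest(amount_cents: int, merchant: str, when: str) -> bytes:
    # Date/time, amount, retailer id and a fresh nonce, as in the answer above.
    fields = {"amount": amount_cents, "merchant": merchant, "time": when,
              "nonce": secrets.token_hex(8)}
    return json.dumps(fields, sort_keys=True).encode()

def processor_accepts(manifest: bytes, response: int, seen: set) -> bool:
    nonce = json.loads(manifest)["nonce"]
    if nonce in seen:                            # same nonce twice: a replay
        return False
    if pow(response, E, N) != digest(manifest):  # not made by the card's key
        return False
    seen.add(nonce)
    return True

def demo() -> dict:
    seen, card = set(), Card(D)
    m1 = terminal_manifest(4250, "FUEL-STOP-17", "2024-05-01T09:30:00")
    r1 = card.respond(m1)
    m2 = terminal_manifest(99900, "OTHER-SHOP", "2024-05-01T09:31:00")
    copy = Card(D ^ 0xFFFF)                      # copied card data, wrong key
    return {
        "genuine": processor_accepts(m1, r1, seen),
        "replayed": processor_accepts(m1, r1, seen),
        "old response, new manifest": processor_accepts(m2, r1, seen),
        "copy without the key": processor_accepts(m2, copy.respond(m2), seen),
        "genuine card, new manifest": processor_accepts(m2, card.respond(m2), seen),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the two responses produced by the real key over a fresh manifest are accepted; a recorded response is tied to its own nonce and amount, so it is rejected anywhere else.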

Anonymous 0 Comments

That is true when using contactless/tap to pay. If you insert the card it’s a physical power connection, similar to a USB plug – both power and data are sent through the little gold chip connection.