They are essentially crypto chips. Basically when the card is made the bank generates a secret key (random gibberish) and your account number, the bank keeps a copy of both of these. They program these into the chip. The chip can use the contacts to talk, and it can perform some cryptographic hash function. Importantly once the chip is made by the bank, it’s designed to never tell anyone it’s secret key, it stays in the chip forever.

When you buy something the process is something like this (simplified):

1. They ask the card for your account number and tell the bank how much the order is and give the Bank you account number, and the bank gives the store a random number (a token).
2. The store asks your credit card for the hash, it gives the card the amount and the token
3. The card generates the hash, which is something like hash(key + token + amount) and gives it to the store.
4. the store sends the hash to the bank and the bank runs the same computation, if it matches they accept it

hash() is a special algorithm that can’t be reversed (you can’t figure out the key if you see the hash), since the amount and token are used to generate the hash, the hash is different for every transaction, even if it’s the same amount. Because of all of this, a person who sees everything between the card and the bank still can’t copy anything because all the data is good for only one transaction and it can’t be used to running additional transactions.

In the old days, you couldn’t even swipe a credit card. The department store would use a press to take an imprint of your card with the card number on it, and then submit their receipts to the bank for processing.

Then came cards with magnetic stripes and card readers hooked up to a telephone line. It was still just reading your cards ID number, but these could charge your account in a couple minutes! When they got connected to the internet this time was reduced to seconds.

The problem here, though, is what happens if someone behind the counter writes down your card number? What if a seller gets hacked and your card number gets stolen?

Along came chip cards. Instead of simply reading your card’s ID number every time, that little gold square generates a new, unique number every time you make a purchase that’s only good for 1 transaction. That way, if someone were to hack in and steal the number, it would already be expired since you used it to buy a cup of coffee. The mathmatical formula used to generate that number is unique to each card and your bank can tell exactly who made the purchase.

the chip contains 2 key pieces of information to identify and verify the owner. it has your account # and the something that basically you can think of as a digital signature (cryptogram). the terminal reads this info and sends a message (typically via 1 or many 3rd parties) to the networks (visa, mc, discover, amex, union pay, etc) , the networks know which bank (or third party) processes your card based on the first six digits of the account # and send the transaction there, the bank (or third party) then looks up your account #, verifies the cryptogram, and a hundred other checks and then either approves or declines the transaction