by lxgr 800 days ago
EMV chip cards still contain your card number and expiry date.

Skimmers would need a way to also learn the CVC2 from the back of the card to use it at most (but not all!) online merchants, but that's feasible using a small camera or a waiter/cashier accomplice doing the skimming.

With Google Pay and Apple Pay, and similar mobile wallets, that number is never shared during payments (and in fact not even stored on the device).


They do, but you can't get the card number from reading the chip. The protocol is a challenge-response one based on a private key stored within the chip.

https://en.wikipedia.org/wiki/Chip_Authentication_Program

You need to read the entire card number + cvc2 + expiry date with your camera. That's not skimming, that's just taking a photo of the card.

No, you can most certainly get the card number and expiry via the chip and even over contactless, as it’s a vital part of transaction routing/processing. There are Android apps that can do it.
If I could I'd delete my original comment since I did more research and you're right.

https://stackoverflow.com/questions/14861908/apdu-command-to...
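As an added example (not code from any commenter or from the linked answer), a BER-TLV decoder for the kind of record an EMV card returns to READ RECORD, run over a constructed sample record: it shows that the PAN (tag 5A) and expiry (tag 5F24) are present as plaintext data elements, and masks the PAN the way anything logging such records should. Tag numbers are the standard EMV ones; the record bytes and the 4111... test PAN are constructed.

```python
"""BER-TLV decoder for the data elements an EMV READ RECORD returns."""
from typing import Dict, Tuple

# Constructed sample record (not read from a real card): template 70 wrapping
# tag 5A (PAN, BCD-packed) and tag 5F24 (expiry, YYMMDD). 4111... is a test PAN.
SAMPLE_RECORD = bytes.fromhex(
    "70 10"                    # constructed template, 16 bytes of content
    "5A 08 4111111111111111"   # PAN
    "5F24 03 251231"           # expiry 2025-12-31
)

def _read_tag(buf: bytes, i: int) -> Tuple[str, int]:
    start = i
    first = buf[i]; i += 1
    if first & 0x1F == 0x1F:           # low five bits all set: multi-byte tag
        while buf[i] & 0x80:           # continuation bit
            i += 1
        i += 1
    return buf[start:i].hex().upper(), i

def _read_length(buf: bytes, i: int) -> Tuple[int, int]:
    n = buf[i]; i += 1
    if n & 0x80:                       # long form: low bits count the length bytes
        count = n & 0x7F
        n = int.from_bytes(buf[i:i + count], "big"); i += count
    return n, i

def parse_tlv(buf: bytes) -> Dict[str, bytes]:
    """Flatten a BER-TLV buffer into {tag_hex: value}, descending into templates."""
    out: Dict[str, bytes] = {}
    i = 0
    while i < len(buf):
        tag, i = _read_tag(buf, i)
        length, i = _read_length(buf, i)
        value = buf[i:i + length]; i += length
        if int(tag[:2], 16) & 0x20:    # constructed tag: recurse into its content
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out

def card_data(record: bytes) -> Tuple[str, str]:
    """Return (PAN, expiry YYMMDD) from a record; note no CVC2 tag exists on the chip."""
    elems = parse_tlv(record)
    pan = elems["5A"].hex().upper().rstrip("F")   # odd-length PANs are F-padded
    return pan, elems["5F24"].hex()

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as card data logging should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
```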

Yeah, and it's easily solvable with a sticker or a dremel to scrape the number off.
You can't dremel it out of the chip, though.
Well technically you can. The card won't be so usable after that though. ;)
Destroying the chip is easy, actually chiseling away the correct trapped electrons making up the PAN in the EEPROM is the challenge ;)
Any responsible user will learn the CVC, like any other password, and then erase it from the card.
I can certainly remember mine from repeated use, but I can't say I've ever heard of someone erasing it.
I have done it for many years.
You can always tell what part of the HN regularly goes outside and interacts with normal people. I’m sorry but “just memorize the CVV and erase it from the card” isn’t something anyone really does. The comment that Google Wallet is more secure is a generally applicable comment.
You can always tell which part of HN does things right and which part does things easy.
That seems like a lot of extra effort for something that's arguably not your opsec problem, but that of the card payment industry.

In the end, you'll always have to enter it on payment websites anyway.