THE GUIDE · THE CARD MACHINE

Every place a card says yes.

The chip reader, the checkout page, the in-app tap, the QR code, the phone-as-terminal. The card can be identical — but where it is read decides the fraud, the fees, the rulebook, and sometimes whether a card is even involved.

SCROLL ↓
IN PLAIN WORDS — READ THIS FIRST

The same card can be read at a chip reader, typed into a website, tapped in an app, or scanned as a QR code. Each of those is a different "door" into the payment system. The card doesn't change. The door does.

Why care? The door decides how much proof exists that the real cardholder is there — and therefore who pays when it turns out to be fraud. A chip that computes a fresh code is strong proof. A number typed into a web form is weak proof, so the shop usually eats the loss. First the four doors, then the ways each one jams at the counter.

PART 01

Same card, four doors.

Step through the ways a payment gets captured — and watch who is left holding the fraud each time.

PART 02

The doors, up close.

Six ways to accept a payment — each with its own trust model, cost and rulebook.

CARD-PRESENT · POS

"The chip does the trusting."

A terminal reads chip, contactless tap, or (rarely now) magstripe. EMV kernels and terminal certification make the hardware trusted; the liability shift pushes fraud onto whichever party skipped the secure option.

E-COMMERCE · CNP

"Anyone can type a number."

Card-not-present checkout via a gateway with hosted fields or an API. No physical proof, so fraud risk — and usually liability — sits with the merchant, softened by AVS, CVV, 3-D Secure and network tokens.

IN-APP · TOKENS

"One tap, no number."

Payment SDKs (Apple Pay, Google Pay, in-app wallets) present a device token, not your PAN. Bound to the secure element, it is low-fraud and high-approval — the best-converting door online.

QR · PUSH vs PULL

"Scan, don't swipe."

A code encodes the merchant (you push) or the amount (they pull). EMVCo standardises interoperable QR; national rails (UPI, Pix, PromptPay) make it the default acceptance method for billions of people.

SOFTPOS · TAP-TO-PHONE

"The terminal is the phone."

SoftPOS turns any NFC phone into a contactless reader — no $300-$1,000 terminal. Tap to Pay on iPhone is in 50 countries; SoftPOS volume is forecast to leap from ~$24B (2025) toward ~$540B by 2030.

UNATTENDED · OFFLINE

"Sometimes the card decides."

Vending, transit gates and parking often can't wait for an online auth. They use offline data-authentication, floor limits and deferred / aggregated authorization — accept now, settle the risk a moment later.

The words, one at a time.

Six terms explain why the same card behaves differently at each door — and who is left holding the fraud.

Card-present
the card is physically there
A payment read by chip, tap or magstripe at a terminal, where the hardware can prove the real card is on the spot.
You dip your chip at a till. The chip computes a one-time code that proves the card is here, right now.
Why it matters: strong proof means low fraud and the cheapest risk of any door.
Card-not-present (CNP)
just the number, typed in
A payment where no chip proves the card is there — online, in-app or over the phone. Only static data is sent.
An online checkout takes your PAN (Primary Account Number), expiry and CVV — digits that could have leaked anywhere.
Why it matters: weak proof, so the merchant usually eats the fraud unless extra checks step in.
Cryptogram
a one-time code the chip makes
A unique value the chip or phone generates for each transaction. It can't be reused or replayed on the next one.
Copy the data off a single tap and it's worthless — the next payment needs a fresh cryptogram.
Why it matters: it's what makes chip and wallet payments hard to counterfeit.
Liability shift
the least-secure party pays
A network rule that moves fraud liability onto whichever side skipped the safer option.
A merchant still on magstripe-only takes counterfeit fraud on the chin; a chip-enabled one wouldn't.
Why it matters: it's how the industry rolled out chip and 3-D Secure without a legal mandate.
3-D Secure (3DS)
the issuer checks the online shopper
An authentication step, often silent, that lets the card's bank verify a card-not-present shopper.
Your bank app pings you to approve a large online order before it goes through.
Why it matters: if 3DS authenticates the shopper, fraud liability shifts from the merchant to the issuer.
Fallback
chip fails, drop to the old way
When a chip won't read and the terminal reverts to the weaker magstripe to complete the sale.
A worn chip forces a swipe. The proof is weaker, and some issuers decline fallback outright.
Why it matters: fallback is a common, quietly risky moment at the counter.
PART 03

The tap won.

Acceptance has quietly flipped from swipe-and-sign to tap-and-go — and from dedicated hardware to the phone in your hand.

75%
of Mastercard transactions were contactless in 2025 — the tap is the norm now, not the exception.
94.6%
of UK in-store card payments under GBP100 are contactless. Chip-and-PIN quietly ended.
50
countries now let a plain iPhone take a contactless payment — no hardware at all.
$0
extra hardware for SoftPOS vs $300-$1,000 for a terminal — acceptance for anyone with a phone.
PART 04

Same card. Different proof.

The door decides how much evidence exists that the real cardholder is here — and therefore who pays when it turns out to be fraud.

// WHAT EACH DOOR ACTUALLY CAPTURES

CARD-PRESENT   chip cryptogram — one-time, unforgeable, proves the card is here

CARD-NOT-PRESENT   PAN + expiry + CVV + AVS + 3DS — static data anyone could replay, so it is stacked with checks

IN-APP / WALLET   device token + cryptogram — CNP that behaves like card-present

// Same $100, same card. The door decides how much proof exists — and who eats it when it is fraud.
WHEN IT BREAKS

When the door jams.

Every door has a way of failing that surprises people at the counter. Three of them, then a tree for the universal moment: the card just won't go through.

FAILURE 01 · THE FALLBACK
The chip won't read
WHAT YOU SEEThe terminal rejects the chip and asks you to swipe instead, or refuses the card entirely.
WHYA dirty or worn chip fails to talk to the reader, so the terminal falls back to the magstripe — weaker proof. That flips fraud liability toward the merchant, and some issuers now decline fallback swipes outright to block cloned cards.
THE FIXWipe the chip and re-insert, try tapping instead, or use a wallet. Merchants should keep fallback rare and monitored.
FAILURE 02 · THE LIMIT
The tap gets refused
WHAT YOU SEEA contactless tap that worked all week is suddenly declined, and the terminal asks for chip and PIN.
WHYEvery country sets a contactless limit, and banks also force a periodic chip-and-PIN check to re-verify you. At unattended machines, exceeding the offline floor limit forces an online authorization the device can't always get.
THE FIXInsert the chip and enter the PIN when asked. It's an authentication checkpoint, not a broken card.
FAILURE 03 · THE CNP CHARGEBACK
Approved online, then clawed back
WHAT YOU SEEAn online order was approved and shipped, then weeks later the money is pulled back as fraud.
WHYCard-not-present has no cryptogram to prove the shopper was real. If 3-D Secure wasn't invoked, the merchant carries the fraud. In Europe, a missing SCA step can even soft-decline the sale before it completes.
THE FIXRoute risky online orders through 3DS to shift liability, and treat approval as "funds held", not "fraud cleared".
A CARD WON'T GO THROUGH. WHICH DOOR IS THE PROBLEM?
1 · Was it a contactless tap that got refused?
LIKELY OVER THE LIMITYou're above the country's contactless cap, or the bank wants a periodic re-check. Insert the chip and enter the PIN — the tap isn't broken, it's being verified.
NOT A TAP — KEEP GOINGChip or online? Go to step 2.
2 · Is it the chip that won't read at a terminal?
DIRTY / WORN CHIPThe terminal may fall back to magstripe, which some issuers block as a fraud risk. Clean the chip, re-insert, tap instead, or pay with a wallet.
NOT AT A TERMINAL — KEEP GOINGOnline checkout? Go to step 3.
3 · Did an online "pay" button decline the card?
3DS / SCA STEPA 3-D Secure challenge failed or was abandoned, or in Europe the issuer soft-declined for Strong Customer Authentication. Complete the bank's approval and retry.
STILL STUCKIf none of these fit, it's an issuer risk decline. The decline-code tool reads the exact reason the bank sent back.
COMMON QUESTIONS — ASKED PLAINLY

The things everyone wonders.

Five questions about the moment you actually pay.

WHY DID THE SHOP ASK ME TO INSERT MY CARD AFTER I TAPPED?
Two likely reasons. Either the total was above your country's contactless limit, which requires the extra security of chip and PIN, or your bank triggered a periodic re-check. Contactless taps are convenient because they skip the PIN, so banks force an occasional chip-and-PIN to confirm it's really you and reset the running count. It's an authentication checkpoint, not a sign anything is wrong with the card.
WHY IS PAYING ONLINE RISKIER FOR THE SHOP THAN IN PERSON?
In a store, the chip or tap produces a one-time cryptogram that proves the genuine card is physically present. Online, the shop only gets the card number, expiry and security code — static digits that could have been stolen. With no proof the real cardholder is there, the merchant usually carries the fraud loss unless a tool like 3-D Secure authenticates the shopper and passes that liability back to the bank. Same card, very different exposure.
HOW CAN A PHONE BE A CARD MACHINE NOW?
Modern phones already have the contactless antenna a card reader uses. SoftPOS ("tap to phone") adds software, governed by the PCI MPoC (Mobile Payments on Commercial off-the-shelf) security standard, that turns that antenna into a certified terminal. So a market stall or a plumber can take a tap with no extra hardware. Apple's Tap to Pay on iPhone is now live in 50 countries, which pushes the cost of accepting cards toward zero.
WHY DO APPLE PAY AND GOOGLE PAY GET DECLINED LESS?
Because a wallet doesn't hand over your real card number. It presents a device token bound to your phone's secure chip, plus a fresh cryptogram each time — the same strong proof a physical chip gives in a store. To the bank, an online wallet payment looks about as safe as an in-person one, so it approves more of them. A typed-in card number can't offer that, which is why it's declined more often.
WHAT'S THE DIFFERENCE BETWEEN TAPPING A CARD AND SCANNING A QR CODE?
Tapping a card pulls money through the card networks: the merchant asks your bank for the funds, and interchange and chargeback rights come along for the ride. Scanning a QR on a rail like UPI or Pix usually pushes money straight from your bank app to theirs, with no card network in the middle. That means no interchange and no chargeback — cheaper for the merchant, but with different protection for you.
FIELD NOTES — THE PRO LAYER

For the professionals.

The doors up close — SoftPOS, the EMV liability shift, 3DS/SCA, QR standards, and the offline edge cases.

SOFTPOS — THE TERMINAL DISAPPEARS INTO THE PHONE
SoftPOS ('tap to phone') turns a commodity NFC smartphone into a contactless reader with no extra hardware. It's governed by the PCI MPoC (Mobile Payments on COTS) standard, which handles the security a sealed terminal used to. Apple's Tap to Pay on iPhone is live in 50 countries; Visa reports ~200% year-on-year growth in tap-to-phone. The strategic point: acceptance cost drops toward zero, so the addressable merchant base expands to every freelancer, market stall and side hustle.
EMV & THE LIABILITY SHIFT
EMV chip cards compute a unique cryptogram per transaction, so a stolen magstripe clone fails. The networks used a liability shift to force adoption: after the cutover dates, whichever party is less secure (merchant with a magstripe-only terminal, or issuer with a chipless card) eats counterfeit-fraud losses. It's the reason the US finally moved to chip around 2015 — not a mandate, but a reallocation of who pays.
3-D SECURE 2 & PSD2 SCA
In e-commerce, 3-D Secure 2 lets the issuer authenticate the shopper (often silently, via risk data) and, if it does, liability for fraud shifts from merchant to issuer. In Europe, PSD2 Strong Customer Authentication makes this mandatory — with carve-outs: low-value (under EUR30, capped by count/amount), contactless (under EUR50), and transaction-risk-analysis exemptions tiered at EUR100/250/500. The art is authenticating enough to stay compliant and shift liability, without adding checkout friction that kills conversion.
QR & THE PUSH DOOR
QR acceptance comes in two flavours: merchant-presented (you scan the store's code and push funds) and consumer-presented (the store scans your code and pulls). EMVCo publishes an interoperable QR spec, but the volume lives on national rails — UPI, Pix, PromptPay, Alipay/WeChat — where the payment is a bank-to-bank push. No card network sits in the middle, which means no interchange and no chargeback: a fundamentally different acceptance economics that card incumbents are still reckoning with.
UNATTENDED & OFFLINE AUTHORIZATION
Transit gates, vending machines and toll roads can't wait for a round-trip online authorization — riders would queue. They use offline data authentication and deferred/aggregated auth: tap now, let a small amount ride, then authorize and settle the accumulated total later. It trades a sliver of credit risk for speed. Transit's 'tap and ride' open-loop rollouts (London, New York, Sydney) are the highest-profile version, and a major driver of contactless habit worldwide.
PART 05

Remember three things.

1
The card can be the same; the door changes everything — the fraud risk, the fees, the rulebook, and who is liable when it goes wrong.
2
Proof decides liability. Card-present shifts fraud by security (EMV); card-not-present dumps it on the merchant unless 3DS/SCA authenticates the shopper; in-app tokens quietly give online the safety of card-present.
3
The newest doors are erasing the old ones. SoftPOS deletes the terminal, and QR/push rails can delete the card, the chargeback and the interchange with it — which is why the whole industry is watching UPI and Pix.