The chip reader, the checkout page, the in-app tap, the QR code, the phone-as-terminal. The card can be identical - but where it is read decides the fraud, the fees, the rulebook, and sometimes whether a card is even involved.
The same card can be read at a chip reader, typed into a website, tapped in an app, or scanned as a QR code. Each of those is a different "door" into the payment system. The card doesn't change. The door does.
Why care? The door decides how much proof exists that the real cardholder is there — and therefore who pays when it turns out to be fraud. A chip that computes a fresh code is strong proof. A number typed into a web form is weak proof, so the shop usually eats the loss. First the four doors, then the ways each one jams at the counter.
Step through the ways a payment gets captured - and watch who is left holding the fraud each time.
Six ways to accept a payment - each with its own trust model, cost and rulebook.
"The chip does the trusting."
A terminal reads chip, contactless tap, or (rarely now) magstripe. EMV kernels and terminal certification make the hardware trusted; the liability shift pushes fraud onto whichever party skipped the secure option.
"Anyone can type a number."
Card-not-present checkout via a gateway with hosted fields or an API. No physical proof, so fraud risk - and usually liability - sits with the merchant, softened by AVS, CVV, 3-D Secure and network tokens.
"One tap, no number."
Payment SDKs (Apple Pay, Google Pay, in-app wallets) present a device token, not your PAN. Bound to the secure element, it is low-fraud and high-approval - the best-converting door online.
"Scan, don't swipe."
A code encodes the merchant (you push) or the amount (they pull). EMVCo standardises interoperable QR; national rails (UPI, Pix, PromptPay) make it the default acceptance method for billions of people.
"The terminal is the phone."
SoftPOS turns any NFC phone into a contactless reader - no $300-$1,000 terminal. Tap to Pay on iPhone is in 50 countries; SoftPOS volume is forecast to leap from ~$24B (2025) toward ~$540B by 2030.
"Sometimes the card decides."
Vending, transit gates and parking often can't wait for an online auth. They use offline data-authentication, floor limits and deferred / aggregated authorization - accept now, settle the risk a moment later.
Six terms explain why the same card behaves differently at each door — and who is left holding the fraud.
Acceptance has quietly flipped from swipe-and-sign to tap-and-go - and from dedicated hardware to the phone in your hand.
The door decides how much evidence exists that the real cardholder is here - and therefore who pays when it turns out to be fraud.
Every door has a way of failing that surprises people at the counter. Three of them, then a tree for the universal moment: the card just won't go through.
Five questions about the moment you actually pay.
The doors up close - SoftPOS, the EMV liability shift, 3DS/SCA, QR standards, and the offline edge cases.