When a bank denies a debit card fraud claim and writes:
“Card present.”
“Chip verified.”
“Correct PIN entered.”
The implication is that EMV chip technology makes fraud highly unlikely.
That implication ignores a documented reality: card readers can be compromised.
What “Shimming” Is
Most people are familiar with skimming — devices that capture data from a card’s magnetic stripe.
Shimming is the evolution of skimming for chip cards.
Instead of attaching to the outside of a machine, ultra-thin electronic devices are inserted deep inside ATM or point-of-sale card slots to intercept information as the EMV chip communicates with the terminal.
Law enforcement agencies, including the U.S. Secret Service and the FBI, have issued public warnings about skimming devices placed on or inside ATMs and POS terminals that capture cardholder data and PINs - including data from the EMV chip.
See:
-
U.S. Secret Service – Skimming Awareness
https://www.secretservice.gov/investigations/skimming -
FBI – Skimming Fraud Overview
https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/skimming
Consumer protection agencies have also specifically described shimming as a newer method targeting chip cards.
For example:
-
New Jersey Division of Consumer Affairs – Credit Card Shimming Alert
https://www.njconsumeraffairs.gov/News/Consumer%20Briefs/credit-card-shimming.pdf
Shimming is not theoretical. It is documented.
What a Compromised Terminal Means
EMV chips generate dynamic transaction data that banks validate during approval. That validation confirms the chip responded correctly.
It does not confirm that the terminal environment was secure.
If a card reader is compromised, a transaction may still process as:
-
Card present
-
Chip verified
-
PIN entered
The system log will show successful authentication. The log will not independently reveal whether a hidden device was present inside the reader.
That distinction matters.
EMV Reduced Counterfeit Cloning — Not All Fraud
EMV technology significantly reduced simple magnetic-stripe cloning. That is a real improvement.
But fraud adapts.
When magnetic stripe skimming became harder, criminals shifted to deeper terminal compromise techniques. Industry bodies like the PCI Security Standards Council publish ongoing guidance about skimming and terminal tampering risks.
Security systems evolve. So do attack methods.
No payment technology eliminates the risk of:
-
Stolen physical cards
-
Mail-intercepted replacement cards
-
PIN compromise
-
Terminal tampering
-
Coordinated ATM cash-out activity
EMV reduces certain categories of fraud. It does not eliminate unauthorized debit transactions.
Why “Chip Verified” Is Overstated in Disputes
When a denial letter relies primarily on “chip verified,” it is pointing to a successful hardware authentication event.
That confirms the chip generated valid transaction data.
It does not answer:
-
Who possessed the card
-
How the card was obtained
-
Whether the terminal was compromised
-
Whether the consumer authorized the transfer
Under federal law governing electronic fund transfers, the relevant question is authorization — not whether a cryptographic exchange occurred.
Authentication and authorization are separate concepts.
If an investigation stops at “chip verified,” it may stop at the system log rather than examining the surrounding circumstances.
The Bottom Line
Shimming is a documented form of terminal compromise.
Government agencies have warned about hidden devices inside ATMs and POS terminals that capture card data.
“Chip verified” means the chip responded as designed.
It does not prove the environment was secure.
It does not prove the cardholder was present.
It does not prove the transaction was authorized.
Technology reduces risk.
It does not convert hardware communication into consent.
To explore related EMV denial language — including “card present” and “correct PIN entered” — visit:
