> Contactless tap is basically the same as chip, just done over radio waves instead of wires. This makes it easier to eavesdrop, but as we established already, eavesdropping on a chip payment isn't all that helpful to a thief, so we don't really care about that! > > Now, finally, the payment apps. When you install a payment app and register a card to it, what you are essentially doing is turning your phone/watch/whatever into a credit card chip. The credit card company creates a secret program that works like a chip--takes a gibberish question in, gives a gibberish answer back--and installs a copy of it to your device. So when you tap your device to the reader, it gets asked a gibberish question, it creates a gibberish answer, and radios it back to the terminal, just like a chip. This proves that you have the physical device. It doesn't prove you have the physical card, but registering the card in the app in the first place did prove that you must have had it at some point, which is good enough.

Another bit of security for tap purchases is a low limit. If I use my CC's chip I can do a transaction worth the entire limit on the card. However if I tap I can only do idk $100, $250? Somewhere in there.