What is stored on a banking card and how is it protected?

“Chip and PIN” banking cards have a chip, as the name indicates. The chip performs cryptographic operations and stores secret keys. The chip isn't just storage, it's a processor and the storage is not directly accessible from the outside.

The chip is physically protected against duplication — it's embedded in a protective layer and designed to self-destruct if someone tries to peel off the protection. There are software and hardware countermeasures to protect against side-channel attacks such as electromagnetic emissions measurements. For more information about protection against physical attacks, see:

  • Smartcard security on Wikipedia
  • chapter 16 of Ross Anderson's book Security Engineering (a recommended read in any case)
  • EMV Security? How is it possible that it's secure?
  • What physical, electronic, and software characteristics are important in a smart card?

The card stores the card number and other identifying information. It stores secret keys that it uses to communicate with the bank. It also stores the card number and a hash of the PIN. It also stores a PIN attempt counter: after three successive incorrect attempts, the card refuses to validate PINs anymore.

Smartcards used in corporate settings use the same basic technology, but banking cards are usually a grade above, incorporating the latest countermeasure technology when corporate smartcards often have previous-generation security (but sometimes higher performance, if they need to do asymmetric cryptography to sign messages). Smartcards used in access control are often several grades lower in terms of security (“cost-conscious”).
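
The PIN attempt counter described in the answer above, modelled in Python as an added example (not part of the original answer and not real card firmware). Assumptions: the salted SHA-256 digest stands in for the stored "hash of the PIN", the names `CardPinModel` and `run_session` are hypothetical, the status words are the ISO/IEC 7816-4 values, and spending the attempt before the comparison is a common card design choice that the answer does not mention.

```python
import hashlib
import hmac

SW_OK = 0x9000        # ISO/IEC 7816-4: success
SW_BLOCKED = 0x6983   # ISO/IEC 7816-4: authentication method blocked
PIN_TRY_LIMIT = 3     # from the answer: three successive incorrect attempts


class CardPinModel:
    """Toy model of the card-side PIN check (hypothetical, for illustration)."""

    def __init__(self, pin: str, salt: bytes = b"constructed-salt"):
        self._salt = salt
        self._pin_hash = self._digest(pin)
        # On a real card this counter lives in non-volatile memory inside
        # the chip, so the terminal cannot reset it.
        self._tries_left = PIN_TRY_LIMIT

    def _digest(self, pin: str) -> bytes:
        # Assumption: salted SHA-256 stands in for whatever the card stores.
        return hashlib.sha256(self._salt + pin.encode()).digest()

    def verify(self, candidate: str) -> int:
        if self._tries_left == 0:
            return SW_BLOCKED  # refuses even the correct PIN from now on
        # Spend the attempt before comparing, so cutting power mid-check
        # cannot turn a wrong guess into a free one.
        self._tries_left -= 1
        # Constant-time comparison: no timing difference between guesses.
        if hmac.compare_digest(self._digest(candidate), self._pin_hash):
            self._tries_left = PIN_TRY_LIMIT  # only successive failures count
            return SW_OK
        return 0x63C0 | self._tries_left  # 63Cx: wrong PIN, x tries left


def run_session(card: CardPinModel, guesses: list[str]) -> list[int]:
    """Feed a sequence of PIN entries to the card and collect status words."""
    return [card.verify(g) for g in guesses]


if __name__ == "__main__":
    card = CardPinModel("4821")  # constructed sample PIN
    entries = ["0000", "1111", "4821", "0000", "1111", "2222", "4821"]
    for sw in run_session(card, entries):
        print(f"{sw:04X}")
```

A correct PIN on the third try restores the full three attempts, while three wrong entries in a row leave the model refusing the correct PIN as well.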