The implementation of EMV chips on credit cards is unquestionably more secure than the old crappy magnetic stripe cards. You may know this, but do you really know how EMV cards work?

Taking a step back, magnetic stripe cards store card information, including the card number, name, and expiration date, on the magnetic stripe on the back of the card. When the card is swiped at a terminal, that information is copied and sent to the card issuer for verification. It is important to note here that all of the information stored on the mag stripe is stored in plain text, meaning that there is no encryption or obfuscation to make the information difficult to read if a thief copies the data off of your card (easy to do). The only real piece of information not stored on that stripe is the super secure </sarcasm> 3-digit security code next to the signature line. This is why some merchants ask for it: if someone duplicated your card with a card skimmer, that code does not get copied. This acts as probably the second crappiest form of multi-factor authentication, second only to the exponentially useless signature verification that is required at the time of sale. I can't tell you the last time a merchant compared my provided signature to the signature on the back of the card for likeness. This is because it has never happened to me. Ever.

To solve this problem, the smart chip/EMV chip was introduced. EMV stands for Europay, Mastercard, and Visa, and is implemented in most credit cards now around the globe. Many of these cards still contain a magnetic stripe for legacy applications, but many terminals will recognize if the card is chip-equipped and will, in turn, refuse a swipe.
EMV works by using cryptographic keys to verify and authenticate the card. An EMV chip is actually a small integrated circuit capable of storing data and performing certain operations, like hashing and other cryptographic functions. When a card is inserted into a terminal, the card initiates an Authorization Request (ARQC), which is encrypted using the card's digital certificate. The ARQC message contains several fields, including details of the specific transaction. This is sent to the card issuer, who is able to decrypt the information using the shared key they have on their side (this process uses symmetric keys, meaning that the key used to encrypt the data is the same key used to decrypt it). This process is similar to a digital signature, where the encrypted data can easily be decrypted if the contents have not changed and it has been sent by the authorized party (the authentic card). If the issuer is able to decrypt the cryptogram sent with the ARQC, the transaction is generally allowed to take place.
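The issuer-side check described above, as an added example that is not from the original post: the cryptogram is modelled as a keyed MAC over the transaction details that the issuer recomputes with the shared key. HMAC-SHA256, the field layout, the per-card counter and all sample values are assumptions made for illustration; real cards use their own MAC algorithm and key derivation.

```python
import hashlib
import hmac
import struct

def cryptogram(key, amount_cents, currency, nonce, counter):
    """Card side: 8-byte MAC over the transaction details (HMAC-SHA256 stand-in)."""
    data = struct.pack(">QHII", amount_cents, currency, nonce, counter)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self, card_keys):
        self.card_keys = card_keys   # card number -> key shared with that card
        self.last_counter = {}       # card number -> highest counter accepted

    def authorize(self, pan, amount_cents, currency, nonce, counter, arqc):
        key = self.card_keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        # Recompute over the details as received; any change breaks the match.
        expected = cryptogram(key, amount_cents, currency, nonce, counter)
        if not hmac.compare_digest(expected, arqc):
            return "DECLINE: cryptogram mismatch"
        # Assumed extra check: a counter that must increase on every transaction.
        if counter <= self.last_counter.get(pan, 0):
            return "DECLINE: counter reused"
        self.last_counter[pan] = counter
        return "APPROVE"

# Constructed sample values, not real card data.
PAN = "4111111111111111"
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def demo():
    issuer = Issuer({PAN: CARD_KEY})
    arqc = cryptogram(CARD_KEY, 1999, 840, 0x1A2B3C4D, 1)
    wrong_key = cryptogram(b"\x00" * 16, 1999, 840, 0x1A2B3C4D, 2)
    return [
        issuer.authorize(PAN, 1999, 840, 0x1A2B3C4D, 1, arqc),       # genuine
        issuer.authorize(PAN, 99900, 840, 0x1A2B3C4D, 1, arqc),      # amount altered
        issuer.authorize(PAN, 1999, 840, 0x1A2B3C4D, 1, arqc),       # sent again
        issuer.authorize(PAN, 1999, 840, 0x1A2B3C4D, 2, wrong_key),  # card lacks the key
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```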
EMV also supports offline transactions. There are several different methods by which an offline transaction can occur: SDA, DDA, and CDA. SDA is Static Data Authentication and is the weakest form of authentication. SDA cards serve a piece of data signed by the issuer's private key (card number, expiration date, etc.) to validate that the card is authentic. The terminal is able to decrypt this information offline with the issuer's public key (see PKI for dummies for a primer on digital signatures). One thing to note is that SDA does not protect against card cloning.

Dynamic Data Authentication, or DDA, fixes this cloning problem. DDA also uses asymmetric cryptography to prove the card's identity; however, DDA uses a card's private RSA key, versus a static blob signed by the issuer. In DDA, the terminal creates a Data Object List (DOL), which includes various information about the transaction as well as a 32-bit random number, and sends this to the card. The card is then able to generate a hash of this information and sign the hash with its specific private key (a cryptogram). The signed DOL is then sent back to the terminal, which can then use the public key to decrypt the data and verify that the card is legitimate.

CDA, or Combined Data Authentication, is similar to DDA, but the card generates a second cryptogram that must be verified by the terminal at a later point in the transaction. This is done to ensure that the card used to authenticate the transaction is the same card performing the transaction.

What about a PIN? Good question - the hashed PIN is also stored on the card, so the terminal is able to verify the PIN entered by the cardholder offline as well, adding an additional layer of security.

This is a very complicated system with many variables, so see below for a simplified diagram.
Unlike mag-stripe cards, EMV chips can't simply be 'cloned'. Think of the chip as a processor, and not as a storage device. The processor can output data based on requests, but the secret key that resides on the card can't simply be directly read from an external source (skimmer). This is done so that the public and private key pairs can't be read and copied to another card. Is it impossible to clone a card? Certainly not - there are ways to dissolve some of the surface in acid and extract the internal circuit, but many card companies build physical mechanisms to destroy the internal circuit if physical tampering is employed.
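The SDA and DDA checks described above, side by side, as an added example that is not from the original post: a copy holding every readable field of a chip still passes the static check but cannot answer a fresh DDA challenge without the private key. It uses textbook RSA over small constructed primes with SHA-256 and no padding, and assumes the issuer also signs the card's public key; the class and function names are hypothetical and none of this is the real EMV data format.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Textbook RSA key from two primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed toy keys built from Mersenne primes; far too small for real use.
ISSUER_N, ISSUER_D = make_key(2**61 - 1, 2**89 - 1)
CARD_N, CARD_D = make_key(2**107 - 1, 2**127 - 1)

class Chip:
    """Everything except _d can be read out by a terminal (or a skimmer)."""
    def __init__(self, static_data, sda_sig, card_n, cert_sig, private_d):
        self.static_data, self.sda_sig = static_data, sda_sig
        self.card_n, self.cert_sig = card_n, cert_sig
        self._d = private_d  # used only inside sign_challenge()

    def sign_challenge(self, dol):
        return sign(dol, self.card_n, self._d)

def personalise(static_data):
    """Issuer signs the static data (SDA) and the card's public key (for DDA)."""
    return Chip(static_data, sign(static_data, ISSUER_N, ISSUER_D), CARD_N,
                sign(str(CARD_N).encode(), ISSUER_N, ISSUER_D), CARD_D)

def copy_readable_data(chip):
    """Model a copy: every readable field, but a dummy exponent (3) as the key."""
    return Chip(chip.static_data, chip.sda_sig, chip.card_n, chip.cert_sig, 3)

def terminal_sda(chip):
    return verify(chip.static_data, chip.sda_sig, ISSUER_N)

def terminal_dda(chip, amount_cents):
    if not verify(str(chip.card_n).encode(), chip.cert_sig, ISSUER_N):
        return False  # card public key is not vouched for by the issuer
    dol = amount_cents.to_bytes(8, "big") + secrets.token_bytes(4)  # 32-bit nonce
    return verify(dol, chip.sign_challenge(dol), chip.card_n)

genuine = personalise(b"PAN=4111111111111111;EXP=2912")  # constructed card data
duplicate = copy_readable_data(genuine)
```

Because the terminal draws a new random number for every transaction, a DDA response recorded earlier is as useless to the copy as the missing key.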