I don't know about the US, but over here with my Polish bank I have 100% control over the limits for each type of transaction possible with my card. I can set them myself through the web portal of my bank. The types are:
1) transactions with card present (chip+PIN or signature)
2) transactions with card not present (someone types in your card number into the terminal)
3) internet transactions (card number + CVV from the back).
I can set any of them to zero, effectively blocking the transaction type completely. So yes, while you can read the card number and exp date from the chip, you can't get the CVV number from the back of the card, which means it's only useful for the second type of transactions - and I don't see any reason to ever change the limit on that to anything other than zero - so any information gained from just skimming the chip/magstripe is effectively useless without the CVV written on the back.
Setting limits to zero is kind of defeating the purpose of having a card in the first place.
The better solution is to have a bank with a good reputation that expends effort in making your transactions safer.
My bank:
- has their cards well issued (and I know this since I have worked as credit card terminal developer for many years and I know every detail of how cards are personalized and designed actual security systems),
- sends me a code to verify my internet transactions (remember not to use your phone to do internet transactions!),
- processes chargebacks without fuss unless there is a reason to suspect the cardholder is trying to defraud the merchant.
You should never use the same device to perform transactions and receive your codes. The security of the scheme lies in using two separate devices under your control.
If you were to enter your credit card details on the same device you use to receive codes (most likely your only mobile phone), the attacker having some kind of malware code could first steal your card information and then use your phone to receive the codes to complete the transaction.
This requires infecting just one device, so basically as a fraudster you create malware and wait for people to have their phones infected. Then you defraud those that use phones for credit card transactions and either don't need separate codes to complete the transaction or use the phone for this.
It is much more difficult to get two devices infected that are used by the same user. This only typically happens in case of targeted attacks and is rarely seen.
My colleague at one of the companies I worked for lost the money he saved to buy a flat this way. He got his phone infected with malware and then over a few days he got all his money sucked out of his account in a series of increasing transactions.