
The article suggests using the contactless sensor, but how is that not another potential "skimmer" device?


Contactless checkout has a different security scope for card issuers. Magstripe + PIN is reusable; contactless auth has protections that bind the key exchange to that specific merchant, and multiple pay-auth attempts from a merchant get throttled.

I haven't looked into it, but I would guess that there's a key exchange with the reader that binds the contactless payment to that reader in such a way that the card produces a signed unique identity that proves it is the card without leaking the actual card numbers to the reader. Just a guess, but that's how I would want to build something like this. You don't have that much room on a chip, but way more than a magstripe. (Security pattern: something you have that is time/merchant-delimited)

I believe that with magstripe they just have a strip magnetized to produce some digits + your PIN (Security pattern: something you know + something you have).


I figured there was likely a cryptographic aspect, but I don't know the details.


Contactless uses a cryptographic operation to secure the transaction; both reader and chip are active participants. Compare with magstripes, which are passively read and thus trivially subject to replay attacks.
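As an added illustration of the point made in this comment, and of the guess a few comments up that the card proves itself with a signed, transaction-bound value rather than static digits, here is a toy model written for this thread. It is not code from any commenter and it is not the EMV specification; it is loosely patterned after the idea of a per-card key, a transaction counter and a reader-supplied nonce, but the key derivation, the field encoding, the 8-byte truncation and every identifier and key in it are constructed assumptions.

```python
"""Toy model of why passively read magstripe data replays while a
contactless cryptogram does not. Constructed for this thread; loosely
patterned after the EMV application-cryptogram idea but NOT the real spec."""
import hashlib
import hmac
import os

# Constructed demo secrets and identifiers, not real card data.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CARD_ID = b"demo-card-0001"


def card_key(master_key: bytes, card_id: bytes) -> bytes:
    """Issuer derives a per-card key (assumed KDF: HMAC over the card id)."""
    return hmac.new(master_key, card_id, hashlib.sha256).digest()


def tx_bytes(card_id: bytes, merchant_id: bytes, amount: int, atc: int, nonce: bytes) -> bytes:
    """Canonical encoding of every field the cryptogram commits to."""
    return b"|".join([card_id, merchant_id, str(amount).encode(),
                      str(atc).encode(), nonce.hex().encode()])


class Card:
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self.key, self.atc = card_id, key, 0

    def tap(self, merchant_id: bytes, amount: int, nonce: bytes) -> dict:
        self.atc += 1  # monotonic transaction counter; issuer refuses to go backwards
        mac = hmac.new(self.key,
                       tx_bytes(self.card_id, merchant_id, amount, self.atc, nonce),
                       hashlib.sha256).digest()[:8]
        return {"card_id": self.card_id, "atc": self.atc, "cryptogram": mac}


def reader_transaction(card: Card, merchant_id: bytes, amount: int) -> dict:
    """Reader side: supplies a fresh nonce so the card cannot precompute the MAC."""
    nonce = os.urandom(4)
    auth = card.tap(merchant_id, amount, nonce)
    return {"merchant_id": merchant_id, "amount": amount, "nonce": nonce, **auth}


class Issuer:
    def __init__(self, master_key: bytes):
        self.master_key, self.last_atc = master_key, {}

    def authorize(self, req: dict) -> bool:
        key = card_key(self.master_key, req["card_id"])
        expected = hmac.new(key, tx_bytes(req["card_id"], req["merchant_id"], req["amount"],
                                          req["atc"], req["nonce"]),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False  # wrong key, or a field (merchant, amount, nonce) was changed
        if req["atc"] <= self.last_atc.get(req["card_id"], 0):
            return False  # exact replay: the counter did not advance
        self.last_atc[req["card_id"]] = req["atc"]
        return True


# Magstripe model: the track is static data; whoever can read it can replay it.
MAGSTRIPE_TRACK = b"demo-card-0001;static-track-data"


def magstripe_authorize(known_tracks: set, track: bytes) -> bool:
    return track in known_tracks


def demo() -> dict:
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = Card(CARD_ID, card_key(ISSUER_MASTER_KEY, CARD_ID))

    legit = reader_transaction(card, b"merchant-A", 1999)
    first = issuer.authorize(legit)                                   # accepted
    replay_same = issuer.authorize(dict(legit))                       # verbatim replay
    replay_other = issuer.authorize({**legit, "merchant_id": b"merchant-B"})
    tampered = issuer.authorize({**legit, "amount": 999999})
    second = issuer.authorize(reader_transaction(card, b"merchant-A", 500))

    skimmed = MAGSTRIPE_TRACK  # a skimmer copies the static track once...
    mag_ok = (magstripe_authorize({MAGSTRIPE_TRACK}, skimmed)
              and magstripe_authorize({MAGSTRIPE_TRACK}, skimmed))  # ...and reuses it freely

    return {"legit": first, "contactless_replay": replay_same,
            "contactless_other_merchant": replay_other,
            "contactless_tampered": tampered, "second_legit_tap": second,
            "magstripe_replay": mag_ok}
```

The point the model makes is that a sniffed contactless exchange is useless to a skimmer: the cryptogram only verifies for the merchant, amount, nonce and counter it was computed over, and the counter check rejects even a bit-exact replay, while the magstripe "credential" is the same bytes every time and authorizes anywhere.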


Thanks, I figured this was likely the case, but I didn't know the details.



