The companies, however, argue that testing just 20 cards does not provide an accurate picture of the card market, which generally uses higher security standards than the cards that were tested. “It’s a small sample,” said Art Kranzley, an executive with MasterCard. “This is almost akin to somebody standing up in the theater and yelling, ‘Fire!’ because somebody lit a cigarette.”

Chips like those used by the credit card companies can encrypt the data they send, but that can slow down transactions and make building and maintaining the payment networks more expensive. Other systems, including the Speedpass keychain device offered by Exxon Mobil, encrypt the transmission — though Exxon came under fire for using encryption that experts said was weak.

Though information on the cards may be transmitted in plain text, the company representatives argued, the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards, they said, actually transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification “token,” or a small bit of code, that is encrypted before being sent.

“It’s basically useless information,” said David Bonalle, vice president and general manager for advanced payments at American Express. “You can’t steal that data and just play it back and expect that transaction to work.”

While the researchers found that these claims were true for some of the cards they tested, other cards gave up the actual credit card number and did not use a token or change data from one transaction to another. They also took data in from some cards and transmitted it to a card-reader in the lab and tricked it into accepting the transaction. Mr. Heydt-Benjamin, in fact, was able to purchase electronic equipment online using a number skimmed from a card he ordered for himself and which was sealed in an envelope.

(None of the cards transmits the additional number on the front or back, known as the card validation code, that some businesses require for online purchases; Mr. Heydt-Benjamin chose a store that does not require the code.)

Mr. Kranzley said the MasterCard-issuing banks decided how much security they wanted to implement, but said that with 10 million of the company’s chip-bearing cards on the market, some 98 percent of them used the highest standards.