Suica, Pasmo and the like are all contactless SCs. The Wikipedia page is a good start, and you can go deeper from there: https://en.wikipedia.org/wiki/Suica
Every vending machine can verify signatures using a CA certificate.
Charging stations and vending machines also have a signing key signed by that central certificate. Whatever is written on the card is signed by whoever wrote it.
Charging a card goes like this:
- Read everything from the card (data + signature)
- Verify signature + expiration dates, etc
- Extract amount on card
- Decrement said amount
- Write new amount to card
- Sign data on card using local signing key
It's a bit more complicated than that, but you get the idea.
In some systems the logs of all transactions are reconciled asynchronously (if and when an internet connection is available), so if a card is cloned it can eventually be detected and blocked.
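The charge flow described above (read data and signature, verify signature and expiry, decrement, write, sign with the local key) together with the asynchronous log reconciliation, as an added Go example that is not from the post or from any real Suica/Pasmo implementation. It assumes Ed25519 signatures, a simplified certificate (machine id, public key, expiry, CA signature) carried on the card next to the data, a per-card write counter, and unix-second timestamps; all of these are assumptions of the example, not facts about the real systems.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"strconv"
)

// MachineCert stands in for the CA-issued certificate of a charging station or vending machine.
type MachineCert struct {
	MachineID string
	PubKey    ed25519.PublicKey
	NotAfter  int64  // unix seconds; the validity model is an assumption of this example
	CASig     []byte // CA signature over certBytes(MachineID, PubKey, NotAfter)
}
func certBytes(id string, pub ed25519.PublicKey, notAfter int64) []byte {
	return binary.BigEndian.AppendUint64(append([]byte(id+"|"), pub...), uint64(notAfter))
}

// CardRecord is everything read from the card: data, the writer's cert, the writer's signature.
type CardRecord struct {
	CardID   string
	Balance  uint32
	Counter  uint32 // bumped on every write; a duplicate across logs reveals a clone
	NotAfter int64  // card data expiry, unix seconds
	Writer   MachineCert
	Sig      []byte // writer's signature over recordBytes
}
func recordBytes(r CardRecord) []byte {
	b := binary.BigEndian.AppendUint32([]byte(r.CardID+"|"+r.Writer.MachineID+"|"), r.Balance)
	b = binary.BigEndian.AppendUint32(b, r.Counter)
	return binary.BigEndian.AppendUint64(b, uint64(r.NotAfter))
}

// VerifyRecord is the read-side check: expiry dates, writer cert chains to the CA, signature covers the data.
func VerifyRecord(caPub ed25519.PublicKey, r CardRecord, now int64) error {
	switch {
	case now > r.Writer.NotAfter || now > r.NotAfter:
		return errors.New("writer certificate or card record expired")
	case !ed25519.Verify(caPub, certBytes(r.Writer.MachineID, r.Writer.PubKey, r.Writer.NotAfter), r.Writer.CASig):
		return errors.New("writer certificate not signed by CA")
	case !ed25519.Verify(r.Writer.PubKey, recordBytes(r), r.Sig):
		return errors.New("card signature invalid")
	}
	return nil
}

type Machine struct {
	Cert  MachineCert
	priv  ed25519.PrivateKey // the "local signing key"
	caPub ed25519.PublicKey
	Log   []CardRecord // every record this machine wrote, reconciled later
}

// NewMachine generates the local key pair and has the CA sign its cert (provisioning time only).
func NewMachine(caPriv ed25519.PrivateKey, id string, notAfter int64) *Machine {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	cert := MachineCert{id, pub, notAfter, ed25519.Sign(caPriv, certBytes(id, pub, notAfter))}
	return &Machine{Cert: cert, priv: priv, caPub: caPriv.Public().(ed25519.PublicKey)}
}

// Write signs a record under the local key and logs it; a top-up station calls it directly.
func (m *Machine) Write(r CardRecord) CardRecord {
	r.Counter++
	r.Writer = m.Cert
	r.Sig = ed25519.Sign(m.priv, recordBytes(r))
	m.Log = append(m.Log, r)
	return r
}
// Charge is the vending-machine flow from the post: read, verify, decrement, write, sign.
func (m *Machine) Charge(r CardRecord, amount uint32, now int64) (CardRecord, error) {
	if err := VerifyRecord(m.caPub, r, now); err != nil {
		return r, err
	}
	if r.Balance < amount {
		return r, errors.New("insufficient balance")
	}
	r.Balance -= amount
	return m.Write(r), nil
}

// Reconcile merges machine logs offline; one (card, counter) written twice means two writes branched from the same signed state, which is what a cloned card produces.
func Reconcile(logs ...[]CardRecord) map[string]bool {
	seen, cloned := map[string]bool{}, map[string]bool{}
	for _, l := range logs {
		for _, r := range l {
			k := r.CardID + "#" + strconv.FormatUint(uint64(r.Counter), 10)
			if seen[k] {
				cloned[r.CardID] = true
			}
			seen[k] = true
		}
	}
	return cloned
}
```

The point of the write counter is the part the post calls "eventually": an offline machine presented with a valid but stale copy of a card's signed state has no way to reject it locally, since the signature and expiry both check out. Only when the logs are merged does the same (card, counter) pair show up twice, and that is the signal that blocks the card on the next reconciliation.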
The "local signing key" is the interesting part to me. I guess only vending machines in certain areas can get IC card support. I wonder how often those local keys need to be rotated.
That's a great answer though, thanks for writing it up!