The card reader is a time-dependent hashing device. With chip and PIN, your PIN is already on the card (I know, I know) so it can use that to validate you. It then creates a hash of the current time, challenge code and details of the transaction, providing you with a response code to give the Internet Bank for certain transactions - generally setting up a new bill payment.
This has two security benefits:
1) you need a card and card reader as well as the passnumber and memorable data, so Igor in Lithuania will find it harder to use your phished account details;
2) the response code can't be re-used later, nor can the transaction be intercepted* and the amount or destination changed, because the response code incorporates all those variables.
*very hard with SSL anyway, but there could be a trojan on your PC capturing keystrokes.
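The binding described above, as an added example that is not part of the original text and is not the algorithm real card readers run: it substitutes HMAC-SHA256 over a shared key for the card's own cryptogram. The 30-second window, 8-digit code, key, and field names are all assumptions.

```python
import hashlib
import hmac

# Illustrative stand-in only: real readers use the chip's own key and cryptogram.
WINDOW_SECONDS = 30   # assumed time-step size
CODE_DIGITS = 8       # assumed response-code length


def response_code(card_key: bytes, now: int, challenge: str,
                  payee_account: str, amount_pence: int) -> str:
    """Derive a decimal code bound to time window, challenge and transaction."""
    window = now // WINDOW_SECONDS
    # Length-prefix each field so ("12", "345") and ("123", "45") cannot collide.
    fields = [str(window), challenge, payee_account, str(amount_pence)]
    message = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)
    digest = hmac.new(card_key, message, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)


def bank_verify(card_key, now, challenge, payee_account, amount_pence, code) -> bool:
    """Bank side: recompute from the transaction the bank actually received."""
    # Accept the current and previous window to allow for typing delay.
    for t in (now, now - WINDOW_SECONDS):
        expected = response_code(card_key, t, challenge, payee_account, amount_pence)
        if hmac.compare_digest(expected, code):
            return True
    return False


def demo() -> dict:
    """Run the genuine case and four tampering/replay cases on constructed data."""
    key = b"constructed-demo-card-key"   # constructed sample value
    t0 = 1_700_000_000                    # constructed timestamp
    challenge, payee, amount = "48213377", "12345678", 25_000
    code = response_code(key, t0, challenge, payee, amount)
    t = t0 + 10                           # code typed into the bank 10 s later
    return {
        "genuine": bank_verify(key, t, challenge, payee, amount, code),
        "amount_changed": bank_verify(key, t, challenge, payee, 950_000, code),
        "payee_changed": bank_verify(key, t, challenge, "87654321", amount, code),
        "replayed_later": bank_verify(key, t0 + 3600, challenge, payee, amount, code),
        "new_challenge": bank_verify(key, t, "00000000", payee, amount, code),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} accepted={accepted}")
```

Because the bank recomputes the code from the payee and amount it received rather than from what the user's screen showed, a keystroke-capturing trojan that alters either field produces a mismatch.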