The US credit card industry was a very late adopter of security chips, lagging the EU by a decade or so; when they did roll out chips, it was a shambolic affair, with many payment terminals still not using the chips, and almost no terminals requiring a PIN (and some require a PIN and a signature, giving rise to the curiously American security protocol of chip-and-PIN-and-swipe-and-sign).
The adoption of security chips has not slowed credit card fraud, either. 60,000,000 US credit cards were compromised in the past 12 months and 90% of those were chip-enabled. The majority of compromised cards were stolen by infected point-of-sale terminals. The US has the worst credit card security in the world.
The findings come from a Gemini Advisory report, which blames a "lack of chip compliance" in merchants for the rise.
Based on the proprietary Gemini Advisory telemetry data collected from various dark-web sources over several years, we have determined that in the past 12 months at least 60 million US cards were compromised. Of those, 75% or 45.8 million were CP records, likely compromised through card-sniffing and point-of-sale (POS) breaches of businesses such as Saks, Lord & Taylor, Jason's Deli, Cheddar's Scratch Kitchen, Forever 21, and Whole Foods. To break it down even further, 90% or 41.6 million of those records were EMV chip-enabled.
Furthermore, the shift in Card-Not-Present (CNP) fraud is becoming more evident with a 14% increase in payment cards compromised through e-commerce breaches in the past 12 months. Payment card data that that was stolen from Orbitz, Ticketmaster, City of Goodyear, and British Airways represented only a small part of the 14.2 million CNP records posted for sale in the past 12 months.
Card Fraud on the Rise, Despite National EMV Adoption [Gemini Advisory]
Credit Card Chips Fail to Halt Fraud, Survey Says [Jeff John Roberts/Fortune]