New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud.
So much for that.
A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology.
This represents a major setback for the technology, known as the EMV standard, which is named after the companies (Europay, Mastercard and Visa) that created it.
“45.8 million…records [were] likely compromised through card-sniffing and point-of-sale (POS) breaches of businesses such as Saks, Lord & Taylor, Jason’s Deli, Cheddar’s Scratch Kitchen, Forever 21, and Whole Foods. To break it down even further, 90% or 41.6 million of those records were EMV chip-enabled,” states the report.
In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant’s point-of-sale terminal. EMV is meant to replace conventional swipe transactions that rely on magnetic stripes, which contain data that is relatively easy for criminals to intercept and then copy onto a new card.
But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune. (Fortune has also reached out to the payment processors for comment and will update this article accordingly.) The upshot is that criminals have been able to insert themselves into the transaction data stream, either by hacking into merchant networks or installing skimmer devices in order to capture card information.
The stolen data is typically sold on the so-called dark web, which is where Gemini Advisory compiled the data for its report.
When it comes to using the stolen credit card data, crooks can embed it onto the magnetic stripes of new plastic cards. Those cards can then be used to make purchases because the current credit card system in the U.S. allows for swiping as a fallback mechanism if no chip is present or if the chip is malfunctioning.
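The swipe fallback described above is something a merchant or processor can monitor for. The sketch below is an added example, not code from the article or from Gemini Advisory: the record layout, field names and the review/decline policy are assumptions, while the entry-mode values follow common ISO 8583 usage and the service-code rule follows ISO/IEC 7813.

```python
from collections import Counter

# First service-code digit 2 or 6 (ISO/IEC 7813) means the card carries a chip.
CHIP_SERVICE_DIGITS = {"2", "6"}
# POS entry modes as commonly used in ISO 8583 field 22.
CHIP_READ = "05"            # chip was read normally
DECLARED_FALLBACK = "80"    # terminal reported chip failure, then read the stripe
STRIPE_READ = {"02", "90"}  # plain magnetic-stripe read

def classify(txn):
    """Return 'ok', 'review' or 'decline' for one authorization record.

    The policy is an assumption made for this example: a chip card swiped
    at a chip-capable terminal without a declared fallback is declined,
    any other stripe read of a chip card is sent for review.
    """
    card_has_chip = txn["service_code"][:1] in CHIP_SERVICE_DIGITS
    mode = txn["entry_mode"]
    if mode == CHIP_READ or not card_has_chip:
        return "ok"
    if mode in STRIPE_READ and txn["terminal_chip_capable"]:
        return "decline"
    if mode == DECLARED_FALLBACK or mode in STRIPE_READ:
        return "review"
    return "ok"

def flagged_share_by_merchant(txns):
    """Share of each merchant's transactions that were not classified 'ok'."""
    total, flagged = Counter(), Counter()
    for t in txns:
        total[t["merchant"]] += 1
        if classify(t) != "ok":
            flagged[t["merchant"]] += 1
    return {m: flagged[m] / total[m] for m in total}

# Constructed sample records (not real transaction data).
SAMPLE = [
    {"merchant": "M1", "service_code": "201", "entry_mode": "05", "terminal_chip_capable": True},
    {"merchant": "M1", "service_code": "201", "entry_mode": "90", "terminal_chip_capable": True},
    {"merchant": "M2", "service_code": "201", "entry_mode": "80", "terminal_chip_capable": True},
    {"merchant": "M2", "service_code": "101", "entry_mode": "90", "terminal_chip_capable": False},
    {"merchant": "M2", "service_code": "221", "entry_mode": "90", "terminal_chip_capable": False},
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t["merchant"], t["entry_mode"], classify(t))
    print(flagged_share_by_merchant(SAMPLE))
```

A merchant whose flagged share stays high is a candidate for a terminal configuration check, since the article attributes the exposure to systems that are not properly set up for EMV.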
The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.
“We predict that financially motivated [criminals] will be more likely to turn their resources onto small to medium sized businesses with 10-50 locations,” the report states. “Since such businesses are less likely to have fully implemented the EMV transition, criminals would be able to rely on their current [strategies] for card data exfiltration.”