November 9, 2018
Of the more than 60 million payment cards that have been compromised or stolen within the past 12 months, chip-enabled cards represented a staggering 93%, according to results of a study released recently by Gemini Advisory.
In 2015, the global financial industry began a massive migration to the EMV (Europay, MasterCard, Visa) standard in response to overwhelming levels of payment card fraud. The chip-enabled cards were supposed to provide end-to-end encryption during card-present transactions; and to prevent payment card counterfeiting.
Indeed, key findings of the study are alarming—among them:
- 45.8 million (or 75% of) cards were stolen or compromised at point-of-sale devices, while only 25% were compromised in online breaches;
- 90% of the cards compromised at merchants sites were EMV-enabled;
- The United States leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records;
- Financially motivated threat groups continue to exploit the lack of merchant EMV compliance; and
- An imminent shift from card-present (at-merchant sales) to card-not-present fraud is already evident— with a 14% increase in payment cards stolen through e-commerce breaches during the past 12 months.
With most large U.S. merchants fully transitioned to EMV, Gemini say that gas pump terminals and small/medium size businesses have become the victims of opportunity. Smaller businesses are only now beginning to understand the importance of EMV programs, as well as to provide a sufficient budget allocation toward them.
Because Gemini Advisory believes that criminal groups will always sway to the path of least resistance, the firm predicts that financially motivated threat groups such as Fin6 and Fin7 are likely to turn their resources toward small- to medium-size businesses with between 10 to 50 locations.
The bottom line: Until EMV implementation is more widespread among U.S. merchants, Gemini Advisory recommends the usage of mobile payment systems such as Android Pay, Google Pay, and Apple Pay. Such payment systems are not susceptible to shimming devices or POS malware—making them the most secure payment method currently available.
Research contact: @geminiadvisory