BACK

Research and Statistics

Despite EMV, most stolen card numbers come from chip-card-present transactions

Summary

A new study shows that the majority of stolen card numbers for sale on the dark web are still coming from “card-present” transactions, and almost all of them involve chip cards.

The editorial content below is based solely on the objective assessment of our writers and is not driven by advertising dollars. However, we may receive compensation when you click on links to products from our partners. Learn more about our advertising policy.

The content on this page is accurate as of the posting date; however, some of the offers mentioned may have expired. Please see the bank’s website for the most current version of card offers; and please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

You’ve heard it before: Now that we all have chip cards, credit card thieves have had to shift their nefarious efforts to targeting online transactions. But not so fast.

True, the theft of card numbers from “card-not-present” transactions is on the rise. Those are the purchases we make by providing our card number online or via mail or telephone orders, where we never have to present, tap, swipe or insert our actual plastic card.

But new data from Gemini Advisory shows that the majority of stolen card numbers for sale on the dark web are still coming from “card-present” transactions, and almost all of them involve chip cards.

In fact, over a 12-month period from November 2017 to October 2018, Gemini found 6 in 10 card numbers for sale globally were acquired from in-person chip card transactions, and of those, 91 percent were American chip cards. In total, almost 46 million chip card numbers were found on the dark web.

If virtually all U.S. cards are now chip-enabled, why are card-present transactions still so vulnerable? The answer lies not in the cards themselves, but the other half of the transaction equation: the terminals where these cards are used.

See related: Credit card losses from synthetic identity fraud jump

Some merchants have not yet installed a chip-enabled terminal. These are mostly gas stations, which have until 2020 to completely move from swiping cards to inserting chip cards, and other small to medium businesses, for which the investment can be a tough hurdle.

But even among merchants that have installed a chip-enabled terminal, some have failed to activate all of the chip security features, which is equivalent to letting customers insert their chip card, but then not closing and locking all the gates that would keep that number from reaching the dark web.

One thing is obvious: the U.S. market is the No. 1 target for credit card thieves, accounting for 79 percent of the stolen numbers. That’s 60 million American card numbers out of the 75.9 million that were for sale globally during the 12-month period.

And though thieves’ shift to card-not-present transactions is underway, the chip card transition – and the protections it can provide – is still a work in progress.

Gemini’s research is based on proprietary telemetry data collected from various dark web sources over several years. It released this analysis of card data from the past 12 months on Nov. 5.

What’s up next?

In Research and Statistics

How to slay your credit card debt with ‘small wins’

Researchers have proposed a financial intervention that can make paying off debt feel less painful and motivate you to pay more over time. It’s all about small wins.

Published: November 15, 2018

See more stories
Credit Card Rate Report Updated: June 12th, 2019
Business
15.61%
Airline
17.54%
Cash Back
17.68%
Reward
17.57%
Student
17.79%

Questions or comments?

Contact us

Editorial corrections policies

Learn more

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company’s business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.