In brief: After being the standard in Europe for around a decade, chip-enabled credit cards finally came to the US in 2015. They were supposed to help prevent the fraud problem that had reached huge levels, but a new report shows that’s been far from the case.

Research firm Gemini Advisory revealed that three years after chip-enabled cards were rolled out in the US, they have done little to combat fraud. Out of the 60 million cases of credit card theft in the last 12 months, 93 percent were equipped with the new chips.

The majority of these compromised cards—75 percent—were stolen at the point-of-sale devices, while only 25 percent came from online breaches.

The EMV standard, which is named after the Europay, Mastercard, and Visa companies that created it, was designed to reduce fraud by creating an encrypted handshake between the card and the merchant’s POS terminal. It is meant to replace traditional magnetic-strip cards, which contain data that criminals can easily intercept.

Gemini says the biggest problem is that merchants are failing to properly configure their POS systems, thereby allowing criminals to install data-stealing malware or skimmer devices. The information is then sold on the dark web in large bundles to other criminals, who embed it onto the magnetic strips of plastic cards. Because the fallback mechanism for a malfunctioning chip in the US is swiping, these fake credit cards can be used to make purchases.

The report explains that larger merchants are starting to increase security around their POS networks, forcing criminals to focus on medium and small companies. But the US continues to have the worst credit card security in the world.