Europe · GDP rank #25

Belgium

BE · EUR @ 1.1595/USD

Belgium runs on a single domestic debit scheme. Bancontact carried 2.5 billion transactions in 2024 — roughly nine in ten POS card swipes — and Payconiq sits on top of it for mobile. SEPA Instant adoption is among the highest in the euro area on the back of the EU Instant Payments Regulation, and the EPI/Wero retail rollout reached Belgium in March 2026. The interesting questions are about acquirer economics and Wero acceptance, not about whether cards or instant will win.

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

€48M −6% vs 2023

EUR · 2024

Loss rate

3.1bp

basis points on transaction value · 2024

CNP share of fraud

74%

% · 2024

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

  • Phishing / authorised push payment: €49M
  • Card-not-present (e-commerce): 74%
  • Lost/stolen: 16%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

~40%

% · 2024

3DS coverage · CNP

96%

% · 2024

Mandatory under PSD2 RTS.

Biometric mobile wallet txns

95%

% · 2024

Consumer protection

Framework
Code of Economic Law (Book VII) implementing PSD2; NBB and FSMA dual supervision
Max consumer liability
€50 (PSD2) for unauthorised transactions
Liability rules
Consumer liability for unauthorised card or SEPA transactions is capped at €50 under PSD2 unless gross negligence is proven. Reimbursement of authorised push-payment fraud is decided case by case under the Febelfin code of conduct; there is no statutory reimbursement comparable to the UK PSR rules.

Source · FSMA

Security standards

  • PCI DSS 4.0 (mandatory March 2025)
  • PSD2 Strong Customer Authentication (in force)
  • Verification of Payee (IBAN+name) mandatory October 2025
  • NIS2 transposition supervised by Centre for Cybersecurity Belgium (CCB)