Latin America · GDP rank #8

Brazil

BR · BRL @ 0.1990/USD

Pix has done to Brazilian retail payments in five years what took UPI ten in India and never happened at all in Europe. The Banco Central do Brasil runs the rail directly, mandates participation for every licensed PSP above the 500k-customer threshold, and built Open Finance on top — the most aggressive instant-payments programme of any G20 central bank. Cards continue to grow in absolute terms but lose share; cash has retreated into the informal economy; Drex stays a wholesale tokenisation pilot with the BCB signalling no obvious retail use case while Pix fills that space.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

R$3.8B▲ +11% vs 2023

BRL · 2024

Loss rate

10bp

basis points on transaction value · 2024

CNP share of fraud

74%

% · 2024

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

Card-not-present (ecommerce)74%
Social engineering (scam)18%
Lost/stolen6%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

38%

% · 2024

3DS coverage · CNP

58%

% · 2024

Biometric mobile wallet txns

92%

% · 2024

Consumer protection

Framework: Código de Defesa do Consumidor + BCB Resolução 4.949/2021 (complaints handling)
Max consumer liability: R$0 for unauthorised transactions where consumer has not been negligent; disputed Pix scams resolved via MED on case-by-case basis
Liability rules: For unauthorised card transactions the issuer bears the loss where the consumer did not authorise the payment. For authorised Pix transfers extracted by social engineering, the receiving PSP's KYC adequacy determines liability under the MED framework; BCB enforces PSP SLAs for reversal review.

Source · BCB

Security standards

▌PCI DSS 4.0 (in force 2024)
▌BCB Resolução 85/2021 — cybersecurity policy for PSPs and instituições de pagamento
▌LGPD (ANPD supervisory)
▌Febraban SiCNet consortium fraud-alert feed

Full reference

Pix Fraud

Estimated Pix fraud losses (reported)

BRL · 2024

R$2.5B

Pix fraud loss rate on value moved

basis points · 2024

~1bp

Dominant Vector: social-engineering (scams, account takeover of receiving party)

Mitigations

Mecanismo Especial de Devolução (MED) — coordinated reversal protocol between originating and receiving PSPs, live since 2021
Pix Scheduled Return (2024) — 24-72 hour hold on suspicious high-value transfers flagged by rule engines
Cautionary notices on alias-lookups where the recipient account has been reported
Mandatory PSP-to-PSP liability-allocation rules for scam chains, 2025

Source: