Project XBY

North America · GDP rank #10

Canada

CA · CAD @ 0.7250/USD

Canada runs one of the higher-cost G7 card-payment stacks alongside a near-monopoly domestic debit scheme. Interac Debit handles essentially all card-present debit and Interac e-Transfer cleared roughly 1.6 billion transactions in 2025 — the country's de facto real-time retail rail. Payments Canada's Real-Time Rail (RTR) ended Q1 2026 in performance, security and resilience testing, with first participant access slipping to Q4 2026. Consumer-driven banking implementation is now sequenced under the Bank of Canada following the 2025 Budget reassignment from FCAC.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

C$1.29B +14% vs 2023

CAD · 2024

Loss rate

12bp

basis points on transaction value · 2024

CNP share of fraud

89%

% · 2024

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

  • Card-not-present (ecommerce)89%
  • Lost/stolen6%
  • Counterfeit/skimming2%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

43%

% · 2024

3DS coverage · CNP

61%

% · 2024

Biometric mobile wallet txns

94%

% · 2024

Consumer protection

Framework
Financial Consumer Agency of Canada (FCAC) — Financial Consumer Protection Framework
Max consumer liability
C$50 maximum for unauthorised credit card transactions where not negligent; C$0 after block reported
Liability rules
Credit card issuer bears loss for unauthorised transactions where cardholder has not been grossly negligent. Interac e-Transfer limits: no statutory right to reimbursement for authorised push-payment fraud, though the big five banks voluntarily reimburse under published policies. Federal Ombudsman for Banking Services (OBSI) provides dispute resolution.

Source · FCAC

Security standards

  • PCI DSS 4.0 (mandatory March 2025)
  • Interac Confidence Verification for Interac e-Transfer
  • Retail Payment Activities Act — Operational Risk rules
  • OSFI B-13 Technology and Cyber Risk Management Guideline