Project XBY

Europe · GDP rank #4

Germany

DE · EUR @ 1.1595/USD

The largest economy in Europe and the most cash-resilient. Cash still clears roughly half of consumer transactions by volume, the domestic girocard scheme dominates debit, and credit-card penetration is among the lowest in the G10. The slow shifts are real — SEPA Instant is finally free at most banks, Wero is building out — but a story of rapid card displacement is wrong for Germany in 2026.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

€171M −4% vs 2022

EUR · 2023

Loss rate

3.4bp

basis points on transaction value · 2023

CNP share of fraud

71%

% · 2023

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

  • Card-not-present (e-commerce)71%
  • Lost/stolen17%
  • Counterfeit/skimming4%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

40%

% · 2024

3DS coverage · CNP

95%

% · 2024

Mandatory under PSD2 RTS; rare exemptions only.

Biometric mobile wallet txns

96%

% · 2024

Consumer protection

Framework
BGB / ZAG / BaFin supervision under PSD2
Max consumer liability
€50 (PSD2) for unauthorised transactions
Liability rules
Consumer liability for unauthorised card or SEPA transactions is capped at €50 under PSD2 unless gross negligence is proven. Push-payment fraud (authorised) is not automatically reimbursed — unlike the UK — but BaFin-supervised complaint procedures and banking ombudsman (Bankenverband Schlichtungsstelle) apply.

Source · BaFin

Security standards

  • PCI DSS 4.0 (mandatory March 2025)
  • PSD2 Strong Customer Authentication (in force)
  • Verification of Payee (IBAN+name) mandatory October 2025
  • BaFin / BSI critical-infrastructure rules for large PSPs