Project XBY

Europe · GDP rank #14

Spain

ES · EUR @ 1.1595/USD

A mature euro-zone market where Bizum has delivered something most of Europe has not — mass-consumer instant payments at national scale — and where the incumbent banking system has retained durable share of the wallet battle. Card penetration is high, cash is falling faster than the euro-zone average, and the SEPA Instant mandate is pushing a second wave of change.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

€172M −7% vs 2023

EUR · 2024

Loss rate

6.5bp

basis points on transaction value · 2024

CNP share of fraud

87%

% · 2024

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

  • Card-not-present (e-commerce)87%
  • Lost/stolen9%
  • Counterfeit/skimming2%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

48%

% · 2024

3DS coverage · CNP

88%

% · 2024

PSD2 SCA has been in full force since 2022; 3DS now default across Spanish CNP acquiring.

Biometric mobile wallet txns

97%

% · 2024

Consumer protection

Framework
Ley 16/2009 de servicios de pago + PSD2 transposition (Real Decreto-ley 19/2018)
Max consumer liability
€50 pre-notification; €0 post-notification
Liability rules
Consumer liability capped at €50 for unauthorised pre-notification transactions; zero liability post-notification. Banks must refund within 1 business day after reclamation and may only chargeback the customer if fraud or gross negligence can be proven.

Source · Banco de España

Security standards

  • PSD2 SCA (in force since 14 September 2019, fully enforced 2021)
  • PCI DSS 4.0 (mandatory March 2025)
  • DORA operational-resilience (Jan 2025)
  • AEPD data-protection rules atop GDPR
  • EBA Guidelines on ICT and Security Risk Management