Project XBY

Asia-Pacific · GDP rank #15

Indonesia

ID · IDR @ 0.0000566/USD

South East Asia's largest payments market continues to move from cash to QR faster than any G20 economy. QRIS transactions reached 7.83 billion year-to-date by May 2026 with 45 million merchants and 63 million users; Bank Indonesia opened the QRIS-China corridor on 30 April 2026, connecting 40 million Indonesian merchants to Alipay/UnionPay travellers. BI-FAST is the mature inter-bank rail; the wallet war between GoPay, OVO, DANA and ShopeePay continues to compress.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

Rp470B +12% vs 2023

IDR · 2024

Loss rate

11.2bp

basis points on transaction value · 2024

CNP share of fraud

72%

% · 2024

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

  • Card-not-present (e-commerce)72%
  • Social engineering / phishing16%
  • Account takeover (e-money)9%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

22%

% · 2024

3DS coverage · CNP

58%

% · 2024

Biometric mobile wallet txns

94%

% · 2024

Consumer protection

Framework
OJK Consumer Protection Rules (POJK 22/2023) + UU Perlindungan Konsumen 8/1999
Max consumer liability
Zero where promptly notified; deferred exposure where there is delayed notification
Liability rules
Consumer liability zero for unauthorised transactions where fraud or negligence by the consumer cannot be proven; issuer bears loss. OJK Satgas PASTI task force coordinates consumer complaint handling across Bank Indonesia and OJK.

Source · Otoritas Jasa Keuangan

Security standards

  • PCI DSS 4.0 (BI-mandated for acquirers and processors)
  • SNAP security standard for PSP APIs
  • UU PDP (data protection, full enforcement Oct 2024)
  • OJK POJK 11/2022 on IT and Cyber Risk
  • BI Circular Letter on Anti-Fraud Management