Project XBY

Middle East · GDP rank #28

Israel

IL · ILS @ 0.3460/USD

Israel runs a card-mature, bank-dominated retail payments market with one wholesale rail (ZAHAV, the BOI-operated RTGS, fully on ISO 20022 since November 2025) and one retail-instant rail (MASAV Faster Payments) underneath the consumer-facing Bit (Bank Hapoalim) and Pay (Bank Leumi) wallets. Bit alone holds roughly half of P2P value across ~3.3m active users. The Capital Markets Authority issued the country's first shekel-pegged stablecoin authorisation in 2024 and the Bank of Israel's digital-shekel design work hands a launch recommendation to the Governor at end-2026.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

ILS 1.1B +14% vs 2023

ILS · 2024

Loss rate

~6bp

basis points on transaction value · 2024

CNP share of fraud

71%

% · 2024

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

  • Card-not-present (e-commerce)71%
  • Authorised push payment (Bit / wallet)+32%
  • Account takeover+21%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

~55%

% · 2024

3DS coverage · CNP

96%

% · 2024

Biometric mobile wallet txns

~92%

% · 2024

Consumer protection

Framework
Banking (Service to Customer) Law 1981; Banking Supervision Department oversight
Max consumer liability
ILS 75 for unauthorised card transactions
Liability rules
Unauthorised card transaction liability capped at ILS 75 for prompt-reported loss; bank carries residual unless gross negligence proven. APP fraud reimbursement subject to BOI-encouraged voluntary codes; no statutory mandate equivalent to the UK PSR rules.

Source · Bank of Israel

Security standards

  • PCI DSS 4.0 mandated by BOI Banking Supervision
  • 3D Secure 2.0 mandatory on CNP
  • Confirmation of Payee (IBAN+name) live on MASAV
  • ISO 27001 standard for licensed PSPs
  • BOI cybersecurity directive 361 — operational resilience framework