Project XBY

Asia-Pacific · GDP rank #11

South Korea

KR · KRW @ 0.0006580/USD

South Korea has the most card-intense consumer economy in the G20: credit-card spending alone runs at roughly 90% of nominal GDP, supported by a three-decade policy stack of tax credits for card use, mandatory acceptance and subsidised merchant pricing. Super-app wallets (KakaoPay, Naver Pay, Toss) sit on top of cards as their settlement backbone rather than displacing them. Project Han-gang's Phase 2 went live in March 2026 with nine banks testing won-pegged deposit tokens, while the new BOK governor has publicly prioritised CBDC and bank tokens over stablecoins.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

₩135B +8% vs 2023

KRW · 2024

Loss rate

1.0bp

basis points on transaction value · 2024

Among the lowest G20 rates on-card; heavy 3DS enforcement and scheme-level controls.

CNP share of fraud

82%

% · 2024

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

  • Card-not-present (ecommerce)82%
  • Voice phishing (보이스피싱)11%
  • Lost/stolen5%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

100%

% · 2024

Tokenised transactions

42%

% · 2024

3DS coverage · CNP

78%

% · 2024

Biometric mobile wallet txns

95%

% · 2024

Consumer protection

Framework
Electronic Financial Transactions Act (EFTA) — FSC-administered
Max consumer liability
₩0 for unauthorised transactions where customer has not been negligent
Liability rules
Issuer bears loss for unauthorised transactions where customer has not caused the loss by intentional or gross negligence. For voice-phishing-driven authorised transfers, FSS operates a dedicated dispute-resolution track; reimbursement depends on bank's KYC adequacy and communications record.

Source · FSC

Security standards

  • PCI DSS 4.0 (mandatory March 2025)
  • Electronic Financial Supervisory Regulation (EFSR) — FSS mandatory for PSPs
  • Personal Information Protection Act (revised 2023)
  • K-ISMS-P (Korean ISMS-Privacy) — certification mandatory for major fintechs