Project XBY

North America · GDP rank #1

United States

US · USD @ 1.0000/USD

The world's largest card market remains stubbornly fragmented on rails: FedNow, RTP, Zelle and Nacha ACH compete where most peers run a single national instant scheme. Interchange revenue underwrites a rewards arms race that is now at structural risk from the 2024 CFPB §1033 open-banking rule and the GENIUS Act stablecoin framework, which entered OCC and Treasury rule-making during early 2026.

Tab 06

Fraud & security

Headline fraud totals and typology splits, the rollout of EMV chip, tokenisation, 3DS and biometrics, and the controlling data-protection and payments statutes.

Annual fraud losses

US$13.1B +10% vs 2022

USD · 2023

Loss rate

7.3bp

basis points on transaction value · 2023

CNP share of fraud

76%

% · 2023

Fraud typology

Where losses come from

Card-not-present dominates every developed-market fraud profile — counterfeit and lost/stolen have both been mechanically suppressed by EMV and tokenisation over the last decade.

Share of card fraud

  • Card-not-present (online)76%
  • Counterfeit/skimming3%
  • Lost/stolen8%

Authentication

What's deployed on cards today

EMV is the floor; tokenisation removes PAN from merchant systems; 3DS covers the CNP flow; biometric auth drives device-level wallet transactions. Adoption gaps between markets are the clearest signal of fraud-regime maturity.

EMV chip penetration

99%

% · 2024

Tokenised transactions

38%

% · 2025

3DS coverage · CNP

~28%

% · 2024

US 3DS adoption remains well below EU (mandatory under PSD2).

Biometric mobile wallet txns

98%

% · 2024

Consumer protection

Framework
Regulation E (EFTA) / Regulation Z (TILA)
Max consumer liability
US$50 on credit; up to unlimited on debit (timing-based)
Liability rules
Credit cards: US$50 cap on unauthorised transactions (Reg Z), de-facto zero by issuer policy. Debit cards: timing-dependent — US$50 if reported within 2 business days, US$500 within 60 days, unlimited thereafter (Reg E). Scams (authorised push payments) largely uncovered until 2024 state attorney general actions against Zelle banks pushed voluntary reimbursement frameworks.

Source · CFPB

Security standards

  • PCI DSS 4.0 (mandatory March 2025)
  • NIST Cybersecurity Framework 2.0 (adopted 2024 for financial sector)
  • FFIEC IT Examination Handbook
  • State data-breach notification patchwork (50+ jurisdictions)