CMSPI - State of the Industry Report - 2025

State of the Industry Report September 2025 The Playbook for Smarter Payments

STATE OF THE INDUSTRY REPORT

Contents Chief Economists Note

7 8

State of the Industry Report 2024 Recap

Section 1: A Primer In Payments Section 2: Payments Supply Chain Section 3: Understanding Ecommerce

8 8 9 9 9

Section 4: Payment Methods Around The Globe

Section 5: Payments and Regulation

State of the Industry Report 2025 Executive Summary Section 1: Characteristics of a Successful Payment Method

11 13

Characteristics Of A Successful Payment Method

14 14 16

Introduction

1.1 Micro Factors

Security

16 18

Special Feature: Fraud and Approvals

User Experience

Cost

1.2 Macro Factors

35 35

Acceptance Governance

Section 2: Payment Method Profiles

41 43

2.1 Cash

Introduction and Brief History

45 46 48 50 50 52 54

Characteristics

Supply Chain Structure

Merchant Cost Considerations

Cost of Cash by Country

Regulation

Case Studies

STATE OF THE INDUSTRY REPORT

2.2 Card

Credit Card Debit Card

63 65 67 69 72 72 82 86

Introduction and Brief History

Characteristics

Supply Chain Structure

Merchant Cost Considerations

Analysis

Regulation

Case Studies

2.3 Digital Wallets

Digital Wallet (Pass-Through)

94 95 96 98 100 100 101 101 102 109

Digital Wallet (Staged/ Stored-Value)

Introduction and Brief History

Characteristics

Supply Chain Structure

Merchant Cost Considerations

Analysis

Regulation

Case Studies

2.4 Pay By Bank Bank Transfer

111 112 113 115 117 118 118 118 119 122 124 127

Real Time Payments

Introduction and Brief History

Charactaristics

Supply Chain Structure

Merchant Cost Considerations Cost Of Bank Transfer Analysis

Regulation

Case Studies Charactaristics

Supply Chain Structure

Merchant Cost Considerations

STATE OF THE INDUSTRY REPORT

Cost Of Real-Time Payments Analysis

127 128 128 130 132 134 135 138 138 139 140 141 143 145 150

Regulation

Case Studies

2.5 Buy Now, Pay Later

Introduction and Brief History

Characteristics

Analysis

Supply Chain Structure

Merchant Cost Considerations

Regulation

Case Studies

2.6 Stablecoin

Introduction and Brief History

Charactaristics

Analysis

Supply Chain Structure

151 151

Merchant Cost Considerations

Regulation

153 154 156

What About Central Bank Digital Currencies?

Case Studies

Section 3: Payment Method Scorecard

157

3.1 Cash Scorecard Justifications

161 161 162 163 164 165 166 166 166 167 168 169 170

Security

User Experience

Cost

Acceptance Governance

3.2 Card Scorecard Justifications

Credit Card

Security

User Experience

Cost

Acceptance Governance

STATE OF THE INDUSTRY REPORT

Debit Card

171

Security

171

User Experience

172 173 174 175 176 176 176 177 178 179 180 181

Cost

Acceptance Governance

3.3 Digital Wallet Scorecard Justifications

Digital Wallet (Pass-Through)

Security

User Experience

Cost

Acceptance Governance

Digital Wallet (Staged/Stored-Value)

Security

181

User Experience

182 183 184 185 186 186 186 187 188 189 190 191

Cost

Acceptance Governance

3.4 Pay by Bank Scorecard Justifications

Bank Transfer

Security

User Experience

Cost

Acceptance Governance

Real-Time Payments

Security

191

User Experience

192 193 194 195

Cost

Acceptance Governance

STATE OF THE INDUSTRY REPORT

3.5 Buy Now, Pay Later Scorecard Justifications

196 196 197 198 199 200 201 201 202 203 204 205 206 207

Security

User Experience

Cost

Acceptance Governance

3.6 Stablecoin Scorecard Justifications

Security

User Experience

Cost

Acceptance Governance

Conclusion

Endnotes

STATE OF THE INDUSTRY REPORT

Chief Economist Note Dear Reader,

I’m incredibly pleased and proud to present to you the second edition of CMSPI’s State of the Industry Report (SOIR), which, like last year, was produced in collaboration with our Insights Advisory Council (IAC). For those of you who aren’t familiar with us, CMSPI are the go-to payments advisors to the world’s largest merchants. The goal of the SOIR is the same this year as it was last year: to provide the merchant and consumer perspective on the payments industry, and we feel that makes us truly unique. Those of you who engaged with last year’s inaugural SOIR will notice that this year’s edition looks very different, with limited cross-over of content. We decided last year to focus on the status quo of the payments industry, which we felt was appropriate for a first edition. As a result, the report centered largely on the card industry, which is the most commonly used tender type in many parts of the world. By contrast, in this year’s report we turn our attention to innovation and the future of the payments industry, with the aim of characterizing the perfect payment method. In doing so we look at nine payment methods, ranging from more traditional payment methods such as cash and debit and credit cards, to newer payment methods such as stablecoin. We premiere a new framework for comparing payment methods, looking at how each payment method performs in terms of security, cost, user experience, acceptance and governance. I’d like to thank everyone involved in writing this report – in particular our wonderful IAC members and Emily Lincoln, who has done a fabulous job project managing a highly complex report from start to finish. I’d also like to extend a big thank you to Kathy Hanna, Perry Starr, and Lorin Young, formerly of Kroger, Target and Columbia, respectively, for their brilliant contributions to the IAC. Kathy, Perry and Lorin are true industry experts who have played a massive role in championing the merchant cause in the IAC and other forums for many decades, and it’s been my pleasure to work with them. We’re always looking for opportunities to talk to about the IAC and the SOIR, so if you have any questions about anything covered in the report, please don’t hesitate to reach out to us! Kind regards, Callum

STATE OF THE INDUSTRY REPORT

State of the Industry Report Recap 2024 In 2024 CMSPI’s Insights Team, alongside the Insights Advisory Council, released its inaugural State of the Industry Report. Each year the report will be updated and continue to evolve with the payments industry. From those aspiring to be payments experts to those who have years of experience, the State of the Industry Report provides actionable insights into global payment trends. Setting the stage for future editions of the Report, the inaugural edition includes five main sections:

• “A Primer in Payments,” covering fundamentals of the payments industry; • “Payments Supply Chain,” providing analysis of key players and their economics;

• “Understanding Ecommerce,” outlining the complex and unique challenges facing ecommerce retailers; • “Payment Methods Around the Globe,” profiling several of the world’s markets and their leading payment methods; and • “Payments and Regulations,” summarizing the most impactful payments regulations in key payments markets. Here follows a summary of the key findings of the first edition of the State of the Industry Report: Section 1: A Primer In Payments Payment Costs In The United States The weighted average cost of payments acceptance is increasing for U.S. merchants. CMSPI estimates that the averagecost of payments in 2022 in the U.S. has risen from 1.36% in 2009 to 1.70%. The two primary factors contributing to the increasing cost of payments include rising card fees and the changing payment mix. Merchants choose to continue accepting card payments given their ubiquitous usage amongst consumers regardless of rising costs. And while other payment methods are available, many also are proving costly for merchants. Section 2: Payments Supply Chain The key parties in the card payments ecosystem include issuers, payment networks, and acquirers. The payments industry can be highly profitable, partially the result of the competitive landscape. • The card issuing industry saw 35%+ operating margins consistently between 2019 and 2023. 1

• The average operating margin for the two largest card networks in 2023 was 60%. 2 • A general retailer in the U.S. receives an average net profit margin of 3.09%. 3

STATE OF THE INDUSTRY REPORT

Section 3: Understanding Ecommerce Ecommerce volumes have grown significantly in many countries in recent years. The expansion from in-store to online provides merchants with opportunities to engage with their customers in new ways. Online transactions also present merchants with challenges given their vastly different costs, fraud risks and approval rates relative to an in-store transaction. In an attempt to differentiate between the two, the card payments industry has created a distinction, which has created both clarity and confusion on the subject; transactions can typically be classified as either card-present (CP) or card-not-present (CNP). As of 2024, these designations continue to be determined by the global card network branded on the card. Control of these designations enables global card networks to develop rules and incentives that perpetuate cards as a dominant consumer payment method and encourage adoption of preferred network technologies, such as near field communication (NFC) digital wallets and network tokenization. • In the U.S., CMSPI has identified the average interchange and network fee cost difference between CP and CNP transactions was 21bps for credit cards and 58bps for debit cards in 2023. • Interchange and network fees paid by U.S. merchants increased an estimated $2.4 billion due to increased ecommerce spending between 2019 and 2023. 4 Section 4: Payment Methods Around The Globe The payments mix varies significantly by country and is ever-changing. Here are a few global observations from last year: • Cash is still relevant but steadily waning. • Cards continue to be dominant in many countries. • Digital Payment Methods, including Pay by Bank options, are growing rapidly where successful interventions are taking place. An updated Global Payment Mix as well as Payment Method Profiles can be found in Section 2 of this version of the Report. Section 5: Payments And Regulations The payments industry has caught the attention of policymakers and antitrust authorities since the 1970s with the introduction of the interchange fee. The intervention of governments and courts in payments has been seen globally and in various ways. Government interventions include interchange fee caps, co-badging, and surcharging. • Interchange caps are a price ceiling set by the government or voluntarily agreed to by the card network for the per transaction interchange revenues issuing banks receive. • Co-badging denotes a single payment card enabled with two or more unaffiliated payment networks, enabling transactions across multiple networks. • Surcharging is a merchant’s act of adding a charge to a transaction based on the customer’s selected payment method (such as card and other payment methods), card type, or card network.

STATE OF THE INDUSTRY REPORT

Regulatory Interventions as of July 2025

United States

European Union

Country

Australia Japan

Interchange Caps

Network Routing Requirements

Partial

Types of Intervention

Surcharging Allowed

Partial

Government Grants for Payments -Related Costs

Requirements to Publish Fee Schedules

Decreases to Some Merchant Fees

Impact

Evidence of Increased Market Share of Domestic Payment Networks Increases to Non-Regulated Fees (e.g., Network Fees, Commercial Card Interchange, Credit Interchange)

Routing Limitations by Entry Method

Limited Availability of Network Routing for Certain Channels Where the Domestic Network Could Support the Channel

Benefit Erosion Factors Observed Since Regulation

Issuance of Single-Network Cards

Partial

Partial, depending on country

Introduction of Consumer Routing Choice

Limitations to Routing When Network Tokens are Used

Limited Processor Routing Capabilities

Loss of a Domestic Network (including Consolidation)

Partial

STATE OF THE INDUSTRY REPORT

State Of The Industry Report 2025 Executive Summary The payments landscape is full of exciting innovation and yet paradoxically, the way people pay for goods and services in some of the wealthiest parts of the world differs little from how they paid 20 years ago. In this year’s State of the Industry Report, we investigate the global payments landscape in 2025 in search of the perfect payment method. We believe this analysis will provide an analytical framework to bring industry stakeholders together so we can shape innovation around end user needs. In Section 1, we analyze five different characteristics of what we think makes a perfect payment method. Three of these are what we refer to as micro (business-level) characteristics – security, cost and user experience – and two are what we refer to as macro (market-level) characteristics – acceptance and governance. In Section 2, we profile six different payment methods: Cash, Cards (debit and credit), Digital Wallets (pass-through and staged/stored-value), Pay by Bank (bank transfer and real-time payments), Buy Now, Pay Later (BNPL), and Stablecoin; although, there is a lot of overlap between some of these payment methods. In Section 3, we bring it all together in our payment method scorecard, using our analysis in Section 2 to assign scores and provide weightings. Debit Cards Still Lead the Way in 2025 Our analysis shows that debit cards are the leading global payments method in 2025, with a score of 18.3. Debit cards score well on security, user experience and acceptance. Although debit doesn’t score as well on cost and governance, regulations in many parts of the world capping debit card fees and mandating debit card co-badging and merchant choice routing have managed to protect end users. Credit cards do not score nearly as well as debit cards on our framework, mostly because of a lack of fee caps, co- badging and merchant routing choice on credit cards. Real-time payments are the most prominent examples of Pay by Bank and they score well here, with UPI in India and Pix in Brazil two stunning examples of quick success. The major question here is whether other countries can experience similar growth - the RTP infrastructure is there in many countries, but consumer- to-business (C2B) penetration outside of Brazil and India is limited. Digital wallets made big headlines towards the end of the 2010’s with the rapid growth of WeChat and Alipay in China. Both businesses had large, loyal customer bases from their core business and were able to successfully layer payments on top, while merchants were attracted by relatively low acceptance fees. While we haven’t seen this level of success for digital wallets outside of China, there are several attractive characteristics that are reflected in our scorecard here. Cash feels like the odd-one-out in a world increasingly full of digital payments, but we would not rule it out yet. Cash scores surprisingly well on cost and although it can’t match card in terms of user experience and security infrastructure, we’ve seen the decline of cash volumes tail off and in an uncertain geopolitical world it could retain its appeal for a while yet.

STATE OF THE INDUSTRY REPORT

Our second lowest score is for BNPL - mainly because of high merchant fees necessitated by a large cost base. The BNPL industry is in need of scaling, and increased regulation may provide a headwind to growth, but a loyal, young consumer base potentially positions it well for the future. The lowest score is for stablecoin, which is nascent in the consumer-to-business space. Stablecoin’s score reflects the fact that critical infrastructure has not yet been established to accommodate the plethora of C2B use cases, but strong tailwinds exist in the form of high levels of regulatory support, a strong business case for stablecoin for merchant business-to-business (B2B) transactions, merchant appetite to reduce payment fees and strong consumer support in several countries. Watch this space. The Future of the State of the Industry Report In future editions of the State of the Industry Report, we will see how each payment method develops. As the chasing pack develops functionality in areas such as recurring payments and dispute resolution mechanisms, we fully expect to see some changes in the scores and the rankings. Based on the outcomes of our analysis discussed above, the payment methods with the most momentum appear to be real-time payments and stablecoin, but both have a long way to go if they aim to knock debit cards off their perch as the top global consumer-to-business (C2B) payment method.

SECTION 1

Characteristics of a Successful Payment Method

CMSPI STATE OF THE INDUSTRY REPORT

CHARACTERISTICS OF A SUCCESSFUL

Introduction The perfect payment system does not exist, and probably never will. The analysis in our State of the Industry Report clearly suggests that current systems leave a lot of space for improvement. In this section, we’ll look at what this hypothetical perfect payment system might look like by identifying its core characteristics. We have categorized these in terms of micro (business-level) characteristics and macro (market-level) characteristics. Our micro characteristics are security , user experience and cost . It’s vitally important that a payment system is secure and accessible, but this should not come at the expense of user experience. Additionally, a secure and user-friendly payment system is not optimal if the underlying economics are overly costly and don’t pass on system efficiencies to end users in the form of either lower prices or improved user experiences. Our macro characteristics are acceptance and governance . These macro-level characteristics are important because a secure, user friendly and cost-effective payment system does not achieve optimality if nobody uses it, and a payment method with lopsided governance is unlikely to remain secure, user friendly and cost effective in the longer term. There is a question of causality between our micro and macro factors: for example, a payment method is more likely to be ubiquitously accepted if it performs well in terms of security, user experience, and cost so it could be considered a “result” rather than a characteristic of a good payment method. Additionally, a payment method is unlikely to exhibit all of these micro characteristics if it has a lopsided governance structure.

PAYMENT METHOD

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

SECURITY

USER EXPERIENCE

GOVERNANCE

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD

ACCEPTANCE

COST

MACRO CHARACTERISTICS

MICRO CHARACTERISTICS

A deeper understanding of these five characteristics - security, user experience, cost, acceptance, and governance - will create the framework for the other remaining two sections of this report. Section 2 will provide in-depth insights into each of the payment methods, while Section 3 will use those insights to assess each payment method in comparison to the characteristics shown above. This analysis will expedite thoughts about tangibles ways industry stakeholders can work together to take today’s payment systems closer to “perfect.”

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

1.1 Micro Characteristics Security It is clear that a payment system needs to be as secure as possible from fraudulent activity to be trusted by users and to drive volume. However, the security of a payment method cannot simply be measured by looking at fraudulent activity. There are several nuances that determine the worthiness of a payment method’s security, including: 1. Approvals Considerations The easiest way to create a payments system completely devoid of fraud is to ensure all transactions are declined and there is no money flowing through the system to steal. This, however, is clearly ludicrous because payments exist to facilitate commerce. There is a trade-off between preventing fraud and maximizing sales and customer experience. Clearly, merchants who have the right tools at their disposal to analyze transaction characteristics can minimize the pain of this trade-off. However, data can be limited and there are still important strategic decisions for merchants to make, both in back-end operations and the front-end customer side. Whether or not to employ EMV 3D Secure – and if so, where in the transaction flow - is an example of this trade-off. To this end, it is just as important to analyze authorization (or approval) rates as it is to analyze fraud patterns. Merchants can work with their industry partners, including fraud management firms, merchant acquirers and issuing banks, to ensure authorization rates are maximized while fraud is minimized. 2. Error Resolution Framework System Any payment method needs to ensure there are error resolution frameworks for merchants, consumers and other industry stakeholders to engage with to investigate the source of fraudulent activity, mediate fraud liability disputes between stakeholders, and set/apply liability rules fairly. These systems can require significant resource to develop and maintain for several stakeholder groups, including merchants, issuing and receiving banks, processors and networks. This may in large part explain why nascent payment methods struggle to manage fraud, and convince participants they have the necessary infrastructure (i.e., there is the chicken-or-egg dilemma whereby participants fund the infrastructure, but the infrastructure is required to attract participants). 3. Liability Rules (i.e., Network Rules) A good payment system needs effective governance, which allocates the liability for fraudulent behavior on the party responsible. In a card environment, this is typically the merchant, issuing bank or the consumer. A merchant will likely be considered responsible if they fail to authenticate a consumer, for example. An issuing bank will likely be considered responsible if they issue payment products lacking security features such as a chip. A consumer will likely be considered responsible if they directly handed payment credentials to a fraudster. In order to efficiently allocate liability, effective fraud liability rules need to be established. Fraud

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

liability rules ought to be established as part of a framework of payment method rules, which should be designed to treat all stakeholders within the payments ecosystem fairly within its governance structure. Additionally, clear incentives are needed for all stakeholders to equally focus on fraud reduction; if one party can easily pass off fraud liability then there is more incentive for them to shift the blame than there is to solve the problem. 4. Push or Pull Environment Considerations Payment card systems are typically “pull” transactions whereby the merchant pulls funds from the cardholder’s bank account using information contained within the payment card to pay for goods and services. This opens the card system up to certain types of fraud, including counterfeit cards, lost or stolen card fraud and card on file/data breaches. However, many payment systems around the world work via “push” transactions, whereby the payer (i.e., the consumer) pushes funds to the payee (i.e., the merchant) by sharing the bank account credentials from which they’ll be originating the funds. Push transactions therefore tend towards fraud considerations, including identity theft and phishing attacks/scams, and can also be Fraud is not static, as both fraudsters and fraud fighters change their patterns and become more sophisticated over time. Therefore, a payment method that handles fraud well today may not do so as effectively tomorrow. This means error resolution framework mechanisms, refund mechanism and liability rules need to be constantly monitored and changed to ensure they remain relevant for a rapidly changing world. 6 6. Brand Risk If a payment method has received negative press for its poor security or is perceived as a money laundering front for example, then acceptance of the payment method could create brand concerns for merchants that tender those payments. Additionally, the issuers and processors of payment methods should be financially stable with good credit ratings, and not be loss making institutions propped up by investors. This kind of volatility can result in payment methods exiting markets or becoming bankrupt at short notice, which can cause merchants issues including customer dissatisfaction and irretrievable lost revenue. Therefore, a perfect payment method will be financially stable, secure from data breaches, provide flexible termination and should not have any negative brand associations. irrevocable (as envisioned in the U.S. RTP® framework). 5 5. The Changing Face of Fraud – i.e., Future Proofing

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

Special Feature: Fraud And Approvals The digitization of payments and commerce has grown exponentially over the last several years. This has increased convenience for consumers and sales for merchants but has also made fraud a more serious consideration for merchants. Section 2 provides profiles of the various payment methods in commerce today; each payment method presents merchants with fraud risks and requires different solutions to consider. In this section we will review the most prevalent fraud affecting merchants today. Given cards’ dominance in the global payments mix – 66% for POS and 64% for ecommerce (including card-backed digital wallets) – card-present (CP) and card- not-present (CNP) card fraud will be a main focus. 7 8 Card-Present (CP) Fraud Card-present (CP) fraud has decreased since the liability shift to the merchants and issuers who do not support EMV. 9 This shift happened for most environments – with some exclusions like Automated Fuel Dispensers (AFDs) – in the U.S. in 2015 and in Europe in 2005. 10 The success of the EMV chip in decreasing card- present counterfeit fraud 11 could be attributed to the difficulty, if not an impossibility, of cloning a physical chip card due to the technology utilized by the EMV itself.. By contrast, reprogramming a magstripe on a non- EMV chip card is significantly easier for a fraudster. 12 While on the decline, fraudulent activity still commonly takes place in CP transactions taking the form of gift card fraud, card testing, and trying to force payments to fallback transactions. Gift Card Fraud Gift cards are undeniably an important revenue source for many merchants. The global gift card market reached $984.3 billion in 2023 with the U.S. representing 28% of the market. 13 In addition to gift card sales themselves, consumers are more likely to spend more during a single shopping experience when redeeming a gift card, averaging around $32 more than the gift card value. 14 Gift cards also build brand awareness, bring in new customers, and provide flexibility for consumers during holiday seasons. While overall gift cards are an added value to merchants, they – like all payment methods – present merchants with fraud risks. Ease of access, assurance of purchase and flexible usage all contribute to gift cards being an attractive opportunity for fraudsters to take advantage. Gift card fraud may entail fraudsters removing gift cards off the shelf, documenting the card information, resealing the gift cards and replacing them on the shelves of the merchants. With the documented information, the fraudster can set up an automation which runs through the gift card details and alerts them when one is activated. Once a consumer activates the card, the fraudster will be able to redeem the funds before the consumer can use/gift the card. Gift card utilization of magstripe instead of chips continues to make them vulnerable to this type of hacking by bad actors. Merchants are actively searching for solutions and attempting to limit the loss they are incurring because of gift card fraud. Regulators in the U.S. are also beginning to pass laws related to gift card fraud; Maryland is the first state to pass a law to enforce tamper-proof packaging for gift cards. State-by-state enforcement could lead to further costs for merchants including wasted gift card inventory and multiple processes for gift card packaging. The packaging of gift cards has proven to be a vulnerability for merchants, but it is important to consider the underlying credentials of the gift card as a concern. A solution one merchant has actioned to increase security for gift cards involves decoupling the access code from the gift card; the access codes are added to the gift card at the register. 15 Another potential solution is to implement EMV chip technology to gift cards, but given it costs around $2 per card to create, this also could lead to further wasted inventory and financial investment in a disposable card. 16

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

Pig butchering scams, which involve a scammer earning a victim’s trust to take advantage of them financially, can be a major manifestation of gift card fraud. Considering many of these schemes involve gift cards purchased in-store, it is arguably a form of in-store gift card fraud. This type of fraud is further discussed in the card-not-present section below.

How many victims are involved in gift card fraud? If a fraudster “brute forces” a gift card balance checker on Merchant A’s website and finds an active gift card, they can then load those physical gift card funds into a digital Merchant A wallet/account ($25) and then sell it to someone for $10. Assuming Merchant A detects or is made aware of the fraudulent activity, they zero out the remaining balance on the stolen card. In this example, the total losses from gift card fraud (closed loop, bought from the merchant) are much larger than the initial cost of the card.

VICTIM ONE The first victim is the person who is the true gift card holder; they don’t have their funds on the physical card anymore and they need to be compensated.

VICTIM TWO The second victim is the person who bought the digital account for $10 expecting to be able to buy $25 worth of goods or services from Merchant A.

VICTIM THREE The third victim is Merchant A who may also be out the goods, and possibly also receive a chargeback from the original gift card holder, plus having to refund one or both consumer victims.

Lost/Stolen Fraud While counterfeit fraud is less common today lost and stolen fraud has continued to increase over the last decade. Looking at the share of transaction value, card-present fraud loss in the form of lost and stolen fraud has increased 3.18 basis points from 2009 to 2021 in the U.S. according to a Federal Reserve Report. 17

U.S. Debit Card Fraud Loss As Share Of Transaction Value 18 YEAR Lost/Stolen Counterfeit

Card-Not- Present

2009

1.45 bps

4.29 bps

1.84 bps

2021

4.63 bps

3.39 bps

8.58 bps

Delta

3.18 bps

- 0.90 bps

6.74 bps

Table 1.1

Once a fraudster has stolen a card, the credentials have the potential to be utilized in both card-present and card-not-present environments. When a physical card is stolen, a fraudster can utilize the fallback transaction option at in-store terminals to commit card-present fraud.

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

Fallback Transactions Fallback transactions occur when there is an issue with the chip at the terminal in a card-present transaction and the user has to fallback to using either the magstripe or manual entry of the card information. This can be considered a fraudster workaround to EMV chip cards, which are very challenging to counterfeit because of their use of encryption technology and unique cryptograms associated with transactions. While not very common, there are ways the fallback option for cardholders leaves room for bad actors. For example, fraudsters can “break” the EMV chip on a fake credit card so the card reader doesn’t accept the chip and hope the merchant accepts magstripe and then will swipe the card with reprogrammed card credentials they bought or stole – this could be categorized as Visa Chargeback Reason Code 10.3 fraud. Fallback transactions can be risky for merchants because they can fly under the radar, but disabling magstripe transactions or preventing consumers from accessing the fallback option can also risk merchants losing legitimate sales, too. There are many non-fraud reasons why a chip may malfunction, including exposure to liquids and other substances. 19 Given this situation happens to innocent users with a damaged chip, the fallback option is not necessarily the issue. If merchants can provide the correct data proving they followed the technical requirements regarding the fallback transactions to the network, they are potentially not held liable. However, there is a fallback threshold which merchants must consider. A U.S. Payments Forum publication on EMV Implementation states, “According to the payment networks, a fallback rate of over 2% at one particular merchant or merchant chain is indicative of a problem. The problem may be procedural or related to incorrectly configured POS terminals.” 20 Additionally, Mastercard has announced its intention to end magnetic stripe on its cards by 2030, which may help reduce fallback transaction fraud. 21 However, this will not prevent manual entry of card details so at this stage its impact on overall fraud is unknown.

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

Card-Not-Present (CNP) Fraud

As discussed in the previous section, truly stolen credit cards (stealing someone’s physical wallet or purse) can still be used in-store to commit card-present fraud. However, card-present fraud is now less about cloning a card and making a purchase with credentials added to a fake card, and more about skimming credentials from card readers to be then used online. According to the Federal Reserve Report, CNP debit card fraud fraud has increased 6.74 basis points from 2009 to 2021. 22 Given the security measures that have been implemented in the CP environment and the inherent risks associated with digital commerce, the path of least resistance for fraudsters has more commonly been found through CNP transactions. CMSPI estimates using Merchant Risk Council (MRC) and Worldpay data suggest more than $200 billion of merchant ecommerce revenue was lost to payments fraud globally in 2024. 23, 24 Ecommerce Revenue Lost to Payments Fraud by Region

$0 $10 $20 $30 $40 $50 $60 $70 $80 $90

Latin America

Europe

North America

Asia-Pacific

Graph 1.1 First-Party Misuse

First-party misuse fraud occurs when a customer claims a legitimate transaction is fraudulent. It is often referred to as “friendly fraud” because customers engage in this activity – either intentionally or unintentionally – without necessarily understanding it is fraudulent. An example of intentional first-party misuse fraud would be a customer regretting a product purchase and contacting the bank directly to initiate a chargeback. An example of unintentional first-party misuse fraud could be a situation where a customer does not recognize a transaction on their statement, even though they made the purchase, and initiating a chargeback. According to the MRC, two emerging reasons for why first-party misuse fraud is increasing is because of “consumers learning how to ‘game the system’” and “due to emergence of ‘fraud-as-a-service.’” 25 Practical examples of these are social media “hacks” and fraudsters selling scripts on how to easily navigate the refund option of a customer service call. Both are evident of a cultural shift of customers believing it is permissible to engage with merchants and banks in this way.

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

This puts merchants in a difficult position, because they are often concerned about making sales and focused on giving the consumers a good experience. That being said, merchants having the right data allows them to better assess if the questionable transaction or chargeback request is legitimate. Without customers’ wider spending habits, merchants are dependent on their internal purchase history, which can vary depending on the type of merchant (i.e., a customer may have more frequent purchases at a grocery store compared to an electronic retailer). However, card networks are bridging the gap and assisting merchants in disputing customers’ uncertain chargeback requests with programs like Visa’s Compelling Evidence and Mastercard’s First-Party Trust. These programs allow merchants to provide historical data to the networks that potentially prove the cardholder did authorize the disputed transaction and allow the transaction to be settled instead of processing the chargeback. 26, 27 Refund/Policy Abuse Refund/policy abuse can present itself in various ways including false claims of goods not received, returns of used or damaged goods, and returns of incorrect items to name a few. 28 In a similar manner to first-party misuse, there has been a cultural shift in the relationship between merchants and consumers. Refunds are expected from merchants, no questions asked for the most part. In a situation where a customer reports never receiving an item or it being damaged, the consequences of merchant (i.e., a customer may have more frequent purchases at a grocery store compared to an electronic retailer). if the customer is telling the truth and the merchant refusing to resend the item or refund the money may outweigh the costs of doing so.

“Merchants have seen it all, from salami being returned in place of the original good and sweating through the box at a warehouse to fraudsters returning the appropriate item but stealing identifiable credentials and applying them to counterfeit goods.”

JUSTIN STASKIEWICZ | DIRECTOR OF CONSULTING, FRAUD SOLUTIONS, CMSPI

Account Takeover As can be gathered from the name, account takeover involves a fraudster stealing card credentials via phishing, social engineering or purchasing them online, and making fraudulent transactions. This can include either bank accounts or customer account takeovers. When it comes to the latter, merchants want to create a seamless experience for their customers, but often this involves login credentials that may be compromised given the propensity to use the same password for various accounts. 29 Merchants may step up authentication during the checkout process if customer account takeover is suspected, but many will seek to limit unnecessary customer friction so this is often reserved for only high-risk transactions. For example, a new shipping address could raise a red flag, and the merchant may prompt a user to re-enter some attributes of the card on file, such as the full PAN, CVV code, and/or the expiry date to ensure the transaction is not fraudulent. The recent increased use of passkeys could be a solution to reduce fraud via account takeovers. According to a survey conducted by FIDO Alliance, most consumers believe passkeys are more secure and convenient than passwords. 30

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

Promotional Abuse Merchants offer promotions with the intention of encouraging consumers to make purchases. The types of promotions are dependent on the type of merchant and can range from receiving a gift card when a certain amount is spent to a discounted menu item for a limited time at your favorite restaurant. While incentives do matter and promotions bring in new and returning customers, fraudsters also flock to the scene. Many streaming services offer deals like one month free for new users, but this can be abused by users creating multiple fake emails to open new accounts and reuse the promotional offer. Merchants sometimes offer promotions where a customer will receive a gift card when a certain dollar amount is spent or item bought; if not executed properly, fraudsters are able to make the purchase, receive the gift card, and return the item while keeping the gift card. In general, merchants need to be aware of the balance between offering enticing promotions with the amount of abuse they are willing to tolerate within the program. Merchants may wish to set measures for acceptable performance: a business should not be scared to run promotions, but they should be mindful of exploitation. Marketplace Fraud Merchants who do not engage in a marketplace environment are concerned only with fraudulent consumer behavior. When a merchant chooses to operate as a marketplace – whether as the main service or an additional branch to increase traffic on their domain – the risk of fraud increases. Fraudsters can now present themselves as either a buyer or a seller. Posing as a seller, a fraudster can convince a buyer to pay using a platform outside of the marketplace, claiming there would be reduced or fewer fees involved, and never send the promised good.

Fraud Education “Fraud educational conferences, institutions and the like have expanded from historically focusing on traditional fraud schemes like accounting or check fraud to now include all of the categories we’ve outlined in this document, and the number of methods seems to only grow with time. Fraud prevention professionals are also very eager to innovate and evaluate new and emerging technologies. With the sophistication of artificial intelligence and machine learning technologies, we see fraud prevention itself evolving at a rapid rate. This means companies and teams that work in fraud prevention also need to be willing to move at a rapid pace to meet the bad actors where they are with the sophistication and technologies that they employ to gain even footing.”

JUSTIN STASKIEWICZ | DIRECTOR OF CONSULTING, FRAUD SOLUTIONS, CMSPI

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

Card Testing Card testing occurrence can vary depending on the type of merchant. By card testing, fraudsters are attempting to make small or even $0 transactions to confirm the stolen credentials are useable. i Often, fraudsters will test stolen cards at merchants with lower average transactions before moving on to larger fraudulent purchases with the cards that are still active. While merchants are not able to catch all card testing activity, it is important for them to look out for red flags like increased failed authorizations or increased purchases with low transaction value. In an ecommerce environment, merchants may also want to work with their payment partners to verify the account credentials when a customer stores a credential-on-file for payment at a later date. There is a reputational risk involved when card testing isn’t monitored properly as well as financial risks like disputes, higher decline rates, and additional fees. 31 i Adding a card to a wallet sometimes checks the credentials and the card won’t be added to the wallet unless the credentials match, meaning card testing can occur without even making a purchase and the victim is never made aware

“Recent changes have upped the card testing stakes for merchants. The Visa Acquirer Monitoring Program (VAMP) that entered into force from June 1st 2025 contains an enumeration ratio of 2,000bps (i.e., 20% of sales). 32 This means that if a merchant has 2,000,000 attempted transactions in a month and over 400,000 of those are assessed to be card testing, they woul be in breach of the enumeration ratio threshold, regardless of fraud or chargeback volumes.”

JUSTIN STASKIEWICZ | DIRECTOR OF CONSULTING, FRAUD SOLUTIONS, CMSPI

Pig Butchering Scams Pig butchering scams, including romance and elderly scams, involve scammers using social media to open communication with someone and convince them to send money. For romance scams, the victim is convinced they are in love, and for elderly scams, the victim is usually convinced they must send the money or else they, or someone close to them, will be in trouble. While not direct fraud to merchants, fraudsters are using merchants’ gift cards as a mechanism to receive funds easily from their victims. In 2022 $1.3 billion was reported in losses to romance scams in the U.S. according to the Federal Trade Commission. 33 Gift cards were the most frequently reported way of transferring money – 24% of total reported scams, – while the costliest losses reported were completed using cryptocurrency and wire transfers – 34% and 27% of reported losses respectively. 34 Some organizations, like the United States Secret Service, have made efforts to try and protect their citizens from this type of fraudulent activity. 35 Merchants often utilize awareness and educational resources from these organizations to try to prevent these types of scams. These resources advise, for example, government authorities will never ask for a gift card payment, or to verify the identity of the person requesting they send them funds via gift card.

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

Approvals Alongside the increased fraud risk in card-not-present environments, ecommerce transactions face another challenge: high false decline rates. Lower conversion rates and decreased revenue are both consequences of declined authorizations when left unresolved. 36 Merchants can monitor their approval rate to gain insight into how effective they are processing transactions. 37 The approval rate can be calculated by dividing the number of approved transactions by the total number of attempted transactions. ii In this section, we will review what types of transactions merchants are accepting and assess the inherent challenges online merchants face when balancing between approval rates and fraud. First, there are two ways a merchant can charge a customer – a merchant-initiated transaction (MIT) or a customer-initiated transaction (CIT). MITs include most subscription services where a merchant can initiate the transaction based on previous customer consent. CITs include most other transactions where the customer initiates the transaction and provides payment details to complete the transaction including entering new payment method details or selecting to make a purchase through a credential- on-file. 38 Next, let’s consider why CNP environments are more susceptible to higher decline rates. The separation of a buyer from a merchant’s physical location has a couple of implications here.

ii Calculating approval rates can become complicated when accounting for retry strategies and dropped authorizations, for example

“CMSPI generally sees better approval rate performance for CIT stored credentials versus manual key entry, which makes sense because the credentials have worked before, so barring an incident between then and now, they will work again. For MIT, we see some more variation. Some merchants can have really aggressive retry strategies, which would make the gross approval rate for these stored credentials appear lower (even if the strategy itself is ultimately helping revenue). Other merchants have well developed life cycle management and other mechanisms for customer engagement that result in strong MIT auth rates.”

CJ BROWN | DIRECTOR OF CONSULTING, ECOMMERCE & DIGITAL SOLUTIONS, CMSPI

CHARACTERISTICS OF A SUCCESSFUL PAYMENT METHOD: SECURITY

Increased Fraud Risk -> Increased Security As discussed in the previous section, ecommerce has become more susceptible to fraud given the ability for a fraudster to hide behind a computer instead of the pressure of defrauding a merchant in person. This has increased the need for merchants to be more cautious when accepting transactions online and to ensure security checks are in place to prevent fraud when possible. Increased Accessibility -> Increased Leniency However, creating too many hoops to jump through can prevent legitimate transactions from being approved or result in an inconvenient customer experience. Consumer demand is more elastic online. The possibility of losing an in-store transaction because of an inconvenient checkout experience is relatively low considering the time it would take a consumer to find and travel to a similar store with a similar product in stock. Ecommerce merchants have the opportunity to reach consumers far and wide, which also means the alternatives are endless and easy to access, making the potential for customer cart abandonment a key consideration for merchants. Online merchants are clearly at a crossroads when it comes to approving transactions. Optimizing acceptance becomes the goal and the path isn’t necessarily clear, but rather a balancing act between reducing both fraud and false declines. Merchants may take various routes to find the one that works for them; however, online-only merchants seem to be more focused on revenue compared to merchants operating both online and in-store who may prioritize cost reduction. Online-only merchants have the additional challenge of ensuring legitimate customers are able to easily checkout when there isn’t someone readily available to help them with their paying experience if an error occurs.

“Fraud follows the path of least resistance, which today is online. I also think phenomena like friendly fraud are harder for consumers to rationalize in an in-store environment, where you are purchasing from an individual (represented by the cashier) versus an online platform.”

CJ BROWN | DIRECTOR OF CONSULTING, ECOMMERCE & DIGITAL SOLUTIONS, CMSPI

Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12 Page 13 Page 14 Page 15 Page 16 Page 17 Page 18 Page 19 Page 20 Page 21 Page 22 Page 23 Page 24 Page 25 Page 26 Page 27 Page 28 Page 29 Page 30 Page 31 Page 32 Page 33 Page 34 Page 35 Page 36 Page 37 Page 38 Page 39 Page 40 Page 41 Page 42 Page 43 Page 44 Page 45 Page 46 Page 47 Page 48 Page 49 Page 50 Page 51 Page 52 Page 53 Page 54 Page 55 Page 56 Page 57 Page 58 Page 59 Page 60 Page 61 Page 62 Page 63 Page 64 Page 65 Page 66 Page 67 Page 68 Page 69 Page 70 Page 71 Page 72 Page 73 Page 74 Page 75 Page 76 Page 77 Page 78 Page 79 Page 80 Page 81 Page 82 Page 83 Page 84 Page 85 Page 86 Page 87 Page 88 Page 89 Page 90 Page 91 Page 92 Page 93 Page 94 Page 95 Page 96 Page 97 Page 98 Page 99 Page 100 Page 101 Page 102 Page 103 Page 104 Page 105 Page 106 Page 107 Page 108 Page 109 Page 110 Page 111 Page 112 Page 113 Page 114 Page 115 Page 116 Page 117 Page 118 Page 119 Page 120 Page 121 Page 122 Page 123 Page 124 Page 125 Page 126 Page 127 Page 128 Page 129 Page 130 Page 131 Page 132 Page 133 Page 134 Page 135 Page 136 Page 137 Page 138 Page 139 Page 140 Page 141 Page 142 Page 143 Page 144 Page 145 Page 146 Page 147 Page 148 Page 149 Page 150 Page 151 Page 152 Page 153 Page 154 Page 155 Page 156 Page 157 Page 158 Page 159 Page 160 Page 161 Page 162 Page 163 Page 164 Page 165 Page 166 Page 167 Page 168 Page 169 Page 170 Page 171 Page 172 Page 173 Page 174 Page 175 Page 176 Page 177 Page 178 Page 179 Page 180 Page 181 Page 182 Page 183 Page 184 Page 185 Page 186 Page 187 Page 188 Page 189 Page 190 Page 191 Page 192 Page 193 Page 194 Page 195 Page 196 Page 197 Page 198 Page 199 Page 200