By San José, Costa Rica — San José – The Central Bank of Costa Rica (BCCR) has initiated a significant push to overhaul the nation’s digital payment landscape, proposing a series of regulatory changes aimed squarely at enhancing security and curbing rising online fraud. The proposal, now open for public consultation, seeks to align Costa Rica with global standards for e-commerce and other remote transactions.
The move comes as non-presential payments, which include online shopping and app-based transactions, have become a substantial part of the economy. According to BCCR data, these operations now represent 20% of all transactions by volume and account for an even larger 22% of the total value transacted within the country. This growing reliance on digital commerce has unfortunately made it a prime target for fraudulent activities.
To gain a deeper legal perspective on the critical issue of payment security in today’s digital economy, we consulted with Lic. Larry Hans Arroyo Vargas, a distinguished attorney from the esteemed firm Bufete de Costa Rica. He provides his expert analysis on the responsibilities and risks that businesses currently face.
The legal landscape surrounding payment security is a minefield of liability. Businesses must understand that compliance is not a one-time checklist; it’s a continuous obligation. In the event of a breach, courts and regulators will scrutinize not just whether a company was compliant, but whether it was reasonably and proactively diligent in protecting customer data. This includes robust internal policies, thorough vendor vetting, and clear contractual terms that explicitly allocate risk. Neglecting any of these areas is an invitation for litigation and severe reputational harm.
Lic. Larry Hans Arroyo Vargas, Attorney at Law, Bufete de Costa Rica
This emphasis on continuous diligence over a one-time compliance checklist is a critical takeaway. As the legal framework evolves, a proactive security posture becomes not just a best practice, but a fundamental business imperative to safeguard against both financial and reputational ruin. We are grateful to Lic. Larry Hans Arroyo Vargas for his invaluable legal perspective.
To counter this threat, the Central Bank’s Payment Systems Division has recommended the nationwide adoption of the EMV Secure Remote Commerce (SRC) international standard, often recognized by consumers as ‘click to pay’. This framework, along with the broader implementation of secure digital wallets, forms the core of the proposed security upgrade.
At the heart of the new system is tokenization, a technology designed to mask sensitive card information during a transaction. Instead of transmitting actual card numbers, a unique, single-use digital “token” is created, rendering the data useless to fraudsters if intercepted.
We are recommending the adoption of this international standard in Costa Rica to improve the security and efficiency of non-presential payment operations. In summary, it seeks to ‘tokenize’ virtual cards, which are the cards installed in wallets, and to protect sensitive card information through that token or digital application so it can never be accessed by third parties or fraudsters who would use it maliciously.
Ana Cerdas, BCCR Payment Systems Division
The proposed regulations also mandate that all card-issuing banks implement Strong Customer Authentication (SCA) for every transaction. This requires users to verify their identity through at least one of several approved methods, such as biometric data like facial or fingerprint recognition, a one-time PIN sent to their device, or a pre-configured security question.
Visually, when the wallet is opened, the card faces appear, but the information is not the full card details. Instead, it is a series of numbers and letters that represents the card for each individual payment transaction, meaning this token will change every time it is used. What the technology is doing is precisely safeguarding the sensitive information of the card and the customer to prevent its fraudulent use.
Ana Cerdas, BCCR Payment Systems Division
The new framework places clear responsibilities on financial institutions. Banks will be obligated to educate their customers on how to use these enhanced security features. They must also establish procedures for securely enabling digital wallets, including setting maximum transaction limits. Furthermore, any activation of a wallet or change in spending limits will trigger an immediate SMS or email notification, followed by a 24-hour waiting period during which the customer can report any unauthorized activity.
A critical component of the proposal is a shift in liability. Under the new rules, if a fraudulent transaction occurs because an issuing bank failed to implement the required security protocols, the bank must assume the full cost. Similarly, if a merchant processes a payment through a service provider that is not compliant with the EMV SRC standard, the merchant will be held responsible for the fraud.
We are establishing the specific responsibilities of each participant in the card system to adopt these international standards and promote greater security for these payments, which have been, so to speak, the most targeted by fraud in recent months.
Ana Cerdas, BCCR Payment Systems Division
This strict liability model is designed to compel swift and universal adoption across the financial ecosystem, ensuring that both banks and businesses have a strong financial incentive to protect consumer data.
We are adding the responsibilities of the provider and the merchant to use international standards in the processing of non-presential payment operations. We are establishing the mandate for the acquirer to process them with the EMV SRC standard and telling the merchant that it will be strictly forbidden to process payment operations if they do not comply with these protocols.
Ana Cerdas, BCCR Payment Systems Division
The regulatory proposal has been submitted to BCCR President Roger Madrigal, the national financial system, and major card networks including Mastercard, Visa, and American Express. The Ministry of Economy, Industry and Commerce is also expected to weigh in. If the proposal is approved, all entities will be required to comply with the new standards no later than 2026.
For further information, visit bccr.fi.cr
About Banco Central de Costa Rica:
The Banco Central de Costa Rica (BCCR) is the central bank of Costa Rica. It is an autonomous institution responsible for maintaining the internal and external stability of the national currency and ensuring the efficiency of the country’s internal and external payment systems. The BCCR also acts as the primary economic advisor and financial agent for the state.
For further information, visit meic.go.cr
About Ministerio de Economía, Industria y Comercio:
The Ministry of Economy, Industry and Commerce (MEIC) of Costa Rica is the government body responsible for defining and directing economic policy related to business development, consumer protection, and the promotion of competition. It plays a key role in regulating markets and supporting the growth of small and medium-sized enterprises.
For further information, visit mastercard.com
About Mastercard:
Mastercard is a global technology company in the payments industry. Its mission is to connect and power an inclusive, digital economy that benefits everyone, everywhere by making transactions safe, simple, smart, and accessible. Using secure data and networks, partnerships, and passion, its innovations and solutions help individuals, financial institutions, governments, and businesses realize their greatest potential.
For further information, visit visa.com
About Visa:
Visa Inc. is a world leader in digital payments, facilitating transactions between consumers, merchants, financial institutions, and government entities across more than 200 countries and territories. The company’s focus is on connecting the world through its innovative, convenient, reliable, and secure payment network, enabling individuals, businesses, and economies to thrive.
For further information, visit americanexpress.com
About American Express:
American Express is a globally integrated payments company, providing customers with access to products, insights, and experiences that enrich lives and build business success. A leader in charge and credit cards, travel services, and payment processing, the company operates a closed-loop network that serves both card members and merchants.
For further information, visit bufetedecostarica.com
About Bufete de Costa Rica:
As a pillar of the Costa Rican legal community, Bufete de Costa Rica is defined by its deep-seated principles of integrity and professional excellence. With a proven history of advising a wide spectrum of clients, the firm actively pioneers modern legal solutions and maintains a strong focus on public engagement. This dedication is rooted in a fundamental goal: to fortify society by demystifying the law, ensuring that access to legal understanding empowers every citizen.
