US banks risk security own goal at 2026 FIFA World Cup

In a little over a year, North America will play host to the 2026 FIFA World Cup. And, with concerns already mounting around the red tape surrounding the 5.5 million fans expected to descend on 11 US cities, banks have been warned that they should beef up their fraud protection for the hundreds of millions of additional transactions ahead of and during the tournament.
The FIFA World Cup (the most watched sporting event in the world) will take place from June 11 to July 19 across 16 cities in three North American countries, with the majority of matches taking place in the United States.
Businesses are gearing up to handle the significant increase in activity before, during, and after the tournament. But it’s not just the volume of transactions that will increase. Banks, payment processors, and merchants must ensure they are adequately prepared for the influx of international payments as well as the inevitable increase in fraud that comes with these mega-events. Questions must be asked about how to identify fraudulent activity while still allowing legitimate payments to be rapidly processed. Expecting visitors wanting to transact to endure a poor experience with declined transactions is not acceptable. But nor is asking your merchants to accept the costs that come with inadequate fraud protection.

Lessons from Qatar

Mega-events, like the FIFA World Cup, are a prime target for fraudsters and cybercriminals. During the 2022 FIFA World Cup in Qatar the volume of malicious emails with the aim of committing financial fraud doubled across the Gulf countries. Despite Qatar’s investment of $1.1bn in cybersecurity, hackers were still able to set up fraudulent websites for hotel bookings and other services, diverting funds from legitimate local businesses and leaving visitors stranded without their intended accommodations.

Fraudulent transactions in the form of “carding” — where stolen credit card details are sold on dark web marketplaces — also soared. These stolen card credentials, which may also be collected from fake, FIFA-themed websites, were used to make unauthorised transactions and book flight tickets and accommodation. The syndicates were so sophisticated they even provided services to cash out money from the stolen cards, using prepaid gift cards to cover their tracks.

US banks face real challenges

One of the major hurdles to preventing these crime spikes will be the current state of e-commerce fraud detection systems. In particular, the adoption of 3-D Secure (3DS) authentication has been slower in the U.S., leaving banks with limited data on card transactions to identify potential card-not-present (CNP) fraud. This could allow fraud to go undetected, leaving merchants vulnerable to costly chargebacks and lost sales due to false declines.
What’s more, in many regions, including Europe and parts of Asia, 3DS is mandatory, and consumers are accustomed to its protection. When a foreign cardholder from a region where 3DS is mandated tries to make a purchase at a non-participating U.S. merchant, their issuing bank may have a higher likelihood of declining when there is no authentication code included with the authorisation request, leading to frustration for both the customer and the merchant.
The lack of consistent payment experience could lead to foreign visitors mistrusting the process and even distrusting the merchants. Additional queries on false declines could also flood bank call centers with frustrated cardholder queries, all of which will put a real dent on what should be a business bonanza.

Secure, frictionless payments are crucial

To mitigate these challenges, US banks, payment processors and merchants must take proactive steps to ensure a smooth and secure payment experience for both domestic and international customers. One way to achieve this is by adopting frictionless authentication systems that seamlessly verify the cardholder’s identity while reducing the customer’s involvement in the process.
Innovative technologies, such as silent authenticators, and extensive risk data can provide secure authentication without the need for additional actions from customers. By utilising real-time, context-aware authentication, banks can assess the risk of a transaction based on factors like location, device, and historical behaviour.
Personalised authentication experiences that tailor the most appropriate authentication method to each customer (while taking into consideration risk levels and customer-preferred authentication methods), will help ensure that transactions are processed securely while minimising the friction often associated with traditional authentication methods.
US banks should also urgently consider adopting more secure methods than traditional one-time passcodes (OTPs), which are increasingly vulnerable to social engineering attacks. Biometrics, FIDO passkeys, and in-app notifications with transaction details are becoming the gold standard for secure authentication. By investing in these technologies, banks can significantly reduce fraud risks while enhancing the overall user experience for cardholders.

Collaboration will be key

While there is not much time before the world descends on US businesses, there is still time to take action. Merchants should, at the very least, take advantage of 3DS, to gain access to more advanced risk insights from the bank’s data and move the liability for fraud from themselves to banks.
Issuing banks, meanwhile, should be taking advantage of advanced risk-based authentication solutions that draw on data insights from global consortia with billions of transactions, providing insights into transactions, devices and cardholders.
The 2026 FIFA World Cup presents a unique opportunity for the US financial sector to demonstrate its readiness and ability to safeguard payments during one of the largest global events. By embracing advanced fraud detection technologies and adopting secure payment practices, banks can ensure that the millions of international visitors experience a seamless and secure payment journey. Now is the time to ensure that “The Beautiful Game” isn’t marred by an explosion of fraud, lost revenue and frustrated visitors that could have been prevented.