On 1 July, a significant new framework to curb online card fraud by the Australian Payments Network (AusPayNet) came into effect.
The Australian Payments Network Card-Not-Present Fraud Mitigation Framework introduces mandatory quarterly reporting of breaches of fraud thresholds, and outlines the thresholds that banks and merchants are required to stay below.
The framework is designed in response to the proliferation of Card-Not-Present (CNP) fraud, an activity that now represents 85 per cent of all fraud on Australia-issued cards, costing retailers nearly $500 million every year.
The new counter-fraud initiative has been years in the making. It’s the first time Australia has taken a regulated stance against payments fraud, following in the footsteps of similar but stricter legislation rolled out across Europe.
Adyen has broken down three key aspects of the AusPayNet CNP Fraud Mitigation Framework to help retailers understand the role they play in this new era of fraud management.
AusPayNet is tackling CNP fraud with new industry regulation
A CNP transaction is one where a shopper isn’t physically present, which means all online transactions fall under this definition. As ecommerce continues to grow, it is increasingly difficult for merchants to verify whether payments are authorised by cardholders, which is why CNP has become the main source of card fraud.
With CNP fraud in Australia growing at approximately 15 per cent a year, AusPayNet initiated an industry-wide consultation designed to improve fraud detection, while ensuring that online transactions continue to grow. The Framework defines the minimum requirements for an issuer or merchant to authenticate CNP transactions online, establishing authentication as best practice to reduce fraud in online CNP channels. The legislation calls for mandatory quarterly reporting and the use of 3D Secure 2.0 or equivalent program authentication software.
Strong customer authentication will be mandatory above certain thresholds
As a retailer affected by this framework, you’re likely wondering what this means for your business. Strong Customer Authentication (SCA), also known as two-factor or multi-factor authentication, will be mandatory for merchants operating above thresholds of $50,000 in fraud losses, and a fraud-to-sales ratio of 0.2 per cent in reported fraud for two consecutive quarters.
While SCA methods are still new to many Australian retailers, merchants operating above the recommended industry fraud rate will be directed towards implementing risk-based analysis and SCA for all online CNP transactions on Australian issued and acquired cards.
If merchant thresholds are breached for two consecutive quarters, the acquirer will require the merchant to perform SCA on all transactions until their fraud rate falls. This also means that transactions deemed riskier will require two-factor authentication and/or biometrics to get the green light at checkout. This caveat should be welcomed by retailers looking to enable more secure payments and higher card authorisation rates.
An SCA solution like 3DS 2.0 shares data between banks and merchants silently in the background and is designed around the habits of the modern Australian consumer. It is not just an answer to CNP fraud, but a bridge to better experiences and higher sales conversions.
There will be penalties but we don’t know how severe yet
Now that the framework itself is clearer, it’s likely you’re wondering what the consequences will be if your fraud rate persists. The level of punitive damages is yet to be announced, but what is known is that after three consecutive quarters of breaches, the framework recommends that merchants pass all transactions through to issuers for authentication. If a merchant continues to exceed the thresholds for four or more consecutive quarters, sanctions and fines may apply.
The extent of these penalties is yet to be seen but is likely to trigger concern among online retailers and merchants who are frequently targeted by fraudsters using stolen cards.
The framework is the first significant attempt to use technology and processes in a way that supports vendors and protects consumers. Technologies like 3DS 2.0 are improving shopper authentication, with frameworks like AusPayNet’s driving the evolution of Australian retail.
You may want to consider implementing SCA sooner rather than later. Why wait to enjoy the benefits when you can take advantage of them now to secure payment flows and higher authorisation rates?
Michel van Aalten, country manager Australia & New Zealand, Adyen