Why the focus on CNP fraud?
Australia’s eCommerce market is one of the fastest-growing markets in the world, with a compound annual growth rate (CAGR) of about 6 percent. By 2023, it’s expected to be worth over AUD $37 billion. However, the Australian Payments Network (AusPayNet) last year reported that online CNP fraud accounts for 85 percent of all fraudulent transactions on Australian issued cards.
In 2017, this equated to $476 million in fraudulent transactions: $227 million from domestically acquired transactions and $249 million on transactions acquired overseas. This provided the impetus for the development of the Card Not Present (CNP) Fraud Mitigation Framework. Over the last few years, AusPayNet has been working with card issuers, merchant acquirers, card schemes, payment gateways, payment service providers, merchants, regulators and industry bodies to establish this framework.
The outcome of industry consultation, which included representatives from ACI, was that the CNP Fraud Mitigation Framework should reduce card-not-present fraud, help maintain the positive growth in Australian eCommerce, and improve consumer trust in payments. The key principles agreed upon were that the framework should:
- Leverage global standards and authentication best practice principles from other regions
- Consistently apply authentication
- Be technology-neutral to provide choice and ease of implementation
This final point is particularly important, as back in 2016 the Australian Competition & Consumer Commission (ACCC) rejected a bid by the Australian Payments Clearing Association (APCA, which is now AusPayNet) to mandate the adoption of the 3D Secure system by merchants.
Authentication types considered by the Framework include;
- Risk-Based Analysis (RBA) – assessing the characteristics of the transaction to set the level of authentication required as proportional to the risk profile of the transaction.
- Strong Customer Authentication (SCA) – two-factor or multi-factor authentication where at least two authentication methods are used to authenticate the transaction.
There are also transactions that are out of scope, which include;
- CNP transactions using a corporate, gift or prepaid cards
- CNP transactions acquired outside of Australia, and cards issued outside of Australia
The changes are not far away. From July 2019 onwards, Australian acquirers will be required to monitor and report fraud levels on all merchants. Today, ACI’s real-time fraud management solution supports merchants to meet the criteria of Risk-Based Analysis (RBA) and also supports customers using SCA. From our perspective, the cooperative, consultative and collaborative approach being taken in Australia will support merchants to achieve continued growth, security and confidence when it comes to the card not present space.