Andy White, the CEO of Australian Payments Network, describes the way CNP Mitigation Framework, an AusPayNet initiative, differs from Europe’s PSD2, yet having the same goal: to secure transactions.
While Europe has been implementing PSD2, Australian Payments Network (AusPayNet) has been working with the Australian ecommerce industry over the last 18 months to design a framework to reduce card-not-present (CNP) fraud. Australia’s industry CNP Mitigation Framework took effect on 1 July 2019.
How does PSD2 compare to the work we have been doing as an industry in Australia?
In developing the CNP Mitigation Framework, we leveraged global standards and best practice from other jurisdictions, including work being done on PSD2. Of particular interest were the recommendations agreed at the European Payment Institutions Federation (EPIF) workshop held in Brussels on May 2019. Jointly supported by Ecommerce Europe, EuroCommerce, Visa, and EPIF, these were:
Australia’s CNP Mitigation Framework
As a result of consultation and collaboration with the ecommerce industry, these recommendations had already been incorporated into the CNP Fraud Mitigation Framework during the drafting process in mid-2018. The Framework parallels PSD2, in that both endorse SCA as a best practice to authenticate transactions.
However, there are some key differences:
1. While PSD2 mandates SCA for all transactions and considers certain exceptions, AusPayNet’s Framework only requires SCA for those merchants and issuers whose fraud rate is consistently in breach of agreed thresholds. Participants with fraud rates under the defined thresholds are not required to take additional steps to identify and reduce fraud, and there are exceptions for low-risk transactions, such as recurring payments, trusted customers, and wallet transactions.
2. The Framework’s thresholds were collaboratively set to ensure a targeted approach to minimising fraud whilst minimising the impact on smaller merchants. As a result, SCA is only required for:
Combining this approach with a comprehensive communications strategy and phased lead times for implementation, the Framework provides a clear runway to readiness for the wider payments community for reducing CNP fraud. This ameliorates the issues currently being witnessed in Europe in terms of readiness, which have resulted in calls for implementation to be delayed.
CNP fraud on Australian cards
On 7 August 2019, a month after the Framework took effect, we released new card fraud data covering the year 2018. The data shows a decline in the rate of fraud on Australian cards for the first time since reporting became public in 2006. In 2018, the rate dropped from 75.0 cents to 72.8 cents per AUD 1,000 of card spending.
Card payments grew by 5.4%, reaching a total value of AUD 789 billion, whereas card fraud increased by 2.3% to AUD 574 million; in 2017, both had increased by 5%.
CNP fraud – on both domestic and overseas transactions – accounted for 84.9% of all card fraud, steady on 2017. But the rate of increase is declining; CNP fraud increased by 2.4% in 2018 compared to 13.9% in 2017.
Moreover, domestically, the overall growth of ecommerce transactions (27%) outstripped the growth of CNP fraud (13.4%). These figures suggest that industry work on the Framework over the last 18 months has helped create awareness of protecting against CNP fraud.
Adopting the CNP Fraud Mitigation Framework
While we are seeing an encouraging trend in CNP fraud, the overall numbers are still large. Reducing the space for fraudsters to operate is an industry priority, and the Framework is a major step in further stimulating the uptake of CNP fraud countermeasures across the ecommerce community.
To support the adoption of the Framework, AusPayNet is working with the industry on a phased implementation. Issuers and acquirers are required to provide quarterly reports to AusPayNet outlining their Fraud Rates and Fraud Threshold breaches. The first reports, covering Q2 (April to June 2019) were submitted on 15 July, with Q3 reports (July to September 2019) due on 15 October 2019. We are also tracking the overall volume of ecommerce transactions to ensure growth in the channel continues. The Framework is enforced through inclusion in AusPayNet’s Issuers and Acquirers Community code set (rules).
As an industry, we need to continue to collaborate and be vigilant in adopting digital security measures. Further effort is required to respond to changing trends in fraud and we need to continue to adopt best practice. The Framework goes a long way in providing a unified approach to shrinking CNP fraud in the Australian market.
This editorial was first published in the The Fraud Prevention and Online Authentication Report 2019/2020, which depicts valuable insights into fraud detection, risk management, data intelligence and machine learning, and ways to tackle into where is fraud heading to after PSD2’s Strong Customer Authentication.
About Andy White
Andy White is the CEO of Australian Payments Network. Prior to AusPayNet he worked at ASX, LCH.Clearnet and the Bank of England. Andy is also a Member of the Advisory Committee to Australia’s Data Standards Body, a Member of the Board of Advisors to the Payment Card Industry Security Standards Council, and Deputy Chair of Emerging Payments Association Asia.
About Australian Payments Network
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now