Strong Customer Authentication in Australia: AusPayNet Card Not Present framework

With Australia’s growing ecommerce market, Strong Customer Authentication (SCA) has become increasingly important. Read on to learn about AusPayNet’s framework that offers businesses and shoppers greater peace of mind.

Australia’s ecommerce market is one of the fastest growing markets in the world, with a compound annual growth rate (CAGR) of about 6%. By 2023, it’s expected to be worth over AUD $37 billion. At the same time, Card Not Present (CNP) fraud, which represents about 85% of all card fraud on Australian cards, diminishes this number – costing retailers nearly half a billion dollars every year.

What is a Card Not Present (CNP) transaction?

A CNP transaction is one where a shopper is not physically present at the time of a transaction. This means all online and ecommerce transactions are CNP transactions.

Authentication is not new – Australia was an early adopter of the EMV chip-and-PIN authentication when it was first introduced. EMV chip technology has provided strong protection globally on Australian issued cards against in-person or Card Present fraud, with counterfeit and skimming fraud reducing by 47.8%, from AUD $59.25 million in 2016 to AUD $30.91million in 2017*.

Strong authentication to support ecommerce growth

EMV chip-and-PIN authentication is a common authentication method at point-of-sale in Australia, and is effective against Card Present fraud. However, stronger authentication is needed for CNP transactions. It’s difficult for merchants to verify whether payments are indeed authorized by the actual card holders, which is why CNP has become the main source of card fraud – not just in Australia, but also in many key ecommerce markets around the world.

Regulatory boards, issuers, schemes, acquirers, and payment service providers worldwide have been actively looking at solutions to counter CNP fraud. Several tools like CVV checks, Address Verification System (AVS) and 3D Secure have been introduced and improved upon.

Adyen has already introduced global enablement of 3D Secure 2.0 (3DS 2.0), the new standard in SCA. This solution embeds the latest requirements for PSD2 to ensure secure payments for shoppers globally. PSD2 or the Revised Payment Services Directive is a European directive that further simplified payment processing between shoppers, merchants, payment service providers, and non-bank payment institutions – with the use of SCA – while curbing CNP fraud in Europe.   

With CNP fraud in Australia growing at approximately 15% year on year*, the Australian Payments Network or AusPayNet has initiated an industry-wide consultation to derive at the CNP Fraud Mitigation Framework.

AusPayNet is the payments self-regulatory body in Australia, established to manage the day-to-day operation of the payments clearing systems. With members ranging from suppliers of goods and services, card issuers, acquirers, and schemes to commercial operators of payments systems and organizations that participate directly in the payments system, AusPayNet enables innovation, promotes efficiency, and manages risk to deliver a better payments system.

Card Not Present (CNP) Fraud Mitigation Framework

The framework aims to reduce fraud in CNP channels for merchants, consumers, issuers, acquirers, card schemes, payment gateways, payment system providers, and regulators.

While SCA methods are not compulsory in Australia yet, merchants operating above the recommended industry fraud rate are now encouraged to implement risk based authentication for online CNP transactions using locally issued cards via local acquiring.

Under the framework, SCA will be required for merchants operating above fraud thresholds of AUD $50,000 in fraud losses and fraud-to-sales ratio of 0.2% in reported fraud for two consecutive quarters.

If merchant thresholds are breached for two consecutive quarters, the Acquirer will require the merchant to perform SCA on all transactions until their fraud rate falls below the threshold for a quarter. This would apply to all transactions with the following exceptions:

After three consecutive quarters of breaches, the framework recommends that merchants pass all transactions through to the issuers for authentication. In a case where a merchant continues to exceed the thresholds after four (or more) consecutive quarters, sanctions and fines may apply.

Obligatory Strong Customer Authentication (SCA) in Australia may take effect as early as from Q4 2019.

Reporting of the merchant data will begin from Q2 2019 and the obligatory SCA may take effect as early as from Q4 2019, if the merchants are in breach for the two consecutive quarters of Q2 and Q3 2019.

We recommend implementing SCA sooner rather than later not only because it may soon be a global standard, but also for its multifold benefits. Stronger shopper authentication enables more secure payment flows, and thus higher card authorization rates.

Merchants can easily leverage SCA such as 3DS 2.0 with Adyen for authentication that’s built around the habits of the modern Australian consumer. With the option of intuitive 2-factor and biometric authentication flows for in-app, online and mobile shopping, businesses can create better experiences that translate to higher sales conversion and great business results.

SCA has long been misunderstood as a sales conversion blocker as it is deemed to add friction along the shopper journey – no thanks to static passwords, multiple redirects, and such, of past solutions. Next-gen solutions like 3DS 2.0, however, have changed the way we know shopper authentication. Various use cases with global brands have also shown that SCA has helped to drive business results and secure revenue.

Contact us now to find out more about SCA in Australia or anywhere around the world. Discover just how it benefits your business by helping to increase card authorization rates, fraud prevention and regulatory compliance.

*Source: AusPayNet data


Sign up for the newsletter

By submitting this form, you acknowledge that you have reviewed the terms of our Privacy Statement and consent to the use of data in accordance therewith.


Are you looking for test card numbers?

Would you like to contact support?