Keeping Pace in the Fraud Race
The Australian payment industry has seen a seismic shift in the past few years from traditional retail store purchases to online shopping. This migration coupled with the strong fraud protection provided by EMV chip technology for in-person transactions has unfortunately prompted an adverse mirrored trend – an increase of fraud in card-not-present (CNP) channels. CNP fraud now accounts for almost 85% of all card payment fraud in Australia and further to this, CNP fraud seems to be growing 13% year on year at an industry level.
To combat this increased threat, AusPayNet in conjunction with key industry stakeholders have initiated an industry-wide collaboration program entitled the ‘Card Not Present Fraud Mitigation Framework’. This Framework sets out the industry approach to mitigate CNP payments fraud for all members across the payment value chain – merchants, consumers, Issuers, Acquirers, card schemes, payment gateways, payment system providers, and regulators. It is a framework designed to reduce fraud in CNP online channels, while also ensuring that online transactions continue to grow and thrive. The key tenets of this framework have been established by the industry:
1. Consistently apply Strong Customer Authentication (defined below)
2. Leverage global standards and best practice from other jurisdictions where possible
3. Be technology neutral to provide choice and ease of implementation
4. Use dynamic data wherever possible to reduce fraud
5. Act now, plan for the future – deal with the current fraud issues with the ability to review and update the Framework over time.
This framework requires participants across the payment value chain to take a more active role in reducing CNP fraud. For Card Issuers in particular, the two main obligations within this new framework are as follows:
• Ensure fraud rate remains below Issuer Fraud Threshold
• Perform Strong Customer Authentication or Risk Based Authentication when requested by the Merchant
This framework has set an industry fraud benchmark for an acceptable level of Issuer and merchant risk. Quarterly reporting to AusPayNet of fraud rates will be mandated as part of this framework. Issuers and merchants with fraud rates under the established threshold will not be required to perform any additional fraud mitigation activities. Issuers and merchants operating over the industry fraud rate will be required to perform Strong Customer Authentication. Should Issuers and merchants continue to breach industry thresholds over consecutive quarters, fines and sanctions can be imposed.
Strong Customer Authentication (SCA)
SCA is an authentication method requiring the cardholder’s identity to be verified with at least two independent factors from the following categories:
1. Something only the cardholder knows (knowledge factor) – a password, an answer to a secret question or a PIN
2. Something only the cardholder possesses (possession factor) – a credit card, a hardware token or a smartphone
3. Something the cardholder is (inherence factor) – a biometric feature such as a fingerprint scan, an iris scan, or facial recognition; or a behavioural feature such as type or swipe dynamics.
Although cardholder authentication will actively reduce the occurrence of fraudulent activity, the industry must also consider the user experience when implementing an authentication solution. The framework should provide the consumer with confidence that online transactions are secure without adding a disproportionate degree of friction to the transaction journey.
The industry timeline for the implementation of the framework is outlined below:
Indue has been involved with developing the industry-wide framework via representation and collaboration at forums and consultation submissions. Indue has commenced an internal program of work to build the capability to support the required AusPayNet reporting. We will work closely with all of our card issuers in the next few months to ensure understanding of the initiative requirements and next steps to comply with the new framework.