- Australia’s CNP Fraud Mitigation Framework went into effect July 1, 2019
- SCA will be required for merchants who breach fraud thresholds outlined in the Framework
- SCA may be required as early as Q4 2019 for merchants who breach the threshold for these two consecutive quarters: Q2 and Q3 of 2019.
- Merchants should streamline the compliance process by working with PSPs that are equipped to meet local regulatory requirements
For Australian-issued cards, nearly 85% of all card fraud is considered card-not-present (CNP) fraud, which happens mainly online. This problem is certainly not unique to Australia – in fact, card-not-present fraud accounts for 60-70% of all card fraud in developed countries.
Europe has recently addressed this issue with its rollout of the Revised Payment Service Directive (PSD2). This included the enforcement of Strong Customer Authentication (SCA), which is the addition of more authentication layers to curb CNP fraud. Most major global markets are now looking to standardize CNP protections, with Australia following suit with its recent release of the CNP Fraud Mitigation Framework that went into effect July 1, 2019.
The framework, enforced through AusPayNet, outlines the set of requirements for issuers and acquirers to authenticate online CNP transactions. This includes applying SCA practices to help reduce online fraud. Under this framework, merchants must remain below the initial fraud threshold of AUD $50,000 in fraud losses and a fraud-to-sales ratio of 0.2% per quarter. Merchants that exceed this threshold for two consecutive quarters may be required to implement SCA on their transactions.
While Europe’s PSD2 mandates SCA for all online transactions, Australia’s CNP Fraud Mitigations Framework only requires SCA for merchants and issuers that are consistently in breach of these thresholds. Acquirers have submitted their quarterly merchant data outlining their fraud rates and threshold breaches for Q2 and Q3 of 2019. If a merchant has exceeded the threshold for these two consecutive quarters, acquirers may require that the merchant perform SCA on all transactions as early as Q4 of 2019. If a merchant is in breach for three consecutive quarters, merchants may be required to pass all transactions through to the issuer for SCA.
How to get ready for SCA
For the risk-averse, having SCA provisions in place sooner rather than later will save merchants from costly business headaches like downtime due to a last-minute technical scramble, or worse, the risk of losing sales if it’s not in place.
Australian merchants can leverage Checkout.com’s 3DS2 solution to help meet all SCA requirements via one unified API. Through one integration, merchants will also be able to take advantage of all our flexible and scalable capabilities such as multi-currencies, wallets, network tokens, account updater, and first-class authentication.
As major markets work toward similar ecommerce protection protocols, online merchants should consistently evaluate their payments strategy and partners, apply streamlined payment systems, and most importantly, ensure that their PSP can support local regulatory needs.