Industry Consultation on CNP Fraud Mitigation Framework

By Lucy Anderson, Head of Payments Innovation at AusPayNet - 12 September 2018

Since holding the February 2018 Accelerator Event, co-hosted with the Reserve Bank of Australia, AusPayNet has been pedalling hard in the fight against fraud. As recently communicated, we have been working in collaboration with the entire range of stakeholders to develop a whole-of-industry CNP Fraud Mitigation Framework.

Card-not-present (CNP) fraud, mainly occurring online, has been growing as a portion of payments fraud. The new framework is designed to reduce CNP fraud, while also building consumer trust to support the continued growth of e-commerce as a payments channel. AusPayNet is encouraging e-commerce participants to provide feedback on the framework, which can be requested through our website. Feedback is due by 28 September 2018.

A Collaborative Approach 

The framework was developed using the following collaboratively agreed approach:

  • Consistently apply Strong Customer Authentication
  • Leverage global best practice where possible
  • Solution neutrality – be flexible and support a range of different technical solutions
  • Dynamic data – leverage dynamic data sets where possible
  • Act now, plan for the future – deal with the immediate fraud issue with the goal of iterating the framework over time

Establishing Obligations and Accountability

The framework is divided into issuer obligations and acquirer obligations, with acquirers accountable for monitoring merchant fraud rates.

Issuer obligations

  • Issuers must keep fraud levels across their card base below the industry benchmark.
  • Issuers must notify all customers of any online card transactions over $100, except where the customer has opted out of notifications for privacy reasons.

Acquirer obligations

  • Merchants must have risk-based authentication tools in place to monitor their fraud.
  • Merchants that record fraud above an agreed industry benchmark will be required to use multi-factor authentication, except in the case of the following exempt transactions:
    • Recurring transactions - where the cardholder has given consent to be charged on a pre-agreed set of conditions, and has provided strong customer authentication for the first transaction
    • Trusted cardholders - where the cardholder has been identified upfront and uses the same credentials for future transactions with the merchant
    • Mobile wallets - where the issuer has confirmed with the cardholder enrolment in the wallet, which also has a strong authentication mechanism implemented

Governance and Compliance of the Framework

It is envisaged that AusPayNet will ensure the governance and compliance of the framework under our existing Issuer and Acquirer Community Code. We are currently working with the e-commerce community to garner feedback on the framework. The next steps involve drafting implementation guidelines and seeking further feedback on implementation timeframes.

If you are actively involved in e-commerce and would like to provide feedback or be involved in the consultation, please contact us.