Strong Customer Authentication in Australia: Understanding AusPayNet’s CNP Fraud Mitigation Framework

Thanks to EMV chip technology, Australian merchants have enjoyed a significant reduction of fraudulent in-person credit card transactions, with losses from counterfeit/skimming fraud at their lowest since 2006.1

However, that doesn't mean credit card fraud went away. As in-person fraud became more difficult, criminals shifted their efforts to the digital realm and began focusing on what’s known as Card-Not-Present (CNP) fraud. As a result, almost 85% of all credit card fraud in Australia now takes place online.2

In an effort to combat this considerable increase in online card fraud, the Australian Payments Network (AusPayNet) recently issued new rules requiring Strong Customer Authentication (SCA) for merchants identified as “high-risk.” Here's how those rules may impact your business.

Combating fraud with SCA

You may already be familiar with SCA as a part of Europe's PSD2 regulations. Under that mandate, applicable transactions are required to have two independent authentication factors performed in order to be approved. These factors are categorized in three ways: "knowledge," as represented by something like a password or PIN; "possession" of something, like a device or card; and "inherence," as proven by a fingerprint or other biometric. As a global standard, SCA is a key element in AusPayNet's efforts to mitigate CNP fraud.

How the fraud mitigation framework works

In its CNP Fraud Mitigation Framework, AusPayNet defined new fraud thresholds that merchants and issuers are required to meet. AusPayNet set the initial fraud threshold for merchants at 20 basis points (0.20% of CNP transaction value) and $50,000 in fraudulent CNP losses per quarter, while the initial fraud threshold for issuers was set at 15 basis points (0.15% of CNP transaction value).

Merchants with fraud rates below those levels are not required to apply SCA to any transactions. Merchants unable to meet that threshold for two consecutive quarters will be deemed “high-risk” and will be required to apply SCA to most transactions. Low-risk transaction types such as recurring payments, trusted customers, and wallet transactions are also exempt from SCA requirements regardless of whether or not a merchant has been deemed “high risk.”

Key dates

The new rules went into effect on July 1, 2019, with acquirers reporting on merchant data chargebacks as of Q2 2019. Currently, enforcement is scheduled to begin on December 31, 2019.

What's next for ‘high-risk’ merchants?

Braintree has already begun reporting on chargeback rates in order to remain compliant with AusPayNet's CNP Fraud Mitigation Framework. Any Braintree merchant that has been identified as “high-risk” will be contacted to discuss how to integrate 3D Secure (3DS), the solution we recommend to perform SCA on transactions acquired in Australia.

If you are contacted, it’s important to integrate 3DS as soon as possible. “High-risk” merchants that neglect to use 3DS to authenticate transactions risk an increase in declines. Continued failure to apply SCA to applicable transactions could lead to a scenario in which the merchant’s acquirer demands that the merchant’s payments processor (i.e., Braintree) stop processing for that merchant altogether.


As the commerce platform for large and fast-growing enterprises that are building the most innovative commerce experiences globally, Braintree is committed to keeping you informed about the latest news and information regarding SCA requirements in Australia. If you have questions about the CNP Fraud Mitigation Framework or Braintree’s 3DS solution, contact us.

  1. Australian Payment Card Fraud 2018, Australian Payments Network, 2018.

  2. IBID.

Braintree We enable beautiful commerce experiences so that people and ideas can flourish. More posts by this author

You Might Also Like