Designed to mitigate CNP fraud

  • Collaborative approach

    AusPayNet is the self-regulating Payments Industry Body, and this Framework is a result of feedback and workshops across the payments industry.

    The framework sets out the industry approach to mitigate card-not-present (CNP) payments fraud for merchants, Issuers, Acquirers, payment gateways, regulators and payment systems providers.

    This is a collaborative approach across the Australian payments industry Success criteria will be a reduction of fraud across the Online Payments ecosystem.

  • An industry standard

    It sets a benchmark for an acceptable level of Merchant, Acquirer and Issuer ecommerce fraud and a threshold for mandating authentication across online CNP transactions.

    AusPayNet will monitor the Framework’s success through Issuer and Acquirer feedback and reporting. And it’ll ensure compliance with the Framework through its existing rules and code set.

  • Customer centred

    This Framework is crucial, since CNP fraud now accounts for almost 85%1 of the card fraud in Australia.

    It builds on the strong industry and AusPayNet tradition of solving for payments fraud issues and improving customer experience.

What’s in scope?

  • The following is in scope

    • Card not present transactions: When card credentials are used without the cardholder being physically present e.g. online transactions
    • Card not present transactions growth: The Year on Year percentage growth of CNP transactions in the Australian payment market
    • Definition of fraud: Refers to payment transaction fraud or fraudulent payment transactions (read the Framework for more on this)
    • Authentication: Risk-based analysis (RBA)2 and Strong customer authentication (SCA)3 are the two types of customer authentication covered in the Framework
    • Cardholder protection: If a cardholder has protected their payment details, been vigilant and not acted fraudulently then they aren’t liable for any fraudulent transactions
  • The following items are out of scope

    • Card present channels
    • Mail order/ Telephone order/ manual entry transactions
    • Corporate cards/ gift cards/ pre-paid cards
    • Remote commerce transactions outside of cards
    • Transactions acquired outside Australia

Merchant obligations & threshold

  • Main obligation

    Merchants must make sure their fraud rates remain under the Threshold of AUD $50,000 and under 0.20% in fraud losses per quarter (as calculated by the Acquirer).

    AusPayNet requires merchants that exceed the threshold for one or two quarters to use a demonstrable risk-based approach to SCA and/or other fraud mitigants.

    Exceed that for three consecutive quarters and merchants are required to perform SCA on all transactions, other than those that qualify for authentication exemption.

    Exceed for four consecutive quarters, then AusPayNet may apply penalties to Acquirersand their merchants.

  • Merchant fraud threshold

    Merchants aren’t obliged to authenticate online CNP transactions if their fraud rate is below the Merchant Fraud Threshold for the previous quarter.

    Merchant Fraud Rate (bps)Value F % Value T 10000


    • Value F = Value of fraudulent settled,online CNP transactions per quarter
    • Value T= Value of all settled,online CNP transactions per quarter

    The Merchant Fraud Threshold is set to 20 basis points and $50,000 in fraud losses (i.e. Value F > $50,000) per quarter. Merchants must ensure their fraud level does not exceed this threshold.

More on AusPayNet

  • AusPayNet is the payments self-regulatory body in the Australian market - established in 1992 to manage the day-to-day operation of the payments clearing systems.

    Its purpose is to improve the safety, reliability, equity, convenience and efficiency of payment systems in Australia. And actively monitor and facilitate industry collaboration to reduce payment fraud.

    Here’s more on AusPayNet

Things you should know

  • 1 Source: AusPayNet 'Code Set for Issuers and Acquirers Community Framework - Volume 7 Card Not Present Code', 1 July 2019.

    2 Risk Based Analysis (RBA) refers to the means or method of  authentication being proportional to the risk profile of the resource of the cardholder is trying to access and/ or action it’s seeking to execute.

    3 Strong Customer Authentication (SCA) in contrast to normal or single factor authentication is a stronger form of authentication and provides more assurance the cardholder actually is who he/she claims to be. SCA means authenticating with two authentication methods instead of one. This can be a combination of two of the following three: something the customer knows (e.g. PIN, dynamic CVV or password), something the customer has (i.e. device, static CVV or token) and/or based on something the customer is (i.e. biometrics).