This guide is meant to help you prepare for compliance with the Australian Payments Network Limited (AusPayNet) card-not-present (CNP) framework. The information here is intended to supplement the AusPayNet card-not-present code, and should not be taken as legal advice.
AusPayNet CNP framework
The AusPayNet CNP framework is a regulation by the Australian Payments Network Limited, the self-regulatory body for the payments industry in Australia. The framework aims to establish the industry approach for mitigating fraud in CNP online channels.
Scope
The framework applies to CNP transactions that are issued and acquired in Australia.
Out-of-scope transactions
The framework does not apply to:
- Transactions where the card is physically present, such as point-of-sale transactions.
- Transactions acquired or issued outside of Australia.
- Mail Order/Telephone Order (MOTO) transactions.
- Corporate cards, gift cards, and prepaid cards.
Merchant fraud threshold
The AusPayNet framework requires you to perform strong customer authentication (SCA) if you exceed the merchant fraud threshold for two consecutive quarters. If you are below the merchant fraud threshold, you are not required to perform SCA.
Exceeding the merchant fraud threshold in one quarter means that you have both:
Explanation | |
---|---|
1. More than AUD 50,000 in fraud losses | The value of fraud losses are based on fraud chargebacks received in the quarter. |
2. Fraud-to-sales ratio of 0.2% or above | The fraud-to-sales ratio is calculated as: F/T (F divided by T), where: F: Value of settled, fraudulent online CNP transactions in the quarter. T: Value of all settled online CNP transactions in the quarter. |
Exceeding the merchant fraud threshold
Merchant fraud rates are calculated by Adyen at the merchant account level on a quarterly basis. As your acquirer, Adyen is obligated to report your quarterly fraud figures to AusPayNet.
If you exceeded the merchant fraud threshold, you will receive an official breach notification from Adyen. What you need to do next depends on the number of consecutive quarters that you exceeded the merchant fraud threshold:
# of quarters | What you need to do |
---|---|
1 | Take measures to reduce your fraud rate. Adyen may advise you on available options to do that. |
2 | Start applying SCA to all non-exempted CNP transactions. For possible exemptions, refer to SCA exemptions. |
3 | We recommend that you start applying SCA to all CNP transactions. |
4 | You may be liable to sanctions. |
If your fraud rate is below the merchant fraud threshold for a quarter, you are no longer required to apply SCA on all CNP transactions.
Strong customer authentication
Strong customer authentication (SCA) is an authentication method where the shopper's identity is verified using two out of three factors:
- Something only the shopper knows, for example a password.
- Something only the user possesses, for example a mobile phone.
- Something the user is, for example a fingerprint.
For example, before an issuing bank authorises a payment, a shopper is required to supply a one-time authentication code received on their phone (something only the shopper has), and a password (something only the shopper knows).
SCA exemptions
Even though the framework mandates that all CNP transactions undergo SCA upon two consecutive quarters of breach, there are some exemptions that may be applicable to you. You can either apply the logic for exemptions yourself, or leave it up to Adyen. Issuers will not be able to see who triggers the exemption flow.
SCA is not required for:
-
Recurring transactions: A series of CNP transactions, possibly of different values, with cardholder consent.
To flag a transaction as recurring, include in your payment request: shopperInteraction value ContAuth and add the correct recurringProcessingModel value. -
Trusted customer transactions: Transactions where you have previously identified the cardholder, and the cardholder is using the same card and identifiers as before.
-
Wallet transactions: Transactions made through a digital or mobile wallet where the cardholder was verified, and all subsequent transactions use biometrics or a passcode for authorisation.
The SCA exemptions do not apply in the following situations:
- The cardholder is accessing the online service for the first time.
- The cardholder changes the payment instrument, for example replaces the card on file by a new card.
- More than 180 days have passed since the cardholder last accessed the online service.
Using 3D Secure for SCA
Although there are other methods for applying SCA, we recommend that you use 3D Secure authentication. Both 3D Secure 1 and 3D Secure 2 are eligible methods for applying SCA. For more information, refer to our 3D Secure implementation guides.
Your options for applying SCA by implementing 3D Secure are:
- Let Adyen handle SCA: To set this up, reach out to your account manager, or our Support Team.
- Configure rules with Dynamic 3D Secure: Define additional conditions for transactions that you want to apply 3D Secure authentication on. For more information, refer to Dynamic 3D Secure.
-
Submit preference in your API requests: Specify in each payment request whether you want to perform 3D Secure authentication on this transaction, by including:
authenticationData.attemptAuthentication
: Set to always if you want to perform 3D Secure authentication on this transaction, never if not.
Choose this option only if you have extensive knowledge of AusPayNet regulations and the 3D Secure protocol. Specifying your preference on transaction level will override our default compliance handling logic.