Retailers that fail to mitigate card-not-present fraud (CNP) risk sanctions – with regulatory payments changes set to take effect within e-commerce trading.
E-commerce purchases continue to command a growing share of the retail spending pie. The NAB online retail index estimates that in the 12 months to March 2019, Australians spent $28.76 billion on online retail. This represents around 9 per cent of the traditional bricks and mortar retail sector and is about 18 per cent percent higher than the same period running up March in 2018.
Meanwhile card-use continues to grow, with the total value of transactions increasing year-on-year from 2013, jumping from $748,111 billion in 2017 to $788,647 in 2018, according to the Reserve Bank of Australia.
But it’s not all good news. Fraud as a percentage of all card transactions last year represented less than 0.1 per cent, or $574 million of the total transaction value.
CNP fraud [where a shopper is not physically present at the time of a transaction] is established as the most prevalent type of fraud on Australian cards, representing approximately 85 per cent of fraudulent transactions, according to Australian Payments Network (AusPayNet), the self-regulatory body for the local payments industry.
Retailers now have the task of improving payment security measures, while mitigating friction in the online shopping journey of customers.
The rise of CNP fraud in Australia reflects a global trend of growing cybercrime in general, according to AusPayNet.
Fraudsters have now migrated to online fraud, after facing stronger protection using chip technology on in-store transactions. Large scale data breaches and identity theft – where fraudsters assume the identity of another individual and perform transactions under a false identity – are a recurrent issue.
As a result, retailers are increasingly cautious about dealing with online crime.
“Cybercrime is escalating to a magnitude not been seen before,” says Michel van Aalten, country manager AUNZ for payments platform, Adyen.
“Retailers and the entire payments industry are trying to find the best approach to solving the problem.”
It’s a problem that Adyen has seen experienced by retailers worldwide. The global payments platform, which helps businesses accept e-commerce, mobile, and point-of-sale payments, says regulatory changes have already been enforced abroad. 3D Secure verification is now obligatory on domestic purchases in India – with van Aalten asserting law changes are on the rise across the globe.
“The new regulations in Australia have gone live quite recently and might be considered revolutionary in Australia’s e-commerce landscape,” says van Aalten.
Down Under, AusPayNet’s CNP Fraud Mitigation Framework took effect in July, earlier this year. The framework defines the minimum requirement for an issuer and merchant to authenticate CNP transactions, and mandates Strong Customer Authentication (SCA) for those issuers and merchants whose fraud rate is consistently in breach of agreed industry thresholds.
“The framework states that whenever a merchant breaches the CNP framework fraud threshold over two consecutive quarters, strong customer authentication will have to be applied on all payments,” says van Aalten.
“And when you look at 3D Secure and SCA worldwide, usually shoppers find a certain level of friction acceptable, especially when it’s a high value transaction.”
In certain markets, consumers are already familiar with a bit of friction, including dynamic passwords or one-time passwords received via phone.
However in Australia, strong customer authentication is relatively new and has already led to a drop-off on the consumer side, due to dissatisfaction over extra security measures during the payments process. van Aalten says this friction and drop off is the biggest fear for retailers.
“Strong customer authentication in Australia might soon affect retailers that breach their fraud threshold. The payment landscape and environment need to be prepared and need to be able to cater to the needs of the merchant as well.”
Van Aalten says while compliance towards the framework is essential, payment providers also want to ensure that the process must ensure balance between security and frictionless customer experience.
“It’s not something that can be done overnight. Each retailer entering the e-commerce market must remember to define their fraud strategy and make sure they have proper defences in place. We usually recommend merchants apply SCA within their fraud strategy.”
Adyen doesn’t recommend SCA on all payments, but to instead have a sophisticated system that identifies which payments are likely to be genuine and which payments are likely to be fraudulent.
“If a shopper regularly shops in a particular store, the retailer should be able to recognise them as a loyal, returning shopper, helping to reduce friction for whenever their next purchase is made,” says van Aalten.
“It’s all about balancing security and optimising the consumer’s experience.”
And the final point to note for retailers – fraud is not exclusive to merchants that sell expensive equipment or re-sellable items.
“Fraudsters are not only targeting high value items, there is fraud appearing in all kinds of businesses, including food delivery, music subscription or movie streaming services,” says van Aalten.
“It’s really important for all merchants to be aware and make sure that they have the measures in place to combat fraud by combining their risk management and authentication solutions.”
Contact Adyen to find out more about payment solutions that balance cybersecurity and customer expectations.