The industry-wide fraud mitigation framework

Card-Not-Present (CNP) fraud represents almost 85% of all card fraud in Australia. To help combat CNP fraud, the Australian payments industry body, AusPayNet (APN), has implemented a new fraud mitigation framework. APN is a self-regulatory body set up by the payments industry to improve the safety, reliability, equity, convenience and efficiency of the payment ecosystem in Australia. This framework is designed to collaboratively reduce eCommerce fraud across the Australian payments industry. It uses an industry-wide approach to reduce CNP payment fraud for:

  • merchants (businesses)
  • consumers (customers)
  • issuers (banks)
  • acquirers (card providers)
  • card schemes (payment networks)
  • payment gateways (online services that authorise payments)
  • payment system providers (services that accept electronic payments) and
  • regulators (like APRA or ASIC).

The success criteria of this framework will be a reduction in online fraud across the payment industry as we continue to build consumer trust and support the growth of eCommerce.

What you can do to prevent CNP fraud

As a NAB merchant, it’s important to remain compliant and minimise your risk of accepting fraudulent payments. To help, we recommend implementing strong customer authentication (SCA). This will help protect your business from fraudulent behaviour, and also reduce the likelihood that you go over the merchant fraud rate threshold. Other things you can do are:

  • ask for comprehensive customer details
  • complete validity checks
  • ask for identification for the delivery of goods and
  • invest in a fraud management tool.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) is also known as a two-factor (2FA) or multifactor authentication method. It’s used to authenticate and verify the cardholder’s identity during a transaction and helps to reduce the risk of fraud and account takeover. SCA uses three categories to check your identity:

  • something you know – a password, passphrase, an answer to a secret question or a PIN
  • something you have – a credit card, hardware token or smartphone
  • something you are – a biometric scan (finger, facial, retinal, voice, iris).

The merchant fraud rate threshold

The merchant fraud rate threshold is an indicator for intervention. We calculate the merchant fraud rate in basis points (bps) with the following formula:

Merchant fraud rate (bps) = (Value F / Value T) × 10,000

  • Value F = value of fraudulent settled, online CNP transactions per quarter
  • Value T = value of all settled, online CNP transactions per quarter

Exceeding the merchant fraud rate threshold

You’ll go over the merchant fraud rate threshold if:

  • your merchant fraud rate is greater than 20 bps and
  • you’ve experienced over $50,000 worth of fraud in a quarter.

Should this happen, we’ll get in touch to help you reduce the level of fraud your business is experiencing. Depending on the severity and frequency of the fraud, we’ll guide you through four stages of fraud prevention.


Stage one

If you exceeded the merchant fraud rate for one quarter, we’ll start working with you to take measures to reduce your fraud rate.

Stage two

If you exceeded the merchant fraud rate for two quarters, you’ll be required to perform an SCA on all transactions.

Stage three

If you exceeded the merchant fraud rate for three quarters, you’ll be required to pass all transactions to the issuer to perform an SCA on all transactions.


Stage four

If the fraud rate continues to breach the threshold, the acquirer will face sanctions.
