ACCC to reject APCA's push for single anti-fraud system

The Australian competition watchdog has issued a draft ruling against an Australian Payments Clearing Association proposal to mandate the use of a single protocol for combating online fraud within Australia.

On January 28, industry-owned regulator APCA applied for authorisation to mandate the use of 3D Secure for all online retail transactions within Australia in order to crack down on card not present fraud.

The 3D Secure protocol is currently owned by Visa, with the next version to be operated by the EMV Co consortium, which is jointly owned by Visa, MasterCard, American Express, Discover, JCB, and UnionPay.

The protocol uses XML messages sent over SSL connections for client authentication as part of the transaction authorisation process, in order to provide an additional security layer for online transactions.

In its submission, APCA proposed to modify its regulations to include a mandate that all credit and debit card merchants in Australia, as well as online merchants, would be enrolled in the 3D Secure scheme.

APCA estimated the total cost of implementing the scheme by all participants would be $393 million, and would directly affect 60,000 Australian online businesses.

During its consultation process, the ACCC received a number of submissions warning about potential risks with the proposal.

PayPal said [pdf] mandating 3DS may have an adverse impact on innovation in anti-fraud technology development by third parties.

“Third party fraud management for payments is a growth area both incumbent and new entrants in the payments space are developing solutions to monitor transactions and manage fraud,” PayPal’s submission said.

“It is therefore critical that the implementation of any 3DS mandate respects the efforts of those looking to develop security solutions and does not result in the reduction of investment in innovation and development in this area.”

The Small Business Commissioner of South Australia [pdf] raised a number of concerns about the impact of the scheme on competition, as well as small business.

In its draft determination, the ACCC acknowledged that the security of online transactions was a major concern, but rejected the need for a single anti-fraud product to be mandated.

“We understand mandating a particular product is out-of-step with the approach taken in overseas jurisdictions. When security measures were mandated in Europe, India and Singapore, for example, a product neutral approach has been taken. APCA has not justified why a different approach is appropriate in Australia,” ACCC chairman Rod Sims said in a statement.

“The ACCC does not accept that it is necessary to mandate a particular anti-fraud product. The cost of online fraud is principally borne by the online business that accepts a fraudulent transaction.

“Accordingly, each business can be expected to take the cost of fraud into account in making decisions about whether to invest in anti-fraud measures, and to engage anti-fraud technologies that are worthwhile for that business’ particular needs and circumstances.”

A spokesperson for APCA said it was "currently reviewing the draft determination issued by the ACCC today and is considering appropriate next steps".