As part of the EU Second Payment Services Directive (PSD2), Strong Customer Authentication (SCA) requirements will come into effect for merchants from 14 September 2019.
This article provides the most recent information from Mastercard on the timeline and milestones for the SCA roll-out and the impact of different SCA use cases for airlines, hospitality and online travel agencies.
This means that any online transaction in which both the acquiring and issuing bank are within the European Economic Area must be authenticated using two of three factors:
- Something the customers knows (e.g. a password or PIN)
- Something the customer has (e.g. device or hardware token)
- Something the customers is (e.g. through consumer fingerprinting or facial recognition).
However, it is worth noting that it will not be a smooth journey to implementation. Only recently the European Banking Authority (EBA) published an opinion stating that card data cannot constitute a knowledge element for SCA.
This will significantly affect many European countries, as the One-Time-Password (OTP) generated as an SMS and card details, for example, would not be enough to meet SCA requirements.
Questions remain as to what the second authentication element would be in this scenario and how this data would be stored and transmitted across the payment processing chain.
The uncertainty could lead to either a postponed activation period for SCA requirements or a grace period after the deadline to allow organizations to adjust. Regardless of the deadline, the enforcement of the requirement at a national level will necessarily be flexible, and the timeline will be decided by EU regulators.
The EBA’s Opinion on the elements of strong customer authentication under PSD2 allows National Competent Authorities (NCAs) to provide “limited additional time” to issuers and acquirers to migrate their customers to compliant authentication solutions.
Mastercard acknowledges that despite significant investments to comply with PSD2 RTS (Regulatory Technical Standards), issuers and acquirers will be unable to apply SCA on September 14, 2019.
This is because not all cardholders are enrolled in compliant authentication solutions, and most online merchants are currently unable to request SCA.
A strict enforcement of PSD2 RTS on September 14, 2019 will therefore result in a substantial increase of declined transactions and abandonment rates. This will decrease consumer trust in electronic payments.
In accordance with the EBA Opinion, Mastercard has called for a harmonized European roadmap based on clear and progressive milestones and is closely monitoring progress:
- Communication to cardholders and merchants completed by March 14 2020
- Account range and merchant enrollment onto EMV 3DS 2.1 with full support of exemptions and exclusions by September 14, 2020
- Merchants allowed not to send EMV 3DS flow or not to request an exemption for transactions requiring SCA, Issuers allowed to approve such transactions until March 14 2021
Following the EBA Opinion, most Member States are in favor of providing additional time to the industry and are awaiting a communication from EBA on the final deadlines.
Several Member States have already stated that they will provide additional time (a.o. France, Germany, Italy, the Netherlands and United Kingdom).
SCA represents a significant challenge for the travel industry due to the complexity of the travel ecosystem.
Within the main three travel sub-verticals we address in this article – airlines, hospitality and OTAs – there are sprawling ecosystems of partners, suppliers and intermediaries participating in the process of booking.
In many cases, the entity that has the initial contact with the customer, and can authenticate the transaction, might not be the merchant that offers the service and captures the funds.
In addition to these complex payments journeys, in which different players often take payment from customers at different points, often on behalf of other businesses, the travel industry has a complex setup of interconnected technology systems.
For example, the airlines’ GDS systems, or processes like BSP, will need to be adapted for SCA.
One of the key challenges is understanding how card schemes will enforce SCA for these different payment use cases, who authenticates the transaction and when.
Similarly, while all businesses must adhere to the same requirements, each sub-vertical has different payments process and customer experiences that will be impacted by SCA in different ways.
So, how does SCA affect each travel sub-vertical?
Airlines
As with other sub-verticals in the travel industry, airlines operate in a complex ecosystem of third parties and agents. This makes the question of which organization performs Strong Customer Authentication, and when, a complex one to answer.
Many airline ticket purchases are done by third parties, such as marketplaces like Expedia, or online travel agents. The airline industry has a unique setup in place with the Billing and Settlement Plan (BSP), which will need to be adapted for SCA.
Whenever the payment is taking by the airline merchant, the travel agent will need to pass on proof of authentication to the airline. Transactions currently being flagged as Mail Order Telephone Order (MOTO) remain out of scope for SCA.
However, in other cases the OTA might take the payment for the tickets, and in that case the consumer will need to be authenticated and authorized by those customer-facing organizations.
For direct sales made through the brand website, all in-scope transactions will require SCA.
However, it’s crucial to note that the airline industry generally has a high Average Transaction Value (ATV), aside from low-cost or domestic carries.
Because of this high ATV, these purchases will not be able to use some of the exemptions to SCA that are more common in other verticals, such as low value or transaction risk analysis exemptions.
Hospitality
The hospitality sector faces a particularly big challenge with SCA, due to its complexity, the number of intermediaries involved, and the wide range of payment use cases and customer touchpoints that must be supported.
Not to mention that this is an industry still working with legacy transaction flows, often manually handling card details (scenarios that are not considered secure by the new regulatory regime).
The hospitality industry is built on a strong mix of card not present transactions (prepaid rates when booking online), card present transactions (paying the remainder at the front desk), as well as a large number of additional sales for incidental services (room service or spa treatments) for which credit card details must be stored and payment reconciled at the end of a guest’s stay.
As with many other sub-verticals in travel, online card payment can come either through the brand website, or through one of many intermediary services such as Booking.com or Expedia.
In situations like these, where transactions are initiated and authenticated via a third-party (i.e. OTA), the third-party needs to gather the customer’s card details, carry out an authentication, and then pass this authentication information onto the hotel to carry out a pre-authentication. However, this is a convoluted process and the existing systems are not set up to manage it.
There are also scenarios in which guests are charged for services after they have checked out – such as items consumed from the mini bar or cancellation fees in the event of no-shows.
These transactions will need to operate under the Merchant Initiated Transaction (MIT)framework so that they can be processed without SCA.
However, this brings with it a list of stringent requirements: the terms and conditions of the merchant need to explicitly mention language around MIT, the initial registration of card details requires SCA, and the consumer cannot trigger the transaction.
Online travel agents
OTAs are in a unique situation when it comes to SCA. Because they handle the entire user experience and serve as an intermediary service between customers and service providers (airlines, hotels, car rental, etc.), they can take card payments from customers on behalf of those third parties.
Moving forward, OTAs will be required to authenticate customers, and it is likely that they will need to provide proof of authentication to third party providers.
This situation becomes increasingly complicated during the sale of package holidays – in which payment is being taken on behalf of airlines, hotels, car rental providers, tour operators, etc.– and authentication information needs to be shared to multiple parties.
Card networks are actively engaged defining the rules to accommodate such complex use cases. We anticipate that it will be an ongoing challenge to ensure these complicated authentication journeys are secure without adding excessive friction to the customer experience.
Secure corporate payments
A specific exemption that has been defined within the PSD2 RTS regulation allows the use of corporate cards in a secure environment.
Such cards and environments are quite common in the travel industry: either as a method to make payments between OTAs and airline merchants or as a method for corporate customers to make travel bookings on their corporate card.
The exemption is taking away potential user friction from SCA in such environment, however the application itself can be a challenge.
Conclusion
Strong Customer Authentication is going to present many challenges to an industry as large and complex as travel.
However, it’s important to remember that the objective of SCA – and the PSD2 regulation it supports – is to make transactions safer and more secure for customers and merchants alike.
The technical aspect of SCA is complex and will vary hugely depending on your business. At the same time, addressing the challenges of SCA will allow airlines, hotels and OTAs to develop a greater relationship with customers and deliver a better, more secure customer experience.
Travel companies will be capturing more information about their customers and can translate it into better customer experiences, loyalty programs and stronger security for sensitive payment data for all customers.
Travel companies will need a payment partner who can provide robust assessments on the quality of data collected with the SCA and look into a specific company’s payment performance to help improve approval rates.