It’s hard to believe it was only last year that GDPR came into effect, after many months of pushing companies all around the world to reassess how they capture, store and treat the personal data of European consumers.
This September, another European standard known as PSD2 (the second Payment Services Directive) and requiring Strong Customer Authentication (SCA) will come into play, changing online payments as we know them.
In accordance with the Regulatory Technical Standards drafted by the European Banking Authority and introduced under PSD2, most online payments in the European Economic Area (EEA) will require SCA from September 14, 2019.
SCA will apply whenever both the issuing bank (the consumer’s bank) and the acquiring bank (the bank the consumer’s funds are being transferred to) are located in the EEA.
With Worldpay reporting that card-not-present fraud now accounts for almost two-thirds of all fraud in Europe, it is hoped that PSD2 will reduce online fraud and better protect the security of European consumers.
To achieve this, it has been designed so that:
- Consumers have to complete SCA, typically via a two-factor authentication (2FA) process, to approve almost all online payments where both the issuer and acquirer are within the EEA. This means that for each payment, a consumer will need to satisfy two requests, each for something that only that consumer knows, has, or is, such as a PIN code or face ID. The 2FA process will typically have a time constraint of a few minutes between when a payment is attempted and an associated authentication is requested, and when it needs to be provided.
- Payment service providers (PSPs) – such as banks and payment gateways – have to facilitate the above 2FA process for consumers making online payments, in order to satisfy their SCA obligations.
Where consumer protection and conversions collide
For all of us who operate within the field of travel, PSD2 is another regulatory attempt to protect the consumer, but without fully contemplating the practical impacts to how our increasingly-complex industry operates.
One of the unique, and often problematic, aspects of the hotel and travel industry is the plethora of payment choices made available to consumers, along with the timing of those payments in relation to the consumption of the product.
Unlike most e-commerce transactions that require consumers to fully pay for their product at the time of purchase, there are numerous ways the modern hotel guest can book and pay for their accommodation.
"PSD2 is a timely reminder of how fast and demanding today’s landscape is for hoteliers, who should stay across the latest movements." (Renee Robbie, SiteMinder)
Among these may be the need to pay a deposit, pay in full upfront, pay later for a stay or extras, or pay a cancellation fee or no-show fee.
In spite of PSD2 looming, a lot remains uncertain, including how hotels will charge for cancellations passed through OTAs.
Cancellation charges pose a large area of concern, given that the guest will not be around to perform 2FA when a hotel needs to process a payment to the card saved on file.
What does this mean for an industry where both cancellations and bookings made via third parties are so innate?
Without doubt, the friction created by having to perform SCA is a barrier to businesses such as OTAs and internet booking engines that work hard to convert online browsers into reservation-holding guests.
From September, these businesses will need to decide between adding friction to their booking process and hurting conversion, or not performing SCA and creating the risk that the cards they have captured will be declined when payment is attempted later by the hotel when the guest is not present.
It’s not an enviable position for any accommodation booking site to be in, as established masters of online marketing and paths-to-purchase. Will there be consequences for failing to perform SCA?
And, do those consequences outweigh the loss of conversions? Will we see booking sites start to take more payments upfront or will they pass the authentication burden to the hotel?
The clock is ticking to make a choice.
The chain reaction
Since the rise of the digital era, the hotel payments landscape has served as one of the most complex areas for any hotel technology provider and, indeed, any hotelier, to navigate through.
In large part, this has been due to the fact that hotel payments conceal an incredibly intricate and highly-regulated process that involves the entire hotel distribution chain; typically including an OTA or booking engine, a channel manager, a property management system, a payment gateway or processor, and, of course, a hotel.
Each of these parties has a critical role to play in the capture and transfer of credit card details before a payment is even made.
In the world of PSD2, all of these parties will need to work all the more seamlessly together, be ready to perform SCA and pass along the required values, at the right points in time, to successfully process a consumer’s card payment.
And, that process may well occur after the point in time in which an online hotel booking is made. Unlike e-commerce transactions where the cardholder is "on session" at the time of making a payment, hotel payments are often taken when the cardholder is "off session."
That is, while a hotel guest will enter their credit card details at the time of booking, the actual payment of deposit, balance, extras, cancellations or no-shows often happens at another point in time when that guest is off session and unlikely to be available to complete SCA.
How hoteliers can best prepare, for the known and unknown
The hotel industry today has the lowest level of compliance with the Payment Card Industry Data Security Standard, with only 38% of hospitality companies being considered fully compliant, according to Verizon.
It is also no secret that the industry suffers from a lack of education and awareness about the benefits of technology on guest experience, operational efficiency and cost reduction. Add lofty regulations to these realities, and it is almost as though the digital era and hospitality cannot co-exist.
Indeed, a lot remains uncertain in spite of PSD2 being a mere two months away, including what exactly will happen in the very real and common instances of hotel guests entering their credit card details at the time of booking, and a hotel attempting to charge these on-file cards later, either through a terminal or an online gateway.
Card-on-file payments represent a significant share of hotel payments, either in terms of deposits, balance payments, or payments for extras and no-shows.
While there is some enthusiasm for the use of an exemption, whereby payments are flagged as Merchant Initiated Transactions (MIT), this exemption still requires SCA to be performed at the initial payment or at card capture.
Many merchants are thinking that they may be able to use MITs to avoid the need for SCA, but are failing to consider the initial mandate requirement and which party will be responsible for performing it.
Before 14 September, hoteliers should:
- Review their current payment workflows and be aware which of those may be impacted by SCA. The table below shows how different types of payments and card details will be impacted by SCA.
- Consider alternative payment workflows to become exempt from SCA or make it easier to capture SCA. Hoteliers can do this by getting payments in person (when the credit card and PIN are sure to be present), upfront through their booking engine (so as to minimise the risk of not being able to charge the credit card-on-file), or via an OTA that issues a virtual card (as virtual cards are exempt from the regulation).
Important disclaimer: PSD2 and SCA handling in the hospitality industry is an evolving space. The payment flows outlined in this table are SiteMinder’s interpretation of the information that is currently available and should not be considered permanent.
Additionally, hoteliers should ask each of their technology partners, who are responsible for capturing or passing along guest credit card details, how they are preparing for PSD2 and SCA. This includes their OTA partners.
Given that most credit cards in our industry are captured by OTAs, hoteliers should make sure their OTA partners will perform the SCA at the time the card is captured and create a mandate agreement with the guest that the payment can be processed at a later stage.
Watch this space
Credit cards won’t be disappearing any time soon, with recent research from YouGov and ACI Worldwide showing they are still the most popular means of payment when booking holidays online.
Further, 74% of consumers prefer to book their accommodation via a digital device and only 10% book in person.
Yet, PSD2 is another heavy-lift regulation with significant impacts that all hoteliers should be aware of.
It also extends to the many providers of hotel property management systems (PMSs) and internet booking engines (IBEs) in Europe – SMEs in their own right – who are challenged to meet requirements given the limited technical and financial resources at their disposal.
As though the challenge of connectivity is not difficult enough to overcome in a space that also demands continuous innovation, these PMS and IBE providers now have to be concerned with the fundamental issue of how their hotel customers get paid.
Truly, while it is often said that the hotel industry lags others in innovation and adoption, the barriers to entry for both new and existing technology players, during these times, seem insurmountable.
Online travel in Europe is currently growing 5-6% year-on-year, and around 3-in-4 trips made by Europeans are classified as domestic trips.
So, the impact and ask of PSD2 is by no means small. However, with so much still unknown, will the deadline to comply with PSD2 be extended? Only time will tell.
For now, one thing is certain: PSD2 is a timely reminder of how fast and demanding today’s landscape is for hoteliers, who should stay across the latest movements.
This is an evolving space that will inevitably change online payments as we know them, no matter how unique or much more complex the hotel industry might be than those for which the regulation has been written.