Payment Services Directive II – Strong Customer Authentication

19 Nov 2019

·        What is PSD2 SCA? The Payment Services Directive: Part II – Strong Customer Authentication (PSD2 SCA) is a directive issued by the EU which implements regulatory changes in the payment card sector.  PSD2 is effective from 14th September 2019. Its aim is to support online business travel transactions between the issuing and acquiring banks throughout the EU and European Economic Area (EEA).  PSD2 focuses on tackling credit card fraud by implementing additional authentication processes (SCA using 3DSecure protocols).
 

·        Is SCA new? The use of two-factor authentication has existed for many years; for example, it is used to access online banking portals. The volume of online transactions has steadily increased over the past decade and is expected to continue to do so, and with this growth, instances of payment fraud have also increased. SCA is being utilised as a way to protect customers from the impacts of online fraud, which currently stands at €1.3 billion. PSD2 mandates the expanded use of SCA to include online purchases made with individual credit cards throughout the EU/EEA.
 

·        Which countries does it apply to? The regulations apply to all countries in the EU (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom).  In addition, EEA countries are included: Iceland, Liechtenstein and Norway.  Whilst Switzerland is neither an EU nor an EEA member, clients and travellers may still be affected in a few exceptional circumstances, such as a Swiss client using an EEA-issued card where the booking is made via a public website located in the EEA/EU.
 

·        Is implementation complete as of 14th September? Currently, not all impacts are known or understood.  Implementation by banks and merchants is fragmented, and their interpretation of the Directive is inconsistent.  It is affecting the travel booking and payment experience and, as a result, some bookings are potentially failing.  Variations occur at country as well as bank and merchant levels.
 

·        What are the additional SCAs? These vary by provider and include One-Time Passwords/PINs entered via bank-generated pop-up boxes, approval through an electronic device such as a mobile phone, or biometrics to proceed with the booking payment.  Credit card providers should have already explained how these are generated or delivered to cardholders.
 

·       Are all payment means affected? The Directive affects individual (physical plastic) card payments on public online channels, such as bookings made directly on Low Cost Carrier (LCC) websites.  This relates to personal as well as individual corporate credit cards. Transactions for online bookings made with other forms of payment, such as virtual payments, lodge cards and direct debit, are not affected and remain unchanged.
 

·       Do all transactions require SCA? Travellers booking through online booking tools (OBTs) may require two-factor authentication during the final check-out/payment process. Whether or not a transaction is challenged will depend on individual bank participation, transaction risk assessment, value of transaction and the banks involved in the transaction. Ultimately the issuing bank decides whether SCA is required. Mail Order/Telephone Order booking transactions do not require SCA.
 

·        Will more than one item in a booking require multiple SCA?  SCA is required for each check-out.  Therefore, if a hotel and a flight are booked separately as part of the same itinerary, then the two-factor authentication can be performed on each transaction.  However, if a “basket shop” is used where, for example, flight, hotel and car hire are all purchased in one single transaction, then only one two-factor authentication would be required.
 

·        How are hotel bookings charged after check-in/prepayments processed?  Card details are entered at check out and this is when two-factor authentication is done.  Details of this are stored and facilitate the charge to the card when it is actually processed.

Hotel bookings made in the GDS are not affected.  Web-based hotels that require card details at the time of booking will probably require the two-step authentication process.  However, the hotel industry is extremely fragmented in its understanding and interpretation of PSD2.  Many hotel chains/consolidators are either not ready or consider themselves exempt.
 

·        How are bookings with LCC affected?  For LCCs, the Travel Management Company may use a virtual card to pay the airline.  The traveller’s credit card is then charged by the TMC as a merchant of the transaction.  If the transaction is challenged by the issuing bank of the traveller, two-factor authentication during check out must be carried out.  However, the TMC will not charge the credit card until after the virtual card payment has been processed post-ticketing.
 

·        How are car rentals affected?  These are generally paid by the traveller over the counter to the rental agency directly.  In-person transactions are not affected, so there is no impact.
 

·        Is the Directive fully implemented or is it being delayed?  The Directive comes into force on 14th September 2019.  However, it requires both banks and merchants to “switch on” SCA for it to become live.  Some financial regulatory bodies (not all) have announced that they will delay enforcement. However, as they currently foot the bill for the best part of online credit card fraud, it is in their interest to introduce it as soon as they are ready.

Recommendations

Card holders should confirm that their contact information is up to date with the bank so that details of the two-step authentication can be issued.

Consider the use of a Lodge Card instead of individual credit cards.  Transactions made via Lodge Card are classified as B2B and therefore exempt from two-factor authentication.  

Check with your credit card provider which SCA methods are being implemented.

Ensure travellers are aware of the need for SCA and the resulting change in finalizing a booking.


Background

The ITM is aware that, as of 14th September, the implementation of this Directive is still very fragmented and open to individual interpretation by both banks and merchants but is likely to affect the majority of travellers who book using Personal or Corporate Credit cards online.

It is advised to check with your TMC to gain an understanding of their readiness, and with your credit card provider to determine what steps are being implemented for SCA.  Bookings made via GDS, in-person or over the phone are not affected but all those made online via an OBT will be. Both individual and corporate physical (plastic) credit cards are affected and card holders need to ready themselves for the roll-out of two-factor authentication when making bookings online.

The ITM would advise Travel Managers and Procurement to investigate the use of Lodge Cards where not already used; these are seen as B2B transactions and are out of scope for the use of two-step authentication (SCA).

In the event of Brexit, it is anticipated that the UK Financial Conduct Authority will continue to implement and enforce these regulations as they are designed to reduce credit card fraud.