The new EU requirements for authenticating electronic payments are good news for travel brands, providing easier purchasing processes and greater protection from fraud — without the need for additional security measures on your end.
Here’s a brief look at what your business should know about these changes, what you can do to prepare your business, and the steps Travelport is taking to help. For more details or specific questions, please contact your account manager today.
What is Strong Customer Authentication (SCA) and when does it come into effect?
SCA is a new set of rules under the Second EU Payment Service Directive (PSD2), designed to reduce fraud and make electronic payments more secure.
The new SCA requirements will be implemented across most of Europe on December 31, 2020, with France and the UK to follow in 2021 — full implementation is due in France on March 31, and in the UK on September 14.
What does this mean and who do these rules apply to?
SCA requirements apply to any “customer-initiated” electronic payment within the EEA. Essentially, to be compliant, any business accepting or managing electronic card payments will need to authenticate the cardholder using a two-factor authentication method.
Let’s review what two-factor authentication looks like under the new SCA requirements:
Any transaction using an electronic payment card will require the purchaser to confirm their identity using two of the following authentication methods:
For face to face/retail transactions, this can be as simple as Chip and Pin, where the two factors are:
- something they own — the physical card, and
- something they know — the pin
For eCommerce transactions, cardholders must be authenticated using version two of 3D-Secure (3DS2) — in this case, the two factors might be:
- Something they know — like a one-time password sent by the bank, and
- Something they own — like a registered device (i.e., smartphone) or an email address
Are there any exemptions to the SCA requirements?
There are a few exemptions to the requirements, but only one will be relevant to the travel industry.
The relevant exemption is as follows:
Secure Corporate Payment (SCP) Exemption:
Any travel booking originating from within a secure corporate channel (i.e., not consumer facing), and made using a corporate, lodge, or virtual payment card, may qualify for this exemption.
Once a booking process has been approved and validated as a secure corporate channel by issuers and competent authorities, an SCP exemption can be requested for each qualifying payment card transaction.
If an SCP exemption is being applied for (typically, by a travel management company or corporate booking tool), then all the appropriate agreements between the parties involved in the booking and payment process must first be in place.
There are also some transactions which fall outside the scope of SCA, these include:
- Mail Order/Telephone Order (MOTO) transactions:
SCA requirements will not apply if a customer has made a booking with their agent by phone or in writing (email/letter), and the agent has entered the payment card numbers manually.
It’s important to remember that this exemption only applies if the booking did not originate through a website. MOTO transactions will also be coming under intense scrutiny once SCA has been implemented.
- Merchant-Initiated Transactions (MIT):
MITs are also currently considered out of scope — these are payments taken by the merchant without the involvement of the cardholder, like a car or hotel no-show. These will, however, still require authentication, and for the cardholder to have accepted the terms and conditions at the time of booking.
What this means for your travel brand:
While these new requirements have presented a particular challenge for the travel industry because of the many channels through which payments can be processed, for OTAs and hotels, the new SCA requirements are actually good news. It means that your business transactions will become fraud-free — including no agency debit memos for a chargeback from an airline, and you will no longer need to implement additional fraud prevention measures.
It is a lot to process, but as long as you have properly authenticated a card transaction, your business will be spared the burden of liability for fraud, as this will now sit with the card-issuing bank.
It also means that it will be important to ensure you’re working with the right distribution partner, because a card-issuing bank can decline any authorization for an EU transaction they believe to be improperly authenticated.
How to prepare your business for the new requirements:
In short, if you would normally pass the payment process through to the travel supplier, you will now have to either:
- Carry out authentication and forward a confirmation to the airline, hotel, or other travel supplier, or
- Indicate if the payment is out of scope or exempt from SCA
For eCommerce transactions, where the cardholder has been authenticated by an agent with 3DS2, the payment transaction should be flagged as an eCommerce transaction with the 3DS2 information included.
As well as ensuring your point of sale is compliant (using 3DS2), we recommend that you identify, and speak to all of your business partners involved in your payment processes to ensure that you all fully understand your respective roles and responsibilities in the compliance process — as well as how to do it.
What we are doing to help:
Agencies will now need to pass the required 3DS2 data to Travelport with the payment card details, and our new dedicated payment API is designed to make this process easier — it will transport all the required 3DS2 response data collected by an online agent, and include it in the authorization on behalf of an airline merchant.
It ensures that the required 3DS2 data is included in any downstream card processes (i.e., authorization through Travelport’s GDS, and settlement through IATA Billing and Settlement Plan), as well as ensuring our air customers are in full compliance with the new directive.
This means that any payment card transactions received across the API, along with the 3DS2 authentication response data, will be flagged in the authorization as ‘eCommerce’, and included in the authorization request message to the issuer.
In addition to air, we’re also working to implement SCA through our new API solution across hospitality (hotel, car hire, rail) and low-cost air carriers — which will include passing SCA exemption flags where applicable, for example, secure corporate payment exemptions, which will generally apply to verified TMCs and CBTs.
For more details about our new payment API and how we can help support your business, contact your Travelport Account Manager today.