Why PSD2 SCA is a Challenging Journey for the Travel Sector

The decision by many regulators not to enforce PSD2 Strong Customer Authentication (SCA) on electronic payments on 14th September has given valuable breathing space to e-commerce and payments players. However, the travel and hospitality sector will find compliance extremely challenging even with the benefit of proposed 18 month managed implementation periods.

According to a recent research study commissioned by leading travel distribution and technology company Amadeus, only 35% of travel and hospitality businesses would have been ready for the 14th September deadline. With specialist travel industry analyst Phocuswright forecasting European online travel bookings of the order of €180 billion, any disruption to travel payments will have a significant economic impact for the sector and the payment providers who support it. This post reviews some of the key SCA issues facing travel and hospitality payments in a PSD2 world. It also proposes some starting points for travel companies looking to address the challenges.  

Only one in three travel companies are ready for PSD2 SCA and two thirds expect a negative impact on sales

The travel company PSD2 SCA readiness survey at the heart of the Amadeus report shows a low level of industry readiness and significant concerns over the impact of SCA.

• Only 35% of travel businesses would have been ready to apply SCA by the 14th September 2019 deadline
• 65% believe that SCA will have a negative impact on online sales with respondents fearing that between 10% and 20% of all travellers will abandon bookings during the payment process if SCA is mandated
• Few are yet taking positive steps to prepare travellers for SCA. Less than 20% have made any attempt to increase customer awareness, although 42% are planning on doing so “soon” and a quarter are just going to “rely” on card issuers to communicate with customers
• Travel companies are going to rely on “banking and technology partners” to deliver compliant solutions

Concerns about abandonment reflect the findings of a recent 451 Research report produced on behalf of Stripe, which predicted a negative impact of €57 billion across the EU online economy in the first year after SCA takes effect.

PSD SCA set to add to the inherent complexity of travel and hospitality payments

Travel and hospitality payments have always been complex. Distribution, booking and delivery involves multiple parties with a mix of direct and indirect, merchant and agent models and frequent cross-border transactions.

By way of example, a trip may be booked through an OTA such as Expedia or Booking.com, who will generally take card details to guarantee elements of the booking. That booking will however frequently be fulfilled by multiple suppliers – an airline, one or more hotels a car rental company etc. The agent will be responsible for the application of SCA where it is required, but in many instances the supplier will collect the payment, often sometime later when the traveller arrives or checks out.

The picture is further complicated in that while a booking may look to the consumer like a pure e-commerce transaction, manual intervention in the payment process is common and leading legacy booking, payment and settlement systems have not traditionally supported payment security solutions such as 3-D Secure.

The simple assumptions on the nature of e-commerce transactions that underpin the PSD2 SCA Regulatory Technical Standards (RTS) never took account of this level of complexity and this makes compliance particularly challenging.

Fortunately, there are some type of payments that are common within the Travel Industry that are out of scope of SCA. These include:

• Bookings that are considered Mail Order Telephone Order (MOTO),
• Merchant Initiated Transactions (MITs), where the payer does not actively trigger the payment (so long as SCA was applied when the agreement governing the MIT was set up), and  
• One-leg-out transactions where either the payer’s PSP or the payee’s PSP is outside the EEA

The PSD2 RTS also make available a number of exemptions to the application of SCA where transaction risk is lower.

The Amadeus research indicates that just over 75% of firms expect to be ready to authenticate online customers according to SCA requirements by mid-2020. In our opinion that is optimistic. While those directly processing transactions should have adopted 3-D Secure by then, we think it is unlikely the ecosystem will be in a position to optimise application of exemptions. We also believe that the managed implementation timescales being agreed with regulators may not offer enough time to resolve the complex payment challenges that PSD2 SCA sets for the travel and hospitality industry. Examples of where the issues lie include:

• In the agent booking model, where the party applying the SCA is not the merchant of record (MOR), there are complexities associated with meeting the dynamic linking requirement and ensuring that a merchant requesting authorisation of a transaction can prove that authentication has been successfully applied.
• In many cases, intermediaries and merchants do not have full visibility of the origin of the transaction and it may not be clear whether SCA has been or needs to be applied.
• The use of MOTO is also complex. The fact that travel and hospitality transactions have commonly been classified as MOTO in payment systems offers to opportunity to simplify things in the short term by treating these transactions as out of scope. However, the fact that such payments may not necessarily originate through a true MOTO channel may in future be challenged by regulators.
• Agreements to apply delayed, incremental and no-show charges will need to be authenticated in most cases and this can cause complications.   
• The legal interpretation and actual implementation and management of the secure corporate payment exemption is quite uncertain, with “secure payment processes and protocols” having to be approved by the regulators or National Competent Authorities (NCAs). This is complicated in a multi jurisdiction environment such as Europe and when the parties such as corporate Travel Management Companies (TMCs) that often operate what may be considered secure corporate payment environments are not regulated by the NCAs.  

There are solutions that will alleviate the impact

Correct identification of out of scope transactions and efficient application of exemptions will considerably alleviate the impact of SCA on consumers. The Amadeus study indicates that travel companies recognise this with over 70% stating they plan to apply exemptions.

The payments industry has also been working hard to put in place the tools and guidance that will optimise the application of SCA and minimise the disruption to the purchase experience.

3-D Secure is key to the approach for card payments. The main schemes are mandating Issuer adoption of the latest version of 3-D Secure (EMV 3DS 2.2.0) By September 2020. The Amadeus research reports that 56% of respondents intend to use 3-D Secure 2.0. The reality is that all agents and intermediaries initiating e-commerce transactions and merchants taking online payments will need to support it.

This does bring benefits. 3DS 2.2.0 includes flags to identify exemptions and tools such as 3DS Requestor Initiated (3RI) messages that will help meet the dynamic linking requirement in complex multi-party scenarios.    

Card schemes are also introducing new authorisation message flags to indicate out of scope transactions and the application of exemptions. Additional frameworks and rules are being put in place to ensure correct identification and processing of MITs.   

There is however still a lot of work to be done to enable agents, intermediaries and suppliers to support these tools, to take full advantage of the exemptions and of out of scope transactions and to ensure they are compliant with the regulation.  

What should travel sector players do?

Key practical steps that we think the travel and hospitality must do now to ensure that they are PSD2 SCA compliant or working towards it under agreed managed roll outs are:

• Come fully up to speed with the requirements of the regulation, understand what they mean in a travel and hospitality context and what solutions are available
• Work with their technology providers and the payment card schemes to better understand the tools available such as EMV 3DS2.2.0 to meet the PSD2 SCA regulatory requirements and manage the exceptions. Check with the card schemes and your acquirers and payment facilitators for guidance 
• Map existing business processes to identify and manage PSD2 SCA challenges and opportunities going forward
• Work with travel and hospitality trade associations such as UK Hospitality and UK Finance who are working closely together on travel and hospitality PSD2 SCA compliance during the managed roll out programme in the UK and also with other European trade associations and the local NCAs

Taking these initial steps will help make the transaction to PSD2 SCA a slightly less challenging journey for the travel and hospitality sector.