In September 2019, despite calls from many players in the hospitality and travel (H&T) sectors to delay its implementation, PSD2 legislation requiring two-factor authentication (2FA) entered into force in the EU and UK.
Intended to be a leap forward in the prevention of fraud related to credit and debit card transactions, the positive expectation has unfortunately, in some quarters, led to equal measures of disappointment and confusion.
Many believe that the regulation is impractical, with an extremely disparate set of stakeholders unable to comply, either voluntarily or practically.
The overriding problem
It is very common for consumers to book hospitality and travel services through independent online travel agents (OTAs), which provide details on the availability of hotel rooms, flights and car rentals and then book them on demand in real time on behalf of clients of thousands of hotel service providers around the world.
OTAs often capture payment card details – essential for a merchant to receive payment for products and services that will be used at a future date and for which the final balance is usually unknown at the time of booking. These data effectively serve as a guarantee, until the opportune moment to debit the cardholder’s account.
For example, in the hotel industry, OTAs transmit this information to the merchant who will use it to bill customers in the event of late cancellation, “no show” and for any additional service or product consumed during their stay. With the establishment of self-service check-in and check-out facilities, this process has also offered hoteliers additional protection to ensure that they are paid for the duration of a guest’s stay and can charge back all products and services consumed throughout – whether the customer leaves “physically” or not.
However, with 2FA now a legal requirement for online transactions over €30, there is an inherent limitation in the system, with the current state of regulation, which has a huge impact on what used to be common practice in the industry. If the merchant needs to debit a customer’s card where 2FA did not take place, the payment request will be refused by the card issuer. The issuer, by complying with PSD2, has the duty to refuse the payment request, leaving it to the merchant to actually prove the cardholder’s consent to debit his card. 2FA is essentially the electronic proof needed to show that the card holder has authorized a payment, without which the merchant remains exposed.
Some market commentators, fearing an inevitable increase in refused transactions, estimated it could cost the EU and UK hotel industry €5 billion or more in lost revenue per year.
The UK’s Financial Conduct Authority (FCA) has been approached by representatives from the H&T industry and solution providers to examine the issue and offer recommendations to mitigate potential losses.
However, since PSD2 is enshrined in European law, it essentially sets the rules for processing payments while leaving it up to industry practitioners to determine the best way to modify systems and practices in order to comply with them. Although there was a consultation period before the law came into effect, what the legislator may not have fully appreciated is the time it takes for traders, OTAs, technical solution providers, payment service providers (PSPs), acquirers, card schemes and card issuers to fully align with a new set of standards – which had yet to be designed, ratified and mandated, let alone implemented and tested across the H&T industry and the payments ecosystem.
Obtaining 2FA at time of booking has not been the norm in the H&T industry and, in an industry heavily impacted by global travel restrictions and national lockdowns due to COVID-19, the additional burden and cost of upgrading systems and business practices couldn’t have come at a more difficult time.
Following the implementation of the PSD2 legislation, 3D Secure for e-commerce has been mandated by most of the card systems which, in order to minimize refused payment requests, have worked with H&T industry practitioners to define additional “voluntary” standards for providing proof of 2FA in payment transactions.
As laudable as these initiatives are, the process can only be reliable after everyone in the industry has actually signed up, which is likely to take an indefinite amount of time.
The crux of the matter is that the changes required in industry standards to help facilitate 2FA have taken some time compared to the new legislation – indeed, many of these standards have only been published at a relatively recent stage of the project and, without being mandated, will probably take years to achieve mainstream adoption.
During this time, card issuers have no choice but to comply with the law, so many transactions are inevitably refused even though they would have been previously authorized, putting the merchant at risk, and the consumer suffers as a result.
One solution could be for the cardholder’s payment to be taken at the time of booking and refunded, if applicable, after the event. However, this would almost certainly prove unpopular with consumers booking services often weeks or months in advance and with high average transaction values.
However, all is not lost. It is already becoming evident that many PSPs and merchants are adjusting to the changes.
For example, the use of “Pay-by-Link” payment solutions enables OTAs and merchants to obtain 2FA following the reservation, thus ensuring the essential guarantee of future payment, before arrival. This process also offers merchants the option of obtaining the cardholder’s consent for any incidental charges occurring before, during or after the customer’s stay, with the secondary benefit of being able to sell other services as part of the process.
The implementation of the latest 3DS compatible payment solutions for online merchant-owned reservation services also ensures that merchants securing business directly not only have a lower acquisition cost, but also a higher authorization success rate, coupled with the benefits of a payment guarantee for incidental costs.
Add to that the fact that merchants with little history of e-commerce fraud can also ask qualifying acquirers for a “Transaction Risk Analysis (TRA) exemption”. This effectively removes the need for 2FA on most transactions, providing a high authorization success rate while simplifying the cardholder’s experience. TRA exemptions often come with the condition of using appropriate anti-fraud monitoring tools.
Despite the challenges, the industry is clearly motivated and obliged to find ways to adapt within the current legislative framework. It is very encouraging to see a growing number of H&T reservation solution providers redouble their efforts in working with the payments industry to ensure that reservations contain all the vital data necessary to ensure that their merchants are paid for the business they acquire on their behalf.
I am confident that as new tactical solutions emerge, industry operators and traders will not only mitigate the negative impacts of PSD2, but also find new ways to maintain or improve the overall consumer experience. Only time will tell if the cost to industry of implementing PSD2 compliance is justified when compared to the fraud reduction it was supposed to bring.
About the Author:
Tony Hammond is senior vice president of global product delivery at FreedomPay.
Prior to joining the company in 2018, he served as Senior Director EMEA – Payment Solutions at Oracle.