Amadeus recently conducted research to assess the travel industry’s readiness for new payment security rules in Europe. Jean-Christophe Lacour, the company’s head of merchant services for payments, explains what is changing and when, and discusses the implications.
The way consumers make payments in Europe will enter a new era from Dec. 31, 2020 (September 2021 in the United Kingdom), as the Strong Customer Authentication requirements of the Payment Services Directive II come into force. SCA mandates that the vast majority of online payments made in the European Economic Area be subject to two-factor authentication; for example, entering a one-time passcode sent to your phone alongside payment card details when conducting an e-commerce transaction.
This seemingly minor change has significant implications in corporate travel, where bookings often involve multiple travel suppliers in a single transaction and cardholders are not typically present. There are many players in the distribution chain that must play a role in making SCA checks happen.
According to our research, conducted June through August, only one-third of 60 responding airlines, hotels and travel agencies expected to be ready to apply SCA checks across all sales channels by Dec. 31. Many had expected the European Central Bank to again push back the deadline, but that hasn’t happened despite our research showing Covid-19 set back SCA programs in travel by an average of six months.
The Secure Corporate Payment Exemption
Applying SCA for corporate travel is difficult. Even at this late stage, there remains some uncertainty about how authentication should work in certain scenarios. However, the Secure Corporate Payment exemption holds promise.
According to the European Banking Authority, card issuers can exempt payments from SCA for “processes or protocols that are only made available to payers who are not consumers” if they guarantee at least equivalent levels of security and satisfy competent authorities.
One example could be corporate self-booking tools, where payments occur in closed environments, likely behind a company firewall and using a virtual private network. Due to these advanced security features, some local regulators view the probability of fraud in a closed corporate system as lower than in other channels. Therefore, payments initiated in corporate self-booking tools may often be exempt from SCA. However, the decision to allow the exemption depends on the local competent authority, so it’s essential to understand each market’s specific regulations.
Lodge cards and virtual cards also may be subject to authentication exemptions. A virtual card issued on behalf of a company cannot be authenticated by an individual (because it isn’t associated with one). The same is true for lodge cards. In addition, virtual cards tend to be single-use, available only for a transaction with a specified merchant, often for a specified amount. This makes virtual cards far more resistant to fraud than lodge cards. Again, the local regulators’ views will determine if virtual cards can be considered exempt from SCA.
When a travel management company designs its payment process to adhere to the Secure Corporate Payment requirements, a payment can be flagged as such when provided to the card issuer. In theory, all payments could then proceed.
In this scenario, the travel supplier remains the merchant of record, and the TMC only handles the authentication, passing the SCA data through the chain to the travel supplier. However, it is the merchant of record that assumes liability for any fraud. If a TMC opts for this pass-through model of SCA and persistent fraud is discovered, the travel supplier would be expected to cover any losses incurred.
The Elephant In The Room: Business Model Change
For some TMCs, SCA could be the trigger that prompts them to consider a business model change. They may assess how they collect the customer’s card information — perhaps via the TMC’s self-booking tool, via email or face to face — and decide it is too difficult to deliver SCA in every scenario. For example, in face-to-face bookings, there is no physical payment card terminal on the market that completes authentication with the cardholder and then forwards that information to the distribution system and eventually on to the travel supplier to process the payment. Such technology doesn’t exist.
In this case, a TMC could decide to adjust its model and become the merchant of record. It would process the payment and assume legal liability. It might do this because it significantly reduces the complexity of authenticating the cardholder. A TMC can perform the SCA check at the time of booking — no matter how the corporate traveler chooses to book — in much the same way an airline does when a leisure traveler makes a booking on its website.
In this model, an airline or hotel need not try to authenticate a customer after the fact. A TMC would neither need to convey the authentication data through the distribution chain nor request an exemption on behalf of an airline.
When the TMC becomes the merchant of record, it completes the payment with the traveler and then settles with its suppliers, perhaps using B2B virtual card payments. By splitting a single but very complex payment flow into two neater and more controllable payments, it’s potentially much easier to meet SCA’s requirements in corporate travel. TMCs should map out payment flows to decide if the merchant of record model is right for their businesses.
The corporate travel world has been awaiting the capability within distribution systems to flag transactions as Secure Corporate Payments. This is an important step in allowing more payments to legitimately proceed without the need to actually perform an SCA check — protecting the overall booking experience. Amadeus designed an API update, now in testing, that will deliver this capability to the industry at the beginning of next year.