In September 2019, PSD2 legislation, which requires two-factor authentication (2FA), went into effect in the EU and the UK, although many in the hospitality and travel (H&T) sectors were asked to postpone its implementation.
The hospitality industry wants to adapt its payment processes to PSD2
Conceived as a quantum leap in fraud prevention for credit and debit card transactions, PSD2 raised positive expectations that have unfortunately given way to disappointment and confusion in some circles.
Many believe that the rules are impractical, because a very diverse group of stakeholders cannot comply with them, whether by choice or in practice.
The overall problem
It is common for consumers to book their hospitality and travel arrangements through independent online travel agents (OTAs), who provide details of hotel room, flight and rental car availability and then book them in real time, on behalf of customers, with thousands of hospitality providers worldwide.
OTAs often collect payment card details – important for a merchant that needs to receive payment for products and services that will be used at a later date and whose final balance is usually not known at the time of booking. In practice, this information serves as a guarantee until the right time comes to debit the cardholder’s account.
For example, in the hospitality industry, OTAs transmit such details to the merchant, who uses them to bill guests for late cancellations, “no shows” and even for additional services or products consumed during their stay. With the increasing implementation of self-service check-in and check-out facilities, this process also gives hoteliers added protection: it ensures that they are paid for a guest’s entire length of stay and that all products and services consumed throughout that period can be billed, whether or not the guest “physically” checks out.
However, since 2FA is now a legal requirement for online transactions over €30, there is an inherent limitation in the system, as the regulations currently stand, that has a major impact on common industry practice. Should the merchant have to charge a guest’s card where no 2FA has taken place, the payment request will be rejected by the card issuer. Under PSD2, the issuer is obliged to refuse the payment request where the merchant cannot effectively prove the cardholder’s consent to debit the card. 2FA is essentially the electronic evidence needed to show that the cardholder authorized a payment; without it, the merchant is left exposed.
Some market commentators fear an inevitable spike in rejected transactions, estimating it could cost the hotel industry in the EU and the UK €5 billion or more in lost revenue annually.
The UK’s Financial Conduct Authority (FCA) was contacted by H&T industry representatives and solution providers to investigate the issue and make recommendations to mitigate potential losses.
However, as PSD2 is enshrined in European law, it essentially sets the rules for processing payments, while leaving it up to industry practitioners to decide how best to modify systems and practices to comply with the rules. There was a consultation phase before the law came into force, but what the legislature may not have fully recognized is the time required for merchants, OTAs, technical solution providers, payment service providers (PSPs), acquirers, card systems and card issuers to fully align with a new set of standards – which still had to be developed, ratified and commissioned, let alone implemented and tested in the entire H&T industry and in the payment ecosystem.
Obtaining 2FA at the time of reservation was not the norm in the H&T sector, and the requirement arrived at an especially difficult time for an industry severely impacted by global travel restrictions and national bans due to COVID-19.
Following the implementation of PSD2 legislation, 3D Secure was required for online commerce by most card schemes, which have worked with H&T industry practitioners to minimize rejected payment requests by defining additional “voluntary” standards for demonstrating 2FA in payment transactions.
As praiseworthy as these initiatives are, the process can only be reliable if all players in the industry actually “agree” with one another, which will likely take an indefinite period of time.
Where to go next
The crux of the problem lies in the fact that the changes in industry standards required to facilitate 2FA have lagged behind the new legislation for some time – in fact, many of these standards were only released in draft relatively recently, and it will likely take many years after they have been mandated for them to achieve widespread acceptance.
Meanwhile, card issuers have no choice but to comply with the law, and inevitably many transactions that would previously have been authorized are rejected, at the risk of harm to both merchants and consumers.
One solution could be for the cardholder’s payment to be taken at the time of booking and possibly refunded after the event. However, this would almost certainly prove unpopular, since consumers often book services weeks or months in advance and the average transaction values are high.
All is not lost, however. It is already becoming apparent that many PSPs and retailers are preparing for the changes.
For example, the use of ‘Pay-by-Link’ payment solutions enables OTAs and merchants to obtain 2FA after the reservation has been made, providing the essential guarantee of future payments prior to arrival. This procedure also offers merchants the opportunity to obtain the cardholder’s consent for any additional costs that may be incurred before, during or after the guest’s stay, with the additional benefit of selling other services as part of the up- and cross-selling process.
The implementation of the latest 3DS-enabled payment solutions for merchants’ own online booking services also ensures that business customers secure not only lower acquisition costs, but also a higher authorization success rate, combined with the advantages of a payment guarantee for incidental costs.
In addition, merchants with a low history of fraud in connection with online trading can also apply for a Transaction Risk Analysis (TRA) exemption from qualified acquirers. This effectively eliminates the need for 2FA in most transactions and offers a high authorization success rate, while simplifying the cardholder’s experience. TRA exemptions are often conditional on the use of appropriate anti-fraud tools.
Despite the challenges, the industry is clearly motivated, and forced, to find ways to adapt to the current legal framework. It is very encouraging to see a growing number of H&T reservation solution providers redoubling their collaboration with the payments industry to ensure that reservations contain all of the critical data needed for their merchants to be paid for the business acquired in their name.
I am confident that as tactical solutions emerge, industry operators and retailers will not only mitigate the negative effects of PSD2, but will also find new ways to maintain or improve the overall consumer experience. Only time will tell if the industry cost of implementing PSD2 compliance is justified when compared with the expected reduction in fraud.
About the author:
Tony Hammond is Senior Vice President of Global Product Delivery at FreedomPay.
Before joining the company in 2018, he was Senior Director EMEA – Payment Solutions at Oracle.