Get ready for major changes to payments processing - PSD2 is on its way
By Claire Sawier and Don Cronin
Just a little over a year since GDPR came into force, hoteliers are facing yet more EU legislation with the adoption of the second European Payment Services Directive (PSD2). Here’s what all the fuss is about.
What is PSD2?
If you haven’t heard of PSD2 then you are not alone, as awareness across the industry is only beginning to pick up. PSD2 is a follow-up to the initial European Payment Services Directive (PSD1), which was adopted in 2007 to make cross-border payments easier, more efficient, and more secure within EU Member States. PSD2 is being introduced in order to widen the scope of the initial directive. PSD2 is due to come into force on September 14th, 2019, although it’s increasingly likely that implementation may be delayed as many Payment Service Providers (PSPs) and merchants continue to struggle to be ready to meet the deadline.
Why is PSD2 being introduced?
There are a number of important benefits to PSD2. It will enhance the initial successes of PSD1 in the prevention of payment fraud and will strengthen data security protection, which is really important in today’s digital payment environment. PSD2 will benefit consumers by making cheaper and more innovative electronic payment options available. New players have emerged in the area of internet payments which enable consumers to pay instantly without the need for a credit card. Examples include Apple Pay, Google Pay and PayPal. PSD2 will regulate these new payment options and make it easier and safer for consumers to access them. This is great news for around 60% of the EU population who do not have a credit card (figures according to the European Commission, Payment Services Directive FAQ).
Another significant element of PSD2 is Strong Customer Authentication (SCA), which aims to reduce credit card fraud and make payments more secure for consumers by requiring ‘two factor’ customer authentication in payment processes. In other words, payment processing must challenge users for more identification information before allowing any card charge. The introduction of SCA is a significant legal requirement.
How will Strong Customer Authentication (SCA) be applied?
Strong Customer Authentication mandates that for online payments, both originating and terminating within the EU, at least two of the following three factors must be provided by you online in order to validate the card and allow payments to proceed:
- Knowledge – something only you know (password, PIN or memorised swiping path)
- Possession – something only you have (mobile phone or QR code evidenced device)
- Inherence – something you are (fingerprint, voice, face recognition or retina scan)
From September 14th, hotel bookers online will have to provide two-factor authentication instead of single-factor (just the card CVV), as is mostly the case today. Some people are already familiar with two-factor approaches, such as having a PIN sent to their phone as a secondary layer of authentication, but from mid-September onwards it is likely to be used far more frequently to ensure enhanced security.
How will SCA impact online bookings?
The overriding fear is that these authentication requirements will frustrate users to the point that it will negatively affect conversion. More significantly, the immediate threat of potential disruption to businesses and customers is much more of a worry, as non-compliant participants run the risk of having customer payments delayed, challenged or rejected entirely. On top of this, continued exposure to fraudulent transactions will continue to undermine business. In the worst-case scenario, where no action is taken by banks, hotels should expect higher booking abandonment rates and an increase in authorisation declines.
Are all bookings subject to SCA?
Certain transactions will not be subject to SCA and will remain out of the scope of the legislation. Cardholder-present transactions are an obvious transaction type which will be out of scope. Paper-based transactions, mail-order, telephone-order (MOTO) transactions, and Merchant Initiated Transactions (MIT) will also be out of scope.
Other transactions, while not out of scope, can be effectively managed so that they are exempt from an SCA challenge. These include trusted beneficiary transactions, low monetary transactions, low risk transactions, and recurring payment transactions.
However, the majority of online payments will require SCA, including even online bookings which require no upfront payment and use a credit card guarantee only.
Will OTA bookings also need to meet SCA requirements?
OTA bookings are subject to the same rules as direct bookings. They too will need to implement two-factor authentication. It is not yet known how OTAs will manage this. However, the preponderance of up-front payments is likely to increase. The exposure therefore is that hotels become further ensnared within the OTA web, which is already creating daily difficulties for clients as it stands. If hotels utilise an OTA SCA processing solution then they run the risk of losing even more control of a key element of the booking process and may incur even higher costs. At this stage Bookassist would advise hotels to wait to see what the OTAs propose and be cautious and patient before taking the next step, as understanding the ‘small print’ could be crucial to avoiding future undesired consequences.
What do hotels need to do to prepare for PSD2?
The good news for hotels is that the responsibility for PSD2 lies primarily with payment gateways and the banking or financial sector. Hotels need to ensure that their payment partners are PSD2 ready. In addition, hotels should check with their own banks and/or payment gateway provider to ensure that they have taken the necessary actions to be PSD2 ready and can receive funds without issues post September 14th.
Equally, hotels should speak with their PMS supplier, booking engine provider and online distribution partners, and enquire how they plan to authenticate and facilitate payments post September 14th. Confirmed compliance will avoid the risk of a drop in conversion, with guests dropping out of booking processes and buying rooms elsewhere.
Hotels will also need to review and update their terms and conditions to ensure that they take account of the new PSD2 legislation.
How is Bookassist preparing hotels for PSD2?
Bookassist has been working for many months with its payment partners to ensure that we and our clients are PSD2 compliant. This has involved an update to all our various payment gateways and integration software. Bookassist will continue to keep clients informed of any additional PSD2 updates, including additional requirements should these become relevant, or updated implementation timelines which may be announced.
Claire Sawier is Head of Marketing and Don Cronin is Head of Product at Bookassist (bookassist.com), the multi-award-winning technology and digital strategy partner for hotels worldwide.