New online payment rules come into force next year, which could affect corporate travel programmes. Jean-Christophe Lacour, Head of Merchant Services, Payments at Amadeus, shares his expert advice.
The way online payments are made in Europe will enter a new era from December 31 2020, and from September 14 2021 in the UK, when Strong Customer Authentication (SCA) requirements of the Payments Services Directive II come into force. This represents a major victory in the fight against card fraud but is also one of the biggest changes to online payments in recent memory.
SCA mandates that the vast majority of payments made in the European Economic Area (EEA) must be subject to two-factor authentication, for example, entering a one-time passcode sent to a phone alongside ’risk-based’ screening (where data analysis is used to judge the likelihood of fraud). This additional check helps to ensure the person paying is the rightful card holder, also known as ‘authentication’.
This seemingly minor change has significant implications in travel where bookings often involve multiple suppliers in a single transaction and there are many players in the distribution chain with each playing a role in making SCA checks happen.
According to our recent research, with respondents from airlines, hotels and travel agencies, only one third of companies expect to be ready in time for the December 31 deadline, with a further quarter likely to be ready in the first half of 2021. On average, our research suggests the pandemic has set SCA programmes back by six months in travel.
How will SCA impact travel programmes?
SCA primarily impacts suppliers, travel agencies, technology partners (such as Amadeus) and the payments companies that work in travel. However, employees booking travel with cards are likely to be required to perform SCA and it’s important that travel managers ask the right questions to their travel partners to confirm readiness for SCA.
If travellers provide card details via a self-booking tool, it’s possible they may be asked to perform an SCA check. This could be a code sent to their mobile or a biometric check. Payments made from some self-booking tools may qualify as being ‘exempt’ from SCA but this differs locally across Europe, depending on the position of the local regulator. Exemption for self-booking tools is not a de-facto position.
If SCA checks are required for the self-booking environment used then it’s important to know the self-booking tool and travel content providers have made the necessary upgrades to the way they handle payments. Failure to complete SCA when requested may result in a failed transaction.
Paying with virtual cards can help.
An increasing number of businesses are paying for travel bookings with virtual card numbers. Often single use, these card numbers are linked to a specific booking that helps reduce the time it takes to reconcile payments in the back-office, whilst improving spend management.
Virtual cards can be designed to be spent with a specific supplier and for a specific amount, related to a particular booking, so fraud risk is naturally lower. In addition, and unlike consumer cards, virtual cards are usually linked to a company and so it isn’t always possible to authenticate against an individual person. Ultimately, the decision as to whether virtual cards are deemed exempt sits with the local regulator, with many local regulators already granting specific exemptions for virtual cards
We recommend travel managers begin discussions with self-booking tool suppliers, TMCs and payments suppliers now to understand how prepared they are for the coming deadline.
To learn more about SCA and its impact on travel, download a new Amadeus report.