On September 14th 2019, radical new regulation will shake up online card transactions, yet hotels are not prepared for the fundamental changes in store - and less than 5% of merchants are even aware that the legislation exists.
Strong Customer Authentication (SCA) is a requirement of the European Union’s sprawling Revised Directive on Payment Services (commonly known as PSD2). It requires issuers to verify two independent authentication factors, drawn from different categories, before approving the vast majority of online (‘card not present’) transactions.
When SCA comes into effect on September 14th, ‘card not present’ transactions will require two of the following three categories of authentication: Knowledge (something you know - for example, a password); Possession (something you have - a credit card or smartphone); and Inherence (something you are - biometrics such as Touch ID or even voice recognition). The two factors must come from different categories, so a credit card number and CVV, which both come from the same card, are no longer enough. A number of exemptions do apply, including contactless payments, commercial transactions, recurring charges and more. Low-value transactions can also be exempt but, according to research from 3C Payment, only if they are below an Exemption Threshold Value that depends on the bank’s reference fraud rate.
For many industries with a direct merchant-to-customer relationship, this new regulation will act as a fantastic opportunity for businesses to increase their security and provide consumers with confidence in their online transactions. But ecommerce in the hotel industry is made up of a complex web of distribution and payment channels and the ‘merchant’, as defined by this new regulation, isn’t always clear-cut. Hoteliers face a rush to reach compliance by the September deadline. Collaboration between all parts of the distribution chain is needed, as Paul Rodgers, Chairman of pan-European payments organisation Vendorcom, predicts that hotels risk up to 30% of payment authorisation requests being declined when SCA comes into effect if no action is taken.
The confusion around how authorization will be communicated between OTAs and hotels - and the ensuing risk of revenue and reputation damage - could indirectly lead to hotels shifting to a merchant OTA model when it may not make sense for their organization, impacting the already delicate dynamic between hotels and OTAs.
A direct impact on the direct channel
Before getting into possible third-party implications, though, hotels need to know how the new regulation affects their direct channel. Although telephone banking and Mail Order Telephone Order (MOTO) transactions are exempt, all online payments will require SCA compliance, essentially requiring a fundamental change (and potentially costly investment) to a hotel’s website so that it can capture the required authentication. But the management of hotel websites is often a complex process that the hotel may not have full control over, with multiple payment flows, franchises, and booking engines that need to be accounted for. Along with this, the inevitable increase in declined card transactions will require staff to answer questions, chase down unpaid bills and deal with the damage to the customer experience that any added friction will create.
Despite all this, there are steps that hotels can take to start preparing for the September deadline. Facilitating alternative payment methods such as bank transfers will be key. Systems like Apple Pay (which requires Touch ID or Face ID to process payment) provide both Possession and Inherence authentication in the form of a guest’s smartphone and biometric data respectively. Authentication at check-in is also needed, potentially through an app or even Chip & PIN if payment was not taken upfront. However, adding the 3D Secure (3DS1) protocol to your direct payment collections process is the easiest way to ensure compliance with SCA. Branded as ‘Verified by Visa’ and ‘SecureCode’ in certain cases, 3DS1 lets merchants take payment with liability for fraud-related chargebacks shifted to the card issuer - and, crucially, collects a second authentication factor, typically a static password entered on the bank’s separate redirect page.
Thankfully, a newer version, 3D Secure 2 (3DS2), is now available (EMVCo published version 2.2 of the specification in late 2018). It supports risk-based ‘frictionless’ flows, lets the merchant flag exemptions, and works natively inside mobile apps instead of relying on a browser redirect, and certain payment gateways such as Stripe are already making moves to ensure it’s implemented well in advance of SCA’s implementation date. Despite this, it’s up to hotels to ensure that all relevant internal and external partners in their direct channel are using 3DS1 or 3DS2, and to discuss with gateways and acquirers how to flag transactions and where exemptions may apply. This could even be a long-term advantage for hotels - as Mirai point out, parity in payment-collection security and quality could replace rate parity as a core distinguishing factor for hotels.
Are OTAs ready for SCA?
With so many intermediaries involved in the distribution process, though, compliance starts getting complicated. Most hotels deal with a number of third-party merchants as part of their distribution process, including global OTAs that may not treat compliance with a European regulation as an immediate priority. The agency model, where card details are passed on by an OTA to be charged later by the hotel, faces disruption with the introduction of SCA. This could even push hotels toward the merchant model, with the fees and dependency that come with it.
The first major challenge is that, unless payment is taken face-to-face at check-in or check-out, the OTA will have to obtain authentication from the guest at the point of booking, requiring it to have the likes of 3DS1 or 3DS2 in place to do so. Secondly, this authentication will have to be passed on and match the later authorization request from the hotel, which is something that issuers may find difficult to do (although Mastercard has already confirmed a degree of leniency with this process). An added complication is that any authentication only lasts for 90 days. Across the thousands of hotels we work with, 17% of bookings made in the last six months had a lead time of over 90 days, so hoteliers may have to obtain authentication more than once for a significant minority of their bookings, adding considerable friction to the pre-stay process.
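To make the two-of-three rule, the exemptions listed earlier and the 90-day reuse window concrete, here is a small pre-authorisation check a hotel booking engine could run before sending an authorisation request. It is an added example written for this article, not code from the article, from any OTA, or from any payment provider. The evidence-to-category mapping (it follows the article in treating the card itself as the Possession factor), the `Transaction` and `PriorAuthentication` data model, the 90-day figure and the sample dates and amounts are all assumptions for illustration; the actual decision belongs to the issuer, and the bank's Exemption Threshold Value is passed in rather than guessed.

```python
"""SCA pre-authorisation check for a hotel's card-not-present charges.

Added illustration, not code from the article or any payment provider. It
encodes the rules the article describes: two of three factor categories, the
exemptions it lists, a bank-supplied low-value threshold, and the article's
90-day validity figure. The mapping and data model are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something you know: a password
    POSSESSION = "possession"  # something you have: the card or a smartphone
    INHERENCE = "inherence"    # something you are: Touch ID, Face ID, voice

AUTH_VALIDITY_DAYS = 90  # the article's figure (assumption; scheme rules vary)

# Assumed mapping from evidence a checkout can collect to the category it proves.
# The article treats the card as the Possession factor, so card number and CVV
# prove the same category and together still count as only one.
EVIDENCE_CATEGORY: Dict[str, Factor] = {
    "card_number": Factor.POSSESSION,
    "cvv": Factor.POSSESSION,
    "bank_password": Factor.KNOWLEDGE,    # static password on the issuer page (3DS1)
    "otp_sms": Factor.POSSESSION,         # one-time code to a registered phone (3DS2)
    "device_binding": Factor.POSSESSION,  # wallet on a known phone, e.g. Apple Pay
    "touch_id": Factor.INHERENCE,
    "face_id": Factor.INHERENCE,
}

@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    channel: str                 # "online", "moto" or "contactless"
    recurring: bool = False      # a later charge in an agreed recurring series
    commercial: bool = False     # corporate / B2B payment
    evidence: FrozenSet[str] = frozenset()  # evidence collected at this checkout

@dataclass(frozen=True)
class PriorAuthentication:
    authenticated_on: date       # e.g. the 3DS challenge passed at booking
    categories: FrozenSet[Factor]

def factor_categories(evidence: Iterable[str]) -> Set[Factor]:
    """Distinct factor categories proven by a set of evidence names."""
    return {EVIDENCE_CATEGORY[e] for e in evidence if e in EVIDENCE_CATEGORY}

def is_strong(categories: Iterable[Factor]) -> bool:
    """SCA is met when the evidence spans at least two distinct categories."""
    return len(set(categories)) >= 2

def exemption(txn: Transaction, low_value_threshold_eur: float) -> Optional[str]:
    """First applicable exemption from the article's list, or None.

    The threshold is the bank's Exemption Threshold Value, which the article says
    depends on its reference fraud rate, so it is passed in rather than hard-coded.
    """
    if txn.channel in ("moto", "contactless"):
        return txn.channel
    if txn.commercial:
        return "commercial"
    if txn.recurring:
        return "recurring"
    if txn.amount_eur < low_value_threshold_eur:
        return "low_value"
    return None

def prior_still_usable(prior: Optional[PriorAuthentication], charge_date: date) -> bool:
    """A strong authentication can be reused until AUTH_VALIDITY_DAYS have passed."""
    if prior is None or not is_strong(prior.categories):
        return False
    return (charge_date - prior.authenticated_on).days <= AUTH_VALIDITY_DAYS

def decide(txn: Transaction, charge_date: date, low_value_threshold_eur: float,
           prior: Optional[PriorAuthentication] = None) -> Tuple[str, str]:
    """Return ('exempt' | 'approve' | 'authenticate', reason) for one charge."""
    ex = exemption(txn, low_value_threshold_eur)
    if ex is not None:
        return "exempt", ex
    if prior_still_usable(prior, charge_date):
        return "approve", "prior authentication within validity window"
    if is_strong(factor_categories(txn.evidence)):
        return "approve", "two factor categories collected at checkout"
    return "authenticate", "one factor category or fewer; run a 3DS challenge"

def demo_agency_booking() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: OTA booking authenticated with card + bank password
    on 1 March 2019; the hotel charges the card on file 61 and 122 days later."""
    booking = PriorAuthentication(date(2019, 3, 1),
                                  frozenset({Factor.POSSESSION, Factor.KNOWLEDGE}))
    on_file = Transaction(320.0, "online", evidence=frozenset({"card_number", "cvv"}))
    return {"day_61": decide(on_file, date(2019, 5, 1), 30.0, booking),
            "day_122": decide(on_file, date(2019, 7, 1), 30.0, booking)}

if __name__ == "__main__":
    for label, result in demo_agency_booking().items():
        print(label, result)  # day_61 -> approve, day_122 -> authenticate
```

The scenario at the bottom is the lead-time problem from the paragraph above: the same card on file, approved at day 61 because the booking-time authentication is still inside the window, but sent back for a fresh 3DS challenge at day 122 because card number plus CVV alone prove only one category. Exemptions are checked first because an exempt charge never reaches the factor count at all, which is the order a gateway conversation about "how to flag transactions" tends to follow.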
The good news is that many of the major OTAs are already in the process of ensuring SCA compliance - many, but not all. Also, even if they are not the company taking the funds, an OTA will need to authenticate at the point of booking, and it’s uncertain whether they will be comfortable with taking a test payment to do so. This added friction to the checkout process, alongside the fact that each of the over 6000 European banks may have their own interpretation of SCA rules, means the impact to the customer experience may well be inconsistent and frustrating - potentially causing damage to your brand image and abandonment rates.
Too much, too soon?
Despite the good intentions behind it, SCA regulation was not designed with the complexities of online travel in mind. The need for stronger authentication is welcome, and hoteliers can start to take positive actions and reach out to the appropriate parties, but the regulation and the timescale to implement it do not account for such a complex distribution chain. Mirai CEO Pablo Delgado states that “hotels are not at all ready and will not be for a long time”, and that “the industry will not be ready either”. Hotels will surely feel aggrieved that even if OTAs, travel agents, banks, gateways and card issuers are collectively unprepared, it will be hoteliers that feel the pain of unhappy guests.
With three months to go, and still little clarification, visibility or guidance from the responsible authorities as to how the regulations can be easily implemented, the September deadline is unrealistic, if not entirely impossible to achieve for many hotels. Will the authorities relax their restrictions, or work with hotels during a transition period, or does this regulation spell the end for the agency model as we know it? With only three months until SCA comes into force, we’re still no closer to knowing.