Written into European Union law at the beginning of 2018, the legal obligations for Strong Customer Authentication (SCA) come into effect on September 14th. This new regulation requires the entirety of the distribution chain, including hotels, booking engines and OTAs, to make drastic changes to the way they collect payments - yet only 5% of merchants are aware of SCA, with less than three months until it starts to be enforced.
To get to the bottom of this looming regulatory hurdle, Lily McIlwain, Head of Marketing at Triptease, reached out to a number of parties involved with the implementation of SCA. At this year's Direct Booking Summit EMEA in Paris, Lily shared her findings with the audience, including some crucial next steps that needed to be urgently taken to start the process of compliance in time for the impending September deadline.
What you need to know:
Two-factor authentication was brought in as part of the European Union's Second Payment Services Directive (PSD2) to increase online customers' security and to reduce 'card-not-present' fraud.
SCA requires two of the following for successful authentication: Knowledge (a password or PIN code), Possession (a phone or credit card) and Inherence (Face ID, Touch ID, biometrics, etc.).
From September 14, 2019, two-factor authentication will be mandated across online payments. You need to have it on your hotel's website or transactions will likely be declined by the card issuer.
The acquirer and the issuing bank both need to be in the EU for this law to apply - if either party is not based in the EEA, they will be exempt from these requirements.
There are exemptions to this law, including corporate cards.
Why is it important for hotels?
Customers are used to a certain way of paying for a room online. From September 14th, anyone booking a hotel room will face an additional level of friction on their path to purchase, which can reduce your hotel's conversion rate.
There are typically a lot of intermediaries involved in booking a hotel online. As the authentication needs to happen at the moment when the payment is taken, more integrations with third parties are required, potentially providing additional friction to the payment process.
For hotels, there are still unknown risks in this process. For example, in a scenario where an OTA takes card payment details, they will have to perform the authentication. However, that authentication only lasts for a limited amount of time, and it is unclear whether hotels need to re-authenticate at check-in.
What steps should you take now?
Recognize that you might get a drop in conversion rate in September.
Speak to your booking engine and payment provider: they should have a plan for setting up two-factor authentication on your hotel's website. Bear in mind that you might need up to fifteen days to integrate some of the systems, so allow for some lead time.
Check that your PMS is ready for the change: additional infrastructure may be required to handle different verification values put in through various distribution channels.
Reassess your relationship with third-party partners within your distribution chain. Wholesalers and OTAs may need to make changes to the way they handle data, and any consequences of them not implementing SCA properly will ultimately hit your hotel the hardest.
Evaluate the impact that SCA may have on the customer experience on your direct channel. Whilst merchant-initiated transactions for no-shows or additional charges are exempt from the legislation, this needs to be communicated clearly to prospective guests or your hotel could face substantial reputational damage.
If you'd like to know more about the specific technical details of SCA, its implementation and any potential repercussions for the industry, we recommend reading 3C Payment's 'Strong Customer Authentication and Hotel Sector Adoption' white paper.