A year on from GDPR mania and there’s another major piece of legislation for those operating in the EU/EEA that’s about to kick in courtesy of the lovely folks in Brussels. But this time - it’s about bringing a tidal wave of security measures into the world of online payments while also encouraging competition amongst providers (both good things for us all). And...drum roll...it goes by the name of another enticing acronym - PSD2.
Before we get started and clued up - what’s the big deadline day?
14 September 2019.
Remember it. Write it on a napkin. Type it into your Asana. Stick it in your calendar. Get it tattooed on your….
What is PSD2?
The change will potentially impact hoteliers whenever they charge guests without them being physically present (ie. online bookings, pre-stay deposits, cancellation fees, no shows etc).
In a nutshell - online sellers will now require forced authentication - or Strong Customer Authentication (SCA) requiring two-factor authentication (2FA) to be confusingly precise - on most payments from customers. The basic idea is that, from September, people buying items will be required to provide two forms of verification when making online transactions — for example entering a code from their phones or another connected device like a wearable; a biometric scan; or a separate PIN.
In practice, that means an extra step in the online booking experience for guests. That implies more friction when paying. And, bottom line, that equals a potential drop off in payment conversions for your business if the guest doesn’t authenticate and you ending up out of pocket.
How much could this affect your business? It’s difficult to say but a recent corollary was when India introduced authentication in 2014. E-commerce businesses saw an overnight 25% drop in online business. Admittedly, a travel purchase is more of a committed purchase than pulling the trigger on a new summer bikini so the drop off should be less. Furthermore, things will return to normal weeks or months after September 14, as it did in India. Nonetheless, there will be a material change so we all need to be talking more about it...
(Don’t like nutshells? Check out our Appendix describing the PSD2 beast in full for some fun bedtime reading...)
Next steps for hoteliers
The main - and valid - concern is about losing business on account of the added friction of the extra steps that authentication demands. After all, 20 percent of all online payments currently authenticated through the most prevalent SCA solution that already exists - 3D Secure (that familiar but pesky extra box from card providers branded as “MasterCard SecureCode”, “VISA Secure”, “American Express SafeKey” etc.) - are lost…
The good news is - 3DS is getting an upgrade to the creatively named...3DS2. This should make things smooth again…(see Appendix for more salacious detail)
The bad news is - it’s still a long way off and nobody needs 12-18 months of uncertainty. So we are going to need to use the old version still...
This is where Mews steps in (…on...drum roll...September 14, 2019)
How do we plan to tackle PSD2 at Mews?
In short - we will have to send a verification email to some (not all) of your guests to verify payments. Frankly, this is the only solution that exists...until the market catches up...
How many of your bookings will be affected with such an email? It’s difficult to say for sure, but to give you an idea, Stripe believes just 44% of businesses might be ready by the September deadline and that will apply to the channels you use.
Let’s zoom out a bit - there are two main methods for online payments to arrive at your property:
- Taking direct bookings - Whether this is through the Mews booking engine or your own direct booking solution, it results in the guest’s card details being securely stored in the PMS.
- Taking bookings via an OTA - two things may happen: either the OTA passes on the guest card details, which are then securely stored in the PMS, or the OTA issues a virtual card without sending the guest card details through.
We ONLY act on any payment in which the guest card details get passed on to the PMS. In these cases, when a customer makes a reservation, and based on the settlement rules of the property, we attempt to charge the card.
This instantly triggers the automatic sending of a request to the issuing bank to charge the card. If the issuing bank doesn’t support 3DS, the credit card is charged as per usual.
If we receive a response from the bank that 3DS is required, we automatically send a 3DS email to the customer. This all happens instantly so you don’t have to worry about it...we just wanted to explain the plumbing...
Payment card approval email
For those that do need to be verified, the customer will receive an email from Mews and will be required to approve their credit card details using 3D Secure. Example of the email:
The customer clicks the “Verify Payment” button and will be redirected to the Mews Navigator web app. Here, we will show detailed information about the reservation and payment.
The “Verify payment” button triggers the 3D Secure. Once it is completed, we store the identifier of this “agreement” and use it for any subsequent transaction by the cardholder in the future.
The second version of the European Union Payment Service Directive (PSD2) is a game-changer in the European payments landscape. Banks will be required to open their legacy systems to the outside world and allow 3rd parties to provide financial services on top of the banks’ data and infrastructure. In practice, that means the banks will no longer only compete against other banks but with anyone who has a license to offer financial services. Hello competition!
In layman’s terms, that means the likes of Google and Facebook could now join the payments party. So, in the future, customers may be able to use Google or Facebook as a primary channel to initiate and receive payments while still having money placed in their bank accounts.
Strong Customer Authentication (SCA)
One of the requirements of PSD2 is to bring more security into the world of online payments. Currently, customers simply provide a credit card number and card verification code (CVC) to the merchant at a checkout page and initiate the payment. In the upcoming PSD2 era, more information will be required and almost all online payments will need to be secured with Strong Customer Authentication (SCA).
SCA requires the application of at least two of three factors to authenticate the customer:
Something the customer knows (e.g. password, passphrase, PIN etc.);
Something the customer physically owns (e.g. mobile phone, wearable device, smart card etc.);
Something that the customer is (e.g. fingerprint, facial features, voice patterns etc.).
The fall and rise of 3D Secure
There are a variety of authentication tools that fulfil SCA requirements and one of the most well-known is 3D Secure. 3D Secure was introduced back in 2001 and is being used by all major card networks under their own brand names – “MasterCard SecureCode”, “VISA Secure”, “American Express SafeKey” etc.
In a sample 3D Secure checkout flow, the cardholder enters their card details and confirms a payment. A redirection to another page is triggered and the cardholder is then required to approve the payment by a one-time code or any other type of password. These values are known only by the cardholder and the issuing bank, which increases the level of security. Once the code/password is validated by the customer’s bank the payment is “strongly-authenticated “.
3D Secure brings benefits for merchants as well, the most important being what is called a liability shift. If a payment was authenticated with 3D Secure, liability for fraudulent payments is shifted from the merchant to the issuing bank.
Unfortunately, the 3D Secure customer experience clearly comes with a lot more friction. So, to make it more seamless, an updated version of 3D Secure has been introduced – 3D Secure 2. In a nutshell, it brings more data elements into the processing of each payment. The cardholder's bank can then decide more effectively if 3D Secure should be required or not based upon their own risk screening procedures. From a customer experience perspective, new authentication options will also be added. For example, you could use your mobile phone and authenticate payments with fingerprint or facial recognition. There is also no need for a redirection to another page – the 3D Secure frame can be embedded directly into the merchant's website or mobile app. However, 3DS2 will most likely only be properly implemented in 2020/21 so there’s a wait...
What is the impact of PSD2 on the hospitality industry?
The typical scenario in hospitality when it comes to online payments is:
- Customer creates a reservation using OTA/Direct booking engine and provides credit card details.
- Credit card details are stored securely within the PMS.
- Based upon property settlement rules, payment is triggered on behalf of the customer (= Merchant Initiated Transaction – MIT)
In most cases, there is no requirement for any authentication from the cardholder. This will have to be changed for the PSD2 era otherwise these payments will be declined by the cardholder's bank.
First, an agreement for future charges needs to be established between cardholder and property. Such an agreement must be obtained via a single payment authenticated by SCA. Second, any charge in the future will be processed as MIT with the reference to this “SCA-authenticated” agreement.
Are there any deadlines for PSD2 in Europe?
The deadline is 14th September 2019. From this date onwards, banks in EU/EEA will decline payments that do not meet SCA requirements (hypothetically).
Does it mean that all payments with no-SCA will be declined?
No. In certain cases, SCA may not be required due to exemptions. These exemptions are:
- For a transaction of less than 30 EUR, up to 100 EUR accumulated or up to 5 transactions since the last SCA. Beyond 100 EUR or beyond 5 unauthenticated transactions, a new SCA is required.
- Recurring payments (e.g. monthly service subscription)
- Payment to a trusted beneficiary – merchant was marked as a trusted one by customer
- Low-risk merchants – merchant with very low level of chargeback ratio
- Merchant Initiated Transaction (MIT) – transaction is initiated on-behalf of the customer without the need of any additional authentication
- MO/TO – credit card data were provided by the cardholder via email or telephone
- Corporate payments – payments with virtual credit cards or any other types of cards held by online travel agents
Please note that the ultimate decision-maker if SCA is required or not is the cardholder ́s bank. SCA might still be required even though payment is qualified for any of these above-mentioned exemptions.
Is there a life after PSD2?
PSD2 is expected to have a major impact on the payments industry. Businesses in Europe will need to modify how they process payments to stay on the top in the post-PSD2 era.
Importantly - there will also be an impact on customers. Modified checkout flows will be introduced and customers will need to learn how to use them. We expect to see a payment success rate drop-off during the first few months but in the longer term, the industry will benefit from this new regulation on account of the lower costs, higher security and better user experience to name just a few advantages.
Fear not, Mews is following ALL updates around SCA daily to make sure that we can provide the best-in-class service for our customers from 14th September 2019.