- 10th July 2019
- James Surridge
In 2016 the European Central Bank (ECB) reported €1.8 billion of card fraud in the Single Euro Payments Area (SEPA). Comparing this report with 2015, online card fraud is the only category to have increased year on year, by 2.1%. Due to the accelerated growth of electronic payments, the European Commission (EC) released the Payment Services Directive 2015/2366 in January 2018. This is best known as PSD2 and supersedes the PSD1 (2007/64/EC) directive.
PSD2 becomes mandatory on 14th September 2019. For hoteliers, this has a few operational consequences. From a customer-facing perspective, this means a new online payment experience, which must support 3D Secure (3DS) v1. In a second phase, which is due during 2020 (when card schemes such as Mastercard stop supporting 3DS v1), online payment pages must support 3DS v2.
PSD2 applies to all non-exempt transactions that occur entirely within the European Economic Area (EEA) or those where the card issuer and/or acquirer are located within these countries. Those who don’t comply will be liable for any fraudulent transactions.
For hotels located outside the EEA, PSD2 applies only on a best-effort basis. Note: This directive will still apply regardless of the outcome of Brexit.
In this blog, we summarise what PSD2 is, what is required, and what you need to do to be compliant.
Stronger Customer Authentication (SCA)
The requirement for 3DS to be mandatory is focused on implementing SCA. SCA aims to bring to online payments protections similar to those afforded to in-person transactions using Europay, MasterCard and Visa (EMV) chips, namely “two-factor” customer authentication. This means an additional step in the online payment process for non-exempt transactions: the 3DS step.
3DS – v1 versus v2
Historically, hotels haven’t activated 3DS v1 due to high drop-out rates mid-way through the payment process, even though this could mean a higher risk of fraudulent transactions. You’ve probably come into contact with it yourself when making online purchases, but in case you haven’t, it typically appears as follows.
3DS v2 aims to address this drop-out rate by putting the booker experience at the forefront of authentication:
- Making it device responsive
- Enabling in-app purchases and mobile payments
- Not requesting cardholder registration during a sale transaction (they are pre-registered by the issuer)
- Replacing static passwords by biometrics and dynamic one-time passwords
- Integrating better with merchant payment systems, supporting hotel branding, style sheets, and display options
- Not redirecting the consumer to another browser page
- Reducing the number of declines, fraud, and friction, supporting 10x more data fields than version 1.0 (over 40 required data elements and 150 total possible data elements) and enabling risk-based authentication
- Supporting customer authentication for transactions without a payment amount (e.g. loading cards into a wallet and cardholder verification purposes)
- Supporting additional use cases, for example, card on file, wallets, and tokenization
Example of 3DS v2 in action:
Typically, 3DS v2 results in a text message to the cardholder’s phone; however, it is designed to support biometric authentication as well.
Therefore 3DS v2 delivers:
- Faster journey for the consumer through the payment process. Estimated time is reduced by 85%
- More consumers complete the purchase – drop-off rates decline by an estimated 70%
As stated, this directive doesn’t affect just those businesses in the European Union. Therefore, you need to ensure your business is ready by 14th September 2019.
- Activate 3DS v1 if it is not already activated.
You need to ensure that your Internet Booking Engine (IBE) and/or eCommerce payment gateway support 3DS v1.
Failure to activate 3DS v1 by the deadline will likely result in a high number of Declined status transactions. There are some exemptions (like Virtual cards), but most card issuers won’t be on the exemption list. If there is no exemption, then 3DS will have to be supported for a transaction to succeed. Note: Card schemes (e.g. Visa and Mastercard) may apply additional fees for handling 3DS transactions.
- Update your Terms & Conditions (T&C)
Various changes will need to be made to T&C presented to customers at the time of making a booking such as:
- Making it clear how much is being authenticated (maximum amount of the stay)
- Ensuring the customer has agreed upfront to hotel-initiated transactions for ‘no show’ and ‘post departure’ charges.
- Prepare for the introduction of PSD2 phase 2
The second deadline is during 2020, at which point 3DS v2 will need to be activated. Unfortunately, most of the gateways are not yet ready to support 3DS v2. Guestline is working closely with eCommerce Payment Gateway partners with a view to establishing what changes will be required. It has already become apparent that some platforms will be sunset as they will not be enhanced to meet this aspect of the PSD2 legislation. More information will follow as it becomes available.
*Guestline also recommends seeking the guidance of a suitably qualified external legal advisor for aspects of PSD2 in relation to your own business compliance matters.
Take a look at our FAQs to keep up to date with any PSD2 changes, or for more information.