From 14 September 2019, a new European directive (PSD2), which aims to make online payments safer and requires Strong Customer Authentication (SCA), will be in force across the European Economic Area. This means that your guests’ online payments may be affected if your payment methods are not compliant in time.
Does this sound too complex? Let us try to explain what this new law is and how it impacts your guests and hotel business.
The PSD2 directive aims to make payments safer, protect your guests and level the playing field for new and existing payment providers. As a result, it requires payment service providers (PSPs) like banks, card issuers and technology solutions to make a significant number of changes to existing operations. It also impacts anyone who makes or receives online payments, including online travel agencies (OTAs), online booking engines and property management systems.
With PSD2 comes SCA (Strong Customer Authentication), a more rigorous authentication process to validate online payments. It applies when both a guest’s card issuer and your bank (where you receive funds) are located in the EEA.
To be PSD2 compliant, guests need two of the authentication factors below (called two-factor authentication, or 2FA) to approve almost all online payments:
Something the guest knows (e.g. password or PIN)
Something the guest has (e.g. phone or hardware token)
Something the guest is (e.g. fingerprint or face recognition)
3D Secure is a term that often comes up when we talk about SCA, because PSPs use it to perform SCA. It is a set of rules that provides extra protection for merchants and customers for online payments. A transaction using 3D Secure will initiate a redirect to the website of the card issuing bank to authorise the transaction. As part of new PSD2 rules, payment providers will work to implement 3DS2.
In a pre-PSD2 world it was sufficient for an online travel agent (OTA) or internet booking engine (IBE) to capture a guest’s card details as a form of guarantee for the booking without performing any authentication to validate the card details or the person entering them.
In a post-PSD2 world all this changes.
From September 14, 2019, the OTA and booking engine have an opportunity to perform SCA when capturing the guests’ card details, regardless of whether payment is taken at the time of booking or as a delayed payment (i.e. delayed deposits, cancellation fees, no shows). For you to successfully perform a transaction with the card (often called a Merchant Initiated Transaction – MIT), your guests’ card details, along with proof of SCA having been performed, need to be passed through the network of delivery intermediaries like OTAs, booking engines and payment gateways. This means that your online payments could be at risk of failing if card details have been captured without SCA being performed and the proof of SCA being performed is not available at the time when the card is charged.
Although payment service providers (PSPs), like banks and payment gateways, are responsible for facilitating the authentication process for guests making online payments, there is significant impact on payments and transactions for hotels. We recommend that you review your guest payment flows to assess the impact of SCA on your business. Here are some of the scenarios and suggestions to look out for
Watch this video to get your guide to all things about the SCA regulation under PSD2 & its impact on your property.
You can also download this SCA cheat sheet put together by our in-house experts to keep this information handy.
Little Hotelier supports SCA for all hotel payment scenarios in the markets where Little Hotelier Payments is available.
If you are an existing Little Hotelier customer using an external payment processing solution in these markets, we cannot guarantee that your solution is compliant and recommend that you migrate to Little Hotelier Payments. Switching on Little Hotelier Payments is very simple – watch this video and activate today. Broader EEA expansion of our SCA-compliant payments processing solution is planned during 2020.
| Term | Definition |
|---|---|
| PSD2 | Payment Services Directive 2 was introduced by the European Union to unify and create a single market for European payments. |
| SCA | Strong Customer Authentication is a requirement of the PSD2 law to make online payments more secure and reduce payment fraud. |
| 3DS | (Also called 3D Secure) An authentication process used by an issuing bank to validate a cardholder. This process typically relates to a guest receiving a mobile code which then needs to be captured into a response page before the payment can be processed. |
| 3DS2 | A refined version of the 3DS process which provides a more frictionless experience for the guest. This has become the standard for new payment service providers in complying with PSD2. |
| EU | The European Union, which consists of 28 member states. |
| EEA | European Economic Area, which is EU countries and Norway, Iceland and Liechtenstein. |
| SEPA | Single Euro Payments Area regulation, set down by the European banking authority, which consists of standards and technical rules for payment services and infrastructure in Europe. |
| MIT | Merchant Initiated Transaction is where the merchant tries to collect the payment on the customer’s behalf in their absence. |
| VCC | Virtual Credit Card: a virtual credit card number (VCN) typically used for online purchases, and often for single-use transactions. |
| MOTO | Mail order / telephone order channel. |
| OLO | One Leg-Out — transactions are described as OLO when any one of the following applies: |