From 14 September 2019, a new European directive (PSD2) aimed at making online payments safer will be in force across the European Economic Area, and it requires Strong Customer Authentication (SCA). This means that your guests’ online payments may be affected if your payment methods are not compliant in time.

Does this sound too complex? Let us try to explain what this new law is and how it impacts your guests and hotel business.

What is the scope of the PSD2 regulation?

The PSD2 directive aims to make payments safer, protect your guests and level the playing field for new and existing payment providers. As a result, it requires payment service providers (PSPs) like banks, card issuers and technology solutions to make a significant number of changes to existing operations. It also impacts anyone who makes or receives online payments, including online travel agencies (OTAs), online booking engines and property management systems.


What is SCA?

With PSD2 comes SCA (Strong Customer Authentication), a more rigorous authentication process to validate online payments. It applies when both a guest’s card issuer and your bank (where you receive funds) are located in the EEA.

To be PSD2 compliant, guests need two of the below authentication factors (called two-factor authentication, or 2FA) to approve almost all online payments.

  • Something the customer knows (e.g. password or PIN)
  • Something the customer has (e.g. phone or hardware token)
  • Something the customer is (e.g. fingerprint or face recognition)

3D Secure is a term often used when we talk about SCA, and PSPs use it to perform SCA. It is a set of rules that provides extra protection for merchants and customers for online payments. A transaction using 3D Secure will initiate a redirect to the website of the card issuing bank to authorise the transaction. As part of new PSD2 rules, payment providers will work to implement 3DS2.


How does SCA impact hoteliers & guests?

The Payment Services Directive 2 (PSD2) has implications for the travel and hospitality distribution landscape, particularly for “hotel collect bookings”. Since SCA will require two-factor authentication, it will affect a lot of transactions for hotels – both the pre-stay stage (from the time of booking until the guest arrives at the property) and the post-departure stage.

In a pre-PSD2 world it was sufficient for an online travel agent (OTA) or internet booking engine (IBE) to capture a guest’s card details as a form of guarantee for the booking without performing any authentication to validate the card details or the person entering them.

In a post-PSD2 world all this changes.

From September 14, 2019 the OTA and booking engine have an opportunity to perform SCA when capturing the guests’ card details, regardless of whether payment is taken at the time of booking or as a delayed payment (i.e. delayed deposits, cancellation fees, no-shows). For you to successfully perform a transaction with the card (often called a Merchant Initiated Transaction, or MIT), your guests’ card details, along with proof of SCA having been performed, need to be passed through the network of delivery intermediaries like OTAs, booking engines and payment gateways. This means that your online payments could be at risk of failing if card details have been captured without SCA being performed and the proof of SCA being performed is not available at the time when the card is charged.


How can hotels prepare for SCA compliance?

Although payment service providers (PSPs), like banks and payment gateways, are responsible for facilitating the authentication process for guests making online payments, there is significant impact on payments and transactions for hotels. We recommend that you review your guest payment flows to assess the impact of SCA on your business. Here are some of the scenarios to look out for:

  • Payments at booking – full or partial payment at the time of reservation
  • Delayed payments – pre-payment prior to check-in, cancellations and no-show fees
  • Settlement at check-out – balance payments, food and other incidentals
  • Post departure payments – guest walkout, delayed minibar charges and damages

Preparing for SCA but don’t know where to start?

Watch this video to get your guide to all things about the SCA regulation under PSD2 & its impact on your property.

You can also download this SCA cheat sheet put together by our in-house experts to keep this information handy.


How will Little Hotelier support SCA?

Little Hotelier supports SCA for all hotel payment scenarios in the markets where Little Hotelier Payments is available.

If you are an existing Little Hotelier customer using an external payment processing solution in these markets, we cannot guarantee that your solution is compliant and recommend that you migrate to Little Hotelier Payments. Switching on Little Hotelier Payments is very simple – watch this video and activate today. Broader EEA expansion of our SCA-compliant payments processing solution is planned during 2020.


Frequently Asked Questions

The Payment Services Directive (PSD2) refers to a ruling passed in the European Economic Area (EEA) to promote a safer payments environment for merchants and consumers. The directive aims to control rising fraud rates in the region, particularly when a cardholder is not in the physical presence of the merchant (e.g. a guest making an online payment).

An important element of PSD2 is the requirement for Strong Customer Authentication (SCA) which officially comes into effect from 14 September 2019.

SCA requires payment service providers to validate that a customer initiating an online payment is legitimately allowed to do so. For example, online merchants (such as yourself) must authenticate that a guest making an online booking is the cardholder. This authentication is typically built into an online checkout flow and “challenges” two or more of the elements below:

  • What the person knows (e.g. a passcode)
  • What the person has (e.g. a phone) and
  • What the person

SCA is applied through a process called 3D Secure (3DS). 3DS is typically initiated by a cardholder’s bank to validate that they initiated a transaction (usually by sending a mobile code to the cardholder’s phone). This process has been refined with the introduction of 3DS2, which now reduces the impact on the guest’s online experience.

Having a good understanding of the steps involved in your guests’ payments is key to establishing compliance. As a guide, consider your payment flows and the need to be PSD2 compliant during the following steps:

  • Payments at booking – full or partial payments at the time of reservation may require SCA while the user is on-session
  • Delayed payments – pre-payments prior to check-in, cancellations and no-shows
  • Settlement at check-out – balance payments, food and other incidentals
  • Post departure payments – guest walkout, delayed minibar charges and damages

A common challenge faced by hotels is that while a guest may enter their card details online when capturing a booking, the card details are securely stored as “Card on File” to allow a hotelier to initiate the payment at a later stage, i.e. when your guest is “off-session” or not online. This makes the actual payment of deposit, balance, extras, cancellations or no-shows difficult as the guest is unlikely to be available to complete SCA. These Card on File payments are at particular risk of being declined by the issuing bank if SCA is not performed. To overcome the challenge with these payments, you should remember to capture the guest’s card details at check-in using a compliant payment method and take a pre-authorisation from the guest that the card will be charged at a later date.

Examples of PSD2 compliant payment methods include:
  • Technology solutions, such as an online booking engine or PMS, with a compliant online payment gateway like Stripe
  • POS transactions such as chip and PIN transactions, as the user must have their card and PIN
  • Apple Pay payments as they involve the user’s mobile phone and their fingerprint or face scan

To reduce card fraud, there is increased regulatory pressure to change how hotels have fundamentally received payments. With the implementation of SCA, the greatest risk to your hotel business is that non-compliant transactions will be declined and you may see a drop in booking conversions, occupancy and revenue. There are also challenges with managing cancellations & no-shows as these are usually charged as “Card on File” payments which will no longer be possible.

The industry is working very hard to meet the new SCA requirements and Little Hotelier is in close contact with business partners like OTAs, PMSs and payment gateways to ensure that our products meet the new demands.

Ultimately, PSD2 and SCA are in the best interest of consumers, your guests and your business. Although there may be an initial impact on conversions, the benefits are expected to greatly outweigh the short term hurdles.

To overcome any challenges until the industry has fully caught up with compliant solutions, consider alternative payment workflows that are exempt from SCA or ways to make it easier to capture SCA. Approaches include:

  • Getting payments in person (when the credit card and PIN are sure to be present),
  • Capturing payments upfront through your booking engine (to minimise the risk of not being able to charge cards on file), or
  • Distributing your inventory via OTAs that issue a virtual card (as they are exempt from the regulation).

The main exemptions to SCA include:

  • Low value transactions – any transaction below €30 can receive a low value exemption and go through without SCA. However, there is a velocity limit of five consecutive transactions, or a cumulative limit of €100. After these limits have been reached, SCA is required again.
  • Whitelisting – after the first SCA verified purchase, a consumer can whitelist a merchant so that subsequent transactions do not require SCA. Merchants need to implement 3DS2 (see glossary) in order to fully turn on whitelisting functionality.
  • Corporate payments and virtual credit cards – corporate cards that are not in the cardholder’s name and virtual credit cards are exempt from SCA.
  • Merchant-initiated transactions (MIT) – payments made with saved cards when the customer is not present in the checkout flow (sometimes called “off-session”) may qualify as merchant-initiated transactions. These payments technically fall outside the scope of SCA. In practice, marking a payment as a “merchant-initiated transaction” will be similar to requesting an exemption. And like any other exemption, it will still be up to the bank to decide whether authentication is needed for the transaction.
  • MOTO (Mail Order Telephone Order) transactions – this transaction type is excluded because it’s currently very difficult to use two-factor authentication over the phone, via fax and mail.

OTAs will have an opportunity to perform SCA at the time of booking during card capture.

During the lead up to 14 September 2019 we are expecting that OTAs will advise their customers and partners on how they will support the PSD2 directive. We anticipate that a number of OTAs will transition their partners in the EEA to “OTA collect” payment models and supply a Virtual Credit Card (VCC) instead of providing the guest’s card details to accommodation providers. Virtual Credit Cards are exempt from SCA, so this solution, while possibly not ideal for some, will be functional.

We advise that you contact your OTA partners to ensure that they are working with payment providers to get compliant by September 14th.

The UK’s Financial Conduct Authority (FCA) has confirmed it will be providing an 18-month ‘phased implementation’ of SCA enforcement in the UK, starting from 14 September 2019. This means that the FCA will not take enforcement action against issuing banks and payment service providers in the UK if they do not meet the relevant requirements for SCA from 14 September 2019. SCA is still expected to come into full effect at the end of the 18-month period. Further, given that it is the issuing (cardholder’s) bank that decides whether or not to accept or decline a payment, if the cardholder’s bank is not in the UK (e.g. a guest travelling from another EU country), there remains the risk that payments from these guests will be declined if they do not meet SCA requirements.


It’s likely you will be subject to these new regulations only if your property is located in one of the countries in the European Economic Area (EEA). SCA will only apply when both a guest’s card issuer and your bank are located in an EEA country.

However, similar variants of PSD2 SCA can be expected to be implemented across the globe over the coming years.

We recommend that you reach out to your payment provider and check how they are going to reach compliance in time for the September 14 deadline.

Definitions

PSD2: Payment Services Directive 2 was introduced by the European Union to unify and create a single market for European payments.
SCA: Strong Customer Authentication is a requirement of the PSD2 law to make online payments more secure and reduce payment fraud.
3DS: (Also called 3D Secure) is an authentication process used by an issuing bank to validate a cardholder. This process typically relates to a guest receiving a mobile code which then needs to be captured into a response page before the payment can be processed.
3DS2: A refined version of the 3DS process which provides a more frictionless experience for the guest. This has become the standard for new payment service providers in complying with PSD2.
EU: The European Union, which consists of 28 member states.
EEA: European Economic Area, which is EU countries and Norway, Iceland and Liechtenstein.
SEPA: Single Euro Payments Area regulation which was set down by the European banking authority, which consists of standards and technical rules for payment services and infrastructure in Europe.
MIT: Merchant Initiated Transaction is where the merchant tries to collect the payment on the customer’s behalf in their absence.
VCC: Virtual Credit Cards – A virtual credit card (VCC) is a virtual credit card number (VCN) typically used for online purchases, and often for single-use transactions.
MOTO: Mail order / telephone order channel.
OLO: One Leg-Out. Transactions are described as OLO when any one of the following applies:
  • The card is issued outside of the EU
  • The customer’s bank is outside of the EU (for credit transfers)
  • The merchant isn’t located in the EU
