On 14th September 2019, new rules for authenticating online payments will enter into force in Europe as according to the second Payment Services Directive or PSD2. The proposal dates back in 2015 and it has the aim of better protecting consumers when they pay online and promoting the development of online and mobile payments.
What is the Strong Customer Authentication?
One of the main implications of PSD2 is the introduction of the Strong Customer Authentication (SCA), a safety standard that will improve security in the payments sector. Basically, asking for a client’s credit card is not secure enough for online transactions, so additional steps are required.
The main point of SCA is the two-factor authentication. SCA requires to authenticate the payment with at least two of the following three elements.
- Something the customer KNOWS (e.g., password or PIN)
- Something the customer HAS (e.g., phone or hardware token)
- Something the customer IS (e.g., fingerprint or face recognition)
Banks will need to decline payments that require SCA and don’t meet these criteria.
When is SCA required?
The new security standard requires that payment service providers use Strong Customer Authentication when:
- The card issuer is European. The card issuer is not the credit card provider (VISA, MasterCard, AMEX) but the bank itself. For this reason, the “nationality” of the end customer doesn’t really matter.
- The acquirer is European. In this case, it’s typically the hotelier’s bank.
Who will SCA affect?
SCA will affect any business that receives online payments from their customers. For this reason, the hospitality sector needs to be up to date. In the hotel sector it will particularly affect businesses that charge the guest at time of booking. In other words, in the case of non-refundable rates and payments made at the time of booking.
Keep in mind that hotels will not undergo inspections or receive fines if they don’t apply PSD2. The only responsibility that hoteliers will have with online direct sales will be to choose the correct payment platform, which has to be adapted to PSD2.
What should property owners do?
As we said, the new regulation requires primarily payment gateways and the banking sector to adapt. To keep it simple, hoteliers and property owner won’t have to “do” anything, apart from choosing the right payment service provider.
When a property receives a booking, there could be 2 scenarios:
- Refundable booking: the customer pays at the hotel and there is no online transaction. In this case, PSD2 does not apply.
- Non-refundable booking: the hotel should use an online payment gateway that will verify the customer’s double authentication for those transactions that require the application of PSD2.
Can a property use a card reader to charge cards received from an online booking?
There are two more particular situations that we need to consider:
– Non-refundable bookings without an online payment gateway (payment is taken manually at the hotel).
– No-shows or cancellations outside of the allowed period
When the property receives the card details from the internet and the transaction has the requirements to apply PSD2, the guest needs to confirm it through double authentication. For this reason, a host can NOT manually charge a card using a card reader as he will not have double authentication from the customer.
At the moment, one solution to this situation would be to receive the payment via telephone or mail. As we’ll see later, bookings made by telephone or by email (MO-TO) are exempt from SCA. In this case, the property will be able to receive payments by configuring the card reader to MO-TO. However, this solution is viable only in the short term, especially if the hotelier experiences a lot of chargebacks.
To sum up, if a property is not currently using an online payment gateway to take payments, we suggest starting using one. In the future, taking payments using a physical credit card reader with a card linked to an online booking will become more complicated.
Exemptions to Strong Customer Authentication
These types of transactions should be free from PSD2:
– Transactions below €30 will be considered “low value” and SCA may not apply.
– Customer that makes a series of recurring payments for the same amount, to the same business. The first payment requires SCA. The next charges may be exempted from SCA.
– Transactions made collecting Card details over the phone or via mail (telephone or mail sales)
– Using “lodged” cards to make payments (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent) and corporate payments made using virtual card numbers.
Note that Payment providers (like Stripe) will be able to request these exemptions when processing the payment. The cardholder’s bank will receive the request, assess the risk level of the transaction, and ultimately decide whether to approve the exemption or not.