Payment regulations: travel companies must brush up on communication
With less than one-fifth of companies informing their travellers about the impact of strong customer authentication (SCA) regulations, could the delays to implementation be a welcome break?
Just because the deadline for implementing PSD2, the new payment directive in Europe, has been delayed beyond September 14th, it doesn’t mean that travel companies should rest on their laurels.
That is the view of Jean-Christophe Lacour, Head of Merchant Services at Amadeus, who argues that if travel firms aren’t ready to let customers use two-factor authentication then the banks may reject payments, and this will hit conversion rates. Amadeus is one of the many companies selling payment solutions and recently announced that it will bring Visa’s Cybersource, a 3D Secure 2 authentication system, into its fold.
One of the challenges with the new European payment directive, PSD2, is that every regulator has been required to transpose the new Strong Customer Authentication (SCA) regulation. In essence, this means that European shoppers will have to authenticate online payments of over €30 (most travel payments are) with two of the following – something they know (a password), something they have (a mobile phone) or something they are (a fingerprint or facial identification).
However, given the complexity of the requirements and lack of preparedness, in September the European Banking Authority (EBA) said that national authorities could extend this deadline. And many have. In the UK, for example, the Financial Conduct Authority (FCA) has confirmed an 18-month delay to the introduction of Strong Customer Authentication (SCA) rules for e-commerce transactions. Meanwhile, Germany’s regulator has put forward a timeframe of 15 months, while the French say they will be 95% compliant by the end of 2020. Elsewhere, it’s a mixed bag.
With no harmonised approach to the grace period, and given the regional and global nature of travel payments, there is uncertainty about what happens when this has run its course. “One of the areas of confusion that could impact travel companies is in the area of cross-border transactions,” says Lacour.
Risk of procrastination
The good news is that 97% of companies surveyed by Amadeus are aware of SCA – there has certainly been enough press about it. But there are still organisations that are not prepared, and the risk with the latest delay is that there is further procrastination. According to Lacour, there is every reason to take this seriously, and not just from a regulatory perspective. New security technologies that underpin the success of this new regulation can help firms to control the growing cases of online card fraud, which the European Central Bank estimates costs Europe €1.3bn each year. But the benefits do not end at fraud. Innovative technologies can reduce friction and genuinely improve the buying experience, and in today’s environment customers expect to transact with ease.
While PSD2’s scope is Europe, which, along with India, has led the way with the introduction of secure customer authentication, a number of countries are monitoring how it is being deployed. Asia Pacific is a major growth area, and here payments have taken an interesting turn. “Already there are over a billion users bolted onto WePay,” says Lacour, “so if you are an airline or retailer in Europe you would be wise to support this form of payment.”
EyeforTravel has already published an in-depth analysis of the evolving payments landscape – How travel tech payments are powering ahead. But the question now, given the delays to PSD2, is what should firms that are running behind do?
Here are a handful of recommendations from a recent Amadeus report:
Educate your travellers: One of the most overlooked aspects of the SCA debate is communication with customers. Many have been exposed to some of the changes with two-factor authentication through online bank and email sign-on, but Amadeus’s recent survey finds that less than one in five travel companies have communicated with their customers about the issue. Instead, 25% are relying on card issuers and industry communication programmes to educate travellers.
Move with the times: Companies, says Lacour, need to implement the new 3D Secure 2.X protocol across systems, primarily websites. This replaces the 20-year-old 3D Secure 1.0 protocol. Versions 2.1 and 2.2 allow travel retailers to exchange far more information about the transaction with the card issuer, with as many as 120 new data points, and this helps to tackle fraudulent payments far more effectively. It also enables biometric authentication using the fingerprint scan option on, say, the iPhone. Both are really beneficial when implementing SCA in a way that protects the user experience.
Measure payment authentication acceptance rates: Firms should closely measure their payment authentication and acceptance rates so that they can compare them with the rates after 14 September and monitor for any impact when SCA begins to be phased in.
More detailed advice can be found in Amadeus’s Strong Customer Authentication report.