Payment security: implementation delays are good news for travel
Delays are not usually good in the travel industry, but the extension of the deadline for implementing new EU security deals could be. Sally White reports
Two figures show that the online travel industry has good reason to be nervous about the likely increases in booking time resulting from the new and stronger security EU payment standards – PSD2 (the Revised Payments Service Directive). Firstly, most of us will wait no more than just a few seconds for a site to load before giving up and going somewhere else, according to Massachusetts-based software intelligence group Dynatrace. Then Salecycle, a UK based global behavioural marketing company, has found that, at an 88.8% rate, travel sites have the highest booking abandonment and overlong processes are a major cause.
So, all the better that, while not widely publicised, there has been another slippage in the date when the rules will be fully implemented. The European Banking Authority (EBA) has responded to the strong banking lobby and the amount of technology for PSD2 still at R&D stages, and extended the deadline. After several postponements, this was to have been September 14. Now there is no date for full compliance, although December this year and March 2020 are being mentioned.
Even better still, there are growing questions on the need for new laws to up the level of surveillance at all. There are already many security checks in the technology used by western credit card and payment systems – though fraud still seems to be growing. Along its route to enactment the new Strong Consumer Authentication (SCA) rules have met significant challenges. Visa described them when still in draft as “a significant threat to future innovation and Europe’s future growth.”
Calls for greater clarity
The range of changes brought under SPD2 range from requiring the banks to open up their payments infrastructure and customer data to third parties – which has been the major source of financial industry discontent. As far as the travel industry is concerned, it includes the introduction of two-factor authentication for online purchases or credit transfers. Consumers will be asked to provide either something that they know (password or PIN code), something they own (card or mobile phone) or biometric, fingerprint or iris scan as identity.
Financial services and technology law expert, Angus McFadyen at London law firm Pinsent Masons, commented that the industry is able to "control fraud levels to an extent already". He added that the new requirements are "perhaps designed more to help improve user trust and confidence in less e-commerce-driven economies" but questioned whether a solution from the early 2010s "still works today". He also commented that there could be “unintended consequences” and “more clarity” was needed.
Currently one to two per cent of online transactions require cardholder authentication to complete a transaction. MasterCard says that this figure is expected to rise to 25%.
Travel companies that are most affected by the various changes
“The use of passwords to authenticate someone is woefully outdated, with consumers forgetting them and retailers facing abandoned shopping baskets," Ajay Bhalla, president global enterprise risk and security at MasterCard was quoted in online magazine internetretailing.net as saying. "In payments technology, this is something we’re closing in on as we move from cash to card, password to a thumbprint, and beyond to innovative technologies such as artificial intelligence. It’s far easier to authenticate with a thumbprint or a selfie, and it’s safer too.”
Farina Azam, of UK travel law firm TravLaw, speaking at a summit organised by global payments solutions group Wex Travel, said it would be travel companies that are most affected by the various changes brought in. Wex’s blog on the summit quoted the UK Association of Independent Tour Operators as recommending that tour operator members apply an extra 0.5% commission to travel agent’s bookings for payments taken after the introduction of PSD2.
Possible exemptions, that may help the travel industry to some extent, though it could discourage consumers from shopping around, include merchant-initiated transactions. In a guide and discussion of PSD2 on its website, payments software technology group Stripe says: “Payments made with saved cards when the customer is not present in the checkout flow (sometimes called ‘off-session’) may qualify as merchant-initiated transactions. These payments technically fall outside the scope of SCA.” Card details collected over the phone fall outside the scope of SCA.
Solutions to handling the double identification requirement include various incredibly cumbersome ones, such as codes despatched by landline! A hi-tech solution, described by Stripe, of “a new type of credit or debit card where the security code on the back changes every 90 seconds” sounds like a winner. Very much better for the consumer, but likely to be threatened by the costs for the banks!