By Jean-Christophe Lacour, Head of Merchant Services, Payments, Amadeus.
Much has been written about the recent introduction of Strong Customer Authentication (SCA), which mandates that all electronic payments above €30 be subject to two-factor authentication. When it comes to SCA, not all industries are equal.
Indeed, the travel industry is frequently cited as one of the most complex, and our own research with large travel sellers recently found that only a third were prepared for the 14 September SCA deadline. But why is authenticating travellers so hard?
- Delayed consumption: flights and holidays are often booked six months or more in advance. When it comes to Merchant Initiated Transactions (MIT), where the merchant takes payment from a card, this can pose challenges. MITs can be exempt from SCA, but two-factor authentication must be performed for the first payment the merchant takes from the customer’s account, for example when you book the holiday itself. However, if the various merchants then need to take subsequent payments, say €50 MITs for the hotel mini bar, the authorisation period (typically 90 days) will have lapsed. This means the industry needs to find a way to conveniently enable SCA for relatively low-value MITs, which it has traditionally taken for granted.
- Multiple Merchants of Record: when you book a holiday via a travel agent, several travel providers might be involved (e.g. airline, hotel, car rental company). The good news for the travel industry is that, under PSD2, a single authentication can be used across a multi-merchant booking. Here, the travel agent must typically be identified as the Merchant of Record (MoR), with the authentication reflecting the total amount of all services combined. The challenge comes in passing that authentication between the interested parties.
- Travel is an intermediated industry: travel is sold through multiple channels, including airline and hotel websites, but a large percentage is sold indirectly through online, traditional, and business travel agents. This means the end traveller isn’t always present when a payment is made, with cards often ‘lodged’ within various systems. Take corporate travel, for instance, where a business travel agent may use a lodged card, a card might be stored in a corporate self-booking tool, or a personal assistant might simply make a booking without the traveller being present. So, when an SCA request is triggered and the end traveller who is required for authentication isn’t available to respond, clear processes are needed to ensure issuers know when the secure corporate payment exemption can be invoked.
- Passing contextual information to issuers is complex: today many indirect bookings (those made via travel agencies) can be considered Mail Order Telephone Order (MOTO) or lodged-card transactions and are therefore exempt from SCA. However, for issuers to apply this exemption, certain information needs to make its way through the travel distribution chain from travel agent, to booking technology provider, to travel supplier (e.g. airline), to issuer. Without that contextual information, issuers may feel they need to request SCA. Being able to effectively flag a transaction in the correct context requires new messaging standards to be agreed and implemented between travel agency groups, issuers and technology providers, something we are working hard on at Amadeus alongside the industry. In the meantime, the card schemes are recommending that such transactions are not systemically declined whilst this work is undertaken.
- Is the transaction in the European Economic Area? SCA only applies when the acquirer and issuer are both based in the EEA. Today, for some indirect travel bookings, the location of the acquirer isn’t known. That’s because the travel agent or travel technology provider authenticates the transaction but cannot ‘see’ the location of the merchant’s acquirer. At Amadeus, we’ve taken steps so we can effectively identify the merchant’s location for use by issuers when forming a judgement about when SCA should apply. The introduction of 3DS 2.X, the industry’s upgraded authentication protocol, also helps to alleviate this issue. We’re rolling out this technology across our systems.
In this article we’ve covered just a few examples of the complex authentication scenarios common to the travel industry; there are several more. At Amadeus, we’re advocating continued collaboration between all players, so we can reduce fraud by delivering on SCA in a way that protects the traveller’s digital experience. It’s certainly a challenge, but we’re ready for it.