What can hospitality firms do to mitigate the effects of PSD2?
In September 2019, despite appeals by many within the hospitality and travel (H&T) industries to delay its implementation, PSD2 legislation requiring two-factor authentication (2FA) came into force across the EU and the UK.
Intended to be a quantum leap forward in the prevention of fraud related to credit and debit card transactions, the positive expectation has unfortunately, in certain quarters, led to equal measures of disappointment and confusion.
It is believed by many that the regulations are both impractical and unworkable, with a hugely disparate set of affected parties unable to comply, either willingly or practically.
The overriding issue
It is very common for consumers to book their hospitality and travel arrangements through independent online travel agents (OTAs), who provide details of hotel room, flight and hire car availability and then reserve them on request in real-time on behalf of the customers of thousands of hospitality service providers, globally.
OTAs often capture payment card details – essential for a merchant to be able to receive payment for products and services that will be used at some future date and for which the final balance is typically unknown at the time of booking. Those details effectively act as a guarantee, until the appropriate time comes to debit the card holder’s account.
For example, in the hotel industry, OTAs convey such details to the merchant who will use them to charge guests in the event of late cancellations, ‘no shows’ and indeed for any additional services or products consumed during their stay. With implementation of self-service check-in and check-out facilities trending up, this process has also afforded hoteliers added protection to ensure that they get paid for the full term of a guest stay and can back charge for any products and services consumed throughout – whether the guest ‘physically’ checks out or not.
However, with 2FA now being a legal requirement for online transactions above €30, there is an inherent limitation in the system, as the regulations currently stand, that greatly impacts what was common industry practice. Should the merchant need to charge a guest’s card where 2FA did not take place, the request for payment will be declined by the card issuer. The issuer, in complying with PSD2, has a duty to decline the request for payment, leaving the merchant to effectively prove a cardholder’s consent to debit their card. 2FA is essentially the electronic proof needed to show that the cardholder authorised a payment, without which the merchant is left exposed.
Some market commentators, fearful of an inevitable increase in declined transactions, have estimated that this could cost the EU and UK hotel industry €5 billion or more in lost revenue per annum.
The UK’s Financial Conduct Authority (FCA) was approached by H&T industry representatives and solution providers to consider the issue and offer recommendations to mitigate potential losses.
However, with PSD2 being enshrined in European law, it essentially set the rules for payment processing whilst leaving industry practitioners to determine how best to change systems and practices in order to comply. Whilst there had been a consultation period prior to the law coming into effect, what the legislature may not have appreciated fully is the time it takes merchants, OTAs, technical solution providers, payment service providers (PSPs), acquirers, card schemes and card issuers to fully align on a new set of standards – which had yet to be designed, ratified and mandated, let alone implemented and tested across the entire H&T industry and payments ecosystem.
Obtaining 2FA at the time of reservation has not been the norm in the H&T sector and in an industry heavily impacted by global travel restrictions and national lockdowns due to COVID-19, the added burden and cost of upgrading systems and business practices could not have come at a more challenging time.
Following implementation of the PSD2 legislation, 3D Secure for online commerce was mandated by most card schemes, who, in a bid to minimise declined payment requests, have worked with H&T industry practitioners to define additional ‘voluntary’ standards for providing evidence of 2FA in payment transactions.
Laudable though these initiatives are, the process can only be reliable once all industry players effectively ‘opt in’, which is likely to take an indeterminate amount of time.
Where next?
The nub of the problem lies in the fact that required changes in industry standards to help facilitate 2FA lagged some time behind the new legislation – indeed many of these standards were only published ‘in draft’ relatively recently, and without being mandated will likely take many years to attain mainstream adoption.
Meanwhile, card issuers have no choice but to comply with the law, hence many transactions are inevitably being declined that previously would have been authorised – running the risk that both merchant and consumer will consequently suffer.
One solution might be that cardholder payment is taken at the time of booking and refunded as appropriate after the event. However, this would almost certainly prove unpopular with consumers booking services often weeks or months in advance and with high average transaction values.
All is not lost, however. It is already becoming apparent that many PSPs and merchants are adapting to the changes.
For example, ‘Pay-by-Link’ payment solutions are enabling OTAs and merchants to obtain 2FA following reservation, thereby ensuring the essential guarantee of future payment, prior to arrival. This process also affords merchants the opportunity to obtain cardholder consent to any incidental charges arising before, during or following the guest’s stay, with the side benefit of being able to up-sell and cross-sell other services in the process.
Implementing the latest 3DS-enabled payment solutions for merchant-owned online booking services is also ensuring that the business merchants secure directly has not only a lower cost of acquisition but also a higher authorisation success rate, coupled with the benefits of a payment guarantee for incidental charges.
Add to this the fact that merchants who have a low history of fraud associated with online commerce can also apply to qualifying acquirers for a ‘Transaction Risk Analysis (TRA) exemption’. This effectively removes the need for 2FA on most transactions, providing a high authorisation success rate whilst simplifying the cardholder experience. TRA exemptions often come with the condition of using appropriate anti-fraud monitoring tools.
Despite the challenges, the industry is clearly motivated and compelled to find ways to adapt under the current legislative framework. It’s very encouraging to see a growing number of H&T reservation solution providers doubling down in working with the payment industry to ensure that reservations carry all the vital data needed to guarantee their merchants get paid for the business they acquire on their behalf.
I am confident that as more tactical solutions emerge, industry operators and merchants will not only mitigate the negative impacts of PSD2, but in doing so will find new ways to maintain or enhance the overall consumer experience. Only time will tell whether the industry cost of implementing PSD2 compliance is justified when juxtaposed against the reduction in fraud it was expected to deliver.
About the author:
Tony Hammond is senior vice president of global product delivery at FreedomPay.
Prior to joining the company in 2018, he served as senior director EMEA – payment solutions at Oracle.