The travel industry is well aware of the second Payment Services Directive (PSD2), having had to end the practice of surcharging for card payments in January 2018. What has perhaps taken some by surprise is the introduction of strong customer authentication (SCA) requirements from 14 September 2019. On 21 June 2019, the European Banking Authority (EBA) published an opinion on this issue, which is likely to be of real interest to travel companies which take payments online.
What is SCA?
The purpose of the new SCA rules is to make online payment more secure and to reduce the risk of fraud. Under the new rules, a payment service provider must verify the customer’s identity in accordance with the SCA requirements in certain situations, the most relevant for travel companies being where a customer makes an online payment.
The SCA rules require payment service providers to verify the customer’s identity by using two or more of the following elements:
- knowledge (something only the customer knows);
- possession (something only the customer possesses); and
- inherence (something the customer is).
These elements must be independent of each other: breach of one must not compromise the reliability of the others.
What does the EBA opinion say?
The EBA opinion provides a non-exhaustive list of the authentication approaches currently used in the market and comments on whether it considers these to be compliant with the SCA requirements. The EBA also provides some commentary on each of the three SCA elements listed above, and on the combinations of these elements.
In addition, the EBA opinion considers, but dismisses, the possibility of making more time available for regulated entities (and, consequently, their affected customers in the travel industry) to prepare for the commencement of SCA. The EBA does, however, acknowledge concerns raised regarding the preparedness of e-commerce businesses for SCA, and recognises that the entire payments chain, including card schemes and merchants (such as online travel companies), must take steps to apply or request SCA in order to avoid situations where payment transactions are interrupted, blocked or rejected.
As a result, the EBA’s opinion allows for the possibility that some National Competent Authorities (NCAs), such as the FCA, will choose to work with some authorised entities “and relevant stakeholders, including consumers and merchants” to help them prepare, and may, on an “exceptional basis” only, “provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA… and acquirers to migrate their merchants to solutions that support SCA”. These delays will only be available where payment service providers have agreed a migration plan with the NCA.
What does the FCA say?
The FCA has released a statement in response to the EBA opinion confirming that it will quickly agree a plan with all stakeholders across the payments industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver SCA.
The FCA has confirmed that it will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed migration plan, where there is evidence that they have taken the necessary steps to comply with the plan.
What are the implications for the travel industry?
Travel companies that take payments online (e.g. via a website or app) need to maintain an open dialogue with the banks and other regulated payment service providers that they deal with, in order to understand fully any changes that they might be asked to make to their payments systems, infrastructure or customer-facing website.
We have been advising travel companies (and other online merchants and technology providers) on whether proposals put forward by their regulated counterparts are necessary and reasonable in light of the SCA requirements. Other issues particularly relevant to travel companies include:
- how should payments to travel companies be initiated?
- when can the SCA requirements be disapplied?
- what are the implications of SCA for online travel companies which offer instalment or low-deposit plans?
- how are customers likely to react to the new SCA requirements and how can travel companies communicate these requirements in a way that enhances the customer journey and reduces customer attrition?
- what are we seeing from other online merchants in this area? Are there lessons to be learned from other retail industries?