Amadeus will be ready for strong customer authentication (SCA) for ecommerce transactions from September but warns many businesses may not.
Jean-Christophe Lacour, Amadeus head of merchant services, warned of “an SCA cliff edge”, telling Travel Weekly: “There is a lot of anxiety from merchants about [the risk of] poor customer experience if cardholders have not been told by banks that this is coming – because customers face interactions online they did not face before.
More: New online rules risk ‘massive loss of business’
Comment: Strong Customer Authentication
“Travel suppliers, travel management companies and online travel agents are also concerned that a lot of business will be declined by banks.”
Strong Customer Authentication (SCA) will impose new verification requirements for online payments of £30 (€30) and above from September 14 – mirroring the existing distinction between contactless and chip-and-pin card payments for face-to-face transactions.
SCA forms a key part of the second phase of the EU’s Payment Services Directive 2 (PSD2).
Lacour explained: “Prior to September 14, the typical experience in the UK has been you go to a website and probably encounter a request to authenticate yourself.
“Typically, a merchant does a risk assessment. If you are a regular purchaser and buy from the same laptop the merchant will recognise and trust you. If it’s your first time on a site, it will refer [the transaction] to the bank for authentication. That is when the 3D-Secure [3DS] system kicks in. If the bank recognises you, it may authenticate you. The method is down to the bank.
“Most UK transactions are like that today. You might see something pop up on screen and it disappears without asking for a password. Or it will send a one-time password and ask you to enter it.
“In the UK, most verification is ‘passive’, but in Spain and Germany most transactions involve more active authentication. But from September 14, any intra-European transaction above €30 [£30] will be subject to two-factor authentication.”
Lacour insisted: “Amadeus will be ready for this as a payment provider and as a GDS. As a GDS, we are upgrading all our systems to take authentication data and pass it on [and] all systems will be ready.”
The company acts as a payment provider “mainly for airlines but also for agents”. He said: “We are upgrading the 3D Secure [3DS] offer to make it compatible with the latest protocols.” He calls this 3DS 2.0.
He noted: “There are exceptions [to SCA]. One is for ‘white listing’. A card will ask if you want to list a ‘preferred merchant’ and transactions will not be subject to two-factor authentication. Each card would trigger a request from an issuer to register the merchant. A second is ‘transaction risk analysis’ – if a card issuer or acquirer concludes you have a low fraud risk.”
But he said: “We encourage customers to be ready. For those not ready, it would be bad to see every transaction declined.”
A challenge for corporate travel
Strong customer authentication (SCA) will pose a challenge in corporate travel although the sector enjoys an important exemption.
SCA means two-factor authentication will be needed for all online transactions of £30 and above from September 14.
Amadeus head of merchant services Jean-Christophe Lacour said: “There is an exemption for ‘secure corporate payments’ for corporate or stored cards [also called lodge cards] in online booking tools.”
The challenge is that travel management companies (TMCs) need to flag transactions to benefit from the exemption and Lacour acknowledged: “There is no such flag [mechanism] on a GDS now.”
He said: “Iata and the GDSs acknowledge we need to work on this. [The issue is] how do we communicate the context of a transaction so it is recognised by the [card] issuer as an exemption. We need a common system of flagging – a standard.”
A solution should be in place “in 18 months to two years”, he said, adding: “It is complicated technically, but we probably have 18 months [to do it] in the UK. We are all working on upgrading our systems.
“In the short term, TMCs will continue as today with a majority of transactions flagged as mail or phone order which are out of the scope of the regulation.”
He added: “Issuers are aware TMCs do business with stored cards. Most will recognise a TMC customer even if the regulation is enforced from September 14.” A stored or ‘lodge’ card is a corporate card ‘lodged’ with a TMC.
However, Lacour said: “A [corporate] card holder may not be present when a transaction is triggered. If the TMC takes the regulation literally it may have to call the client and ask them to log on to authenticate themselves. In practical terms, that is what we are talking about.
“The industry needs a period to turn this around.”
However, he noted: “The fraud rate on TMC transactions is much lower [than in leisure] because access to cards is controlled.”
EBA acknowledges concerns
The European Banking Authority (EBA) has acknowledged widespread concerns about the deadline for introducing strong customer authentication (SCA).
It noted last month: “The complexity of payments markets across the EU . . . may lead to some actors in the payments chain not being ready by September 14.”
National agencies may therefore “decide to allow limited additional time . . . [on] condition that payment service providers have a migration plan and will executive the plan in an expedited manner”.
However, the EBA also insisted: “Sufficient time has been available for the industry to prepare for the application date of SCA, given the definition of SCA was set out in Payment Services Directive 2 (PSD2) in 2015 [and] PSD2 already granted an additional 18-month period for the industry to implement SCA.”
The UK’s Financial Conduct Authority confirmed it would “give some firms extra time”, noting: “The legal deadline for complying remains September 14. However, the FCA recognises the challenges in meeting this deadline. We aim to quickly agree a plan with stakeholders, a timetable for achieving this and key milestones and targets.”
However, the FCA warned: “We will take enforcement action against firms if they do not meet the relevant requirements for SCA from September 14.”
More: New online rules risk ‘massive loss of business’