Travel firms need to be ready on September 14, says lawyer Mardi MacGregor

The travel industry is well-aware of the second Payment Services Directive (PSD2), having had to end the practice of surcharging for card payments in January 2018.

What has perhaps taken some by surprise is the introduction of strong customer authentication (SCA) requirements from September 14, 2019.

On June 21, the European Banking Authority (EBA) published an opinion on this issue which is likely to be of real interest to travel companies which take payments online.

The purpose of the new SCA rules is to make online payment more secure and to reduce the risk of fraud.

Under the new rules, a payment service provider must verify a customer’s identity in accordance with the SCA requirements in certain situations, the most relevant being where a customer makes an online payment.

The SCA rules require payment service providers to verify the customer’s identity by using two or more of the following elements:

  • Knowledge (something only the customer knows);
  • Possession (something only the customer possesses); and
  • Inherence (something the customer is).

These elements must be independent of each other: breach of one must not compromise the reliability of the others.

What does the EBA say?

The EBA opinion provides a non-exhaustive list of the authentication approaches currently used in the market and comments on whether it considers these to be compliant with the SCA requirements.

The EBA also provides some commentary on each of the three SCA elements above, and on the combinations of these.

In addition, it considers but dismisses the possibility of making more time available for regulated entities (and their customers in the industry) to prepare for the commencement of SCA.

The EBA does, however, acknowledge concerns regarding the preparedness of e-commerce businesses for SCA and recognises that the entire payments chain, including card schemes and merchants (such as OTAs) must take steps to apply or request SCA in order to avoid situations where payment transactions are interrupted, blocked or rejected.

As a result, the EBA’s opinion allows for the possibility that some National Competent Authorities (NCAs) such as the UK FCA will choose to work with some authorised entities “and relevant stakeholders, including consumers and merchants” to help them prepare, and may “provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA… and acquirers to migrate their merchants to solutions that support SCA” on an “exceptional basis” (only).

These delays will only be available where payment service providers have agreed a migration plan with the NCA.

The FCA released a statement in response to the EBA confirming that it will quickly agree a plan with all stakeholders across the payments industry that encompasses a blueprint for compliance, a timetable for achieving this, and key milestones and targets to deliver SCA.

The FCA confirmed it will not take enforcement action against firms if they do not meet the relevant requirements for SCA from September 14 in areas covered by the agreed migration plan, where there is evidence they have taken the necessary steps to comply with the plan.

The implications for the travel industry

Travel companies that take payments online need to maintain an open dialogue with the banks and other regulated payment service providers they deal with in order to understand fully any changes they might be asked to make to their payments systems, infrastructure or customer-facing website.

We have been advising travel companies (and other online merchants and technology providers) on whether proposals put forward by their regulated counterparts are necessary and reasonable in light of the SCA requirements.

Other issues relevant to travel companies include:

  • How should payments to travel companies be initiated?
  • When can the SCA requirements be disapplied?
  • What are the implications of SCA for online travel companies which offer instalment or low-deposit plans?
  • How are customers likely to react to the new SCA requirements and how can travel companies communicate these requirements in a way that enhances the customer journey and reduces customer attrition?
  • What are we seeing from other online merchants in this area? Are there lessons to be learned from other retail industries?

Our experience acting for both regulated and unregulated merchants, technology providers and other stakeholders in the payments ecosystem, as well as our travel industry expertise, mean we are able to provide both a broad overview of the market and detailed advice on the issues that really matter.

Mardi MacGregor is a senior associate at Fox Williams