Posted: 04 Sep 2019 10:14 PM PDT

As part of the EU Second Payment Services Directive (PSD2), Strong Customer Authentication (SCA) requirements will come into effect for merchants from 14 September 2019.

This article provides the most recent information from Mastercard on the timeline and milestones for the SCA roll-out and the impact of different SCA use cases for airlines, hospitality and online travel agencies.

This means that any online transaction in which both the acquiring and issuing bank are within the European Economic Area must be authenticated using two of three factors:

Something the customers knows (e.g. a password or PIN)
Something the customer has (e.g. device or hardware token)
Something the customers is (e.g. through consumer fingerprinting or facial recognition).

However, it is worth noting that it will not be a smooth journey to implementation. Only recently the European Banking Authority (EBA) published an opinion stating that card data cannot constitute a knowledge element for SCA.

This will significantly affect many European countries, as the One-Time-Password (OTP) generated as an SMS and card details, for example, would not be enough to meet SCA requirements.

Questions remain as to what the second authentication element would be in this scenario and how this data would be stored and transmitted across the payment processing chain.

The uncertainty could lead to either a postponed activation period for SCA requirements or a grace period after the deadline to allow organizations to adjust. Regardless of the deadline, the enforcement of the requirement at a national level will necessarily be flexible, and the timeline will be decided by EU regulators.

The EBA's Opinion on the elements of strong customer authentication under PSD2 allows National Competent Authorities (NCAs) to provide "limited additional time" to issuers and acquirers to migrate their customers to compliant authentication solutions.

Mastercard acknowledges that despite significant investments to comply with PSD2 RTS (Regulatory Technical Standards), issuers and acquirers will be unable to apply SCA on September 14, 2019.

This is because not all cardholders are enrolled in compliant authentication solutions, and most online merchants are currently unable to request SCA.

A strict enforcement of PSD2 RTS on September 14, 2019 will therefore result in a substantial increase of declined transactions and abandonment rates. This will decrease consumer trust in electronic payments.

In accordance with the EBA Opinion, Mastercard has called for a harmonized European roadmap based on clear and progressive milestones and is closely monitoring progress:

Communication to cardholders and merchants completed by March 14 2020
Account range and merchant enrollment onto EMV 3DS 2.1 with full support of exemptions and exclusions by September 14, 2020
Merchants allowed not to send EMV 3DS flow or not to request an exemption for transactions requiring SCA, Issuers allowed to approve such transactions until March 14 2021

Following the EBA Opinion, most Member States are in favor of providing additional time to the industry and are awaiting a communication from EBA on the final deadlines.

Several Member States have already stated that they will provide additional time (a.o. France, Germany, Italy, the Netherlands and United Kingdom).

SCA represents a significant challenge for the travel industry due to the complexity of the travel ecosystem.

Within the main three travel sub-verticals we address in this article – airlines, hospitality and OTAs – there are sprawling ecosystems of partners, suppliers and intermediaries participating in the process of booking.

In many cases, the entity that has the initial contact with the customer, and can authenticate the transaction, might not be the merchant that offers the service and captures the funds.

In addition to these complex payments journeys, in which different players often take payment from customers at different points, often on behalf of other businesses, the travel industry has a complex setup of interconnected technology systems.

For example, the airlines' GDS systems, or processes like BSP, will need to be adapted for SCA.

One of the key challenges is understanding how card schemes will enforce SCA for these different payment use cases, who authenticates the transaction and when.

Similarly, while all businesses must adhere to the same requirements, each sub-vertical has different payments process and customer experiences that will be impacted by SCA in different ways.

Airlines

As with other sub-verticals in the travel industry, airlines operate in a complex ecosystem of third parties and agents. This makes the question of which organization performs Strong Customer Authentication, and when, a complex one to answer.

Many airline ticket purchases are done by third parties, such as marketplaces like Expedia, or online travel agents. The airline industry has a unique setup in place with the Billing and Settlement Plan (BSP), which will need to be adapted for SCA.

Whenever the payment is taking by the airline merchant, the travel agent will need to pass on proof of authentication to the airline. Transactions currently being flagged as Mail Order Telephone Order (MOTO) remain out of scope for SCA.

However, in other cases the OTA might take the payment for the tickets, and in that case the consumer will need to be authenticated and authorized by those customer-facing organizations.

For direct sales made through the brand website, all in-scope transactions will require SCA.

However, it's crucial to note that the airline industry generally has a high Average Transaction Value (ATV), aside from low-cost or domestic carries.

Because of this high ATV, these purchases will not be able to use some of the exemptions to SCA that are more common in other verticals, such as low value or transaction risk analysis exemptions.

Hospitality

The hospitality sector faces a particularly big challenge with SCA, due to its complexity, the number of intermediaries involved, and the wide range of payment use cases and customer touchpoints that must be supported.

Not to mention that this is an industry still working with legacy transaction flows, often manually handling card details (scenarios that are not considered secure by the new regulatory regime).

The hospitality industry is built on a strong mix of card not present transactions (prepaid rates when booking online), card present transactions (paying the remainder at the front desk), as well as a large number of additional sales for incidental services (room service or spa treatments) for which credit card details must be stored and payment reconciled at the end of a guest's stay.

As with many other sub-verticals in travel, online card payment can come either through the brand website, or through one of many intermediary services such as Booking.com or Expedia.

In situations like these, where transactions are initiated and authenticated via a third-party (i.e. OTA), the third-party needs to gather the customer's card details, carry out an authentication, and then pass this authentication information onto the hotel to carry out a pre-authentication. However, this is a convoluted process and the existing systems are not set up to manage it.

There are also scenarios in which guests are charged for services after they have checked out – such as items consumed from the mini bar or cancellation fees in the event of no-shows.

These transactions will need to operate under the Merchant Initiated Transaction (MIT)framework so that they can be processed without SCA.

However, this brings with it a list of stringent requirements: the terms and conditions of the merchant need to explicitly mention language around MIT, the initial registration of card details requires SCA, and the consumer cannot trigger the transaction.

Online travel agents

OTAs are in a unique situation when it comes to SCA. Because they handle the entire user experience and serve as an intermediary service between customers and service providers (airlines, hotels, car rental, etc.), they can take card payments from customers on behalf of those third parties.

Moving forward, OTAs will be required to authenticate customers, and it is likely that they will need to provide proof of authentication to third party providers.

This situation becomes increasingly complicated during the sale of package holidays – in which payment is being taken on behalf of airlines, hotels, car rental providers, tour operators, etc.– and authentication information needs to be shared to multiple parties.

Card networks are actively engaged defining the rules to accommodate such complex use cases. We anticipate that it will be an ongoing challenge to ensure these complicated authentication journeys are secure without adding excessive friction to the customer experience.

Secure corporate payments

A specific exemption that has been defined within the PSD2 RTS regulation allows the use of corporate cards in a secure environment.

Such cards and environments are quite common in the travel industry: either as a method to make payments between OTAs and airline merchants or as a method for corporate customers to make travel bookings on their corporate card.

The exemption is taking away potential user friction from SCA in such environment, however the application itself can be a challenge.

Conclusion

Strong Customer Authentication is going to present many challenges to an industry as large and complex as travel.

However, it's important to remember that the objective of SCA – and the PSD2 regulation it supports – is to make transactions safer and more secure for customers and merchants alike.

The technical aspect of SCA is complex and will vary hugely depending on your business. At the same time, addressing the challenges of SCA will allow airlines, hotels and OTAs to develop a greater relationship with customers and deliver a better, more secure customer experience.

Travel companies will be capturing more information about their customers and can translate it into better customer experiences, loyalty programs and stronger security for sensitive payment data for all customers.

Travel companies will need a payment partner who can provide robust assessments on the quality of data collected with the SCA and look into a specific company's payment performance to help improve approval rates.

About the authors

Eric Liebman is head of travel at Ingenico ePayments and Marc Van Puyvelde is director for market product management, cyber and intelligence solutions for Europe at Mastercard.

Further reading!

Download Ingenico ePayments' SCA use cases for the travel industry, outlining impact of different use cases on Airlines, OTAs and hotels.

Must-know travel tips for hurricane season - WJHL-TV News Channel 11

Posted: 04 Sep 2019 03:56 PM PDT

TRI-CITIES, Tenn. (WJHL)- Thousands are rethinking their travel plans after Hurricane Dorian left catastrophic damage in the Bahamas and now threatens to flood several southeastern states.

News Channel 11 spoke with AAA Travel Agent Cecilia Campbell and Tri-Cities Airport Marketing Director Kristi Haulsee to find out what you need to know before booking trips during hurricane season.

"I just tell them to think about it long and hard because this time of year it's dangerous," said Campbell. "Of course hurricane season starts in June and ends in November so it's hard to restrict people."

Campbell recommends asking hotels what protections they offer before booking a room. She said many have insurance policies that allow customers to recoup the cost of their reservations if they cancel or if the hotel is forced to shut down due to severe weather.

Campbell said those planning to book a cruise should be prepared to accept a credit for cancellation or to endure an itinerary change if the ship sets sail.

"We suggest to all of our travelers that they purchase travel insurance," she said.

Campbell said travelers forced to cancel a trip following a mandatory evacuation order are fully reimbursed.

"There are policies that let you cancel for any reason at any time but you don't get all of your money back," she said.

Campbell said travelers aren't able to purchase travel insurance after a hurricane is named. "It's kind of like buying car insurance after you've had a wreck. You need to have that insurance up front ahead of time to make sure you're secure."

Haulsee said some airlines penalize passengers for changes or cancellations resulting from weather disruptions. "Always read airline policies when booking your flight, sometimes that's included in your email confirmation, sometimes you need to go to their website," she said.

After choosing to travel, Haulsee said passengers should pack essentials like medications and chargers in their carry-on bags.

She also stressed building in buffer time. "Building in a day on the end or a day on the beginning of your travels or both and just expect delays and cancellations when there is a hurricane in the area that you're traveling to."

Marni Otis Joins Red Label Vacations - TravelPulse

Posted: 04 Sep 2019 03:43 PM PDT

Red Label Vacations Inc. (RLV) is pleased to announce the hiring of Marni Otis. Marni joins the team as RLV's director of e-commerce and marketing for its retail divisions.

"Marni has a distinguished career in the travel industry and related experience to this role, making her a perfect fit," says Dianne Jackson, vice president of retail, RLV. "Her creative nature, strategic planning and understanding of customer retention will help her thrive in this role. I am confident our retail brands will be stronger than ever with Marni's expertise."

"Marni will be responsible for the strategy, development and execution of marketing, communication and customer retention programs for RLV's retail brands. She will oversee the retail websites and collaborate with partners and teams to ensure a positive user experience and greater revenue potentials," officials said.

Over the course of her career, Otis has worked with iconic brands in the travel, financial services and consumer-packaged goods industries. She was the director of marketing at Transat Distribution Canada for five years, where she oversaw the omni-channel retail marketing strategy and customer retention programs. She also has worked at The Weather Network and BBDO Toronto.

Otis can be contacted at Marni.Otis@redlabelvacations.com.

Red Label Vacations Inc., a division of the H.I.S. Group, is one of Canada's largest travel companies. Incorporated in 2004, Red Label Vacations owns and operates multiple wholesale and retail travel brands. The retail division; including redtag.ca, itravel2000.com, Sunquest, The Travel Experts, Flights.ca and Cruises.ca; offers diverse products to travellers including destination packages, flights and hotels worldwide, excursions and more. The wholesale travel business, TravelBrands, provides a full range of travel products including air, hotel, car rental, cruise and specialty to travel agents and retail agencies throughout Canada. Red Label Vacations is a comprehensive one-stop shop for agents and travellers alike.