KEEPING IT SECURE

SCA's relatively smooth arrival could be disrupted by the removal of a temporary workaround for travel transactions

If you have been asked to confirm a card payment with a PIN sent to your mobile phone in recent months, you have experienced Strong Customer Authentication (SCA) in action.

SCA is a strategy applied across the European Economic Area (including the UK, which adopted the law before leaving the European Union) that aims to reduce card fraud through additional cardholder verification for e-commerce transactions. It became mandatory in most EEA countries on 31 December 2020 and in the UK on 14 March 2022.

However, if you or your travellers have given SCA verification for a business trip payment, it was most likely done either on a direct supplier website or using a personal credit or debit card. If payment was for an indirect booking, such as through a travel management company or an online booking tool, almost certainly no SCA was involved, for a couple of important reasons.

The first is that lodge and virtual card payments, which are both centrally billed and are often used for pre-trip bookings, are treated as secure corporate payments, and are therefore exempt.

The second reason is that while payments through plastic corporate cards are not exempt, SCA can be avoided for them on a temporary basis because of a concession of critical importance to travel buyers.

The background is the severe challenge that implementing SCA has caused for the travel industry, owing to the involvement of so many intermediaries in paying for an indirect booking. The chain of relevant parties touching a hotel payment includes, potentially, a booking tool or TMC, a global distribution system, a property management system and a payment processor.

“Not every stakeholder is ready to take the authentication codes and pass them through,” says Kerry Douglas, head of programme for the UK & Ireland’s Institute of Travel Management. “Authorisation of exemption codes also need to be passed through the chain. It needs everyone to be technically ready.”

European banking authorities were persuaded that everyone in the travel industry was far from ready, and at short notice Visa and Mastercard were permitted to instruct travel industry merchants that on a temporary basis they could designate payments for indirect bookings as Mail Order/Telephone Order (MOTO) transactions, which are out of scope for SCA.

For the time being, therefore, “many of our clients expected major issues with SCA but it seems to be working okay,” says Pascal Burg, a director of multinational payments consultancy Edgar, Dunn & Co.

But does that mean travel managers with responsibility for payments can forget about SCA and focus on other pressing issues? The answer is emphatically no, for three important reasons.

The first is that, even with the temporary MOTO designation, plastic corporate card users are still required to authenticate when booking directly online with suppliers. That means some long-standing payment practices by corporate travel customers are no longer workable.

“Where you have a large population of executive assistants booking on behalf of somebody else, that can be quite challenging because legally you cannot pass authorisation codes between the cardholder and somebody else to complete the booking,” says Douglas. In essence, in the SCA era only the person whose name is on a card should be paying with that card.

The next problem is one that both Burg and AirPlus International executive marketing director Michael Heilmann describe with the same word, “hiccoughs”: cases where SCA has caused perfectly legitimate payments to be declined.

Burg says there were particular problems, not confined to travel, in Germany, Spain and Italy which have now been resolved. But within travel, according to Heilmann, there have been declines when the price of a transaction changes, for example if a traveller switches to a different room type in a hotel. “The systems handling the SCA cannot reconcile that this is still the same purchase order,” Heilmann says. “But it is a very small number of transactions.”

Avoiding the issue

Another “hiccough” reported by ITM buyer members is cardholders occasionally being asked to enter a PIN that is never sent to them. However, the biggest current challenge of all for ITM buyers is an indirect one. To avoid SCA, some companies have switched to paying for air via lodge cards (also known as centrally billed accounts), where SCA is not required. Lodge cards can be problematic when booking low-cost carriers through content aggregators. Such aggregators typically require a “three-digit security code [as found on the back of plastic cards] which personal assistants would not have access to,” says Douglas.

But the main reason buyers need to keep their eye on SCA is that the workaround MOTO designation for indirect travel bookings “is temporary,” says Burg. “It works but it’s not compliant with the letter of the text. If it’s an e-commerce transaction that takes place online it should not be designated as MOTO; it should be designated as e-commerce” – and therefore subject to SCA.

This is precisely what worries Clive Cornelius, head of travel segment for Visa Europe. “A lot of the challenges are being avoided because a lot of the industry is still using MOTO as a way of processing the transaction,” Cornelius says. “At some point the industry is going to have to stop using it. Everything is working today because they are using a designation that is not its real purpose. A booking that started via a booking tool is not MOTO. We are continually engaging the industry to say you do need to work together to allow the SCA information process to flow.”  

In Cornelius’s view, most travel companies have not yet made the required workflow and systems changes, such as data field modifications. “Some TMCs have done some work but then there’s no way for them to process that data downstream,” he says. “The GDSs and PMSs won’t have a way of receiving this data and making it available when processing the transaction.

“I would hate to see us get to the situation where payments don’t work for our issuers and acquirers and the travel eco-system. It’s one of those situations where the industry needs to pull together and work out how they are going to put this solution in place. We’ve provided to the travel and hospitality industries flows for how it all needs to work but the parties now need to allow that work to take place,” Cornelius says.

One reason so much remains to be done is that “it affects a lot of systems so I’d be surprised if it didn’t require a fair bit of investment,” says Cornelius. Funds for such investment remain elusive as travel companies continue to make up for two years of revenues devastated by Covid lockdowns.

Another challenge is uncertainty. Banking authorities have given no indication of when the temporary MOTO designation for travel transactions will end.

The situation may change as a result of the European Commission’s current review of the Revised Payment Services Directive, better known as PSD2. This could close the MOTO loophole because, says Burg, “if a lot of merchants were to use MOTO as a workaround to avoid SCA, then the regulators could put MOTO in scope.”

An exclusion for travel?

Conversely, there is lobbying going on to exclude payments for indirectly booked travel from SCA obligations permanently. Arguing that the “required solutions are hyper complex and practically impossible to put in place”, Visa has told the review “there is a need to discuss with regulators what other acceptable solutions could be put in place for indirect travel bookings.”

The Global Business Travel Association, on behalf of itself and affiliated national associations, including ITM, has also contributed to the review. It wrote that “given the marginal fraud detected in the business travel sector, GBTA encourages the Commission to exclude the business travel sector from the SCA requirements.”

While it is hard to see how an exclusion could be regulated based on purpose of travel, it may be possible for the review to clarify that indirect travel bookings, especially if routed via a GDS, are a secure corporate process which can be considered exempt or out of scope.

Continuing to lobby Brussels is one of three action points recommended by Visa’s Cornelius for travel buyers contemplating how to manage SCA. The second is lobbying of a different kind. “Ask your TMCs and online booking tools what they are doing [to make themselves SCA-ready] to be part of fixing the problem so that the industry is ready,” he says.

Finally, Cornelius urges “owners of corporate programmes to review their own processes,” including ensuring they have eliminated shared cards, such as use by PAs of their managers’ cards, and that they have a workable card option when making direct e-commerce payments to suppliers.

SCA is a challenge many travel managers may have thought had gone away, if indeed they were aware of it in the first place. But it is very clear the reality remains worryingly different. “It’s not over,” says Burg.