Are you ready for SCA?
Are you ready for what might be our next big disruptor - SCA?
Just when you thought you had gotten your head around GDPR, along comes Strong Customer Authentication (SCA)! Are you ready? Do you understand how this will impact your business? If the answer is no, then you are not alone... This extra layer of payment security becomes law in September 2019 and the implications are unclear at best. And of course, one of the industries to be hit hardest is hospitality, due to the sheer complexity of how we accept and process multiple layers of payments.
This was a hot topic at the Book Direct Summit last week in Paris and, with permission from TripTease, I would like to share a white paper with you that will hopefully go some way towards explaining this complex new payment law that few of us are aware of. If I may, here is some high-level information (and you may need to sit down for this):
What is it? - As of 14th September 2019, the new European Payment Services Directive (PSD2) requires Strong Customer Authentication (SCA) as a means to further prevent credit card fraud by forcing a second method of authentication into all payment processes.
How does it work for our customers? - SCA requires all payments to be authorised by two of the three following methods: 1) KNOWLEDGE - something you know, such as a PIN or password 2) POSSESSION - something you have, such as a credit card or mobile phone 3) INHERENCE - biometric data such as Touch ID or voice pattern technology.
Who does it affect? - This will affect every country in the European Union, and the bad news for anyone in the UK is that this legislation applies irrespective of any future Brexit plans. However, both the merchant and the acquirer (in other words, the payment auth and the end person requesting) need to be in Europe. At this stage it is unclear if guests outside the EU may need SCA in the future.
What does this mean in practice? - It means that for every single transaction that your customer makes with you, they will need to provide two authentication factors. Many of us are used to having a PIN sent to our phone or email as a secondary layer to authenticate some transactions (around 2% of all transactions are made this way, but this new law will see this increase to around 40% of all transactions). Hoteliers have not had to consider SCA before now, but 14 September is your deadline to implement this.
How will this affect our direct business via brand.com? Imagine both scenarios - you either take full payment at time of booking or you just process the booking and take payment on departure. Either way, you take a credit card number to secure the booking, which is processed via your booking engine and then stored securely in your PMS.
The bad news for hotels is that even if no payment is taken at time of booking, this new legislation requires SCA when the booking is made.
How does that work? - Imagine a booking is made with payment expected on departure. A zero transaction will be made at time of booking and your customer will be asked for SCA (two out of the above 3 steps) even though no money is taken.
It gets even better... if this transaction is made more than 90 days before arrival, then the authentication expires and your customer will have to re-enter the two steps again. Yes really...
What if the reservation is paid at time of booking? - The two steps will be enforced and at this stage it is unclear if taking the SCA again at time of check-in will be necessary.
Will this affect my conversion online? - Perhaps is the answer. We all know the high rate of basket abandonment and adding this second step may well frustrate our customers. Can your booking engine provider work out if your guests are European and force SCA and not if they are from the US for example? I doubt it.
What happens if the booking is made via an OTA or GDS? - The same rules apply but the third party will then be forced to authenticate. However, there seems to be further legislation required which may in fact force many of the OTAs to review their approach and demand full payment up front. Is this one of the reasons that Booking.com have introduced their early payment model? Maybe...
Are there exemptions? - Yes, but hotels are unlikely to qualify due to the value of most transactions. The good news (if you can call it that) is that phone bookings are exempt, but who on earth wants to go back to that!
What do I do now? - 1) Talk to your payment gateway provider 2) Talk to your booking engine provider 3) Reach out to your OTAs and ask how they plan to process payments 4) Insist that they complete authentication at time of booking 5) Talk to your PMS supplier 6) Update your terms and conditions
And most of all, be ready for change! I urge you to please take ten minutes and read the attached white paper and get ready. This will be law from 14 September and this absolutely will affect your business!
Good luck and remember, for all things revenue, just ask@rightrevenue.wpengine.com