How Strong Customer Authentication (SCA) Will Affect Your Travel Program

By Martin Koderisch of Edgar, Dunn & Company

There’s about to be a shakeup in corporate travel. If your travelers are going anywhere in Europe, a new EU directive, and the laws which result from it, will change the way you pay for flights, hotels, and amenities. The new payment security rules are called Strong Customer Authentication (SCA). Here’s an overview of what’s involved, what’s covered by the new rules (and what’s not), and what travel managers have to do to get ready for the change.

Online Fraud – the Context For SCA

Online fraud has been on the rise since ecommerce took off. Experian’s 2019 report shows a 30% increase in online fraud in the space of a year, and the problem isn’t going away.

Because of the scale of the problem, the EU has implemented a new Payment Services Directive, known as PSD2, to combat it. Key provisions of this directive have become law in various European member states.

The SCA rules are one of the key pillars of PSD2. After a recent deadline change, they’re now scheduled to go into effect on December 31, 2020. The SCA rules apply to two types of transactions: card payments and credit transfers from a bank account.

What is SCA?

Once SCA comes into effect, online digital payments will require two-factor authentication (2FA). Consumers won’t just be able to use their credit or debit card; they’ll need other ways to verify that the transaction is authorized. In other words, there’s an additional step before a payment goes through.

Under PSD2, consumers will have to supply two of a possible three sources of validation. Technically, the three factors are called knowledge, possession, and inherence. That means:

  • Something you know, such as your PIN or a password
  • Something you have, such as your mobile phone or credit or debit card
  • Something you are, such as a fingerprint

For example, you might have a banking app on your phone. Your bank will know that this app is on a digital device that belongs to you, complying with the possession (something you have) factor. To provide a second level of authentication to confirm a transaction, you can enter a PIN or use a fingerprint.

The underlying technology supporting 2FA for card payments is called 3D Secure. This technology has been around since 1999 and has recently been updated to be mobile-friendly to provide a better front-end customer experience. Importantly, 3D Secure allows banks to assess risk in the background to determine if there’s a need to complete 2FA for a particular transaction.

It’s important to note that, rather than being the exception, authentication of online transactions will become the norm. Failure to comply could result in fines. However, there are some exemptions to be aware of.

5 SCA Exemptions You Should Know

Under the SCA rules, there are five types of transactions where exemptions apply. These are:

  1. Low value transactions
  2. Recurring payments
  3. Transaction risk analysis
  4. Trusted beneficiaries
  5. Corporate payments

Let’s look at these in more detail.

1. Low Value Transactions

Transactions under the value of €30 are considered low value transactions, so they don’t usually require authentication. But if a customer initiates five successive low value transactions, or the total value of those transactions exceeds €100, then the SCA rules come into play, and 2FA will be required.

2. Recurring Payments

The recurring payments exemption covers payments where the amount and payee are identical. An example is subscription payments like Netflix, Hulu, or Spotify. However, anyone setting up a subscription will have to use strong authentication for the first payment. After that, future payments will be exempt.

It’s worth noting that this exemption does not apply to recurring payments of varying amounts. However, regular bill payments like utility or phone bills of varying amounts are classified as ‘merchant initiated’ payments, which are out of the scope of SCA. You will need to do SCA during setup, but won’t have to authenticate every payment.

3. Transaction Risk Analysis

Transaction risk analysis is what it sounds like – a real-time assessment of whether a particular transaction is likely to be fraudulent. If a transaction is deemed to be low-risk, and is under the value of €500, then it could be exempt from the need for 2FA. However, the fraud thresholds that acquirers need to demonstrate are much lower, so in practice the TRA exemption will apply to transactions of up to €100.

This exemption is applied by the acquiring bank, but in order to offer it, that bank has to demonstrate to financial regulators that it’s operating in a low-fraud environment. Banks operating with high-risk merchants and situations won’t be allowed to offer this exemption, which means SCA rules will apply.

4. Trusted Beneficiaries

This exemption is also known as whitelisting. It means that cardholders can indicate that they trust certain beneficiaries or merchants, and don’t feel they need to authenticate those transactions securely. This exemption is still a work in progress. At the moment, customer whitelisting needs to be endorsed by the issuing bank, which might not happen if the issuer suspects a fraud risk. And as with other exemptions, the first transaction still needs to be strongly authenticated.

5. Corporate Payments

One of the exemptions under the SCA rules covers payments between businesses. This might affect travelers using corporate cards, for example. In order to exempt these payments, the financial institution needs to prove it has a process similar to 2FA. For example, if travelers need to login to a secure site to get approval for a corporate card payment, that could meet the criteria.
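The threshold-based exemptions above (low value, recurring payments, transaction risk analysis) and the merchant-initiated carve-out amount to a small decision procedure. The sketch below is an added example, not code from the author or from any issuer; the names CardState, challenge and decide are hypothetical, the thresholds are the ones quoted in this article, and trusted beneficiaries and corporate payments are not modelled.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Thresholds as quoted in the article (EUR); not taken from the regulation text.
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_TOTAL = Decimal("100")
TRA_PRACTICAL_LIMIT = Decimal("100")  # article: EUR 500 on paper, EUR 100 in practice

@dataclass
class CardState:
    """Counters an issuer would keep per card since the last SCA (hypothetical)."""
    low_value_count: int = 0
    low_value_total: Decimal = Decimal("0")
    mandates: set = field(default_factory=set)  # (payee, amount) pairs already authenticated

def challenge(state, mandate=None):
    """SCA is performed: reset the low-value counters, remember any new mandate."""
    state.low_value_count, state.low_value_total = 0, Decimal("0")
    if mandate:
        state.mandates.add(mandate)
    return True, "SCA required"

def decide(state, amount, payee, *, recurring=False, merchant_initiated=False,
           acquirer_low_fraud=False, low_risk=False):
    """Return (sca_required, reason) for one payment and update the card state."""
    amount = Decimal(amount)
    if merchant_initiated:  # out of scope; the SCA done at setup is not modelled here
        return False, "out of scope: merchant-initiated"
    if recurring:  # exempt only when amount and payee match an authenticated first payment
        if (payee, amount) in state.mandates:
            return False, "exempt: recurring payment"
        return challenge(state, mandate=(payee, amount))
    # Assumption: the challenge falls on the payment after five exempted ones,
    # or on the payment that would push the running total past EUR 100.
    if (amount < LOW_VALUE_LIMIT and state.low_value_count < LOW_VALUE_MAX_COUNT
            and state.low_value_total + amount <= LOW_VALUE_MAX_TOTAL):
        state.low_value_count += 1
        state.low_value_total += amount
        return False, "exempt: low value"
    if acquirer_low_fraud and low_risk and amount <= TRA_PRACTICAL_LIMIT:
        return False, "exempt: transaction risk analysis"
    return challenge(state)

if __name__ == "__main__":
    card = CardState()  # constructed sample: a traveler buying EUR 25 items
    for n in range(1, 6):
        print(n, decide(card, "25", "airport-cafe"))
```

In the constructed run, the fifth €25 purchase is challenged because it would take the running total past €100, even though each payment on its own is low value.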

Impact of SCA on Corporate Travel

The corporate travel sector is complex. In particular, travel has a complicated payment chain involving airlines, hotels, travel management companies, and other players.

One of the major challenges is that it’s difficult for issuers to identify which transactions need to be compliant, and which do not. For example, merchant-initiated payments (such as hotel charges applied after departure) are not covered by SCA and don’t require authentication. In addition, not all parts of the chain are ready for the change. In particular, there’s a lot of legacy technology that needs to be updated for SCA to operate as it should.

There are ongoing consultations and working groups to resolve this issue. It’s expected that there will be a grace period for implementation of SCA for different players in the travel industry. This will allow the time to upgrade technology and reach consensus on which transactions need to be authenticated.

5 Ways Travel Managers Can Prepare for SCA

In the meantime, it’s important for travel managers to prepare for this upcoming change. Here are five steps to take:

  1. Check in with and analyze your corporate card issuer to ensure they are aware of and ready for SCA.
  2. If travelers are allowed to use their own cards, figure out who the main card issuers are, and check with them about their SCA readiness.
  3. Ask your card issuers if they have applied for any necessary exemptions. This will vary by location. In some countries, there’s a formal application process, which can be time-consuming. In others, issuers provide a statement and regulators undertake spot checks.
  4. Update your travel policies to reflect the need for 2FA for corporate travel expenses.
  5. Use traveler engagement to communicate with travelers about this coming change. There’s nothing worse than being caught unawares.

 

Need to learn more about how SCA will affect your travel program? Watch the recording from our July 25th webinar, Strong Customer Authentication (SCA): Impact on Corporate Travel, to learn more.