Reprieve from Card Payment Authentication Requirements Around Europe

Business Travel News 9/19/2019

AAA World Article

Sighs of relief went up across Europe the past several weeks as a slew of European jurisdictions announced extensions to the Sept. 14 implementation date for card security requirements. The deadline had threatened to sow chaos across the continent's payments sector, especially in corporate travel. Despite the reprieve, questions remain about how Strong Customer Authentication rules will be applied, and the delay actually could increase the threat of complications, some experts warn.

Designed to stem electronic payment fraud across the European Economic Area—made up of EU member states, plus Iceland, Liechtenstein and Norway—SCA mandates that most electronic payments made within the EEA be subject to two-factor authentication, requiring the person making the payment to authenticate themselves using two of the following three elements: something they know, such as a PIN; something they have, such as a card or mobile device; and something they "are," typically, a biometric verification like a thumbprint.

While relatively straightforward in the retail ecosystem, multifactor authentication presents unique complications for corporate travel due to the structure of the corporate booking process. For instance, if a traveler books using a corporate card held in the name of a travel manager, the travel manager would need to perform the verification but may not be available at the time. Likewise, a booking request for a low-cost carrier made via email to a travel agent may not be fulfilled until hours later if a cardholder can't authenticate the transaction. (Most global distribution system bookings likely will be exempt from the multifactor authentication requirement.)

Fortunately, many common types of corporate travel payments fall within various exceptions to SCA rules. Among the carve-outs are transactions for which either the card issuer or acquirer is based outside the EEA. That means a U.S.-issued card, for instance, can be used throughout Europe without two-factor authentication. Also outside the scope of SCA are lodge cards and virtual cards; payments made via secure B2B channels, including global distribution systems; Mail Order Telephone Order payments; and recurring payments made to merchants that are white-listed by an issuer at the request of a payer.

However, those exceptions largely are based on various regulators' interpretations and assumptions about comments and guidance, and there's still no clear codification of how they will be applied across use cases and jurisdictions, said BCD Travel VP of commercial payment solutions Mario Kriebel. "The biggest challenge is that the rules are out but they're not very clear," he said. BCD asked more than 40 of its travel supplier partners how they are preparing for SCA implementation, and none had a clear idea of how their processes would change to accommodate the new rules, he said.

A recent survey by Amadeus revealed a similar lack of preparedness. Only 35 percent of airline and travel management companies planned to have implemented SCA procedures by the original Sept. 14 deadline.

That lack of readiness was presumably a major factor in the decision by many European jurisdictions to push back the deadline, an authority the European Banking Authority granted to national officials in June 2019. Since then, more than 20 of the EU's 28 member states have delayed implementation, including most of the bloc's biggest economies, such as the U.K., France, Germany and Italy.

However, now that individual countries are working on different time lines, havoc could come for cross-border transactions, noted Amadeus Payments head of merchant services Jean-Christophe Lacour. "If a card is issued in a jurisdiction that is using two-factor authentication and buying in another that still hasn't implemented it, the purchase may be declined by the issuer because there's no two-factor authorization in place," Lacour noted. "A lot of business is done cross border, but there has not been anything coming from the EBA to say what would happen in that case. Until they come out with a clear statement, it's unclear how those issues would be resolved."

Adding to the complexity is the sheer number of players—including payment providers, banks, merchants and fintech specialists—that must coordinate to develop technology and protocols for sharing and authenticating cardholders' personal data, Lacour added.

Amid the lingering uncertainties about the SCA rules and the time line for implementation, Lacour recommended travel stakeholders engage directly with their local regulators to get a clearer picture of potential exemptions that may apply and what requirements and expectations will be in place in various markets as SCA rolls out across Europe. "This area remains in flux with the industry raising concerns and regulators continuing to clarify their positions," Lacour observed. "At Amadeus, we're encouraging our customers to move forward with SCA readiness now to minimize any impact to conversion rates and the traveler experience."
