Strong customer authentication (SCA) is an additional form of verification used to complete a payment, such as a four-digit PIN texted to a cardholder. At the beginning of 2017, the European Banking Authority (EBA), under direction from the European Commission, produced draft standards for how and in what circumstances SCA must be applied to remote electronic payments. The travel and payment industries argued SCA is incompatible with instruments like lodge cards that have no one-to-one relationship with an individual person. Card companies also contended that fraud rates are much lower for corporate payments, making additional authentication unnecessary.
The European Commission responded in May by drafting Article 17, an exemption for "dedicated corporate payment processes," but the EBA fought hard to scrap it, arguing not all corporate transactions are low risk and that it's hard to define a "corporate" payment in legal terms.
In the final text published last week, the commission opted to retain Article 17 but change the wording. The article now begins, "Payment service providers shall be allowed not to apply strong customer authentication, in respect of legal persons initiating electronic payment services through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers." It adds that payment providers must satisfy relevant authorities "that those processes or protocols guarantee at least equivalent levels of security" as defined in PSD2.
Business Travel News 12/5/2017