PSD2 Deadline Looms
The new EU Payment Services Directive (PSD2) took effect in January 2018 and is set to make significant changes to the payment industry, which of course means significant changes to the way many of you process your bookings. Unless exempted, PSD2 requires that payment service providers put in place Strong Customer Authentication (SCA) for e-commerce transactions over €30 within the EEA from 14 September.
SCA means that an online transaction must be verified by at least two independent authentication elements:
Knowledge: something only the user knows, e.g. password or PIN;
Possession: something only the user possesses, e.g. a card or a mobile phone;
Inherence: something the user is, e.g. biometrics such as fingerprints or facial recognition.
Within the remote card space, there is a scheme in place to ensure SCA called 3D Secure (3DS). While we’re still seeking official documentation from the Financial Conduct Authority and from some of our payment gateway partners to conclusively stipulate the exact requirements, it’s our understanding that all payment gateways must be at least 3DS 1.0 enabled by the 14th September. Therefore, we would strongly advise you to ensure that the payment gateway you’re currently using for e-commerce transactions is 3DS 1.0 enabled. If you believe that your payment gateway is not currently compliant, please contact your account manager to discuss the options open to you.
Virtual Credit Cards (VCCs)
According to the new directive, as of September 2019, a credit card or debit card stored on file to be used for B2B payments is not considered a reliable enough method of payment. We’ve been advised that banks will no longer consider simple debit or credit card payments to be secure enough and will no longer accept any claims for fraudulent activity made as a result of a debit card/credit card transaction.
The Article 17 Exemption removes the requirement to apply SCA to corporate payments made through dedicated payment processes or protocols, where the regulators are satisfied that those processes or protocols guarantee at least the same levels of security as those required under PSD2. In the UK, the regulator specifically references virtual credit cards (VCCs) as products that may meet the exemption requirements.
We would therefore advise that those customers who are currently booking suppliers via the Lodged Card Management Portal should instead use a VCC provider. A VCC is an alternative, secure method of payment which eliminates the need for any customer card data to be communicated to suppliers. To use this method of payment, you’ll be required to have an account with a VCC provider. When customers are required to pay a supplier, your VCC provider will create a virtual credit card with the payment amount needed to confirm the booking and pay the supplier on your behalf.
Failure to take action to ensure your transactions are PSD2 compliant may result in payments for your bookings being declined by the banks when the legislation becomes effective across Europe on 14th September 2019.
There are two VCC solutions available via Traveltek:
Should you require further information on the above, please contact your account manager.
We’ll keep you posted with our progress and will provide you with more information prior to the deadline.