Paying for travel in Europe has become more complicated following the introduction of mandatory cardholder verification known as Strong Customer Authentication (SCA). Use of a plastic card is now likely to require an additional procedure such as keying in a one-time passcode sent to the cardholder’s mobile phone.
SCA is straightforward for consumers but, when it comes to corporate travel, an authentication step makes matters messy because third parties are often involved in the reservation and payment process. There are external stakeholders such as travel management companies, booking tools and global distribution systems; and there could be internal stakeholders, like secretaries and other bookers.
There is also a complex set of use cases for when SCA does or does not apply, and on top of all of that there has been misinformation.
“When this was first raised a year ago a lot of us were told that GDS bookings wouldn’t be affected, but that advice is no longer true,” says Will Hasler, a member of the industry affairs committee of the UK's Institute of Travel Management (ITM). In fact, for the time being, SCA does apply to payment for many GDS-channelled reservations (see below).
“There’s a lot of ignorance and uncertainty about this topic,” says Hasler. “We’re struggling to tell bookers what to do because we’re still trying to get to the bottom of it ourselves, and suppliers aren’t quite sure what’s going on either.”
ITM has responded by forming a working party drawing together stakeholders from across the corporate travel and payment ecosystem to provide more clarity on SCA. The first output was a webinar for members earlier this month. Based in large part on that event, here is a Q&A intended to answer the questions buyers are asking about the topic.
The webinar was moderated by ITM head of programme Kerry Douglas. Speakers were American Express Global Business Travel e-commerce programme manager Dawnne Unger; SAP Concur EMEA senior director for supplier management Paul Dear; and Barclaycard head of core product Linda Weston.
Is SCA required for payments with lodge and virtual cards?
No. Secure corporate payments are exempted from the regulation and issuers are allowed to treat their lodge and virtual cards as secure corporate payments if their fraud rates remain exceptionally low. Therefore, regardless of any variables described below, SCA does not apply currently so long as you pay by lodge or virtual card.
Is SCA required for payments with plastic cards?
In principle, yes. If a card has an individual person’s name on it, then that person will need to authenticate the payment. However, there are various exemptions and exceptions which mean SCA may not always be needed. Everything that follows in this Q&A relates to plastic cards for named individuals, whether corporate or consumer.
Is SCA required when travellers based outside Europe book with airlines, hotels or other suppliers inside Europe?
If the card is issued outside the European Economic Area or United Kingdom, then no. This is known as One Leg Out, which makes the payment out of scope. In theory, merchants are supposed to use “best endeavours” to apply SCA to One Leg Out transactions. In practice, this isn’t happening yet, but beware of other countries also introducing SCA, including India. Where this happens, the exemption will no longer apply.
Is SCA required when travellers based inside Europe book with airlines, hotels or other suppliers outside Europe?
If the merchant’s acquirer (the bank accepting the card payment) is based outside the EEA/UK, again the answer is no because this is also a One Leg Out transaction.
Is SCA required for bookings by phone direct to hotels, airlines or other suppliers?
No, so long as payment is taken at time of booking. This is categorised as a MOTO (mail order/telephone order) transaction, which is out of scope.
Is SCA required when booking by phone through a travel management company?
It depends. If a TMC receives a booking order from a traveller via telephone, fax or e-mail and then makes the reservation on a GDS, the transaction counts as MOTO and therefore SCA is not required. If the TMC books through a website (of a low-cost carrier, for example), it effectively becomes an online booking and therefore SCA is needed for payment.
Following Brexit, the UK is no longer part of the European Economic Area. Does that mean SCA doesn’t apply there?
No, the same SCA rules apply. The UK enacted legislation in line with the European Union’s Revised Payment Services Directive (better known as PSD2) before it left the EU. SCA is one element of the directive. However, whereas most EEA countries made SCA mandatory as of 31 December 2020, the deadline for the UK is 14 September 2021.
We have been told online booking tool reservations will require SCA if the online booking is fulfilled directly on a supplier’s website, but will not require SCA if the online booking tool reservation is made via a GDS. Is this correct?
It’s not correct. The wording of PSD2 was ambiguous. It implied a secure corporate booking process might be exempted from SCA in the same way as a secure corporate payment process, and therefore all GDS bookings would be off the hook. Recent guidance has clarified this is not the case for now. However, for a limited period while SCA is introduced, any reservation via a GDS engine, even if it originates through the traveller using an online booking tool, can temporarily be designated as MOTO and therefore out of scope – see next three questions.
Is the travel industry fully ready for SCA?
No. During the ITM webinar, the process of completing SCA for business travel was compared to a relay race. The request and resulting authorisation for authentication have to be passed like a baton from the traveller to the supplier through a long chain that may also involve the online booking tool, the card-issuing bank, a GDS, a hotel aggregator and a hotel reservation system. Not all those baton carriers are fully ready, including some key travel technology players.
If not everyone is ready, does that mean a lot of card authorisations are being declined in EEA countries because SCA cannot be completed?
No, thanks to the travel industry being allowed a temporary workaround while getting its house in order. For a limited period, payments can be flagged as MOTO and therefore out of scope even if they aren’t genuinely MOTO.
How long will the temporary MOTO designation last?
That’s not clear. There is no deadline at present. Instead, the ability to raise a non-genuine MOTO flag is gradually being withdrawn from different parts of the travel commerce infrastructure, such as GDSs, as they become fully able to handle SCA. However, a hard stop may yet be announced.
Why is SCA required for hotel reservations even though funds aren’t usually taken from the card at time of booking?
Card payments remain in scope even if they are for a zero-amount guarantee or hold, as is the case for most hotel bookings. The reason is that the cardholder might not be present when the charge on the card does eventually take place. This could be because the guest has opted for express checkout, or charges are applied for a no show or unacknowledged minibar usage. Such payments are termed Merchant Initiated Transactions (MITs) and now need to be validated by SCA at the beginning of the process to avoid SCA being requested later when the cardholder is probably unavailable to authenticate.
Travel managers should check their online booking tool presents MIT terms and conditions to the cardholder at time of booking. MITs are no longer allowed unless customers explicitly consent to them.
I’ve heard that ground transportation providers are exempt from SCA because they are a low-risk fraud category. Is that correct?
Absolutely not. There are no specific exemptions for any supplier categories inside or outside the travel sector based on risk or any other criteria.
Can SCA be avoided by 'whitelisting'?
To some extent. When cardholders authenticate a supplier for the first time using SCA, the issuer may ask if they wish to designate that supplier as a trusted merchant, in which case SCA will not be needed for future transactions. However, beware of the potential for being tripped up by whitelisting. For example, all hotel properties are different merchants – you can’t whitelist an entire hotel chain. Issuers also reserve the right to override a whitelist and trigger an SCA request if they see suspicious activity on an account.
Can we whitelist preferred travel suppliers at a corporate level for all our cardholders?
No. Only individual cardholders can whitelist, and not all issuers necessarily offer this facility.
In our company, travel bookings are often made by admins/secretaries instead of the actual travellers. Can that practice continue?
It depends on the form of payment. If paying by lodge or virtual card, nothing changes. If the admin is booking with the traveller’s card, that will only work if the traveller is sitting next to them ready to receive and read out the one-time passcode they receive on their mobile phone. But that’s an illegal workaround: only the recipient of the passcode should use it.
I’m still confused or have anomalies that aren’t covered here. What should I do?
Your issuer is your primary guide. You should work with your TMC and booking tool provider too. In fact, all travel managers should maintain dialogue with key partners, because the situation continues to evolve, and look to associations like ITM for guidance.