Strong Customer Authentication requires cardholders to perform two-factor authentication for the vast majority of electronic payments made within the European Economic Area, reducing fraud by providing a higher degree of confidence that the person performing the transaction is the rightful cardholder.
In the travel industry, where a high number of bookings are made via travel agencies, performing two-factor authentication will require changes to the way agencies and suppliers handle payments. We looked at the ‘pass through’ model in blog one and the ‘Merchant of Record’ model in blog two of this series.
Ensuring that payment processes meet the requirements when a travel agent performs SCA on behalf of many different travel suppliers in a single booking is particularly challenging. That’s why we’re going to tackle it in this blog.
Imagine a traveler places a booking for a holiday that includes a flight, a hotel and car rental with an online travel agency (OTA).
Step 1
Immediately we may encounter the concept of a Merchant Initiated Transaction (MIT). It’s possible any of the three merchants will wish to charge the traveler’s card without the traveler being present, for example if the traveler cancels and incurs a fee, or if the car rental firm introduces a charge because the car is returned with less than a full tank of petrol.
For the airline, hotel or car rental firm to be able to initiate these payments later on, it’s important that the traveler enters an MIT agreement at the time of booking. Therefore, the OTA needs to clearly provide terms and conditions from each merchant at the time of booking, as well as collect proof that the traveler has consented to this agreement.
Step 2
Next, the OTA will ask the traveler to perform an SCA check using a One Time Passcode sent to their mobile phone. Importantly, this SCA check must be for the entire balance of all products in the booking.
Step 3
Because this scenario involves multiple travel suppliers (also known as merchants) behind the scenes, the SCA check performed by the OTA at the time of booking needs to be usable by the airline, the hotel and the car rental firm, so each entity can process its own payment.
This can be achieved using the 3RI protocol (also known as ‘3DS Requestor Initiated’) which allows a ‘silent authentication’ to occur in the background without any need for the traveler to do anything. Silent authentication works by dynamically linking the original SCA check the traveler performs for the OTA to subsequent payments initiated by the airline, hotel and car rental firm, when the traveler isn’t present.
So, in this multi-merchant scenario, the OTA would conduct the initial SCA check in step 2 and then three silent 3RI checks, one on behalf of each of the merchants (airline, hotel and car rental firm). Each merchant then has the unique proof of authentication data they can use when authorizing their portion of the payment.
For this to be successful, the combined value of the separate 3RI authentications must not exceed the total value of the authentication performed by the traveler during step 2, removing any risk that the traveler might be overcharged.
Importantly, 3RI is only available if the OTA and travel suppliers involved have upgraded their systems to the latest industry standard authentication protocol ‘3DS 2’, which was recently released by payments technical body EMVCo. That’s one reason why Amadeus advocates moving to 3DS 2 as soon as possible.
Step 4
The OTA sends the unique SCA 3RI authentication to each of the travel suppliers that can then each process their individual payments. The traveler’s card will display three separate transactions totaling the original amount for which the traveler authenticated during step 2.
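The amount rule from steps 2 to 4 can be modelled on the OTA side as a small ledger; this is an added example, not code from Amadeus or the EMV 3DS specification. The class, field names and sample booking are hypothetical, and tying each 3RI request to the MIT consent recorded in step 1 is an assumption of this model.

```python
from dataclasses import dataclass, field
from decimal import Decimal


class AllocationError(Exception):
    """A 3RI request cannot be linked to the original SCA check."""


@dataclass
class ScaCheck:
    """Hypothetical record of the traveler's step 2 authentication."""
    auth_id: str
    currency: str
    total: Decimal       # full booking balance the traveler authenticated
    mit_consent: set     # merchants whose terms the traveler accepted (step 1)
    allocated: list = field(default_factory=list)

    def remaining(self) -> Decimal:
        return self.total - sum(self.allocated, Decimal("0"))

    def request_3ri(self, merchant: str, amount: Decimal, currency: str) -> dict:
        """Link one merchant's silent authentication to the original check."""
        if merchant not in self.mit_consent:
            raise AllocationError(f"no MIT consent recorded for {merchant}")
        if currency != self.currency:
            raise AllocationError("currency differs from the authenticated booking")
        if amount <= 0:
            raise AllocationError("amount must be positive")
        if amount > self.remaining():
            raise AllocationError(f"{amount} exceeds remaining {self.remaining()}")
        self.allocated.append(amount)
        return {"linked_to": self.auth_id, "merchant": merchant,
                "amount": amount, "currency": currency}


def demo():
    # Constructed booking: flight 420.00 + hotel 310.50 + car 95.00 = 825.50 EUR
    sca = ScaCheck("sca-0001", "EUR", Decimal("825.50"),
                   {"airline", "hotel", "car_rental"})
    proofs = [sca.request_3ri("airline", Decimal("420.00"), "EUR"),
              sca.request_3ri("hotel", Decimal("310.50"), "EUR")]
    try:
        sca.request_3ri("car_rental", Decimal("120.00"), "EUR")  # 25.00 over the cap
        rejected = False
    except AllocationError:
        rejected = True
    proofs.append(sca.request_3ri("car_rental", Decimal("95.00"), "EUR"))
    return proofs, rejected, sca.remaining()


if __name__ == "__main__":
    print(demo())
```

Amounts are held as `Decimal` so that the comparison against the authenticated total is exact.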
Whilst the 3RI process is the desired end-state for authenticating cardholders in multi-merchant travel bookings, there is an acknowledgement that this capability hasn’t yet been adopted at scale. Therefore, it is expected that the original SCA check performed by the agent can be used by each supplier as proof of authentication in the short term. However, this will only be an interim solution and all travel players should prepare for 3RI based on the 3DS 2 protocol as soon as possible.
Advice for handling ‘Multi-merchant’ scenarios:
If you’re introducing SCA, why not download our new report to understand readiness levels across the industry and for a concise action plan on how to tackle SCA.
This article was published by The Paypers, the Netherlands-based leading independent source of news and intelligence for professionals in the global payment community.