Strong Customer Authentication has arrived. Travel players, are you ready?

Bart Tompkins

Managing Director, Payments, Amadeus

This content is only available in this language.

The introduction of two-factor authentication under the Payment Services Directive 2 (PSD 2) impacts payments across the entire travel industry. Knowing how best to prepare and protect the traveler payment experience is key to successfully riding the wave of SCA roll-out across Europe. Although legal responsibility for SCA rests with banks, known as acquirers and card issuers, travel firms have a role to play too. That role involves collaboration, implementing the right technology foundation and knowing how best to set-up your payment strategy so that the various exemptions provided for in the SCA rules can be maximised. Taking such steps will help the travel industry to authenticate travelers in a way that safeguards conversion rates, while helping to reduce card fraud. 

Check out our video for a quick overview by Jean-Christophe Lacour, Head of Merchant Services, Payments:

The right technology foundation

Key to travel retailers implementing SCA is ensuring they harness the right authentication technology. 3DS 1.0 has existed for 20 years and works by taking the customer to a secure URL from the bank that issued the travelers credit or debit card to enter additional authentication details. 3DS 1.0 asks for enough additional information from the person making the purchase that it offers the ability to comply with SCA but it’s a bit clunky i.e. it doesn’t work well on mobile devices, the customer experience is sub-standard, and it only supports limited data exchange between travel retailers, issuers and acquirers. It has basically become the steam train of authentication technology.

If 1.0 is a steam train, then the new 3D Secure 2.X protocol is a hyperloop. It’s a powerful new standard that governs how merchants (the travel retailer) and acquirers (banks working on behalf of the travel retailer) exchange authentication information with card issuers (banks working on behalf of the traveler). The upgraded standard enables merchants to share up to 120 new data points about a transaction with issuers, so they can run advanced machine learning algorithms that spot fraud in the blink of an eye, helping to confirm it is actually their customer using the card. With 3DS 2.X, issuers will also be able to authenticate travelers using biometrics e.g. a simple fingerprint scan on your smartphone to prove who you are. 

For travel retailers such as airlines and travel agents, it’s key that your website is ‘hyperloop ready’ and upgraded to 3DS 2.X, typically a simple task involving a Software Development Kit (SDK). More broadly, it’s important to engage with your acquiring, PSPs and technology partner(s) to ensure you can apply 3D Secure across all sales channels.

Maximizing exemptions to protect the customer experience

Applying exemptions to SCA correctly could result in fewer travelers being asked to practice SCA, protecting the digital experience you provide to them. Here’s the rub, when it comes to exemptions, travel retailers can’t typically apply them, only the card issuers and acquirers can do so and, in some cases, only after seeking local regulatory approval. The role of travel retailers then is typically one of enablement, making sure you’re in a position to provide additional data and reassurance to card issuers or acquirers so they are comfortable to exempt larger numbers of transactions. In addition, some travel retailers may decide to expand their role, assuming greater responsibility in exchange for increased control over the authentication process. There are a few ways this can work.

Transaction Risk Analysis (TRA)

Currently card issuers conduct TRA which is a background process to assess if a transaction is fraudulent. It works by comparing a large number of data points to vast numbers of historic transactions in order to spot fraud, making use of the latest in machine learning technology.

Rather than leaving this task to the issuer, an airline or travel agent’s acquirer(s) can choose to apply the TRA exemption, exempting a payment up to €500 based on an assessment that it isn’t fraudulent. In this scenario, the acquirer assumes liability for any resulting fraud but should be able to exempt more transactions leading to a smooth and stress-free traveler experience. You can see this as a virtuous circle rewarding travel retailers who keep fraud under control.

Going one stage further, acquirers can contractually delegate to travel retailers the TRA process and, with excellent risk analysis systems, be in a position to exempt more payments on behalf of the acquirer. Clearly the decision about TRA depends on your business, its capabilities and the relationship with your acquirers. We expect only larger travel companies will be able to take on this job directly, but even smaller firms can talk with their acquirer(s) about the risk and rewards of taking on TRA.   

Becoming a ‘trusted beneficiary’

Why not ask traveler’s themselves if they’re happy to waive the need for SCA when dealing with you? That’s the logic behind the trusted beneficiaries exemption which helps empower travelers to act with confidence. As a traveler you will be asked to authenticate once, then after completing the process you’ll be given a check-box option to ‘whitelist this merchant’ if you wish.

The whitelist is administered by the card issuer (usually a bank). In this case, SCA is only required for the first payment and not subsequent transactions, although issuers do retain the right to request SCA if a transaction appears suspicious.

Some card issuers are already communicating with their card holders to offer the choice to proactively whitelist certain travel retailers and many are likely to include an option to ‘whitelist this merchant’ during the 3D Secure authentication process, so it makes sense to investigate how your travel firm can be included.

Importantly, it’s not sufficient that a traveler decides to save their card details with your firm, they must proactively whitelist your company via their card issuer.

As the 14 September deadline has recently passed, if you’ve not already taken these steps, we’d encourage you to look into how they might work for your business. With the additional grace periods already communicated by many local regulators we expect many in the industry to be working on this challenge over the coming months.   

Download our guide to prepare your business for Strong Customer Authentication

Download now


Europe, Research