Mandatory security measures for online card payments from 14 September could force some companies to update their booking and payment procedures if they pay with plastic cards. Lodge and virtual cards, on the other hand, look set to be exempt.
Major changes to card payments are set to take force across Europe by 14 September. That’s the date by which EU member states (plus Norway, Iceland and Liechtenstein) are required to enforce anti-fraud security measures called Strong Customer Authentication for online transactions. Payments through corporate plastic cards in particular are likely to be affected: cardholders will be required to take a secondary step to identify themselves, such as entering a PIN code sent to their mobile phone.
Since 14 September is not very far away, you may be surprised you haven’t heard yet about SCA. But payment and travel companies still aren’t communicating widely because they aren’t sure what to say. Even though the date is imminent, few countries’ national payment regulators have announced details yet of how they will enforce SCA and which use cases are exempted from the general principle that SCA must be applied. In particular, regulators have not specified how they interpret ambiguous language in the EU’s regulatory technological standards for SCA governing when corporate payments can be exempted.
To make matters even more complicated, each card issuer will have to make the final decision on whether, for example, it considers SCA applies to all payments by plastic corporate card through a travel management company. Current indications are that different issuers are taking different views on this question, so there will not even be consistency within the same country. “It’s clear that change is coming, but it’s not 100 per cent certain what that change will look like,” says TravelpoolEurope managing director Søren Schødt. “However, we do know that lodge and virtual cards, the main payment methods we use at Travelpool Europe, are likely to be exempted. It’s users of plastic cards who are most likely to have to change their processes.”
Here’s what we know so far.
What is Strong Customer Authentication?
SCA is intended to drive down fraud levels for payments made for Internet purchases. It requires cardholders to identify themselves using “two-factor authentication”, which means verifying themselves with two of the following three elements:
Does SCA apply to corporate payments?
SCA is intended mainly to combat high levels of fraud in consumer payments but it applies by default to any electronic transaction. However, some kinds of payment are out of scope or exempted. The regulatory technical standards exempt “secure payment processes and protocols” for corporate payments but give little definition of what this phrase means.
Will all corporate payment methods be treated the same?
Almost certainly not. Strangely, even though it may not even be a member of the EU by 14 September, the first national regulator to provide some guidance about how it will enforce SCA was the UK’s Financial Conduct Authority. For corporate payments, the FCA distinguishes very clearly between virtual cards (one-time electronically generated card numbers) and lodge cards (a company account lodged with a travel management company) on the one hand, and plastic corporate cards on the other.
Denmark’s financial regulator has also issued some guidance but, unlike the FCA, it did not offer any specific clarifications about corporate payments.
Are virtual and lodge cards exempt?
In the UK, yes, which is a big relief, because it is very difficult to see how SCA could be made to work in practice for these two forms of payment. Both are centralised payments, where there is no individual payer, so it would be challenging to identify exactly who could provide authentication.
But while the exemption for virtual and lodge is good news in the UK, no one is certain these methods will be exempt in all other countries. However, even if there is no blanket exemption, issuers may still apply for an exemption specifically for their virtual and lodge products if they can prove fraud levels for those products are acceptably low.
In summary, therefore, some doubts remain about virtual and lodge, but at the moment they look by far the most likely forms of corporate payment to avoid SCA.
What about plastic corporate cards? Are they exempt?
This is where it starts to get more complicated. Once again, we only have the guidance from the UK’s FCA to help us. It says: “In our view, the use of physical corporate cards issued to employees for business expenditure in circumstances where a secure dedicated payment process and protocol is not used (e.g. where online purchases are made via a public website) would not fall within the scope of this exemption.”
The big question here is: what counts as a “secure dedicated payment process and protocol” (for which an exemption would apply) and what doesn’t?
Does that mean there will be changes to the way we book and/or pay for travel?
For many businesses, yes. What is certain is that if you use a plastic corporate card to pay for a booking through a public website (a hotel’s own site, for example, or an online travel agency), SCA will be required. That’s no problem where the booker is also the cardholder, but sometimes the two are different.
If you pay for more than one traveller with the same plastic corporate card ...
... this practice will have to stop, because the request for authentication will be sent to the named corporate cardholder, and they may not be available to authenticate or even know who made the booking.
If your department books on behalf of travellers, using those travellers’ plastic card details to pay ...
... this will also have to stop, because again the request for authentication will be sent to the cardholder, not the booker.
In both these cases, the solution is to switch to paying by virtual or lodge card (assuming they have been exempted), or to make corporate cardholders responsible for booking their own travel.
What about paying with a plastic corporate card for bookings made through travel management companies or via corporate booking tools?
This is the issue on which there is least agreement. Generally, the travel and payment industries believe reservations made through global distribution systems are exempt or out of scope, although once again there is no absolute certainty.
As for online booking tools, Bank of America Merrill Lynch, in a guide it has issued on applying SCA to commercial card internet purchases, wrote: “SCA is not required when it is done via the online booking tool provided by the TMCs as they use GDSs to book the transactions.” But has BAML understood corporate travel properly? Online booking tools are not necessarily “provided by” TMCs and not all air, hotel and other choices in an online booking tool are distributed via GDS.
If a TMC is making a public website booking on behalf of a customer – for example a low-cost carrier flight – this will almost certainly require SCA. Once again, therefore, making virtual or lodge cards available to cover non-GDS bookings by TMCs looks like sensible planning.
The TravelpoolEurope perspective – Get ready now for SCA
SCA is like Brexit: it’s obvious that everyone needs to prepare, but it’s difficult to know how to get ready when so many details remain uncertain. However, some action points are clear.