31 December 2020 was more than just the end of a bizarre year, it was the final deadline for implementing the EU’s SCA (Strong Customer Authentication) requirements. But what does this exactly mean and how does this affect business travel payments?
PSD2 – modernizing Europe’s payment infrastructure
As the popularity of electronic payments increased over the last 20 years, EU regulators realized that banking and payments legislation needed to be updated to keep up with increased use of electronic payments. Therefore, in 2018 the EU’s passed the revised Payment Service Directive (PSD2). The goal of PSD2 was to:
• Modernize payment legislation by setting the “rules of engagement” for Banks, Payment Service Providers (PSP), and Third-Party Providers (TPP) and enhancing payment integration within the EU through a uniform framework
• Set consumer protection standards through new technological requirements for digital data security, authorization, and transmission
• Foster innovation and competition between banks and FinTechs (like e-money institutions, online lenders, etc.) through secure information sharing protocols.
While PSD2 sets the legal framework for European payments and contains various provisions regarding data security, operational categorizations, and technical protocols. SCA is one of the technical requirements established under PSD2. Due to the complexity, and lack of readiness by markets, not all provisions of PSD2 came into effect at the same time. Which is why the SCA deadline was extended, and enforcement can vary by market.
SCA sets authentication standards for payments made through online channels (i.e., electronic payments) or where the customer (individual or corporate entity) can digitally access their payment account information (i.e., mobile app, web browser). It aims to reduce the risk of online fraud and protect customer account information. Authorization needs to come via a 2-Factor Authentication (2FA) process, where 2 out of the following 3 unique elements are needed:
• Knowledge – something only the user knows (i.e., PIN, password, etc.)
• Possession – something only the user possesses (i.e., plastic card, mobile phone, etc.)
• Inherence – something inherent to the user (i.e., biometrics, voice recognition, etc.)
- Additionally, online transactions (i.e., internet, mobile) should also include a unique authentication code, linking the transaction to a specific amount and payee.
This process is provided by a bank or payment provider. If a customer makes an online purchase and cannot be identified through 2FA, the payment can be flagged as non-compliant and declined.
HRS’ business travel payment solution overcomes SCA challenges
HRS has already been prepared for SCA! HRS’ payment solution, HRS Invisible Pay, uses Virtual Credit Cards (VCC) through our Payment Service Partners (such as AirPlus, Amex, CitiBank) for business travel hotel payments. VCCs are exempt from SCA because of their secure nature and strict protocols. VCCs generate a virtual card number for a specific purpose, with a set date range and fund limit in which it can be used. In the case of Invisible Pay, the corporate client sets the use parameters and provides pre-authorization for their traveler.
The VCC number is generated when the corporate traveler creates a booking through the managed channel. The VCC number is pre-authorized, and the VCC and payment instructions are forwarded through secure channels and held on-file with the hotel. This VCC number can be only be used 3 times during the booking process: booking pre-authorization, check-out, and an additional time for hotel add-ons.
The VCC charge request is sent to the payment provider, which verifies the credentials, and if approved, the payee is charged. The VCC number can no longer be used, protecting the customer’s account information and reducing payment fraud. Additionally, HRS also uses its own strict API protocols and integrations into corporate information systems to ensure customer data privacy and convenience.
Interested in learning more about how HRS protects your data, simplifies your payment process, and leverages this to boost program compliance? Get in touch today!