Upcoming changes to Credit Card payments with PSD2
There are some important changes to rules on credit cards and access to financial information coming soon, which could affect businesses.
Any business that accepts card payments will fall under the remit of a change in the law called PSD2, the revised version of PSD (Payment Service Directive).
This article covers what all business owners should know.
What is PSD2 and when does it take effect?
PSD2 or the revised version of PSD (Payment Service Directive) is a European directive that comes into force on September 14th 2019.
PSD2 states that it is no longer sufficient to simply ask for a customer's credit card and CVV for online transactions; a double authentication method is now required to authorize the transaction. This double authentication is known as SCA or Strong Customer Authentication, and it means the user has to provide something in addition to his PIN or CVV when paying with his card, for example a temporary security code or token sent by SMS or a mobile app.
What does PSD2 aim to do?
PSD2 aims to make online transactions safer. With a double authentication system (SCA), in which the online transaction is verified twice, it is expected that fraud (e.g. purchases using stolen cards) will be reduced.
What businesses are affected by PSD2?
All businesses that accept online payments from their customers, regardless of what they sell, will be affected.
In the hotel industry, it will particularly affect hotels and properties that charge the end customer at the time of booking. All these businesses will have to adapt to PSD2.
This will affect non-refundable rates and payments made at the time of booking. All transactions that fall under the scope of PSD2 will have to go through double authentication.
This will also affect refundable rates (where a credit card is provided as a guarantee at the time of booking and would be charged in case of a no-show or if cancelation fees are incurred), as all transactions will have to go through double authentication at the time of the transaction.
What does it mean for hotels and property owners in simple words?
- Property owners and hotels cannot charge the guest's card without the guest authorizing the charge by a dynamic code or verification (3D Secure). This means non-refundable bookings delivered from Online Travel Agencies (OTAs) with just credit card numbers cannot be charged. The same applies to no-show or cancelation fees, which cannot be charged at a later stage without the guest authorizing the charge.
- Any booking engine or OTA not using 3D Secure will be obsolete or will need to be upgraded.
- OTAs will start working towards accepting the credit card payment securely at the time of booking for deposits and non-refundable rates, and even for the total cost of every booking (check with your OTA that they have you covered by the time PSD2 goes into effect).
- Virtual cards provided to hotels from travel agents should be excluded from all this.
- All payments must be secure (verified by a dynamic code, e.g. SMS to customer or the use of an app to confirm transaction).
What can hotels and property owners do?
- Make sure their booking engine uses 3D Secure or a similar method.
- In case of non-refundable rates, consult the Online Travel Agents regarding payment at the time of booking and request that funds are collected through a virtual card or via bank transfer.
- Onsite payments when the cardholder is present are already covered by Point of Sale (POS) terminals provided by banks.
- Phone transactions should be fine at the time of booking, though this is potentially still a grey area, as the card details provided may be stolen.
Reference: Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC