Beginning September 14 2019, the revised Payment Services Directive (PSD2) comes into play across all countries within the wider European Economic Area (EEA). This is a mandatory legislative framework, driven by the Card Schemes and Financial Authorities
. It is aimed at making online payments more secure, and will impact the way consumers buy online and how you are able to charge a guest credit card.
This legislation applies when both the cardholder’s bank and the accommodation provider's merchant bank are within the EEA. However, travel is global, and ALL online players will need to adapt their systems. As a result PSD2 is very likely to also affect markets outside the EEA.
What is PSD2?
From September 14 your guest’s bank may require further security checks before they validate a card transaction. These additional security checks involve two-factor authentication to ensure guests prove their identity. This means that guests may now be asked to provide any of the following:
• Something they know (such as a password or PIN sent to their mobile phone)
• Something they own (such as a credit card)
• Something they are (such as a fingerprint biometric log-in)
These types of additional checks are expected to occur more frequently with PSD2 and this will impact all online purchases. It is now the responsibility of the POINT of SALE to secure such additional data checks, as most of these checks require the guest to interact with the screen.
How might this affect you?
eviivo is ready for PSD2. Guests booking on your website via the eviivo booking pages will be able to comply with any additional checks required by their bank. However, it is important to understand the nature of these changes, and how they may affect Online Travel Agency bookings.
Cyber credit card fraud is rampant, and nowhere more so than within the travel industry. At eviivo we have regularly shared advice on how you can protect against this, and security remains core to our values.
eviivo is compliant with PCI-DSS at Level 1 and support 3DS and 3DS2 fully. Therefore any bookings taken through your website via the eviivo booking pages will be 100% PSD2 compliant.
However, bookings taken via OTA websites may not be compliant, as it is OTAs and not eviivo who collect card information at the point of sale. When eviivo receives the credit card details from the OTA we cannot guarantee that the right security measures were originally taken and passed by the OTA. Some OTAs may have already written to you about how they are addressing this, and you should review the options available to you closely.
We are working with all connected OTAs, of course, but their level of readiness varies. Many OTAs have not yet made PSD2 available via API program interfaces, or developed the ability to pass 3DS2 tokens via their API.
As a result we expect some disruption in the sense that a much larger number of cards remitted by OTAs may now fail.
As always, we have done our very best to support you with enhanced options, as follows:
Option 1: Accept the OTA booking without any guest card details, and rely on a Virtual Credit Card (VCC) guarantee provided by the OTA
eviivo suite supports VCCs already, and you can process these within eviivo suite in the usual way, just like any other card.
- Pros: (1) this is easier for the guest, as they provide the card only once, at the time of booking. (2) The OTA is fully responsible for the payment. Any payment guarantee to you, now lies with the OTA.
- Cons: (1) Cash flow delays as you will need to wait until check-in or check-out before OTAs allow you to process the VCC. (2) Increased costs as VCC transactions are subject to a much higher card rate via the OTA and your merchant bank (between 2.5% to 3.5% of the total value of the booking). (3) More administrative work as you will need to use a different procedure for payment collection with each OTA.
Option 2: Tell the OTA that you want to collect payments yourself directly
Option 3: Rely on OTAs to manage all payments on your behalf
- Pros: (1) You remain in control of the guest contact and relationship. (2) Improved cash flow - YOU decide when to collect payment, and can choose from a much wider range of policies.(3) Lower costs as normal card rates apply. Unlike VCCs, these are typically between 0.5% - 1.2% only, depending on the bank you use. (4) Less hassles because the same process applies to all bookings and all channels - be it your own website or an OTA channel.
- Cons: (1) You will most likely see an increase in “declined cards” coming to you from OTAs when you attempt pre-authorization or initial collection. To mitigate this and help you deal with it quickly eviivo has added new automated capabilities to eviivo suite (see details below).
- Pros: Possibly the easiest, least hassle solution.
- Cons: (1) Increased costs and cash-flow delays as OTAs charge extra for the service and they will not transfer the cash until after either check-in or check-out. (2) Some OTAs may charge for the service while others may retain a higher commission – expect an extra 1.3% to 3.5% in costs in addition to normal commission costs. (please check their T&Cs).
How to mitigate increased card declines?
We provide useful professional tips on how to avoid card fraud, plus some really valuable features for anyone using My Payment Manager:
- Automatic card declines are flagged instantly and managed directly within eviivo suite. Both the guest and OTA are notified..
- Automated, customizable emails may be sent to the guest when a card is rejected in order to request new valid card details. The guest email includes a link which redirects them to your own website on the “manage my booking” page. Because they are redirected to your own website, guests know that this is a legitimate request. They can review their booking details, reconfirm their card details, and make payment under the full safety of 3DS2 to guarantee the booking.
- eviivo's auto-prepaid option allows you to implement a fully automated prepayment solution “in front of” OTA channels that operate on a "pay on arrival" basis. This simply means that the process of collecting money from the guest is entirely automated on your end, and under your control. If you maintain a "pay on arrival" contract with an OTA, you are likely to attract more bookings as guests often prefer to pay on arrival. However, you also increase the risk of receiving ‘bad’ cards. eviivo's auto-prepaid solution allows you to request the immediate payment of a deposit as soon as the booking is made, or later based on a schedule of your choosing. Should the card fail, the guest is contacted instantly and asked to provide a valid card to re-guarantee the reservation via your own website's secure payment pages.
What to expect next
Although the new PSD2 law is expected to be effective from September 14, 2019, a gradual roll out by the banks has been permitted. eviivo will monitor this closely and continue to work with the OTAs to understand any further developments. We will keep you updated via the eviivo Help pages or email as details become more finalised by the OTAs.