Coping with Europe’s SCA Travel Payment Complexities



Paying for travel in Europe has become more complicated following the introduction of mandatory
cardholder verification known as Strong Customer Authentication. Use of a
plastic card is now likely to require an additional procedure such as keying in
a one-time passcode sent to the cardholder’s mobile phone. 

SCA is straightforward for consumers but, when it comes to corporate travel, an
authentication step makes matters messy because third parties are often
involved in the reservation and payment process. There are external
stakeholders such as travel management companies, booking tools and global
distribution systems; and there could be internal stakeholders, like
secretaries and other bookers. 

There is also a complex set of use cases for when SCA does or does not apply, and on
top of all of that there has been misinformation. “When this was first raised a
year ago a lot of us were told that global distribution system bookings
wouldn’t be affected, but that advice is no longer true,” said Will Hasler, a
member of the industry affairs committee of the Institute of Travel Management.
In fact, for the time being, SCA does apply to payment for many GDS-channelled
reservations (see below). 

“There’s a lot of ignorance and uncertainty about this topic,” says Hasler. “We’re
struggling to tell bookers what to do because we’re still trying to get to the
bottom of it ourselves, and suppliers aren’t quite sure what’s going on
either.”

ITM has responded by forming a working party drawing together stakeholders from across
the corporate travel and payment ecosystem to provide more clarity on SCA. The
first output was a webinar for members earlier this month. Based in large part
on that event, here is a Q&A intended to answer the questions buyers are
asking about the topic.

The webinar was moderated by ITM head of programme Kerry Douglas. Speakers were
American Express Global Business Travel e-commerce programme manager Dawnne
Unger; SAP Concur EMEA senior director for supplier management Paul Dear; and
Barclaycard head of core product Linda Weston.

Is SCA required for payments with lodge and virtual cards?

No. Secure corporate payments are exempted from the regulation and issuers are
allowed to treat their lodge and virtual cards as secure corporate payments if
their fraud rates remain exceptionally low. Therefore, regardless of any variables
described below, SCA does not apply currently so long as you pay by lodge or virtual
card.

Is SCA required for payments with plastic cards?

In principle, yes. If a card has an individual person’s name on it, then that
person will need to authenticate the payment. However, there are various
exemptions and exceptions which mean SCA may not always be needed. Everything
that follows in this Q&A relates to plastic cards for named individuals,
whether corporate or consumer.

Is SCA required when travelers based outside Europe book with airlines, hotels or other suppliers inside Europe?

If the card is issued outside the European Economic Area or United Kingdom, then
no. This is known as One Leg Out, which makes the payment out of scope. In
theory, merchants are supposed to use “best endeavours” to apply SCA to One Leg
Out transactions. In practice, this isn’t happening yet, but beware of other
countries also introducing SCA, including India. Where this happens, the
exemption will no longer apply.

Is SCA required when travelers based inside Europe book with
airlines, hotels or other suppliers outside Europe?

If the merchant’s acquirer (the bank accepting the card payment) is based outside
the EEA/UK, again the answer is no because this is also a One Leg Out
transaction.

Is SCA required for bookings by phone direct to hotels, airlines or
other suppliers?

No, so long as payment is taken at time of booking. This is categorised as a MOTO
(mail order/telephone order) transaction, which is out of scope.

Is SCA required when booking by phone through a travel management
company?

It depends. If the TMC receives a booking order from a traveler via telephone, fax
or e-mail and then makes the reservation on a GDS, the transaction counts as
MOTO and therefore SCA is not required. If the TMC books through a website (of
a low-cost carrier, for example), it effectively becomes an online booking and
therefore SCA is needed for payment.

Following Brexit, the UK is no longer part of the European Economic
Area. Does that mean SCA doesn’t apply there?

No, the same SCA rules apply. The UK enacted legislation in line with the European
Union’s Revised Payment Services Directive (better known as PSD2) before it
left the EU. SCA is one element of the directive. However, whereas most EEA
countries made SCA mandatory as of 31 December 2020, the deadline for the UK is
14 September 2021.

We have been told online booking tool reservations will require SCA
if the online booking is fulfilled directly on a supplier’s website, but will
not require SCA if the online booking tool reservation is made via a GDS. Is
this correct?

It’s not correct. The wording of PSD2 was ambiguous. It implied a secure corporate booking
process might be exempted from SCA in the same way as a secure corporate payment
process, and therefore all GDS bookings would be off the hook. Recent guidance
has clarified this is not the case for now. However, for a limited period while
SCA is introduced, any reservation via a GDS engine, even if it originates through
the traveler using an online booking tool, can temporarily be designated as
MOTO and therefore out of scope—see next three questions.

Is the travel industry fully ready for SCA?

No. During the ITM webinar, the process of completing SCA for business travel was
compared to a relay race. The request and resulting authorization for
authentication have to be passed like a baton from the traveler to the supplier
through a long chain that may also involve the online booking tool, the
card-issuing bank, a GDS, a hotel aggregator and a hotel reservation system. Not
all those baton carriers are fully ready, including some key travel technology
players.

If not everyone is ready, does that mean a lot of card authorizations
are being declined in EEA countries because SCA cannot be completed?

No, thanks to the travel industry being allowed a temporary workaround while getting
its house in order. For a limited period, payments can be flagged as MOTO and
therefore out of scope even if they aren’t genuinely MOTO. 

How long will the temporary MOTO designation last?

That’s not clear. There is no deadline at present. Instead, the ability to raise a
non-genuine MOTO flag is gradually being withdrawn from different parts of the
travel commerce infrastructure, such as GDSs, as they become fully able to
handle SCA. However, a hard stop may yet be announced.

Why is SCA required for hotel reservations even though funds aren’t usually
taken from the card at time of booking?

Card payments remain in scope even if they are for a zero-amount guarantee or hold,
as is the case for most hotel bookings. The reason is that the cardholder might
not be present when the charge on the card does eventually take place. This
could be because the guest has opted for express checkout, or charges are applied
for a no show or unacknowledged minibar usage. Such payments are termed
Merchant Initiated Transactions (MITs) and now need to be validated by SCA at
the beginning of the process to avoid SCA being requested later when the
cardholder is probably unavailable to authenticate.

Travel managers should confirm their online booking tool presents MIT terms and
conditions to the cardholder at time of booking. MITs are no longer allowed
unless customers explicitly consent to them.

I’ve heard that ground transportation providers are exempt from SCA because
they are a low-risk category for fraud. Is that correct?

Absolutely not. There are no specific exemptions for any supplier categories inside or
outside the travel sector based on risk or any other criteria.

Can SCA be avoided by “whitelisting”?

To some extent. When cardholders authenticate a supplier for the first time using
SCA, the issuer may ask if they wish to designate that supplier as a trusted
merchant, in which case SCA will not be needed for future transactions.
However, beware of the potential for being tripped up by whitelisting. For
example, all hotel properties are different merchants—you can’t whitelist an
entire hotel chain. Issuers also reserve the right to override a whitelist and
trigger an SCA request if they see suspicious activity on an account.

Can we whitelist preferred travel suppliers at a corporate level for
all our cardholders?

No. Only individual cardholders can whitelist, and not necessarily all issuers
offer this facility.

In our company, travel bookings are often made by admins/secretaries
instead of the actual travelers. Can that practice continue?

It depends on the form of payment. If paying by lodge or virtual card, nothing
changes. If the admin is booking with the traveler’s card, that will only work
if the traveler is sitting next to them ready to receive and read out the
one-time passcode they receive on their mobile phone. But that’s technically an
illegal workaround: only the recipient of the passcode should use it.

I’m still confused or have anomalies that aren’t covered here. What
should I do?

Your issuer is your primary guide. You should
work with your TMC and booking tool provider too. In fact, because the situation
continues to evolve, all travel managers should maintain dialogue with key
partners and look to associations like ITM for guidance.
