PSD2 is approaching like a tsunami and, as with GDPR in May 2018, it will bring about a revolution for the sector and a new headache for hotels (or perhaps not, as we’ll see later). It’s a regulation full of acronyms and technical terms, with an impending date of entry into force and multiple exemptions and exceptions. A period of confusion, hours of debate and a huge rush to “adapt” is therefore guaranteed.
At Mirai, we’ve been researching this new regulation for months and, in particular, the impact it will have on hotels and their direct sales. We’ve talked with many experts on the subject and, in this post, we’ll try to simplify what is a complex regulation, “translate” it into hotel terms and clarify to what extent it will affect hotels and their direct sales, as well as what actions are needed in order to “adapt”.
What is PSD2 and when does it take effect?
PSD2 or the revised version of PSD (Payment Service Directive) is a European directive that comes into force on September 14th 2019. Briefly summarising, PSD2 states that it is no longer sufficient to simply ask for a client’s credit card for online transactions, but rather a double authentication (known as SCA or Strong Customer Authentication) is now required to authorise the transaction. This means that at least two of the three factors below will be required to complete the transaction:
- “Something the customer has” such as a credit card or mobile phone.
- “Something the customer knows” such as a bank password or a PIN sent to their mobile phone.
- “Something the customer is” identification using a fingerprint or facial recognition (biometric identification).
Even though the date it is officially due to come into force is September 14th 2019, there are rumours of a possible delay, as the whole industry is experiencing huge delays (particularly card issuers) and is unlikely to be ready for this date.
What does PSD2 aim to achieve?
PSD2 aims, among other objectives, to make e-commerce safer. Over the last few years, fraud using stolen or duplicated cards has gone through the roof, resulting in a wave of chargebacks. These fraud cases pose an ever increasing problem for the whole industry, including businesses, banks, card issuers and brands. With a double authentication system (SCA) it is expected that fraud and, as a result, chargebacks, will be greatly reduced.
PSD2 also aims to make e-commerce friendlier, facilitating authentication processes in order to accept new formats such as biometrics or mobile payments instead of card payments.
Finally, it aims to reduce the cost of online transactions, freeing up access to banking interfaces (APIs) and allowing more businesses to compete in this payment ecosystem, thus creating greater competition and lower costs.
Will PSD2 affect all transactions?
No. Only transactions that fulfil both of these conditions will be subject to PSD2.
- The card issuer is European (belonging to one of the 28 EU countries). The card issuer is not VISA, MasterCard or AMEX, but rather the bank itself or, in some cases, companies that issue co-branded cards such as airlines (Iberia, Lufthansa) or large shops (IKEA, Carrefour). Therefore, what matters is not the “nationality” of the end customer but the “nationality” of the card issuer.
- The acquirer or financial institution (normally a bank) that processes the transaction on the merchant’s behalf is also European (in this case, it’s typically your bank).
Therefore, a client with a card issued by Deutsche Bank making a purchase on an online shop that processes payment through CaixaBank in Spain will fall under the scope of PSD2 and the client will have to go through double authentication to complete the transaction.
However, a client with a card issued by Bank of America making a purchase on an online shop processed through BNP in France will not fall under the scope of PSD2.
Will those who don’t “adapt” to PSD2 be fined?
Unlike GDPR, which was compulsory for all hotels (and all businesses in general) and which entailed inspections and fines, “adaptation” to PSD2 is limited to a much smaller group of businesses.
It is primarily payment gateways and the banking or financial sector that have to adapt. It is those groups that the regulator will be keeping a close eye on, and they could be fined if they fail to comply.
Therefore, hotels will not be subject to inspections or sanctions related to the application of PSD2. The responsibility of every business with online sales (this applies to hotels’ direct sales) will be limited to their choice of payment platform, which does have to be adapted to PSD2.
Is the United Kingdom one of the countries that falls within the scope of PSD2?
Yes, for as long as they are still part of the EU.
If the United Kingdom finally leaves the EU (the next tentative date is 31 October this year), it is yet to be decided whether there will be a special agreement with the UK or whether it will fall outside of the scope of PSD2.
What does 3DS2 have to do with PSD2?
3DS2 is an evolution of the 3DS system (previously called 3DS or 3DS1), which was implemented a few years ago, primarily in Europe, to give additional security to online transactions. In practice, these are the purchases that ask for a PIN sent to your mobile phone or for an additional password.
3DS2 is a new standard created by a consortium of large card issuers called EMVCo that is attempting to improve the current 3DS1 user experience and to provide additional security. It is based around requesting additional details from the customer, such as who they are or who they bank with, as well as accepting biometric identification (fingerprint or facial recognition) on iOS and Android devices.
3DS2 will be the standard double authentication method in Europe and it is valid for passing the SCA demanded by PSD2. Therefore, we will wait to see how banks migrate their standards from the current 3DS to 3DS2 over the coming years. It is also expected that 3DS2 will extend beyond Europe and become a worldwide standard.
What shops or websites are affected by PSD2 and 3DS2?
Any business that takes electronic (online) payments from their customers, regardless of what they sell: clothes, food, tickets (sports, cinema, etc.), holidays or hotels.
In the hotel sector it will particularly affect businesses (normally OTAs) that use the merchant model, where they charge the end client at time of booking. All these businesses will inescapably have to adapt to PSD2.
In the case of hotels’ direct sales, it will particularly affect non-refundable rates and payments made at the time of booking. All transactions that fall under the scope of PSD2 will have to go through double authentication.
How will it affect my telephone or face-to-face sales?
It won’t have any effect.
Telephone and email sales (MOTO or Mail Order and Telephone Order) are one of the several exemptions PSD2 has, and payments can continue to be taken in the same way, using just a card number and without double authentication. In order to take the payment, the credit card reader needs to be configured to transaction type MO-TO, and it will then allow you to process the payment without problems.
Face-to-face sales are also unaffected as the client is present; purchase authorisation is done physically, in first person.
How does PSD2 impact my direct sales?
Unlike the majority of OTAs (except Booking.com, for now), hotels don’t usually charge their customers at time of booking. Therefore, PSD2 shouldn’t be a worry, as it will not apply to the majority of bookings. However, this doesn’t mean that it won’t have any impact.
We will differentiate between “pay at hotel” bookings (usually with flexible cancellation) and “pay now” bookings (normally non-refundable).
- Flexible bookings and customer payment at the hotel.
  - There is no online transaction and, therefore, PSD2 does not apply.
  - In the case of a no-show or a cancellation outside of the established time frame, you will have the card the customer left as a guarantee. We will look at what will happen with these manual payments later.
- Non-refundable bookings and pay now.
  - The correct method will be to use an online payment gateway that will verify the customer’s double authentication for those transactions that fall within the scope of PSD2. From September 14th, all bank payment gateways have to be 100% adapted to the regulation, so the only thing you need to do is ensure that your payment gateway has been adapted.
  - If you are not currently using an online payment gateway to take payments, it may be time to consider using one, as taking payments using a physical credit card reader with a card linked to an online booking will become more complicated.
Will I be able to use a card reader to charge cards obtained from an online booking?
It is common for hotels to use a card reader to manually charge customers’ cards used on the hotel’s website or through Booking.com. The two main scenarios for these types of charges are as follows:
- Non-refundable bookings without an online payment gateway (payment is taken manually at the hotel).
- Charging no-shows or cancellations outside of the allowed time frame.
When the card has been obtained electronically (from the internet) and if the transaction falls within the scope of PSD2, double authentication should be required to complete the transaction. That means that if you only have the card number, you can NOT manually charge a card using a card reader as you will not have double authentication from the customer.
However, there is a bit of a workaround that could just be the lifeline hotels need, at least in the short and medium term. And that is the exemption of telephone bookings (MO-TO) from PSD2. As you’ve already seen, bookings made by telephone or by email are exempt from double authentication and payments can be taken by configuring the card reader to MO-TO to carry out the transaction. Who or what will stop you from managing these online bookings and manually taking payment (as has been done until now) in this way? Probably nobody. At least not in the short term. It’s not the ideal solution, nor is it likely to be sustainable in the long term (especially if you have lots of chargebacks, which is not the standard scenario), but it is a way to get by while the confusion currently surrounding PSD2 is being resolved.
It should be clarified that charging a card with a card reader without double authentication and without the customer present will continue to be a transaction that can be reversed. And even more so when PSD2 comes into force.
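As an added illustration (not Mirai’s code, nor any payment gateway’s API), the two scope conditions above, the MO-TO and in-person exemptions, and the manual-charge case for a card obtained online can be written as a single decision function. The ISO country codes, the EU28 set and the channel names are assumptions made here for the example.

```python
"""Constructed PSD2 scope / SCA decision helper (illustration only, not Mirai's code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple

# EU member states in 2019 (ISO 3166-1 alpha-2). GB is included because the post
# treats the UK as in scope for as long as it remains in the EU.
EU28 = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
}


class Channel(Enum):
    """How the card details reached the hotel (assumed names)."""
    ONLINE = "online"           # entered on the website or a booking assistant
    MOTO = "moto"               # mail order / telephone order: PSD2 exemption
    FACE_TO_FACE = "in_person"  # cardholder present at the desk


@dataclass(frozen=True)
class Payment:
    issuer_country: str    # country of the bank that issued the card, not the brand
    acquirer_country: str  # country of the merchant's bank processing the payment
    channel: Channel
    charge_attempted: bool  # False while the card is only held as a guarantee


def in_psd2_scope(issuer_country: str, acquirer_country: str) -> bool:
    """PSD2 applies only when BOTH the issuer and the acquirer are European."""
    return issuer_country.upper() in EU28 and acquirer_country.upper() in EU28


def sca_decision(p: Payment) -> Tuple[bool, str]:
    """Return (sca_required, reason) for one payment, following the post's rules."""
    if not p.charge_attempted:
        return False, "no online transaction yet (pay at hotel); PSD2 does not apply"
    if not in_psd2_scope(p.issuer_country, p.acquirer_country):
        return False, "issuer or acquirer outside the EU; out of PSD2 scope"
    if p.channel is Channel.MOTO:
        return False, "MOTO exemption; reader in MO-TO mode, no double authentication"
    if p.channel is Channel.FACE_TO_FACE:
        return False, "cardholder present; authorisation happens in person"
    # Card obtained online and charged (now or later, e.g. a no-show): SCA needed,
    # so the charge must go through an SCA-capable gateway, not a manual reader.
    return True, "online EU transaction; route through an SCA-capable gateway"


if __name__ == "__main__":
    # The post's two worked cases: Deutsche Bank (DE) card via CaixaBank (ES),
    # and a Bank of America (US) card via BNP (FR).
    for case in (Payment("DE", "ES", Channel.ONLINE, True),
                 Payment("US", "FR", Channel.ONLINE, True),
                 Payment("DE", "ES", Channel.MOTO, True),
                 Payment("DE", "ES", Channel.ONLINE, False)):
        print(case, "->", sca_decision(case))
```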
How do I ensure my direct sales comply 100% with PSD2?
There are two options that, although they will ensure you comply with PSD2, have major disadvantages that discourage their use (at the moment, at least):
- Incorporate a bank payment gateway into all bookings (flexible and non-refundable bookings). That way we guarantee that all transactions within the scope of PSD2 pass through double authentication (SCA). In the case of non-refundable bookings, the payment will be taken at time of booking. In the case of flexible bookings, only authentication will be made (not the payment), thus allowing payment to be taken at a later date (on check-out, for example).
For the curious among you, it works as follows: after user authentication, a token called CAVV (Cardholder Authentication Verification Value) is generated and, together with the card, this token allows you to take payment later, thus disconnecting the time the booking is made from the time payment is taken. The CAVV only allows you to take the booking amount and not a higher value.
The main downside to this approach is the impact it will have on your sales conversions. This is to be expected because:
- The longer the sale process takes, the more times we have to jump to the bank’s website, and the more fields we require to be completed (3DS2 requires the email and telephone fields to be completed to finalise the transaction), the more clients will fall by the wayside.
- In addition, not all European cards have double authentication systems yet, therefore a percentage of our clients could be left without being able to make a booking.
- Finally, even though online payment gateways will be adapted to PSD2, the real problem will come from card issuers who will not adapt in time. If a card issuer denies or prevents double authentication, it’s very possible that the transaction will be lost and you will lose the client.
- Pre-stay email with a link to a payment gateway. Another valid solution, although far from ideal again, would be to incorporate an automatic process in the PMS or CRS (that contains information about all the hotel’s bookings, whether made through the hotel’s own website or through Booking.com) that sends an email to the customer with a link to a payment gateway inviting them to pay online 3-4 days before their arrival (the final date for cancellation). This payment gateway would take the customer through double authentication if the transaction falls within the scope of PSD2.
Concerns surrounding this solution are:
- Would it encourage customers who aren’t entirely convinced to cancel their booking?
- What happens if payment is not completed? Would you cancel the booking? Would you keep the booking? The answer may vary depending on the season, how busy you are, etc.
- The worst is that this process will be completely manual and, therefore, a step backwards in automation.
- Also, this won’t solve the issue of clients not showing up, as they are unlikely to respond, and you will be left with the same uncertainty as before.
What will Booking.com and Expedia do in order to adapt to PSD2?
What you do with your direct sale is very closely related to what your primary competitors (Expedia and Booking.com) will be doing. We have to consider that customers that book directly through your website without visiting these OTAs first are rare.
Expedia primarily works with the merchant model (they charge the client first and then they pay you). Expedia is therefore obliged to adapt to PSD2. The grey area is what Expedia will do with bookings made using the agency model (when the customer pays the hotel directly), which is the model primarily used by Booking.com (so far). The question is whether Expedia and Booking.com will take customers through double authentication for bookings to be paid at the hotel. And if they don’t, how will you take payments for non-refundable rates or no-shows? If they do carry out authentication, will you be obliged to use their payment methods via virtual cards, which will result in higher costs for you?
The reality is that if you decide to adapt to PSD2 by incorporating a payment gateway into your direct sales for all bookings (non-refundable and flexible), and neither Booking.com nor Expedia (in agency model) does anything to send customers through the same double authentication process, it could result in a loss of clients, as it will be much easier to book through an OTA than it will be to book through your website.
On the other hand, if OTAs decide to implement double authentication even for bookings that are to be paid at the hotel and you don’t request it (or you do it at a later date, not at time of booking), customers could turn away from OTAs and opt for your direct channel instead.
We’re not Expedia or Booking.com, but conversion has always been key for OTAs and they will do everything they can to avoid any changes that will impact their conversions. Therefore, it is not expected that Expedia or Booking.com (both in agency model) will make a faux pas. Remember that they can argue that there is no online transaction for bookings that are paid at the hotel and, therefore, double authentication is not necessary. What about when the booking is a no-show? It’s not their problem, it’s yours.
At Mirai, we believe that OTAs, especially Booking.com, have a unique opportunity to achieve something they have been chasing for a long time, and that is to move from the agency model to the merchant model. Using PSD2 as an excuse, they could force hotels to accept the merchant model (at least for non-refundable rates) and not just offer it as an option, as they have done until now. They will make it appear positive by spinning the line: “let us take care of collecting payments, this complex regulation and we’ll take any responsibility away from you”.
From a hotel’s point of view, it seems like a very attractive offer, but that is until you consider the two major disadvantages that disqualify it completely:
- Taking payment by virtual card raises costs of these bookings by between 1% and 3%, depending on the case, and that is in addition to the already high cost of bookings made through Booking.com.
- Allowing Booking.com to charge the customer opens the door to all sorts of disparities, something which has been happening for some time with hotels already using these payment methods (their Early Payment Benefit programme, for example). Giving Booking.com the option to create these disparities is like opening a Pandora’s box of unexpected consequences.
And Facilitated Bookings… what will happen to them?
PSD2 is a new challenge for booking assistants and metasearch engines. We’re primarily talking about TripAdvisor’s Instant Booking, trivago’s Express Booking (tEB) and Book on Google (BoG).
With these booking assistants, the customer enters their credit card number onto their interface and, therefore, it is the responsibility of the booking assistant to find a technical solution that guarantees compliance with PSD2. We will wait to see what solutions they apply and when they will be available. We know that they are working on it and we will see the results soon.
Apart from trivago Express Booking (tEB), none of these systems currently allow double authentication with 3DS, therefore, nothing will change on September 14th. Hotels will be able to continue taking payments as they always have done, as long as their payment gateway allows it, or to continue taking manual payments, as many do.
Will anything happen when PSD2 comes into force on 14 September 2019?
No. We don’t think anything will happen.
Very few will be ready on that date. Payment gateways (although the most important insist that they will be), banks and, the slowest link in the chain, card issuers, are all unlikely to be ready.
However, September 14th will be a turning point when the whole industry will have to reflect and start making online decisions with PSD2 in mind. Once again, the regulation has to be brought into force before anyone takes it seriously.
Seeing what we’ve seen, PSD2 will have minimal impact on direct sales, at least in the short term. Continuing to operate as you have been until now is probably the best recommendation we can make, at least during the first phase. We should first wait until we have been reassured that the banking sector has adequately adapted and until we’ve had the chance to closely monitor the movements of OTAs. That is, of course, assuming that card readers will allow manual payments to be taken using MO-TO mode as specified in the regulation.
We don’t think it is worth adding an online payment gateway or to authenticate every booking, as it could have a counter-productive effect on conversion, particularly if OTAs decide to skip validation.
What we would recommend, if anything, and in the medium term, would be an “after-the-fact customer validation” approach, sending the customer an email from the PMS or CRM a few days before arrival for all bookings that are due to be paid at the hotel (direct sales and OTA agency model). It’s not a perfect solution, but at least it brings you closer to meeting the strict requirements of PSD2.
Only once we’ve seen what decisions have been made by the main OTAs working in agency model (primarily Booking.com, but also Expedia) should you reconsider any decisions concerning your direct sales.
PSD2 is another turn of the screw on e-commerce and customers will benefit from increased security and, with 3DS2, increased convenience and usability. But that will be in the long term. Today, confusion is still running high and the industry doesn’t seem prepared. In fact, they are already talking about postponing it before we reach a situation of widespread chaos.
However, hotels should not let their guard down and should thoroughly research the regulation and the impact it will have on the industry and on their direct sales. In fact, it’d be a good idea to start researching now and gaining a deeper understanding of the different online payment gateways that are available, as it seems as though the industry is moving in that direction, at least for non-refundable rates.
On the other hand, you shouldn’t be hasty and rush into decisions that could affect your direct sales. With the information currently available, the most reasonable approach seems to be to wait until the confusion has been cleared up and the main players in the industry have adequately adapted to the regulation (banks, payment gateways, card issuers, etc.), as well as waiting to see what decisions are made by the main OTAs.