The Regulatory Technical Standards (RTS) on strong customer authentication in accordance with PSD2 come into effect on 14 September 2019. This new method for increasing the security of online payments not only affects banks and acquirers. Any business providing a mix of services will need to be on board in order not to put conversions and loyal customer relationships at risk.
In particular, online travel agencies (OTAs) that collaborate with multiple service providers but do not make direct disbursements to them will face a new challenge. From a purely legal perspective, they are not required to apply PSD2. Nevertheless, the new security procedure will affect their business model.
Here’s why: As a rule, OTAs bundle services from a range of merchants, such as hotels, airlines, car rentals and insurance companies. When a booking is made, they forward their customers’ payment information directly to the merchant or an agreed third party for settlement.
If an OTA opts out of PSD2, its customers will complete the booking process without completing 3-D Secure authentication in future. As a result, the merchants will have to send customers a separate payment link retrospectively to ensure that the 3-D Secure authentication is carried out and the payment can be made reliably, excluding the possibility of it being declined.
Of course, the OTA could also redirect its customers to the merchants’ own booking pages, or integrate and maintain their various payment gateways. However, this would come at the expense of the unified booking experience, with greater complexity and a negative impact on conversions. And it would also annoy and confuse those customers who prefer to book every aspect of their trip through one single provider.
Thankfully, help is at hand and OTAs that want to continue offering their customers a unified booking experience after 14 September can avail themselves of a simple solution with the new 3-D Secure Authentication Only method. This separates the 3-D Secure Authentication procedure from the payment authorisation and settlement. So the OTAs can carry out a single authentication process for all of their bundled service providers and send the authentication data along with the rest of the payment information to the merchants and third parties. The subsequent authorisations are handled as 3-D Secure transactions by the merchant.
In summary, by using 3-D Secure Authentication Only, OTAs can continue to let their merchants process payments through their own payment gateways, enabling 3-D Secure with all its associated benefits. OTAs can take advantage of stable processes and low costs, since they can spare themselves the expense of integrating and maintaining a range of external payment gateways. In addition, the user experience during the online booking and purchasing process is not impaired since the customer authentication only needs to be carried out once. As a result, the 3-D Secure Authentication Only method is a simple and future-proof way of implementing a range of different booking scenarios in the travel and hospitality industry.