Guest Post: Are you ready for Strong Customer Authentication?

Guest Post: Are you ready for Strong Customer Authentication?

Make payments a strategic priority, says Jean-Christophe Lacour, Amadeus head of merchant services

Make payments a strategic priority, says Jean-Christophe Lacour, Amadeus Payments’ head of merchant services

Back in 2013 Kim Kardashian and a host of other celebrities in the US were the victim of credit card fraud. A pair of fraudsters obtained card details from darkweb hackers and racked up many thousands of dollars in purchases. This is one of the remaining difficulties with online payments today – ensuring the payee is who they claim to be. In the industry its known as ‘authentication’ and it’s about to get an upgrade designed to tackle the $21 Billion in fraud we see in travel each year.

Even if you don’t work specifically in travel payments you’ve probably heard about the Payments Services Directive II (PSD II) a wide-ranging directive that aims to modernize the way payments work within the EEA. There are a number of changes under the directive, ultimately laying the groundwork for direct bank to bank payments. But less well understood are the requirements around Strong Customer Authentication (SCA), which have significant implications for travel. And you need to be ready for this change by 14 September this year.

SCA is designed to reduce fraud by bringing two-factor authentication (2FA) i.e. at least 2 of Something you know (e.g. PIN), Something you have (e.g. chip card or mobile device) and Something you are (e.g. fingerprint) to the vast majority of payments made within the European Economic Area. If you shop you’re most certainly already practicing 2FA with your chip & PIN card and if you bank online you might already have practiced 2FA by authenticating yourself to your phone with your fingerprint.

This might sound simple enough and eminently sensible but clearly this introduces potential friction to travel commerce. In a world where consumers are accustomed to Amazon and Uber offering one click payments travellers aren’t likely to tolerate 2FA if it isn’t handled correctly. At Amadeus we think this is actually an opportunity for those travel merchants that can get it right avoiding ‘abandonment’ and lost revenue.

Improvements to the 3D Secure protocol

Just like travel selling, payments are underpinned by industry-wide protocols that govern how data is exchanged between merchants and other players in the chain. Authentication is governed by the 3DS protocol which has recently been upgraded. 3DS 2.0 includes some important updates:

• The ability to transfer 10X the amount of data between travel retailers and the banks responsible for authenticating their cardholders to improve the process
• Support for biometric authentication (which is now common to mobile devices)
• Native support for ‘in-app’ authentication on mobile (coming with 3DS 2.2)
• Ability to handle exemptions under SCA requirements (coming with 3DS 2.2)

These improvements present an opportunity for the travel industry. At Amadeus we are working closely with our partners at organisations such as Cyber Source, the payment schemes and acquirers to integrate 3DS 2.0 into the wider travel eco-system. Our vision is for any travel merchant (agency, hotel airline) using Amadeus systems to benefit from the new protocol.

Protecting the customer experience

Achieving SCA, and with it more secure payments, whilst protecting the traveler experience is going to be a balancing act. The directive itself includes a series of ‘exemptions’, situations where SCA isn’t deemed necessary, which we expect savvy merchants to apply in ways that protect the customer experience.

One such example is the concept of a ‘trusted listing’ offered by card issuers meaning that travelers can add trusted merchants to a whitelist. Another is the ability to exempt payments under €500 from 2FA, as long as the correct risk analytics and controls are in place. Merchants that have prepared and implemented the correct underlying technology can benefit from advances in AI that are able to analyse vast amounts of historic payments to flag up higher risk transactions. With such systems in place, merchants are in a much stronger position to work with their acquiring partners to take advantage of the exemptions under SCA.

This situation isn’t dissimilar to Capital One’s credit scoring innovation. The firm famously differentiated based on its ability to analyse large datasets in order to confirm if a potential credit card applicant would be accepted, without calling on a credit reference agency to make the decision. When it comes to SCA those merchants able to enhance their own risk and fraud analytics will also have the confidence to assume the additional risk involved in exempting payments from 2FA.

When you consider that well over half of travel payments are already made using mobile in China and alternative methods such as e-Wallets are growing by 7% per annum in many major markets, it’s clear the industry needs to be able to authenticate travelers quickly, simply and without additional friction.

If you’re not already thinking about how best to apply SCA to protect the customer experience now is the time to make payments a strategic priority.