What Every Hotelier Must Know About EU’s Payment Rules

A new European Union legal mandate for all payment services and transactions becomes law in the EU on 14 September. Here is what it could mean for the hotel industry, and how hoteliers should prepare.
CoStar News
July 29, 2019 | 6:12 P.M.

GLOBAL REPORT—Just as hoteliers have become used to the General Data Protection Regulation (GDPR), introduced approximately 18 months ago, another piece of European Union legislation, the Payment Services Directive regulations, known as PSD2, is set to go into effect.

PSD2 regulations (replacing legislation dating to 2007) cover online customer authentication, and full compliance is required by 14 September for companies in the EU and for those that do business with EU companies or customers, as is also the case with GDPR.

The main takeaway for hoteliers, sources said, is that they need to have their booking and payments technology seamlessly up to scratch and working across all markets to avoid the risk of guests dropping out of booking processes and buying rooms elsewhere.

Daniel Badenas Orts, operations manager at business consultancy Mirai, said the major threat to hotels is the danger of decreasing conversion.

“E-commerce (facilitators) should not force customer authentication, as this will make any transaction risky and decrease conversion,” he said.

Badenas estimated that 30% or more of transactions are abandoned in Europe, while credit-card company Mastercard calculates that figure at between 20% and 25%.

Angus McFadyen, partner at legal firm Pinsent Masons, said payment regulations were looser before the introduction of PSD2.

“The big step this year is that authentication is mandated on all payments by default unless there is an exemption possible. For payments over the counter, not much will change, but we will see the end of swipe and sign,” he said.

“There will be an increase in the need for pin entries when (a customer performs) contactless payments, and online it will be for every transaction.”

McFadyen said the main authentication software is called 3D Secure Version 2, usually abbreviated as 3DS2.

“This will be better for people using mobile devices, but if (a hotel) has not upgraded, and a lot have not, then expect drop out,” he said.

Carl Weldon, COO, Europe, Hospitality Financial and Technology Professionals, said the new regulations also are stricter about storing of payment information.

“Credit-card information now has to be held securely—not in an Excel sheet spreadsheet, but under a security veil or tokenization,” he said.

Knowing, having, being
Authentication is now based on three categories of factor: something the customer knows, such as a password or PIN; something the customer has, such as a phone or a security token; or something the customer is, such as a fingerprint or facial recognition.
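The strong customer authentication rule behind PSD2 requires factors from at least two of these three categories, and two factors from the same category (a password plus a PIN) do not count. The check below is an added illustration, not code from the article or from any of the companies it quotes; the evidence labels and their mapping to categories are constructed for the example, and a real integration would take them from its 3DS2 provider.

```python
from enum import Enum


class Category(Enum):
    """The three authentication categories named in the article."""
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Constructed mapping from evidence a checkout might collect to its category.
# The labels are illustrative, not names used by any real 3DS2 provider.
EVIDENCE_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "card_pin": Category.KNOWLEDGE,
    "app_push_approval": Category.POSSESSION,
    "sms_otp": Category.POSSESSION,
    "hardware_token": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face_match": Category.INHERENCE,
}


def categories_present(evidence):
    """Map collected evidence labels to the distinct categories they cover.

    Unknown labels are ignored rather than guessed, so they can never count
    toward the two-category requirement.
    """
    return {EVIDENCE_CATEGORY[e] for e in evidence if e in EVIDENCE_CATEGORY}


def satisfies_sca(evidence):
    """True only when the evidence spans at least two independent categories.

    Two items from one category (password + card PIN) collapse to a single
    category and therefore do not satisfy the rule.
    """
    return len(categories_present(evidence)) >= 2


def explain(evidence):
    """Human-readable verdict, e.g. for a checkout log or a dispute review."""
    found = categories_present(evidence)
    verdict = "SCA satisfied" if len(found) >= 2 else "SCA NOT satisfied"
    names = ", ".join(sorted(c.name.lower() for c in found)) or "none"
    return f"{verdict}: categories covered = {names}"


if __name__ == "__main__":
    for attempt in (["password", "card_pin"], ["password", "sms_otp"]):
        print(attempt, "->", explain(attempt))
```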

Moyn Uddin, head of security and privacy at Cyber Counsel* and the co-author of “Cyber Resilience Best Practices,” said PSD2 is different from GDPR in that it is a regulation, not a directive, implemented consistently across the EU, with no further national legislation required.

The United Kingdom might have to go through some other PSD2 scenario if it leaves the EU on 31 October, sources added.

Jim Cathcart, director of policy and regulation at UKHospitality, the U.K.’s principal hospitality association, said everyone is waiting to hear the U.K. Financial Conduct Authority’s response to PSD2’s roadmap and managed transition.

“According to the FCA, with some exceptions, the information and conduct provisions of PSD2 apply to transactions in all currencies, and whether both or only one of the payment services providers is in the European Economic Area,” Uddin said.

“As a result, much more conduct of business and information requirements will apply to international payments. I have not seen any figures for non-EEA countries, but if EEA countries are experiencing issues, they must be, too, as usually they would take lead from the EEA countries. There is usually a wait-and-see approach to these things.”

The burden on companies is heavy, he said.

“Businesses are still struggling with GDPR, so it is very challenging for businesses to keep track whilst also running normal operations. However, it will be good for the customers and provide new services and more innovation in banking. Established players will find competition from new ones entering the market with new and more attractive propositions,” he said.

Seamless and global
The process for non-refundable transactions differs from flexible bookings, which still require pre-authorization, sources said. Bookings on different channels will naturally be funneled through different payment processes, all of which need to comply with PSD2 regulations.

“Have your technology be seamless and adapt it to the new directive to protect customers,” Badenas said.

More facilitators have entered the credit-card and payments market, more have been encouraged to do so, and more customers use mobile devices and different payment mechanisms, which is generating the need to strengthen and organize regulations, sources said.

The goal is to bring more third-party providers into compliance with PSD2 regulations, to join the traditional banks and credit-card companies, which would provide more value and innovation.

“Awareness of PSD2 services is still surprisingly low. … With any new complex regulation or directive, there are always hiccups and delays, so this should be expected. Impact will be reputational as well as monetary. Businesses can do as much as possible and try to meet the September 2019 deadline. Some of the services may have to be phased in or the requirements relaxed. The European Banking Authority is already considering some flexibility in this area,” Uddin said.

“PSD2 providing access to personal and financial data to third parties has not been communicated well. Awareness needs to be raised. The other issue is security, and compliance with regulations such as GDPR when you are allowing access to personal data. This could be secondary processing for instance,” he added.

Legislation mazes
Cyber Counsel’s Uddin said what remains unclear is how security of application programming interfaces and access from third parties would be managed, and how customer consent would be obtained.

Payment Card Industry Security Standards Council regulations still exist for how credit-card information is stored, if it is allowed to be stored and when it needs to be deleted.

No doubt, fines will be meted out to those falling afoul of PSD2 rules, as they have been for alleged breaches of GDPR.

Marriott International currently is in dispute with the United Kingdom’s Information Commissioner’s Office concerning a £99.2 million ($123.6 million) fine levied on the data breach of the Starwood Hotels & Resorts reservations database that began before Marriott acquired Starwood.

Pinsent Masons’ McFadyen said another issue is that there will be some double-authentication processes in play if, for example, payment on one credit card is being used to purchase a stay at a hotel processing payments through a second credit card, or if payments occur across national markets.

McFadyen said there is a great deal of noise about the new regulations in the e-commerce industry, which doesn’t seem prepared for them.

“The regulators cannot change the implementation date but will be a little relaxed for some period of time after 14 September, but no one is sure for how long,” he said.

“Customers will not know if a transaction will go through until it doesn’t,” he added, noting worries that there will be a less consistent customer experience from brand to brand.

Regulatory fines are more likely to be imposed on banks and credit-card processors than on hotels and businesses.

“There is little risk to the consumer, as banks will reimburse them, but the banks might recharge losses back to the merchant. The card issuers will put pressure on merchants,” McFadyen said.

The rules might also change how payments are passed on from third-party booking platforms such as online travel agencies to hotels.

Hoteliers might have to re-authenticate payments data if the original booking has a lead time of more than six months, which adds to the risks of customers dropping out of the booking process due to discontent and data irregularities.

More to come?
Coming on the heels of GDPR, these new regulations seem to signal a trend.

Another similar piece of legislation, the California Consumer Privacy Act, has the potential to be copied or adapted by other U.S. state legislatures, HFTP’s Weldon said.

“There is a need for a world standard,” he said.

Weldon added that if Brexit happens, U.K. law might also be at conflict with GDPR.

“GDPR sort of is in its third stage, but ultimately it is good data practice. Why would you not be doing this? And customers have a right to ask where data comes from and that it should be deleted, which is good, too,” he said.

Uddin said data security will also play a large part in the success or failure of PSD2, as this type of financial data is “an attractive target for the bad guys.”

He added PSD2 implementation will mean the eagerly awaited next phase of EU-wide open-banking legislation will be delayed, and, for the time being, consumers and third-party providers will not benefit from the huge amount of information the banks currently monopolize.

“Many banks simply did not grasp the amount of work required. I believe the delay has primarily been with the strong customer authentication, which is a requirement of PSD2,” Uddin said.

Regulations around payments have lagged behind those concerning general customer data as regulated by GDPR, Weldon said.

*Correction, 30 July 2019: This story has been updated to correct Moyn Uddin's title at Cyber Counsel.