EU’s customer authentication rules could create challenges for corporate cards
AirPlus International warned that the proposed European Union regulations for increasing card security could prevent the booking and payment processes that occur through travel management firms and online corporate booking services, from functioning, according to a report by Business Travel News.
The second Payment Services Directive, which is set to take effect in January 2018, aims to regulate new types of payment service providers, freeze card surcharges and improve the security of online payments.
“At the moment, it is completely unclear how we can implement this,” Patrick Diemer, AirPlus managing director said. “We have spoken to American Express, MasterCard and Visa, and they all see the same problem and are advocating for the same thing.”
Though the directive’s outline has been agreed to for several years, the draft technical standard introduced by the London-based European Banking Authority has thrown a curveball at the card industry.
The EBA is implementing a new rule in which all cardholder-not-present payments must be verified with strong customer authentication, or SCA, which requires at least two of the following elements: something only the user knows (password and answers to security questions), something only the user possesses (PIN number the bank texts customer to complete a transaction), and something the user is (biometric identification).
Diemer said the new rule has an “unforeseen consequence” in that “in business travel, the cards are issued to corporations, not consumers,” which means that there is “not an identifiable person sitting in front of the screen.”
Personal authentication is counter-intuitive for centrally billed accounts, aka lodge cards, as these cards are used by many individuals.
He also points out that SCA will create issues “where the TMC has the traveler’s corporate card stored, when you call your TMC or make a booking on the online booking engine, then an agent or machine will go to this profile and create a transaction,” said Diemer. “The third party can be a person but it can also be a machine like a purchasing platform or an online booking engine.”
As a result, automated booking and payment processes will be forced to make significant changes or even be replaced by manual processes, Diemer said, adding that the EU’s so-called fix will only worsen the situation.
“The reason we are advocating [against the SCA stipulation] is not just because we don’t know how to implement SCA,” Diemer said. “It’s also that the fraud rates in our industry sector are much lower than in consumer businesses.”
AirPlus has recommended three possible options for improving the regulation: to introduce SCA controls only if the issuer’s fraud rate exceeds a stated threshold, to create a whitelist that exempts specified merchants, or to exempt all wholesale and business-to-business transactions from the SCA requirement.
Diemer said that while the European Parliament and European Commission seem to empathize with the concerns of corporate issuers, the EBA, which he expects will issue its finalized regulation by the summer, “has not been willing to look at corporate or B2B business in a separate way. I don’t think it understands the practical implications of implementing its rules in our sector.”