Proposed European Union rules for beefing up card security could
make the booking and payment processes that occur through travel management
companies and online corporate booking tools unworkable, AirPlus International
has warned. The second Payment Services Directive is scheduled to take effect
in January 2018. AirPlus managing director Patrick Diemer described the
relevant section as "not feasible," telling BTN, "At the moment,
it is completely unclear how we can implement this." Diemer added that the
corporate payments industry is united in its opposition. "We have spoken
to American Express, MasterCard and Visa, and they all see the same problem and
are advocating for the same thing," he said.
The objectives of PSD2 include regulating new types of payment
service providers, prohibiting card surcharges and improving the security of
online payments. The outline of the directive has been agreed to for several
years, but the draft technical standard created by the London-based European
Banking Authority has thrown up a surprise for the card industry.
The EBA is insisting that cardholder-not-present payments must be verified with
strong customer authentication, or SCA, which requires two or more of the
following elements:
- Something only the user knows, such as a password and answers to security questions
- Something only the user possesses, such as a PIN number the bank texts to the account holder to finish a transaction
- Something the user is, in other words: biometric identification
The "unforeseen consequence," Diemer said, is that "in
business travel, the cards are issued to corporations, not consumers. There is
not an identifiable person sitting in front of the screen." Personal
authentication is palpably nonsensical for centrally billed accounts, aka lodge
cards, which are not assigned to any one individual. SCA is also problematic "where
the TMC has the traveler's corporate card stored, when you call your TMC or
make a booking on the online booking engine, then an agent or machine will go
to this profile and create a transaction," said Diemer. "The third
party can be a person but it can also be a machine like a purchasing platform
or an online booking engine." In consequence, he warned, automated booking
and payment processes will need radical adaptation or even have to be replaced
by manual processes.
The intention of SCA is to reduce fraud, which is a cost to issuers,
but Diemer believes that, in this case, the cure is very much worse than the symptoms.
"The reason we are advocating [against the SCA stipulation] is not just
because we don't know how to implement SCA. It's also that the fraud rates in
our industry sector are much lower than in consumer businesses," he said.
According to European Central Bank figures, one of every 909 transactions on
credit cards issued to private individuals was fraudulent in 2013. In contrast,
one of only every 39,683 transactions through the centrally billed AirPlus
Company Account was fraudulent from January to August 2016.
AirPlus has proposed three options for amending the regulation:
- Introduce SCA controls only if the issuer's fraud rate exceeds a stated threshold
- Create a whitelist that exempts specified merchants
- Exempt all wholesale and business-to-business transactions from the SCA requirement.
Diemer said the European Parliament and European Commission have
understood corporate issuers' concerns, but the EBA, which he expects will issue
its finalized regulation by the summer, "has not been willing to look at
corporate or B2B business in a separate way. I don't think it understands the
practical implications of implementing its rules in our sector."
This is not the first time commercial card issuers have been at loggerheads
with European legislators. The Interchange Fee Regulation, which went into
effect in December 2015, led directly to a loss of more than 100,000
cardholders for AirPlus and depressed the company's profits by €12 million
for 2016. "In a way, this is deja vu from the interchange regulation, which
was also developed for consumers and completely ignored the requirements of
the corporate sector," said Diemer.
AirPlus welcomed other aspects of PSD2. AirPlus U.K.
and Ireland commercial director Jon Fox said the directive opens opportunities
for more creative partnerships with new financial technology players,
especially for managing non-travel B2B payments.