Tues., Jan. 25 at 12pm ET / 9am PTSponsored By: TripActions
Thu, Feb. 10 at 1PM EST / 10AM PST
Sponsored by: Direct Travel
Thurs., Jan. 20 at 12pm ET / 9am PTSponsored By: TripActions
Virtual Event Series - March/April 2022
2022 Dates TBA
Virtual Event - March 16, 2022
Filter in or out as many as 200 cities, as well as hotel and car rental class and meals of the day and watch as the per-diem calculator automatically adjusts per diems to your program. Drill down into cost breakdowns and export the results.
Card security measures that take effect in the European Economic
Area Sept. 14 are set to disrupt corporate travel payments. The introduction of
Strong Customer Authentication "will see a greater requirement for people to authenticate when booking
travel," said Richard Warren, senior consultant
with payments consultancy FirstPartner/The Human Chain. "This is most likely to be the case when
they are using plastic cards. The process of booking travel through a travel
management company or online booking tool may need to change."
Lodge and virtual cards look much less likely to be affected, but
different countries are allowed to interpret the regulatory technical standards
for SCA in different ways, so there is no guarantee they will remain immune across
the entire EEA, which comprises the European Union, Norway, Iceland and
Ironically, given the U.K.'s imminent departure from the EU, only that
nation's financial regulator, the Financial Conduct Authority, is believed to
have set out in detail its approach to SCA so far. Yet even the FCA's guidance has
left travel and payment companies uncertain of when SCA will and won't be
required. Complicating the picture, according to BCD Travel VP of commercial
payment solutions Mario Kriebel, "only issuers can decide whether they think they need to apply SCA or not."
Therefore, travel managers could end up making different changes to their
payment processes not only in different EU countries but also for different
payment providers in the same country.
All that is clear is that change is coming. Here's BTN's best
understanding at this point of what SCA will mean for travel managers.
What Is Strong Customer
Part of the revised EU Payment Services Directive, better known as
PSD2, SCA is designed to combat card fraud. It requires online payments over 30
euros to be verified with an additional form of identification, meaning the
payer must validate with two of these three forms of authentication:
Are Corporate Payments Exempted?
Yes. And no. "By
default, there is a requirement to authenticate every electronic transaction,
but there are some transactions which are out of scope and some which can be
exempted," said Warren. Following fierce lobbying against the European
Banking Authority, payment and travel companies gained an exemption for "secure
corporate payment processes and protocols" in the final SCA rules,
published in 2018. But, as travel manager groups warned at
the time, a vague
definition of "payers who are not consumers" means no one knows how
national regulators will interpret when corporate exemptions do or do not
apply. This with less than four months until the regulation goes into effect.
"The industry is hoping for the best but
preparing for the worst," said Lars Schmidt, AirPlus International senior
product manager of payments. "There is a lot of uncertainty. Everyone is
trying to interpret how SCA should be done. Each issuer is aiming to keep the
changes as minimal as possible. It's our job to be concerned so that the
customer isn't concerned. The idea behind SCA, which is to reduce fraud, is a
good one, but the implementation is very demanding when it comes to B2B
processes, where fraud levels are low and changes like this hurt more than they
Tim Jefferson, also a senior consultant with
FirstPartner/The Human Chain, said: "Other [national] regulators have not
come out of the gates on corporate payments, but they are taking a much firmer
line than the FCA on the interpretation of other aspects of SCA."
& Virtual Card Payments
In its most recent guidance, published December
2018, the FCA said "lodged or virtual
corporate cards, such as those used within an
access-controlled corporate travel management or corporate purchasing system,
would potentially be within scope of [the corporate payment] exemption."
But Warren warned: "It's not
clear other regulators will come to the same conclusion. We have not seen any
specific indicators at the moment."
Few of the sources BTN spoke to are confident
all regulators will follow the FCA and specify lodge and virtual cards as
potentially exempt. At the other extreme, a specification that lodge and
virtual cards must use SCA would cause major problems because lodge and virtual
card payments are made centrally, making it impractical for a particular
individual to provide authentication.
A more likely outcome, however, is that some
regulators might not clarify whether lodge and virtual cards are exempted. If
that happens, individual issuers may choose to demonstrate to regulators that their
particular lodge/virtual products can be exempted because their fraud levels
are sufficiently low.
Corporate Cards—Booking Travel Via Consumer Websites
The FCA—and there is no reason to believe other
regulators will take a different view—is clear that plastic corporate cards
used for web bookings are not exempt. "In
our view, the use of physical corporate cards issued to employees for business
expenditure in circumstances where a secure dedicated payment process and
protocol is not used (e.g. where online purchases are made via a public
website) would not fall within the scope of this exemption," the authority's
That should create little inconvenience when corporate travelers
both book and pay for themselves. In other cases, change beckons. "It may not be the cardholder who books travel,"
said Warren. "It may be an administrator or a travel department. Companies
will have to prepare for cardholders themselves needing to authenticate. SCA
will make it very difficult if the cardholder and the booker are not one and
the same person."
Also affected will be an administrator or
manager who uses the same plastic corporate card to book travel for different
people. "We see this very often in small companies," said BCD's
Kriebel. "The cardholder might get 20 authentication requests on their
phone per day, not knowing who they are for. Either you will have someone
approving without checking, or this practice will have to stop. The potential
solution here is a virtual card."
Corporate Cards—Booking Through "Secure Corporate Environments"
"The area where things are less certain is
where a plastic card is held in a secure corporate environment, such as a TMC
profile," said Warren. "The FCA wording doesn't specifically say it's
OK, but we read that it is within the scope of this exemption. The trouble is: That's
not certain, and there is also a lot of difficulty around how these exempted
transactions can be identified versus those which are made on a website and
Online booking tool or TMC transaction via a GDS: "We would like all corporate cards used
in the TMC environment to be out of scope," said Adrian Parkes, CEO of U.K.
TMC organization GTMC. But the crucial practical test for a "secure
corporate environment" appears to be whether the reservation is channeled
through a global distribution system.
Discussions with payment companies and GDSs
have led GTMC to conclude that GDS bookings will escape the need for SCA but that
other channels won't. TMCs are hearing similar. "GDSs are saying that
bookings are out of scope anyway because they are [mail order telephone order].
If that's the case, it takes out a large part of what TMCs do from SCA,"
Working on this assumption, and it remains an
assumption, GDSs and the card industry are looking at practical ways for
GDS-based reservations to flag messages to the card company that SCA need not
TMC transaction not via a GDS: Kriebel, Warren and Parkes agree that SCA will
be required when TMCs book via websites on behalf of the client, such as for a
low-cost carrier, rail journey or hotel. "It might be better to move that
type of content to virtual cards," said Parkes. "Not only are there
no issues [for virtual cards] with SCA, there is also a lower risk of fraud and
the management information is good."
American Express declined to respond to a
question from BTN about reports that it is pursuing allowing cardholders to
create a so-called white list of trusted beneficiaries, payees for which SCA is
not needed. "It could be effective, but the problem is that in travel, you
deal with a lot of merchants and will need a lot on the list," said Warren.
For example, each hotel in the same chain usually counts as a separate
merchant. "I don't see it as a panacea," he said.
the Travel & Payments Industries Be Ready by Sept. 14?
Probably not. "I'm pretty sure that if the
GDSs have to develop something, they will not be ready by 14 September,"
said Kriebel. Warren is also doubtful but believes corporate travel may avoid a
cliff edge. "It will be very challenging to have everything in place by 14
September, and some aspects of the regulation have only very recently been
clarified, while others still await clarification. There has been a lot of
lobbying to help regulators understand the complexities because travel and hospitality
is one of the most difficult sectors for payments. The hope is that regulators
will therefore take a pragmatic view about enforcement. They won't necessarily
take punitive action immediately, but they certainly won't tolerate companies
doing nothing to prepare."
Travel Managers Prepare for SCA?
"It's important travel managers understand
SCA—and recognize they will start to experience challenges, especially if they
use plastic cards—and what they need to do to make sure transactions don't fail,"
Consider the following actions:
Corporate lodging platform HRS has signed a global partnership with Citi to integrate Citi's virtual...
American Express Global Business Travel has added expense management to its mobile app for clients...
Corporate travelers soon will be able to use UATP accounts for rides with Uber as well as orders...