The European Commission has exempted corporate payments from its
finalized requirements for payment security authentication. In so doing, the
commission resisted vehement opposition from the European Banking Authority.
Travel and payment representatives, though, had campaigned hard to keep the
exemption. Without it, they said, lodge cards in particular would have become
unworkable. "This is a success resulting from industry lobbying,"
said AirPlus International CEO Patrick Diemer.
The European Union's Revised Payment Services Directive, or PSD2, is
introducing strong customer authentication (see
sidebar) for payments, but the European Commission's finalized requirements
effectively exempt virtual cards, lodge cards and corporate-pay corporate cards from SCA.

What Is Strong Customer Authentication & How Does It Apply?

Strong customer authentication is an additional form of verification
used to complete a payment, such as a four-digit PIN texted to a cardholder. At
the beginning of 2017, the European Banking Authority, under direction from the
European Commission, produced draft standards for how and in what circumstances
SCA must be applied to remote electronic payments. The travel and payment
industries argued SCA is incompatible with instruments like lodge cards that
have no one-to-one relationship with an individual person. Card companies also
contended that fraud rates are much lower for corporate payments, making
additional authentication unnecessary.
The European Commission responded in May by drafting
Article 17, an exemption for "dedicated corporate payment processes,"
but the EBA fought hard to scrap it, arguing not all corporate transactions are
low risk and that it's hard to define a "corporate" payment in legal
terms.
In the final text published last week, the commission opted to
retain Article 17 but change the wording. The article now begins, "Payment
service providers shall be allowed not to apply strong customer authentication,
in respect of legal persons initiating electronic payment services through the
use of dedicated payment processes or protocols that are only made available to
payers who are not consumers." It adds that payment providers must satisfy
relevant authorities "that those processes or protocols guarantee at least
equivalent levels of security" as defined in PSD2.
The news will come as a particular relief to Nordic travel buyers.
The region's four travel management associations estimate 95 percent to 97
percent of their members' air bookings through travel management companies are
settled via lodge cards. Finnish Business Travel Association managing director
Sari Viljamaa said: "It's good news this won't be extended to B2B
transactions, but I am still a little worried that there will be room for
national legislators to make their own interpretations."
However, individual pay cards, which have been treated as consumer
cards since the EU Interchange Fee Regulation took effect in 2015, are
effectively excluded from the exemption. "Lodge cards, virtual cards and
corporate cards with corporate pay are fine, but SCA still is required for
plastic cards [that] don't fall under the exemption," said Diemer. Some
corporate travelers have either individual pay corporate cards or even personal
cards within the profiles TMCs use to make bookings on their behalf. In such
cases, said Diemer, SCA will be required in order to complete payment. The same
goes for leisure bookings. Conferma director of strategic relationships Paul
Raymond agreed with Diemer. "We need to prepare for SCA anyway, so we are
looking to see if there is a secure, easy way to do this," he said.
AirPlus is creating a working group of card companies, global
distribution systems, TMCs and other relevant parties to
figure out a mutual approach to SCA. The group will meet in Germany for the
first time this month. "The industry needs an industrywide solution,"
said Diemer. "We should have one procedure for everyone."
The best option seems to be trusted beneficiaries, better known as "white-listing,"
by which the customer nominates payees that can bypass SCA. "Even a white list
requires technical development," said Diemer, but unhelpfully vague
wording in the European Commission's final regulatory text makes it unclear
whether trusted beneficiaries would be permitted for corporate payments. "If
it's not allowed, we need to change procedures. There are various ways we can
think of, all of which are unhelpful," Diemer added.
Diemer expects the new SCA requirements to drive more European
travel programs toward unequivocally nonconsumer payment mechanisms like lodge
cards. Raymond predicted that virtual cards, which are tied to a centrally
billed account, will gain the most. "Virtual cards lend themselves more
readily to SCA because they are single transactions which can be related to an
individual," he said.
The European Parliament and the European Council of member states
must confirm the standards, which will take around 18 months to become law.