In case the European Union fails to heed warnings about the
unintended consequences of its revised Payment Services Directive, or PSD2, travel
and financial services companies are examining workarounds for corporate travel
payments. Payment and technology companies are urgently lobbying the European
Commission and European Parliament to carve out better exemptions for the
corporate sector from the directive's technical standards on transaction
authentication. PSD2 is slated to go into
effect in January.
The standards aim to reduce fraud through additional, mandated
authentication measures for all electronic cardholder-not-present payments. Objectors
say strong customer authentication, as it's known, would make standard corporate
travel booking and payment processes, from lodge cards and virtual cards to
travel management companies booking on behalf of customers, much more difficult
at best. At worst, they'd make those processes impossible. Opponents also argue
SCA is unnecessary because fraud levels are far lower in commercial payments. "The
fundamental point for me is that we aren't [just] trying to deal with fraud
[but that] we absolutely are dealing with it," said Citi head of commercial
cards EMEA Steve Robson. "This has come as a sledgehammer blow as a result
of not understanding the industry."
PSD2 aims to allow new entrants into the payments market while evolving
the overall regulatory regime to protect consumers in the digital era. The
European Commission asked the European Banking Authority to draft the
regulatory technical standards for SCA, in which a person must authenticate a
payment using any two of three elements:
An additional element is required for remote transactions, for
example those made via Internet or mobile. This extra element would typically
be a unique authentication code triggered at the point of sale.
Though these measures make sense for
consumer transactions, applying them to the corporate market is a totally
different proposition, a point that critics said the European Banking Authority
missed in the final draft standards it published on Feb. 23. "The way the
EBA is trying to approach this is a little wrongheaded," said Robson. "In
lodge cards, for example, there is no one-to-one relationship between the card
and the booker. Who is the user? How do we authenticate it?"
Lynn Hamper, founder and CEO of St.
Louis-based travel tech company BizTravelSolutions, also formerly owned a TMC.
She warned the regulation could prove counterproductive. "It is not conceivable for a TMC to
obtain a SCA for each business traveler," she said. "It could
possibly create more fraud by [effectively forcing employers to] furnish each
traveler with their own card. Not only that, most employees do not want to
carry the cost on their own personal credit card, if they have one. How will
those companies be able to handle their travel? With relatively new single-use
virtual cards protecting against fraud, what else can be achieved with a text
message on a phone or PIN number?"
Yet virtual payments technology
provider Conferma said SCA could hobble virtual cards, in spite of their
impermeability to fraud. Once again, the problem relates to the fact that the traveler
and payer are not the same person and therefore the payer is not able to supply
the required authentication. "When a traveler stands at a hotel desk, it's
often not their credit on the virtual credit card; it's the TMC's credit,"
said Conferma chief information security officer John Makin.
Paul Wait, chief executive of the U.K.'s Guild of Travel
Management Companies, said: "This is another classic case of legislators
not understanding the difference between B2B and B2C market practices and
taking decisions without due consideration for the consequences."
Should there be no progress in changing the rules, said Wait, "only
25 percent of U.K. [Billing and Settlement Plan travel agency IATA airline
transactions are] paid for by a card product, and so in simple terms, if
accepting cards becomes unworkable, TMCs will find other ways of charging customers."
However, corporate payment products form a critical element of many
mature managed travel programs, and the prospect of abandoning them is
untenable for travel managers. Payment companies see some, limited workarounds
for certain types of payment. "If it is a cardholder using an online
booking tool, we can find solutions for that, but if someone else is making the
booking [like a TMC consultant who has the traveler's plastic card number
embedded in the TMC's reservations system], I don't see how we can do it,"
said Robson.
Conferma hopes to solve the problem for virtual cards with
Conferma Assure, which is in the works. "Authentication of the payer
happens at an earlier stage and is kept on file," said Makin. "When
the guest checks in or out, the hotel merchant asks Conferma if the
authentication has taken place." Will that arrangement satisfy the
regulator? "There is no better way of doing it," said Makin. "We
can't see a way of doing B2B card payment authentication that will work, so we
are trying to create a technology which will get us as close as possible."
Makin believes the Conferma Assure technology would evolve as
regulators scrutinize it and provide greater clarity on the practical
application of the guidelines they have laid down. He also believes other
corporate payment players may play a more extreme version of this game,
ignoring rules they consider unworkable and waiting for the issue to be tested
in court.
Yet Makin and Robson are among those who believe the best and
still most likely solution is that further concessions will arrive through the
regulatory process. "The card schemes believe there is some space for
conversation with the European Commission," said Robson. "We are
reasonably hopeful that sense will break out here, at least for virtual cards
and centrally billed accounts."
Numerous parties
lobbied the European Banking Authority to exempt corporate payments completely from
SCA requirements, arguing that the fraud risk is significantly more limited. The
European Banking Authority told BTN it "rejected this particular
suggestion on the grounds that corporate transactions overall may indeed incur
risks that require authentication, that
there are already a number of exemptions ... and exclusions under the PSD2
itself that will cover a number of types of corporate transactions, and that the market appears to have already
developed solutions that are compliant with the regulatory technical standards."
The banking authority did not reply to a follow-up question about what
these solutions are and how they would solve the particular needs of corporate
travel payment.
All three potential kinds of SCA exemption that are relevant to
corporate travel payments are problematic. The first allows cardholders to
create a white list of trusted beneficiaries authorized outside the SCA
process. The regulation states a payer can create such a list through its "account
servicing payment service provider," but not all corporate payment issuers
can be categorized in this way. In any case, said Conferma's Makin, maintaining
and auditing white lists would be a major bureaucratic burden.
For transactions up to €500, there is also an exemption for
payment service providers with a certain verified fraud rate. However, many air
transactions, in particular, cost more than €500 and, said Robson, the proposed
fraud rate threshold is too low to be practicable for many issuers.
Finally, AirPlus International has pointed out there are complete exemptions for cards used on limited networks or
for procurement of limited types of services. Examples include fuel cards and
department store cards. However, if a payment service provider elects to be an
authorized payment institution within PSD2, then all its products are
considered within the scope of PSD2, even if they are limited instruments. The
AirPlus Company Account lodge card, used exclusively to book flights and other
travel requirements through TMCs, is an example of a limited instrument. Yet
because AirPlus has chosen to be a PSD2-authorized payment institution in order
to retain cross-border trading rights, the Company Account is out of scope for the exemption.
The European Banking Authority did not respond
to this point or to the one about low-risk issuer exemptions. However, it noted
that the European Commission will have the final say on whether to accept the banking
authority's draft and that the EU Council of member states and the European Parliament
also have scrutiny rights.