The second Payment Service Providers Directive (PSD2) has finally come into full force in the European Economic Area (hereinafter referred to as the EEA) with effect from the end of 2020.
Its aim is to guarantee consumers and/or card users greater transparency and improved security for online payments.
For the hotel industry, PSD2 will bring changes to booking procedures and the way customer credit card details are handled.
In this article, we shall be taking a closer look at the ins and outs of PSD2 and what the directive will mean for your business.
What is PSD2?
PSD2 stands for Payment Services Directive 2 (EU) 2015/2366. This directive applies to all companies that take credit card payments and conduct online transactions. This will of course include hotels. The directive is currently limited to the EEA. This means that it is only binding when both guest and hotel are domiciled in the EEA.
The aims of PSD2 are clearly focused on the welfare of the consumer. The security of electronic payment transactions in particular is to be increased. In addition, PSD2 should also guarantee the right conditions for a level playing field in competition within the SEPA (Single European Payments Area). This directive also incorporates technical innovations that have come about since the first Payment Service Providers Directive.
PSD2 focuses on online payments. From now on, strong customer authentication (SCA) with two-factor authentication (2FA) will be required for every payment transaction.
Here, two of three factors must be used:
- Knowledge: something that only the customer knows, e.g. a password or a PIN
- Possession: something that belongs to the customer, e.g. a smartphone that is registered to him or her
- Inherence: a characteristic of the customer, e.g. a fingerprint, voice recognition, or facial recognition
If the 2FA is successful, proof of this is stored on the system as what is known as an “authentication token” and the payment can be completed.
PSD2-compliant payment service providers now offer 3D Secure 2.0 (3DS2 for short) to carry out 2FA. This means that customers are redirected to their bank’s website to authorize payments there.
Take a hotel reservation as an example: The guest enters his credit card details into the online booking form to pay for his room in advance. He is redirected to his bank to confirm the payment. Here, he enters a code that the bank has previously sent to his cellphone.
What are the consequences of PSD2 for hotels?
PSD2 will apply to many transactions in a hotel, such as room bookings and payments before, during, and after a hotel stay.
Before PSD2 came into force, the OTA or the booking screen could ask for the guest’s credit card details as a guarantee. No authentication was required for this. You can still ask for credit card details as a guarantee, but if you wish to secure permission to trigger a payment, either straight away or in the future, 2FA will be required at the time the online booking is made. Without 2FA, there is a risk that online transactions (such as pre-payment of the hotel stay or blocking a guarantee amount) initiated by the PMS may be refused by the system.
Initially, this can only make online transactions more difficult, as guests will not yet be used to carrying out 2FA for a guarantee. At first, travelers will give up on more booking processes when they encounter the new and unfamiliar measures. Once PSD2 has bedded in and is accepted as normal by guests, however, it will bring hotels a significant advantage.
Use of 2FA for online transactions (“cardholder not present” transactions) results in a liability shift. This means that a guest can no longer cancel his transaction after 2FA, not even by raising an objection with the bank. This will now give hotels more security and protection against chargebacks in the event of cancellations for guaranteed bookings.
How your hotel can get off to a good start with PSD2
With hotel bookings, there is often a bit of time between the reservation and arrival – time in which a guest might change his mind. A credit card guarantee used to be a good option to prevent this, avoiding no-shows and guaranteeing bookings.
Nowadays, other solutions are required to comply with the latest regulations and to keep a lid on no-shows and cancellations whilst simultaneously guaranteeing a pleasant customer experience.
Pre-payment during the booking
The ideal booking scenario for every hotelier is a direct booking via the hotel website. If part-payment or payment in full is required at this point, your booking screen must be PSD2-compliant and use 2FA in order to be able to carry out the transaction. Hotel-Spider’s Spider-Booking is PSD2-compliant.
If a guest books via an OTA, responsibility for correctly conducting the transaction rests with the third-party provider. However, you should nonetheless make sure that all your business partners are working in compliance with PSD2.
Payments outside the stay
Transactions are required in a range of different situations outside a hotel stay. These include manual input of card details to set up a guarantee or charging a card because of a last-minute cancellation or a no-show. It used to be easy to trigger payment as the guest’s card was stored in the PMS.
While this is still possible today, there is no liability shift for transactions where the cardholder is not present (e.g. when entering the card number without the PIN via the terminal). The guest could thus demand, via his bank, the return of any cancellation fee that had been imposed. To avoid this, the hotel can carry out 2FA during or after the booking. In such cases, however, you should bear in mind – especially with early bookings – that the SCA token is valid for only 90 days.
Hotels will nonetheless have an option to skip over 2FA (which may be perceived by guests as annoying) during booking. Instead, you can send the guest a text message that will link to the web booking screen. Here, he can enter his credit card details with 2FA to guarantee his booking. Depending on the day of arrival, this message can be sent directly after the reservation or shortly before the stay, in order to maintain the 90-day deadline of the SCA token. This important step can easily be automated using Hotel-Spider’s Spider-Booking4 system.
Payment at check-out
At check-out, the guest will either settle the entire amount or pay the difference from the part-payment already made. If this transaction is carried out at reception with a card-reader and PIN input, it is called a “cardholder present” transaction, as the cardholder is indeed there in person for the payment. In such cases, liability automatically switches from the hotel to the customer and the payment cannot be retrospectively challenged.
If you wish to offer online check-out, there are two options:
- a PMS offering PSD2-compliant online payments
- a partner like Hotel-Spider who can store the authentication code for 2FA authorization for later transactions
Transactions after check-out
Every now and then it will happen that a guest leaves the hotel without paying or a charge will have to be made after departure for damage or minibar products. If the hotel does not have 2FA for the credit card on file, there is a significant risk that this transaction will be refused by the system.
Here, hoteliers have two options to cover their backs and achieve a liability switch:
- The tried-and-trusted credit card authorization with a card and PIN during check-in: Here, you should charge the cost of the entire stay plus a buffer for additional expenses.
- 2FA with 3DS2 before arrival: The authentication code is generated before arrival and stored for later transactions.
Does all this sound like a big adjustment to make? Well, it is. But Hotel-Spider will make it very easy for your hotel, as we take all the stress out of it for you.
PSD2 comes with very obvious advantages over the long run, as well. Online transactions will become more secure for guests and hotels alike. Hotels will enjoy more effective protection against dropped revenue arising from no-shows, cancellations, and chargebacks, and there will now be a clear liability switch with online transactions as well.
If you have any further questions about PSD2, are wondering if your hotel already complies with all the rules, or are looking for a partner who will take care of all this for you, please feel free to get in touch with us.