What we’ve learnt from tackling SCA in the travel industry

By Jean-Christophe Lacour, Head of Merchant Services, Amadeus Payments

The deadline for Strong Customer Authentication (SCA) is fast approaching. The vast majority of intra-European Economic Area (EEA) electronic payments above €30 will

require two-factor authentication (2FA) from the 14 September.

There are 2 obvious main concerns: either you’re compliant as a merchant and your conversion rates will suffer as a result of the 2FA-induced more onerous payment

experience on your customers OR you’re not compliant and you risk your transactions being declined by issuers. Such concerns are common across all areas of commerce,

but particularly pertinent for the travel industry.

The two trillion Dollar travel industry relies on electronic commerce and is significantly more complex than most. This explains why the European Association of Payment Services Providers recently called for a 36 month SCA grace period in travel, compared to the 18 months requested for other industries.

In travel, for example, ‘Multi-merchant’ situations are common, whereby an agent sells multiple products from multiple merchants to create a single holiday or trip. It’s currently unclear how authentication should be undertaken, perhaps it is only needed once for all products with the authentication re-used across all merchants? Or, it is possible that the letter of the SCA requirements will mean authentication needs to occur multiple times (risking a really poor customer experience).

At Amadeus, our systems handle approximately 44% of the world’s airline bookings made by travel agencies, and we also support many direct channels, so we’re ‘in the thick of it’ when it comes to enabling SCA.

We’ve been working on this challenge for two years in collaboration with our partners such as Visa and their fraud management specialist CyberSource and authentication specialist Cardinal Commerce. Helping travel merchants become SCA-ready across all channels remains our goal, with application of the 3D Secure protocol at the heart of our approach. Direct channels have a relatively simple fix, with web plug-ins. Indirect channels have taken greater effort, with a mix of 3DS 1.0 and 3DS 2.1 applied.

What’s really important for merchants, their acquirers and PSP partners is putting the right foundations in place now to benefit from the various exemptions afforded by SCA, reducing the need for systematic 2FA and therefore allowing merchants to comply whilst preserving the all-important conversion rate. Having the data exchange, analysis and insight capabilities to exempt based on transaction risk analysis, for example, offers significant promise. Our number one observation, however, is just how complex this area is and the need to start taking action now by implementing a 3DS and testing it. To play ostrich by hoping the grace period will move the goal post by 18-36 months is a very risky approach.