Overview of PSD2 Compliance
This guide aims to clarify PSD2 compliance, 3DS, and transaction types within Apaleo, ensuring you're well-equipped to manage payments securely and efficiently.
What is PSD2?
The Payment Services Directive 2 (PSD2) is a European regulation aimed at creating a safer, more innovative, and integrated payments market. It introduces strong customer authentication (SCA) requirements, mainly through 3D Secure (3DS) technology, to enhance security for electronic payments. For the hospitality industry, PSD2 became effective on January 1, 2021.
Your Role as an Apaleo Pay Customer
As an Apaleo Pay customer, there's no proactive action required from you to comply with PSD2. The regulation primarily governs banks and payment processors like Adyen, ensuring transactions are secure. Transactions lacking strong customer authentication (like 3DS) don't directly affect your compliance, but they may increase the risk of fraud or chargebacks.
Understanding 3D Secure and Liability Shift
Why is 3D Secure Important?
3D Secure is a security protocol that adds an additional layer of authentication for online payments, reducing fraud and shifting liability from you to the bank in certain cases of fraudulent transactions or chargebacks.
Liability Shift Explained
Liability shift occurs when a transaction processed through 3DS moves the responsibility of chargeback losses from you (the merchant) to the bank. This is particularly relevant for e-commerce transactions where the cardholder disputes a charge.
Types of Transactions and PSD2
Types of Transactions
- E-Commerce Transactions: Affected by PSD2, these include payments made through Internet Booking Engines (IBEs) and payment links. When these transactions are authenticated via 3DS, they benefit from liability shift.
- MOTO Transactions: Mail Order Telephone Order (MOTO) transactions, where credit card details are manually entered into Apaleo, are not covered by PSD2's SCA requirements. Consequently, they do not benefit from liability shift.
- Terminal Payments: Payments made in-person using a terminal are not subject to PSD2's SCA requirements. These transactions do not provide information about liability shift in your transaction logs.
Maximizing Liability Shift
To ensure maximum protection under PSD2, use payment links and e-commerce payments that undergo 3DS authentication. For bookings requiring a credit card guarantee, consider using payment links instead of directly charging the payment account, especially when using automation tools like make.com.
FAQ
Do I Need to Take Any Action to Comply with PSD2?
No immediate action is required for hotels to comply with PSD2 through Apaleo Pay.
Activating Two-Factor Authentication on My Website
If your booking engine is integrated with Apaleo Pay, 3D Secure is already enabled.
IBEs without an Apaleo Pay integration treat payments as MOTO transactions rather than e-commerce transactions, because they essentially send the card data through to Apaleo to be processed by us. The liability shift does not apply to MOTO transactions.
Why Aren't Guests Prompted for Two-Factor Authentication?
By default, the setting for Apaleo Pay merchants is to not apply 3D Secure authentication, unless the issuing bank requires it to complete the authorisation. If you would like to make your requirements stronger, contact our support team to configure your merchant to use 3D Secure whenever possible.
Even with the stricter requirements, there will still be transactions that don't go through 3D Secure authentication. Several reasons could cause this: the IBE does not support Apaleo Pay, the transaction is categorized as MOTO, the guest's card issuer does not support 3D Secure yet, or the card isn't enrolled. Also, low-value transactions (under 30 Euros) do not go through two-factor authentication.
What About AMEX and SafeKey?
If you've activated SafeKey (AMEX's 3DS technology) on your account, inform our support to enable it for Apaleo Pay transactions. If you have not activated it on your AMEX account, contact your AMEX account manager for activation instructions.