PSD2 Update
What is the PSD2?
The Payment Services Directive 2 (PSD2) is the second European payment services directive. It aims to:
- create a unified European payments market
- make payments safer and more secure
- allow third-party applications to access financial data
- create a frictionless payment customer experience (avoid opening new windows to process payments)
- protect consumers better.
This directive mainly requires strong customer authentication (SCA, also known as two-factor authentication) for e-commerce payments, implemented through a technology called 3DSecure.
The directive took effect on the 1st of January 2021 for the hospitality industry.
Something very important for hotels to know about 3DSecure is the liability shift.
When an e-commerce transaction has passed the 3DSecure process, liability for chargeback losses shifts from the merchant (the hotel) back to the bank. This applies to e-commerce transactions where the cardholder denies having made the transaction, and to fraudulent transactions.
Generally speaking, there are three kinds of payment transactions:
- E-Commerce: When the guest is processing a live payment (Internet Booking Engine/IBE and payment links)
  > Affected by PSD2
- MOTO: When CC details are passed on to apaleo and processed in a second instance (Channel Managers)
  > Not affected by PSD2
- Terminal (POS/PDQ): When a guest pays with a physical card at a terminal device
  > Not affected by PSD2
Only e-commerce transactions are affected by this directive. Therefore, only IBE payments and payment links will go through 3DSecure.
Regarding the IBEs: those integrated with apaleo PAY (powered by Adyen), like UP IBE and OnePage Booking, will automatically introduce the 3DSecure step. The other IBEs will continue to treat payments as MOTO transactions rather than e-commerce (those IBEs capture the CC details and send them to apaleo to be processed by us). The liability shift does not apply to MOTO transactions.
| IBE | apaleo Pay | E-Commerce | MOTO |
| --- | --- | --- | --- |
| UP IBE (UP) | Yes | Yes | No |
| Booking Button (SiteMinder) | No | No | Yes |
| OnePage Booking (HNS) | Yes | Yes | No |
| D-Edge’s Booking Engine (D-Edge) | No | No | Yes |
| Vertical Booking | No | No | Yes |
| SHR | No | No | Yes |
| RoomCloud | No | No | Yes |
| GauVendi | Yes | Yes | No |
| YieldPlanet | No | No | Yes |
| Cubilis (Stardekk) | No | No | Yes |
| Dirs21 | No | No | No |
| Custom IBE | Yes | Yes | No |
Thank you for taking the time to read our message. We would like to highlight that no action is required from our hotels to be compliant with this new regulation.
If you have questions on this topic, please check our FAQ section below. If you can’t find your question, please do not hesitate to contact our support team via the ticketing system.
FAQ
What about AMEX?
You should have received a communication from AMEX regarding the activation of SafeKey (their version of the 3DSecure technology). If you have activated SafeKey on your AMEX account, please contact us and we will also enable SafeKey on payments processed by apaleo Pay (powered by Adyen). If you have not activated SafeKey or received an email, please reach out to your AMEX account manager.
Is there any action for me to take?
No, there is currently no action for our hotels to take.
What if my guests cannot pay on the website anymore?
Some of your guests may not yet have activated the 3DSecure step on their side, which causes the payment to fail.
The activation and use of 3DSecure depends on the issuing bank and on its individual clients. Both stakeholders need to activate this step. First, the issuing bank has to enable this step; second, the bank's clients need to activate two-factor authentication with their devices/apps. Most probably the issuing bank has already made this step available to its customers. Therefore, the bank's clients (your guests) should log in to their banking app and enable two-factor authentication, or contact their bank.
How can I activate the two-factor authentication/3DSecure on my website (booking engine)?
If you use UP IBE, OnePage Booking IBE, GauVendi or a Custom IBE, then 3DSecure is already enabled on your Booking Engine.
If you use Booking Button (SiteMinder), D-Edge’s Booking Engine (D-Edge), Vertical Booking, SHR, RoomCloud, YieldPlanet, Cubilis (Stardekk) or Dirs21, you need to contact your respective account manager and request the integration of apaleo PAY as a payment service provider (PSP) for their Booking Engine.
Why are my guests not prompted for two-factor authentication when booking on my website or when requested to pay via payment links?
There could be a few reasons why your guests were not prompted for two-factor authentication:
- You are not using an IBE which supports apaleo PAY.
- The payment was processed as a MOTO transaction and not as e-commerce.
- The guest's bank is not based in Europe.
- The guest has not yet activated two-factor authentication on her/his bank account, and therefore this step was skipped in the payment process.
- Low transaction value: Transactions under €30 will be exempt from two-factor authentication. However, the issuing bank will keep track of the amount of payments made. So, if the total amount attempted on the card without strong authentication is higher than €100, two-factor authentication will be required. It will also be required every five transactions.
- Recurring transaction: If you store the card in apaleo, then all of the other transactions that you trigger will not go through two-factor authentication.
- B2B transactions: these are exempt from two-factor authentication.
If you wish to always request two-factor authentication for e-commerce transactions, send us a ticket and we will activate the setting in Adyen so that e-commerce transactions always require the two-factor authentication step.
Beware that this might reduce the number of payments going through: the guest will always be asked to perform this step, and if they have not completed the setup on their bank account, they will not be able to make a payment, so the reservation will not be created (referring specifically to reservations coming from your Booking Engine).
This might be a conversion risk, especially if your hotel's website has a high percentage of bookers coming from outside the EU. SCA/two-factor authentication has been rolled out as compulsory only in Europe. Most guests in the US do not have this step enabled in their online banking, as the PSD2 directive is a European initiative.
Can I still charge a credit card that is tokenized (saved as payment account) for a reservation with charges that occur after the initial booking?
This depends on how the credit card was saved (= tokenized) as a payment account in apaleo. If it was tokenized through a transaction with SCA (strong customer authentication, like 3DS), as is the case for most IBEs, then you can charge the credit card for services that occurred later than the initial booking, such as drinks from the minibar. This is then considered a Merchant Initiated Transaction (MIT). Please note that MITs are not covered by the liability shift!
When the credit card was entered manually as a payment account in apaleo, it will most likely not be possible to charge it, as the transaction will be declined by the issuer for not having SCA. At the moment this is still sometimes possible, as issuers are not implementing PSD2 very strictly. But the number of declined transactions will rise very quickly in the next months until it will be completely impossible to charge without SCA.