Strong Customer Authentication (SCA) requires cardholders to perform two-factor authentication for the vast majority of electronic payments made within the European Economic Area, reducing fraud by providing a higher degree of confidence that the person performing the transaction is the rightful cardholder.
In the travel industry, where a high number of bookings are made via travel agencies, performing two-factor authentication will require changes to the way agencies and suppliers handle payments.
It is particularly challenging to ensure that payment processes meet the requirements when a travel agent performs SCA on behalf of many different travel suppliers in a single booking. That is why we are going to tackle it in this article.
Imagine a traveller places a booking for a holiday that includes a flight, a hotel, and car rental with an online travel agency (OTA).
Step 1
Immediately, we may encounter the concept of a Merchant Initiated Transaction (MIT). It is possible that any of the three merchants will wish to charge the traveller’s card without them being present – for example, the traveller cancels and incurs a fee, or the car rental firm may introduce a charge if the car is returned with less than a full tank of petrol.
For the airline, hotel, or car rental firm to be able to initiate these payments later on, it is important that the traveller enters an MIT agreement at the time of booking. Therefore, the OTA needs to clearly provide terms and conditions from each merchant at the time of booking, as well as to collect proof that the traveller has consented to this agreement.
Step 2
Next, the OTA will ask the traveller to perform an SCA check using a One Time Passcode sent to their mobile phone. Importantly, this SCA check must be for the entire balance of all products in the booking.
Step 3
Because this scenario involves multiple travel suppliers (also known as merchants) behind the scenes, the SCA check performed by the OTA at the time of booking needs to be usable by the airline, the hotel, and the car rental firm, so each entity can process its own payment.
This can be achieved using the 3RI protocol (also known as ‘3DS Requestor Initiative’), which allows a ‘silent authentication’ to occur in the background without any need for the traveller to perform any action. Silent authentication works by dynamically linking the original SCA check that the traveller performs for the OTA to subsequent payments initiated by the airline, hotel, and car rental firm when the traveller isn’t present.
So, in this multi-merchant scenario, the OTA would conduct the initial SCA check in step 2, followed by three silent 3RI checks, one on behalf of each merchant (airline, hotel, and car rental firm). Each merchant then has its own unique proof of authentication data that it can use when authorising its portion of the payment.
For this to be successful, the combined value of the separate 3RI authentications must not exceed the total value of the authentication performed by the traveller during step 2, removing any risk that the traveller might be overcharged.
Importantly, 3RI is only available if the OTA and travel suppliers involved have upgraded their systems to the latest industry-standard authentication protocol, ‘3DS 2’, which was recently released by the payments technical body EMVCo. That is one reason why Amadeus advocates moving to 3DS 2 as soon as possible.
Step 4
The OTA sends the unique SCA 3RI authentication to each of the travel suppliers, which can then process their individual payments. The traveller’s card will display three separate transactions totalling the original amount for which the traveller authenticated during step 2.
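The rule that ties steps 1 to 4 together (one SCA check for the whole balance, then one linked 3RI authentication per merchant that never pushes the combined total above it) can be sketched as a small ledger. This is an added example, not Amadeus or EMVCo code: the class, field names, reference string and amounts are constructed, and requiring recorded MIT consent and a single authentication per merchant are assumptions of this sketch.

```python
from dataclasses import dataclass, field

class AuthError(Exception):
    """Raised when a 3RI request cannot be linked to the original SCA check."""

@dataclass
class BookingSCA:
    """Step 2: the traveller's one SCA check, for the full booking balance."""
    sca_ref: str                      # hypothetical reference to the original check
    currency: str
    total_minor: int                  # authenticated amount in minor units (cents)
    mit_consent: set = field(default_factory=set)   # merchants whose MIT terms were accepted
    issued: dict = field(default_factory=dict)      # merchant -> 3RI amount already linked

    def remaining(self) -> int:
        return self.total_minor - sum(self.issued.values())

    def request_3ri(self, merchant: str, amount_minor: int, currency: str) -> dict:
        """Step 3: link one silent authentication for one merchant to the SCA check."""
        if merchant not in self.mit_consent:
            raise AuthError(f"no MIT consent recorded for {merchant}")
        if merchant in self.issued:
            raise AuthError(f"{merchant} already holds an authentication for this booking")
        if currency != self.currency or amount_minor <= 0:
            raise AuthError("amount must be positive and in the authenticated currency")
        if amount_minor > self.remaining():
            raise AuthError(f"{merchant}: {amount_minor} exceeds remaining {self.remaining()}")
        self.issued[merchant] = amount_minor
        # Step 4: this record is what the OTA passes on to the supplier.
        return {"merchant": merchant, "amount_minor": amount_minor,
                "currency": currency, "linked_sca": self.sca_ref}

def run_booking() -> tuple:
    """Constructed sample: EUR 1,450.00 package split across three suppliers."""
    sca = BookingSCA("SCA-EXAMPLE-001", "EUR", 145_000,
                     mit_consent={"airline", "hotel", "car_rental"})
    proofs = [sca.request_3ri(m, amt, "EUR")
              for m, amt in [("airline", 62_000), ("hotel", 58_000), ("car_rental", 25_000)]]
    return sca, proofs

if __name__ == "__main__":
    sca, proofs = run_booking()
    for p in proofs:
        print(p)
    print("unallocated:", sca.remaining())
```

Amounts are held as integer minor units so the comparison against the authenticated total is exact.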
Whilst the 3RI process is the desired end-state for authenticating cardholders in multi-merchant travel bookings, there is an acknowledgement that this capability has not yet been adopted at scale. Therefore, it is expected that the original SCA check performed by the agent can be used by each supplier as proof of authentication in the short term. However, this will only be an interim solution, and all travel players should prepare for 3RI based on the 3DS 2 protocol as soon as possible.
Advice for handling ‘Multi-merchant’ scenarios:
Travel suppliers need to ensure that contracts with travel agents have been updated to enable the traveller to enter an MIT agreement.
Travel agents need to provide the MIT terms and conditions clearly at the time of booking.
Travel agents need to do an SCA check for the full amount of the package trip.
Travel agents and travel suppliers need to have upgraded to the 3DS 2 authentication standard so that the agent can perform separate 3RI (silent) authentications for each supplier involved in the booking.
Travel suppliers need to have assessed their payment flows to ensure API and technology partners can pass the required proof of authentication through the distribution chain.
This expert opinion is a continuation of another article on the topic of Strong Customer Authentication in travel payments, which examines how authentication works when the travel agency processes the payment as the Merchant of Record.
About Jean-Christophe Lacour
Jean-Christophe Lacour is head of merchant services where he has responsibility for the P&L, strategy and product portfolio for travel merchants. Prior to joining Amadeus, he held senior roles at Visa Europe. Jean-Christophe holds an MSc in Engineering (Computer Science and Electronics) from Tier 1 French university École Centrale de Marseille. He started his career at Gemalto. Connect with him on LinkedIn.
About Amadeus
Amadeus serves every part of the global travel ecosystem, processing payments for travel agencies, airlines, airports, ground handlers, hotel chains, rail operators, car rental companies, tour operators, travel insurance providers, and cruise and ferry operators in 192 countries. When looking to introduce SCA, you can download the new report provided by Amadeus to understand readiness levels across the industry.