Strong Customer Authentication in travel payments: what happens when the travel agent processes the payment?

To be a Merchant of Record means that a travel player, such as a travel agency, is legally authorised to process the payment and therefore assumes responsibility for collecting money from the traveller and performing the SCA check. The Merchant of Record, or travel agency in this case, then makes B2B payment(s) to settle with all the other travel supplier(s) in the chain, such as an airline or hotel. It is the travel agency that manages the payment process directly, rather than each individual travel supplier. 

Imagine a traveller is booking a hotel stay from an online travel agency (OTA). After they have found the right room, for the right price, they proceed to the payment stage. 

Here, we might encounter the concept of a Merchant Initiated Transaction (MIT), for example, the traveller may be paying for the trip in instalments or there could be a cancellation fee, so the OTA may  need to charge the card again in the future, without the traveller being present. Therefore, if the OTA intends to charge the card without the traveller present (a MIT), it needs to clearly provide terms and conditions at the time of booking, as well as collect proof that the traveller has consented to this agreement. 

In this scenario, the OTA conducts an SCA check using a One Time Passcode (OTP) sent to the traveller’s phone to authenticate them as the rightful cardholder. However, unlike the ‘pass-through’ model, the OTA does not handover to the hotel, instead it processes the entire payment itself. 

So, once the traveller has passed authentication, the OTA performs payment authorisation with its own acquiring bank – and so the process of obtaining funds from the traveller’s bank takes place, without the hotel being involved in the process. 

Within this authorisation process, the OTA should include the new SCA data elements obtained during the SCA check. These include: 

• Transaction ID (showing it is an MIT transaction);

• Electronic Commerce Indicator (proves SCA was successful);

• A cryptogram (proves to the card scheme that the customer’s card can be processed).

Now that the OTA has collected the payment from the traveller it must settle with the hotel, requiring a B2B payment. Here, there are often advantages (virtual cards are typically created for a single amount, for use with a specific merchant, which means they carry significantly lower fraud exposure than a lodge or consumer card) should the OTA use a virtual card product to pay the hotel, given that virtual cards sometimes benefit from the Secure Corporate Payment exemption provided for under CA in many jurisdictions (the Secure Corporate Payment exemption recognises that some payments are inherently more secure because they begin in a secure corporate environment – e.g. within secure booking systems that are protected by security procedures and so SCA is not required). However, it is important for travel firms to check that issuers and local regulators support this exemption because it is not always the case. If the issuer and regulator do support the exemption, then the card issuing bank is able to recognise a virtual card based on the BIN range (the first six digits of the card number) and will be able to apply the Secure Corporate Payment exemption.

If the OTA were to pay the hotel using a traditional consumer card product (assigned to an individual at the OTA) then a further SCA check would need to be performed at this point with that individual. This is one reason why Amadeus advocates virtual card-based supplier payments.

For any ‘on-trip’ payments, the hotel front desk would need to take details of a card held by the traveller, in order to cover any incidentals like meals or the mini bar as it is impractical for the OTA to handle these payments. For travel companies planning to use the Merchant of Record model, here is a quick checklist:

• travel agents need to provide MIT terms and conditions clearly at time of booking;

• ensure new payment data is included in the payment authorisation process;

• consider upgrading supplier payments to virtual cards to ease the SCA burden when settling with suppliers;

• travel suppliers need to ask for the traveller’s card details at check-in to cover any on-trip spend, which are processed as separate payments.

This expert opinion is followed by another article on the topic of Strong Customer Authentication in travel payments, which examines what happens when the booking includes products from multiple travel suppliers.

About Alessandro Monge

About Amadeus