One of the most important changes affecting online reservations comes from the European regulation PSD2. PSD2 came into force on January 1, 2021, requiring hotels in Europe to adapt their payment collection process to the new regulation.
But what is it and why is it affecting the hotel industry?
PSD2 was created to make online payments more secure and to better protect users. One of the most important parts of this legislation is the so-called SCA (Strong Customer Authentication). SCA states that to approve an online payment, the credit card provider (VISA, Mastercard, etc.) needs to receive 2 of the 3 possible types of authentication:
Something you know – for example, the PIN
Something you have – for example, the card or mobile phone
Something you "are" – for example your fingerprint
Whereas in the past you could charge a card with only one type of authentication (something you know – credit card details), with SCA that is no longer enough: the cardholder must authenticate their card with a second method at the time of payment. For the hotel industry this can be a challenge in many situations, such as when you have to make advance charges or charge cancellation costs without the customer present.
PSD2 is a European regulation on electronic payment services. Its objective is to increase the security of payments in Europe, promote innovation and encourage the adaptation of banking services to new technologies. It shows once again the importance that APIs (Application Programming Interfaces) are acquiring in different financial sectors.
1. What is PSD2?
It all started in 2007, with the first Payment Service Providers Directive (PSD), with the aim of contributing to the development of a single payments market in the European Union, and thus promoting innovation, competition and efficiency in EU territory.
In 2013, the European Commission proposed a revision (hence the '2' of PSD2), which aimed to deepen these objectives. It aims to improve consumer protection, boost competition and innovation in the sector, and strengthen security in the payments market, which is expected to favor the emergence of new payment methods and e-commerce.
2. What are the main novelties?
The changes will have multiple implications, many probably still unknown, but the one that is making the most noise is the opening by banks of their payment services to third-party companies, the so-called TPPs (Third Party Payment Service Providers).
PSD2 regulates and harmonizes two classes of services that already existed when the first PSD was adopted in 2007 but have become popular in recent years: on the one hand payment initiation services (PIS) and on the other account information services (AIS).
The Account Information Service (AIS) consists of collecting and storing the information of the different bank accounts of a client in one place, allowing customers to have a global vision of their financial situation and easily analyze their expenses and their financial needs.
On the other hand, in the payment initiation service (PIS), third-party providers facilitate the use of online banking to make payments online. These services help initiate a payment from the consumer's account to the merchant's account by creating a "bridge" interface between both accounts, filling in the information necessary for the transfer (transaction amount, account number, message) and informing the merchant of the start of the transaction. Likewise, the PSD2 also allows the client to make payments to third parties from the application of a bank using any of its accounts (whether or not they belong to that entity).
Until now, TPPs faced multiple obstacles that prevented them from offering their solutions on a large scale in the different states of the European Union. By removing these barriers, greater competition is expected with the entry of new players and the generalization of the provision of these services by existing actors. In return, TPPs will have to comply with the same rules as traditional payment service providers: registration, authorization and supervision by competent authorities.
The other big news of PSD2 is the introduction of new security requirements, which is known as Strong Customer Authentication (SCA). This involves the use of two-factor authentication in banking operations that previously did not require it, including payments and access to online accounts or through apps, as well as a stricter definition of what can serve as an authentication factor.
Continuing with the example of online shopping, customers will perceive changes in the way they authorize their purchases, mainly in the authentication factors they use, because strong authentication has become the default security level and the information printed on the card (number, expiration and CVV) has ceased to be a valid factor for authentication.
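The two-of-three rule and the exclusion of printed card data can be expressed as a small decision function. This is an added example, not code from any bank or payment provider; the element names, the ScaDecision type and the low_risk_exempt flag (standing in for the low-risk exemption the regulation allows) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# The three categories named in the article. The element names on the
# left are constructed for this example, not taken from any real API.
CATEGORY = {
    "pin": "knowledge",
    "password": "knowledge",
    "chip_card": "possession",
    "phone_otp": "possession",
    "fingerprint": "inherence",
}
# Data printed on the card: per the article, no longer a valid factor.
PRINTED_CARD_DATA = {"card_number", "expiry", "cvv"}


@dataclass
class ScaDecision:
    approved: bool
    categories: set = field(default_factory=set)
    ignored: list = field(default_factory=list)
    reason: str = ""


def evaluate_sca(elements, low_risk_exempt=False):
    """Check presented elements against the two-of-three SCA rule."""
    categories, ignored = set(), []
    for element in elements:
        if element in PRINTED_CARD_DATA or element not in CATEGORY:
            ignored.append(element)  # does not count toward SCA
        else:
            categories.add(CATEGORY[element])
    if len(categories) >= 2:
        return ScaDecision(True, categories, ignored, "two distinct categories")
    if low_risk_exempt:
        # Assumption: the exemption is decided elsewhere and passed in.
        return ScaDecision(True, categories, ignored, "low-risk exemption")
    return ScaDecision(False, categories, ignored,
                       f"only {len(categories)} valid category(ies)")


if __name__ == "__main__":
    # Constructed sample payments.
    for sample in (["card_number", "expiry", "cvv"],
                   ["pin", "password"],
                   ["cvv", "phone_otp", "fingerprint"]):
        print(sample, "->", evaluate_sca(sample))
```

Note that a PIN plus a password is rejected: both belong to the same category, so they count as one factor.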
3. How does the new regulation take shape in practice?
In the area of security, banks have had to update the authentication elements they provide to their customers, replacing coordinate cards or 'tokens' with mobile messages or more advanced tokens, for example.
In addition, they have had to develop systems and processes that allow the bank to make use of the exemptions from strong authentication that the regulation permits for transactions whose risk level is considered low.
As for TPP access, as José Manuel de la Chica, Venture Solutions Architect at New Digital Business at BBVA, explained in 2016, "although PSD2 never expressly mentions APIs, most of us professionals in the technology and financial sectors take it for granted that APIs will be the technical means that allow banks to comply with what the regulation establishes". However, this expectation has not yet fully materialized, owing to the delay in the publication of the regulatory technical standards by the authorities and the ongoing debate among the various market players, which has delayed the creation of common standards and protocols.
In any case, regardless of the technical mechanism developed, PSD2 already makes it possible for consumers to authorize a third party to aggregate financial information on their behalf and execute payments on their behalf through their bank account.
4. And all this, by when?
Although there have been several delays in the development of the standard, due to the delay in the transposition of the directive into Spanish regulations and the delay of the European Banking Authority (EBA) in specifying the technical standards that regulate third-party access and strong authentication, PSD2 has entered into force progressively since January 2018.
However, the main regulatory milestone has been the entry into force of the authentication and access obligations of third parties on September 14, 2019.
That said, not all of these technical requirements have entered into force yet. Given the possible negative impact that the entry into force of PSD2 could have on electronic commerce, financial institutions will have an additional transitional period, whose maximum duration the EBA has set at December 31, 2020.