As last year’s implementation of GDPR recently illustrated, regulation changes worldwide can significantly impact travel programs, and global programs, in particular, need to be aware of and ahead of key changes. Upcoming in September 2019, two-factor credit card authorization becomes mandatory for credit cards issued in Europe.
From a travel perspective, the key to this change in credit card authorization is its potential impact on corporate travelers — and how to manage and minimize that impact.
New Credit Card Authorization Security Changes
The new credit card authorization security measures, called Strong Customer Authentication (SCA), take effect September 14, 2019, across the EEA: the European Union, Norway, Iceland and Liechtenstein. The intent of SCA is to combat credit card fraud, the new authorization requirements mirroring, in the electronic space, two-factor authentication already required for physical card payments, i.e., chip and PIN. Online payments over thirty euros will need to be validated with an additional form of authentication, such as PIN, card/phone, a fingerprint.
In the corporate travel space, where the individual making the booking, whether agent or admin, may not be the corporate traveler him/herself, SCA has significant potential impact. TMCs, GDS providers, and the card industry are all looking at ways to minimize impact.
The intent is for corporate payments to be exempt; SCA includes a provision for “secure corporate payment processes and protocols”, and as such, no SCA is required for corporate payments provided certain equivalent security thresholds are met. However, what these thresholds are will be set by each individual country/EU member state impacted, meaning these regulations could differ by country. The reality of to what extent corporate travel will be affected remains to be seen.
Lodge cards, virtual cards and corporate cards with corporate pay should have immunity; GDS bookings are also expected to escape the requirement for SCA’s additional credit card authorization though this has not yet been firmly guaranteed.
From a travel program perspective, the current conversation on credit card authorization impact to corporate travelers should focus on the potential issues with plastic cards and TMC transactions not via the GDS. If not already aware of the presence and extent of both aspects in your program, now is the time for an audit of your company’s travel payment methods and transaction methods.
If your travel program has presence in any of the EEA States, now is the time to take action. For any travel not booked and paid for by the traveler, consider switching to lodge and/or virtual cards, or, if you do not have a virtual card in place, particularly in the months where the extent of SCA enforcement is first being explored and flexed, consider a credit card RFP that includes SCA preparation as an item of consideration. Review leakage if possible to determine what transactions could be going through the GDS or on a virtual card instead, and hold a conversation with your TMC how existing non-GDS transactions, such as booking on websites on a traveler’s behalf should a particular rate not be available on the GDS, as with particular low-cost carriers, will be conducted in post-SCA world.
How KesselRun Can Help Your Company
KesselRun offers an experienced hand driving a payment or transaction audit, credit card RFP, or even complete management of your TMC/card provider/other vendor relationships, as well as should you have any questions on the travel industry’s current SCA expectations and readiness. As a reminder, we also offer CapTrav as a tool to capture leakage and bring all corporate travel spending power into your travel program. As well, should you need assistance with traveler communication or strategy in the coming change, consult with KesselRun: our goal, as with any industry shakeup, is to keep our clients’ corporate travelers’ experience running as smoothly and seamlessly as possible.