– Concur Travel * Client Fact Sheet – Strong Customer Authentication (SCA): EU Directive on Payment Services (PSD2) September 17, 2021
Overview
Payment Services Directive (PSD2) is a European regulation for electronic payment services. It seeks to make payments more secure in Europe, boost innovation and help banking services adapt to new technologies. One major development in PSD2 is the introduction of new security requirements, what is known as Strong Customer Authentication (SCA).
SCA is a European requirement created to make online payments more secure. The directive requires that purchasers in certain online electronic transactions be authenticated using multi-factor techniques to increase the security and reduce fraud opportunities. It is up to each supplier and bank/card issuer to determine on a transaction by transaction basis whether this extra level of authentication is required.
Which Transactions are Affected?
SCA applies to online payments made in the European Economic area (the EU plus Norway, Iceland and Liechtenstein), as well as the UK in September 2021.
This includes bookings for all verticals (air, car, hotel, rail) as well as all sources (GDS, direct connect).
Are There Any Exemptions?
The following scenarios are out of scope, which means that SCA does not apply: • Non-card payments • Payments outside the EU • Inter-region payments (one leg out or OLO) – issuer/acquirer is not in the EU • Mail Order/Telephone Order (MOTO)
– Concur Travel * Client Fact Sheet – Strong Customer Authentication (SCA): EU Directive on Payment Services (PSD2) September 17, 2021 Page 1 of 9 The following scenarios are in scope, but are exempt from additional authentication: • Low value/low risk transactions (article 16) – under 30 EUR • “Trusted” merchants (article 13) – user must designate directly with their bank/card • Secure corporate payments (article 17)
♦ Ghost/Lodge cards
♦ Virtual cards
♦ Approved corporate cards*
*It is up to each issuing bank to determine whether they have authority to approve corporate cards. Not all will be exempt. Please check with your issuing bank to understand if your card program is exempt.
To date, SAP Concur has been advised the following schemes and banks will support the secure corporate payment exemption within Concur Travel: • American Express • CITI • Bank of America • Barclaycard
The following will not support a secure corporate payment exemption: • AirPlus
SAP Concur will continue to meet with issuers to determine whether they will support this exemption and update this list accordingly. If you do not see your issuer listed and can provide an update on their support, please open a support case to let us know who we can reach out to for verification.
When Does SCA Go into Effect?
SCA was scheduled to come into force on September 14, 2019, but the European Banking Authority (EBA) acknowledged doing so would adversely affect the region, given a widespread lack of preparedness. For all EU countries other than the UK, the deadline was December 31, 2020.
Specific to the UK, the deadline to decline non-SCA transactions has been extended again until March 14, 2022. Issuers and merchants will continue to enhance their SCA until then. However, after the extended deadline passes, penalties for merchants and issuers will be applied for not having this in place.
Travel and Hospitality Interim Solution (MOTO)
Currently, the Travel and Hospitality industry has been granted the ability to use MOTO as an “out of scope” exemption until the indirect sales channels are ready. This ensures there will be no disruption to users by way of declined charges, for the short term.
– Concur Travel * Client Fact Sheet – Strong Customer Authentication (SCA): EU Directive on Payment Services (PSD2) September 17, 2021 Page 2 of 9 What Should Customers Do?
Customers can manage SCA requirements in a variety of ways: • Review your form of payment policies and determine if changes are needed
♦ Corporate ghost/lodge cards do not require two-factor authentication
♦ Virtual cards via Conferma Pay do not require two-factor authentication
♦ Utilize agency invoice (non-card payments) where possible, which is out of scope for SCA
♦ Consider whether you allow personal cards to be used; personal cards will require two-factor authentication
♦ If using corporate cards, contact your card scheme; have they submitted for the Secure Corporate Payment (SCP) exemption? • Communicate to your travelers on the upcoming changes:
♦ Consider updating your Company Notes or using the Choose Credit Card custom text option to provide guidance.
♦ Communicate with travel arrangers directly. They may or may not be aware of these changes and will need to alert their travelers if they plan to book travel that may require two-factor authentication. • Arrangers and users alike will not be able to complete a booking without having received authorization, when SCA applies.
♦ Communicate with users directly:
• Consider listing frequent suppliers as “trusted” with their card company; this must be done by the individual user. • Ensure contact information is up to date with the card company, including mobile device. If they don’t have a valid mobile contact, the authorization requests are likely to fail.
Travel Arranger Bookings
Travel arrangers will be impacted by SCA. When SCA applies to a payment type, the card holder (not the arranger) is required to authenticate the transaction. Thus, only payment types that are out of scope or exempt from SCA will be available to the travel arranger.
Travel arrangers should review the payment options available to them and their travelers and ensure they have a payment option available that can be used.
– Concur Travel * Client Fact Sheet – Strong Customer Authentication (SCA): EU Directive on Payment Services (PSD2) September 17, 2021 Page 3 of 9 SCA by Segment Type and Source
AIR
TRAVELFUSION
Two-factor authentication is already in place for the airlines that support it. The airline industry is still in the process of implementing SCA and not every airline is ready yet.
SAP Concur has partnered with Travelfusion to deliver a Travelfusion-hosted solution for the following airlines: • EuroWings • EasyJet • Vueling
Travelfusion supports airline-hosted SCA for the following airlines: • British Airways • Cebu Pacific • Condor • Eastern Airways • FinnAir • Flynas • GoAir • Loganair Limited • Ryanair • Transavia • Volotea
For more information, refer to the Travelfusion Travel Service Guide.
SOUTHWEST AIRLINES
SCA is not applicable as Southwest Airlines is based in the United States and is not subject to PSD2 and SCA.
CLEARTRIP
SCA is not applicable as Cleartrip is based in the India and only uses deposit accounts as payment, which are not subject to PSD2 and SCA.
– Concur Travel * Client Fact Sheet – Strong Customer Authentication (SCA): EU Directive on Payment Services (PSD2) September 17, 2021 Page 4 of 9 GDS
Amadeus
SAP Concur will develop logic to determine if SCA applies to a GDS-sourced air booking and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
Travelport
For now, Travelport will process all GDS air transactions as MOTO (Mail Order/Telephone Order) and will not require Strong Customer Authentication. SAP Concur will develop logic to determine if SCA applies to a GDS-sourced air booking and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
Sabre
For now, Sabre will process all GDS air transactions as MOTO (Mail Order/Telephone Order) and will not require Strong Customer Authentication. If needed in the future, SAP Concur will develop logic to determine if SCA applies to a GDS-sourced air booking and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
RAIL
AMTRAK
SCA not applicable as Amtrak is based in the United States and is not subject to PSD2 and SCA.
VIA RAIL
SCA not applicable as Via Rail is based in Canada and is not subject to PSD2 and SCA.
TRAINLINE
Trainline have announced they will be sunsetting their hosted SCA solution this month. Based on this, SAP Concur will develop logic to determine if SCA applies to Trainline bookings and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
For more information, refer to the Trainline Direct Connect Travel Service Guide.
EVOLVI
Once the user selects a train, the user is redirected to the Evolvi site. Evolvi will determine whether SCA applies to the booking and facilitate the process.
For more information, refer to the Evolvi Direct Connect Travel Service Guide.
– Concur Travel * Client Fact Sheet – Strong Customer Authentication (SCA): EU Directive on Payment Services (PSD2) September 17, 2021 Page 5 of 9 SNCF
For SNCF content sourced from Sabre, agency invoice is the only option supported to bill for SNCF tickets, which does not require SCA.
For SNCF content sourced from Amadeus, customers have the choice between credit card payment and agency invoice. Agency invoice does not require SCA. For customers using credit card payment, SAP Concur will work with Amadeus to develop logic to determine if SCA applies, and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
For more information, refer to the SNCF Direct Connect Travel Service Guide.
DEUTSCHE BAHN BIBE
Once the user selects a train, the user is redirected to the Deutsche Bahn BIBE site. Deutsche Bahn BIBE will determine whether SCA applies to the booking and facilitate the process.
For more information, refer to the BIBE Direct Connect Travel Service Guide.
SILVERRAIL
SAP Concur is evaluating different solutions for SilverRail ticketing. Details will be communicated via release notes when ready.
For more information, refer to the SilverRail Direct Connect Travel Service Guide.
RENFE
SAP Concur recommends that clients do not allow use of personal credit cards (only use ghost/lodge cards) as Renfe does not currently support SCA.
HOTEL
AIRBNB
Once the user selects a property, the user is redirected to the Airbnb site. Once Airbnb provides their plans for SCA, we will update the TSG accordingly.
For more information, refer to the Airbnb Direct Connect Travel Service Guide.
HRS
SAP Concur will develop logic to determine if SCA applies to HRS hotel bookings and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
For more information, refer to the HRS Direct Connect Travel Service Guide.
– Concur Travel * Client Fact Sheet – Strong Customer Authentication (SCA): EU Directive on Payment Services (PSD2) September 17, 2021 Page 6 of 9 CUSTOM HOTEL SOURCES
SAP Concur will develop logic to determine if SCA applies to Custom Hotel Source hotel bookings and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
For more information, refer to the Custom Hotel Sourcing Direct Connect Travel Service Guide.
HOTEL SERVICE V2
SAP Concur will develop logic to determine if SCA applies to Hotel Service bookings and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
For more information, refer to the Hotel Service Content Providers Direct Connect Travel Service Guide.
HOTEL SERVICE V1 SAP Concur is evaluating plans for Hotel Service v1. Details will be communicated when final decision is made.
For more information, refer to the Hotel Service Content Providers Direct Connect Travel Service Guide.
GDS
Amadeus
SAP Concur will develop logic to determine if SCA applies to GDS-sourced hotel bookings and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
Travelport
For now, Travelport will identify all GDS hotel transactions that are truly MOTO (Mail Order/Telephone Order) and will not initially require Strong Customer Authentication. Travelport will pass the MOTO flags along to supply partners and merchants
SAP Concur will develop logic to determine if SCA applies to GDS-sourced hotel bookings and facilitate two-factor authentication if required. Travelport will enable SAP Concur to pass the SAP Concur-collected two-factor authentication details to hotel partners. Details will be communicated in the Concur Travel release notes when available.
Sabre
Sabre will provide new APIs to support SCA when booking lodging. SAP Concur will develop logic to determine if SCA applies to GDS-sourced hotel bookings and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
– Concur Travel * Client Fact Sheet – Strong Customer Authentication (SCA): EU Directive on Payment Services (PSD2) September 17, 2021 Page 7 of 9 CAR
SIXT DIRECT CONNECT
SAP Concur will develop logic to determine if SCA applies to Sixt car bookings and if so, facilitate the two-factor authentication. Until this is delivered, Sixt will submit bookings as MOTO. Details will be communicated via release notes when ready.
For more information, refer to the Sixt Direct Connect Travel Service Guide.
HERTZ DIRECT CONNECT
SAP Concur will develop logic to determine if SCA applies to Hertz car bookings and if so, facilitate the two-factor authentication. Until this is delivered, Hertz will submit bookings as MOTO. Details will be communicated via release notes when ready.
For more information, refer to the Hertz Direct Connect Travel Service Guide.
GDS
Amadeus
SAP Concur will develop logic to determine if SCA applies to GDS-sourced car bookings and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
Travelport
For now, Travelport will process all GDS car transactions as MOTO (Mail Order/Telephone Order) and will not require Strong Customer Authentication. SAP Concur will develop logic to determine if SCA applies to GDS-sourced car bookings and if so, facilitate the two-factor authentication. Details will be communicated via release notes when ready.
Sabre
Sabre is planning to enhance its agency and supplier facing APIs to accommodate PSD2 SCA requirements in the second half of 2021. SAP Concur will develop logic to determine if SCA applies to GDS-sourced car bookings and if so, facilitate the two- factor authentication. Details will be communicated via release notes when ready.
– Concur Travel * Client Fact Sheet – Strong Customer Authentication (SCA): EU Directive on Payment Services (PSD2) September 17, 2021 Page 8 of 9 Revision History
Date Notes / Comments / Changes
September 17, 2021 Removed previous highlighting; updated SCA by Segment Type and Source > Air > Travelfusion
September 3, 2021 Removed previous highlighting; updated Trainline section
May 27, 2021 Removed previous highlighting; new updates throughout and highlighted
May 11, 2021 Updates throughout and highlighted
March 3, 2021 Updates throughout and highlighted
January 15, 2021 Updated Rail information under SCA by Segment Type and Source
January 14, 2021 Updates throughout
November 13, 2020 Updated When Does SCA Go Into Effect section
November 10, 2020 Updates to Which Transactions are Affected, Are There Any Exemptions and What Should Customers Do sections
November 9, 2020 Correction to Via Rail information
October 19, 2020 Updated to current understanding
September 20, 2019 Updated What Should Customers Do section
September 6, 2019 First draft
– Concur Travel * Client Fact Sheet – Strong Customer Authentication (SCA): EU Directive on Payment Services (PSD2) September 17, 2021 Page 9 of 9