
What is SCA (or strong customer authentication)?

Updated over 3 months ago

Major update of our first article on the subject of the SCA in September 2019.

Since 15 May 2021, following a decision by the European authorities, all European consumers have benefited from enhanced protection for purchases and bookings made via the internet (SCA). This new system inevitably has consequences for your online bookings. Here is a summary of the issues at stake and the solutions provided by elloha.

1) What is the SCA?

SCA (Strong Customer Authentication) is a new security protocol for online payments imposed by the European authorities. To put it plainly, from now on it will not be enough to give your bank card number (16 digits + date of validity + 3 CVV digits) in a secure area to finalise a booking. Customers will also have to enter a numerical code on their mobile phone and/or a fingerprint and/or a facial print (FaceID), as more and more mobile terminals allow. This is the principle of reinforced authentication.

This protocol goes further than 3DSecure, which involved retrieving a code from your mobile phone and entering it on the Internet to finalise your online payment. With SCA, customers will have to authenticate themselves a second time via their mobile phone, using either their fingerprint or their facial print. They will therefore have to use not one but two means of authentication.

Note: this new protocol only applies to payments over €30. Above this amount, the SCA may also benefit from special arrangements that the banks (of the cardholders, i.e. your customers' banks) will decide at their own level. It is therefore possible that a booking of more than €30 is not subject to the SCA protocol. In this case, everything will proceed as usual.

In other cases, without this reinforced authentication, the online purchase or booking may be rejected by your customer's bank, which could lead to significant losses in terms of turnover.

2) Why 15 May 2021?

Initially, the SCA was due to be implemented from 14 September 2019, but too few banks and payment systems were ready by that date. For this reason, the European authorities have postponed its final implementation until 15 May 2021. All the players had to comply, and Stripe and elloha have already done so, rest assured!

Some banks had already adopted the SCA protocol before 15 May 2021. It's worth pointing out that this adoption was haphazard (the banks didn't necessarily notify all the players in the chain). This may therefore have had an impact on some of your bookings.

3) What impact has this had on tourism businesses?

Let's say it straight out: for bookings of less than €30, there will be no impact because the SCA will not apply.

Another low-risk case: if your offers tend to be sold in prepaid mode, you shouldn't have to suffer from this new protocol. Why not? Because the customer will receive the SCA notification from their bank at the same time as they are finalising the booking (on your booking engine or with you, over the telephone). For them, the payment attempt they receive will be obvious and they will validate it. So you don't run the risk of being refused payment at that moment.

The number of cases of payment rejection can increase, however, when a customer books with you using postpaid for a sum of more than €30.

In general, you offer postpaid to facilitate certain "Book now, pay on arrival" bookings or where you have decided to collect part of the sum at the time of booking (e.g. 30% deposit) and the balance on arrival (or with an interim payment on arrival).

This means that your customer will receive an SCA notification each time you attempt to debit their card:

  • at the time of booking, for the deposit: as mentioned above, this shouldn't be a problem because the customer will be notified at the very moment they book with you. They will therefore know why they need to accept the SCA validation.

  • when you try to debit their card before they arrive: in this case, your customer may not remember that you had to debit them later. They may or may not see it, they may or may not link it in their head to the booking they made with you and ... if they don't remember, they may think it's an attempt at fraud and therefore reject your request for payment.

  • similarly, if you try to debit their bank card after they have left your premises: for good or bad reasons, your customer may decide to reject the payment when the SCA notification is sent by their bank to their mobile phone ...

In all these cases, apart from recontacting your customer and making an adjustment payment with them over the phone, you may find that you have no way of recovering the balance of your bookings.

You may also no longer have access to CVVs to enter them manually on your physical payment terminal: the customer's bank may no longer accept them as a means of securing payment.

4) How can you protect yourself?

To avoid these inconveniences (although there is no guarantee that this will always protect you, since, as we have seen, protocols and exceptions may vary from one bank to another), we have put in place several very practical solutions:

  • on the one hand, the possibility of selecting your payment methods (prepaid or postpaid) according to your offers and not at the level of all the offers on your elloha account: this will allow you to impose prepaid on the most "sensitive" offers and to leave the freedom of postpaid on the "less risky" offers. Find out more here

  • we have also rolled out a new e-mail system that notifies your customers as soon as you collect all or part of their booking. By being notified in this way, your customers will find it easier to accept the notification sent to them by their bank, as they will remember that it relates to their booking,

  • finally, thanks to our connection with Stripe, you benefit from a payment tracking system that tells the banks whether or not you are a 'reputable' merchant. The expression is a little exaggerated, but it is important for the SCA. Indeed, if Stripe (which sees all your transactions) notes that you have suffered few disputes from cardholders, it also asks the bank to allow you to benefit from an SCA exemption, even for amounts over €30. This waiver request is made in the space of a few thousandths of a second as you prepare to debit the customer's card.

Note: you must use Stripe as your payment method to benefit from this override request system (Read here to activate Stripe on your elloha account). Please note that the real-time override request is not systematic and Stripe's rating rules may change depending on the period and the operator. elloha therefore makes no undertaking that Stripe will systematically activate these override requests on your bank transactions. elloha also makes no undertaking with regard to other secure payment platforms such as Paybox or Payzen.

In conclusion

These changes, which came into force on 31 December (and which some banks are already applying without necessarily communicating about them), are likely to disrupt the business of tourism professionals.

For several months now, the elloha teams have been actively working on this issue in conjunction with our fintech partners, first and foremost Stripe (see video above). However, the subject is not technically simple because, as you can read in this article from yesterday's Les Echos, no one (from banks to technology platforms) is or will be ready at the same time.

As far as elloha is concerned, the technical developments are ready in terms of:

  • the ability to manage different payment methods (postpaid and prepaid) depending on your offers to limit your payment risks in line with your commercial offers,

  • the systematic sending (when the email is entered) of an alert message to your customers as soon as a "deferred" collection is in progress on their reservation file and/or their bank card (or when you have received their cheque, for example).
