Strong Customer Authentication will transform online card purchases from September, but even at this late stage it remains unclear how corporate payments will be affected
Do you have 14 September ringed in red on your calendar? If not, it’s time to reach for your marker pen. A financial crisis started in the UK on 14 September 2007 with a run on Northern Rock, the first in this country for 150 years. This year, 14 September could trigger a minor crisis for travel managers unless they prepare, because that’s the day Strong Customer Authentication (SCA) becomes mandatory in the European Economic Area (the EU plus Norway, Iceland and Liechtenstein, as any pub quiz anorak will tell you).
SCA is a requirement to provide secondary verification for online card payments, such as entering a PIN texted to a cardholder’s phone, or biometric identification. I covered this subject in the Corporate Cards and Payments 2019 supplement accompanying BBT’s May/June issue. So why am I bringing it up again? Because, at the time of writing, there has been minimal communication from travel management and payment companies about how SCA could affect many corporate travel programmes.
Admins will no longer be able to pay for online bookings by entering their travellers’ corporate card details
The inactivity is understandable because no one is sure precisely how business travel payments will be affected. SCA was designed primarily to reduce consumer card fraud but it has generated unintended consequences for corporate travel that have not yet been fully mitigated. The unknowns include:
- National regulators could interpret the rules slightly differently, especially a vaguely worded exemption for “secure corporate payment processes and protocols”.
- Each issuer must then decide how to follow those rules – for example, will they deem plastic corporate cards subject to SCA in all circumstances?
- In the UK, the regulator has said virtual and lodge cards are “potentially” exempt from SCA, but issuers can’t be sure until they receive an official response to their exemption application.
- There is uncertainty around the extent to which plastic corporate cards for transactions through TMCs and corporate booking tools are exempted.
- There is even speculation that texting PINs to cardholders’ phones may be considered an unacceptable authentication method in some EU countries.
I read advice about SCA sent out by one issuer late last year and some of it looked plain wrong to me, so you can understand the reluctance by others to commit themselves.
In spite of these many uncertainties, some action points are already clear. There is little doubt your business will have to change its payment arrangements whenever the booker and payer are not one and the same person. If, for example, a corporate card is used to pay for online bookings for more than one person, that will likely have to stop. Likewise admins will no longer be able to pay for online bookings by entering their travellers’ corporate card details.
It’s also fairly clear that virtual and lodge cards will attract SCA less than anything paid for with plastic. So be aware change is coming and knock urgently on the doors of your Travel Management Company: An agency which manages business travel for a company. and card provider to ask what prep you should be doing.
The frequent flyer freebie
I was very interested to read that in October Qantas will fly an Airbus A380 from Melbourne to Tokyo bookable only using mileage redemptions on its frequent-flyer scheme. I don’t know how much it costs the airline to fly 484 people all that way for no fare (although there is speculation it’s an otherwise empty leg to collect punters returning from the Japanese Grand Prix), but I do know Qantas isn’t a charity. Since many of the 484 passengers accumulated their mileage through flights paid for by their employers, it’s Qantas’s corporate clients who indirectly ponied up for much of that 10h 25min trip on a superjumbo.