Airlines have “no excuse” for missing new PSD2 deadline

There is no excuse for airlines not to have their core strong customer authentication (SCA) technology in place in 15 months, says Amadeus’s head of merchant services Jean-Christophe Lacour, on the side lines of the Amadeus Future of Airline Payments Conference in Madrid yesterday.

While the industry may be facing complex use cases that could warrant more time to migrate fully to SCA, organisations need to prove they are trying, according to Lacour.

“It is difficult to ask for yet another extension” when an organisation is at the start of its SCA migration, says Lacour. “You look at 100 percent [SCA migration], so if you can secure 90 percent of it, then maybe for 10 percent you can say you’ve been good, and maybe that’s ok.” But Lacour questions the need for further extensions of the second Payment Services Directive (PSD2).

A joint industry letter dated September 13 – one day before the original PSD2 deadline – was sent to the European Banking Authority requesting an extension period of 18 months for full SCA integration. Eight organisations, including Mastercard, Visa, and Ecommerce Europe, recommended the new migration date of March 2021. Another letter dated September 18 requested an even longer adoption period of 36 months for specific cases, including for the travel and hospitality sector. The EBA chose December 31, 2020 as the deadline.

Lacour says Amadeus had to remain neutral on the letters’ extension requests.

“What we decided to do is to remain neutral. We did not speak in favour of or against it because obviously a lot of the signatories are customers of ours … but the truth is it was difficult for us to support extending for that long.”

“As an airline, what you have to remember is they have lots of environments. They have the customer website, the consumer website – that’s relatively easy, like any other website. There’s no excuse. You plug a 3DS solution, and you make it work.”

Other environments such as those at airports are more complex, according to Lacour. For example, the majority of airports are equipped with keyboards with a magstripe reader, and such face-to-face transactions are not authorised by PSD2.

“I think the schemes – and they won’t say that publicly which is fair enough – [they] also informed their issuers and told them: ‘don’t do anything stupid on some transactions, because it makes no sense from a business standpoint’,” says Lacour about magstripe transactions in airports.

“I think 15 months extra is not bad. It probably won’t be enough to solve all the complex traveller cases, but if we talk about a website for an airline, for me there is no reason why they can’t do it.”

In the travel industry, issuers and acquirers have typically held off on adopting new technology or regulations by waiting for the other party to start first.

“What we have to hope is that the schemes find the right incentives for that chicken and egg game to work quite quickly.”

“I think schemes have to play their part by ensuring that issuers and acquirers adopt as quickly as possible. Once you have that, then as a retailer it’s a little bit easier, because at least you know that the main parties are participating. Then you can focus on your own environment.”

Related reading