29 Aug 2019

New rules to reduce fraud in consumer card payments

You may have seen recent media coverage of new rules relating to consumer card payments that will enter into force from 14 September 2019, called Strong Customer Authentication (SCA). This is part of the EU’s Payment Services Directive (PSD2), which was originally introduced in January 2018.
 
The latest security provisions are designed to reduce fraud levels, especially in online card payments, by enhancing checks on consumers’ transactions and introducing a two-stage verification process. The second stage requires consumers to enter two further forms of identification to confirm card payments. For example, the customer may need to enter a code that has been sent to their phone or use fingerprint authentication via their mobile banking app, if they have one.
 
It is important to familiarise yourself with these changes, as there is a risk of disruption to online payments if necessary steps aren’t taken. 
 
Earlier this summer, ABTA issued a briefing for Members and, if you have not done so already, we advise you to speak to your Payment Service Provider (PSP – otherwise known as your merchant acquirer) to check everything is in place to mitigate the risk of payments disruption. This is because there are some concerns that the payments industry across Europe has been slow to adopt the necessary technology to adapt to these changes.
 
In the short term, there is some good news: as a result of concerns raised by organisations such as ABTA, and lobbying activity by the banking trade body UK Finance, the Financial Conduct Authority (FCA) recently confirmed that there will be a certain amount of flexibility before the rules are actively enforced. This should mean that travel businesses have a minimum of 18 months extra to fully prepare. However, it’s important that you check with your PSP that they are ready now. ABTA will continue to work with UK Finance, the FCA, and other stakeholders to influence next steps.
 
The new rules will apply when the cardholder’s bank (issuer) and Payment Service Provider (acquirer) are both registered in the EEA, although there are some general exemptions including telephone and mail order transactions. For more detail and useful links please revisit our briefing, which can be found here.

Mark Tanzer, Chief Executive