SuperControl guide to PSD2
What is PSD2 / SCA / 3DS
On 14 September 2019, new legislation called Payment Service Directive 2 (PSD2) will come into effect – aiming to reduce fraud and make online payments more secure. This means that when charging (or authorising) a card that is not physically present, or when charging cards remotely, you’ll have to perform Strong Customer Authentication (SCA).
This new level of security involves improvements to 3D security (3DS). 3D security has been in place for years; it is the part of the online checkout process where you sometimes must enter a password in a small window served directly by your bank. With these changes you will sometimes be asked for an additional security step, usually a code sent to your phone by SMS.
Which SuperControl clients are affected?
These changes only impact SuperControl clients using Opayo (Sage Pay), Trust Payments (Secure Trading) and HolidayRentPayment. We integrate with some other payment processors, like PayPal and WorldPay, but these payments are processed outside SuperControl.
Postponement of PSD2
Recently the Financial Conduct Authority (FCA) issued a notice that PSD2 will be postponed in the UK for 18 months. This article from the FCA explains further: https://www.fca.org.uk/news/press-releases/fca-agrees-plan-phased-implementation-strong-customer-authentication
Whilst the FCA has announced this, it is still unclear what effect this will have across the EU, since this is an EU directive.
The FCA statement indicates that they won’t be taking any enforcement action against firms if they don’t meet the relevant requirements by September 14. This doesn’t mean that PSD2 is postponed and it is possible that there will be a higher rate of declined cards after the deadline, so you might get a handful of failed payments (card payments from guests from Denmark and Sweden are especially likely to fail because these are the only countries in Europe that haven't delayed the new regulations).
We are working closely with our partners to get current information. Some partners have been quite late in delivering specifications for any required updates, making it impossible to implement by the deadline. We plan to have all the changes in place by the end of the year.
How payments are processed in SuperControl
There are three categories of payments processed in SuperControl.
Online bookings and payments taken via the payment form
These are payments where the guest directly inputs their own card. Changes here depend on which payment processor you are using:
Opayo (Sage Pay)
Opayo (Sage Pay) provided a detailed specification well ahead of time. We have implemented these changes and they will go live in advance of the 14 September deadline. These payments should be compatible with PSD2 from 14 September 2019.
Trust Payments (Secure Trading)
Our existing Secure Trading integration already includes a full 3D secure flow. We have only recently been provided the updated specification for their new version of 3D secure. The spec requires a total re-design of the payment flow. We will not have time to implement this by 14 September but will aim to do so by the end of the year.
We are working closely with Trust Payments (Secure Trading) to understand the implications.
Unlike our other two integrated payment processors, HolidayRentPayment has never required 3D security. They have recently provided their specification which requires a significant development project to implement. We aim to complete this before the end of the year.
Within the SuperControl login you can process telephone payments. Telephone payments are excluded from the PSD2 regulations.
Booking.com, Expedia and HomeAway send us card details directly which we process behind the scenes. So, the guest has entered their own card on the channel, but we process it without any further input from the cardholder.
HomeAway has made a change to their system so that the guest will go through the relevant 3DS checks at the time of booking. They will then send us the results of these checks as secure tokens when they provide the card details. We can then use these results when we process the payment, meaning that these transactions will comply with PSD2.
Trust Payments (Secure Trading) and HolidayRentPayment can accept these 3DS tokens. Opayo (Sage Pay) currently cannot.
Most SuperControl clients are configured to accept direct payments from Booking.com. They send us the card details, which we process at the time of booking. Booking.com will not be adding 3DS checks for these payments, so from 14 September it is possible that some payments may fail.
Booking.com also offers their own payments service. The guest enters their card at the time of booking and goes through the relevant 3DS checks. Booking.com take the funds from the guest’s card and transfer them to a “virtual credit card”. This is a single-use card which is only available for the value of the transaction.
Virtual cards are a very secure way of handling payments and totally compliant with PSD2. Even if you only accept Visa and MasterCard payments, you will also benefit from a huge range of payment types in global markets.
You can find out more about “payments from Booking.com”, and how you can enable it in your account, here:
There are three considerations regarding the virtual card service from Booking.com:
- Virtual cards are typically charged at the highest corporate rate, meaning that your processing fees will be higher.
- Booking.com charge 2-3% for each virtual card transaction. More information about charges in their help centre: https://partner.booking.com/en-gb/help/policies-payments/faq-payments#link-9.
- If you want to take payment in advance of arrival you must ensure that your Booking.com policies allow for a deposit at the time of booking. Otherwise, we won’t be able to charge the virtual card until the arrival date. Because we don’t store card details in SuperControl, if we cannot process a deposit, we won’t be able to process any payment for the booking.
Like Booking.com, Expedia’s solution to PSD2 is to use virtual cards, known as Expedia Collect. The key difference is that it isn’t possible to charge the virtual card until arrival. This means that Expedia virtual cards must be processed manually.
Most integrated clients are already on the Expedia Collect model and will therefore be PSD2 compliant.
For clients who are on the Hotel / Property Collect model, Expedia will continue to send card details, but they will not have gone through 3DS checks.
Watch the video
SuperControl's Product Director and Co-founder, Robert Kennedy, explains exactly where we are as of 1 September 2019 in this video (it is 26 minutes long):