The Science Of Fear: A Politically Incorrect Reflection On Strong Customer Authentication

OF CREDIT CARDS AND AVAILABILITY HEURISTIC

Between November 2017 and January 2018, Chinese smartphone manufacturer OnePlus suffered a major security breach, allowing hackers to steal credit cards data from over 40,000 customers. According to the company, "a malicious script was injected into the payment page code to sniff out credit card info". Unfortunately, I was amongst the affected customers, and it took me a few months and a lot of paperwork to finally get back the money fraudulently spent on my card.

I had my first card twenty years ago and, except for the abovementioned incident, I concluded around 5,000 uneventful purchases. In my life as a credit card user, therefore, fraud only had an incidence of 0.02%. The odds of being struck by lightning are twice as much and, as I don't make a fuss about the lack of more severe regulations on electric discharge, I try not to panic about events for which the occurrence is statistically irrelevant.

That being said, if the day after the OnePlus' breach you would have asked me if I wished for a more secure payment system I would have likely said yes. APA Dictionary of Psychology defines this particular cognitive bias as availability heuristic: when information "is highly available in memory [it] leads people to believe that those kinds of events are more probable than they actually are". It's our (human) tendency to overestimate the odds of certain events happening, simply because they recently happened to us or to someone we do know.

But, if you would ask me the same question almost two years from that incident, would I give the same answer? I doubt it. The memory faded and I can see the event for what it was: statistically irrelevant. "We are the healthiest, wealthiest, and longest-lived people in history", wrote Daniel Gardner in his seminal book The Science of Fear, yet "we are increasingly afraid". And this paradox is particularly evident in the way the new EU online payment regulation, effective in just two months, was designed.

YOU KNOW, YOU OWN, YOU ARE: FROM CVV TO BIOMETRICS

If you have no idea what I am talking about, you are not alone: it is estimated that less than 5% of merchants today are aware of this regulation created to "enhance the security of payment transactions and the protection of consumer data"
.

At a first look, the Revised Payment Service Directive (PSD2 for short) seems like the proverbial manna from Heaven, yet the regulation could ultimately doom the end-users experience with (superfluous) extra levels of friction. And PSD2 could be particularly damaging for our industry: according to a recent ValuePenguin study, in fact, almost half of all online credit card purchases are made on travel websites, meaning around 50,000 online transactions every single minute. Prerogative of these transactions is their immateriality: when travelers purchase a flight online, for instance, they don't have to physically present their credit card to the airline company, they simply type its numbers on an online form. And, here, is where things get complicated.

An essential requirement for PS2D compliance is the adoption of the Strong Customer Authentication (SCA) for (with few exceptions) all online transactions. For a purchase to be authorized, under PS2D, two out of three different types of authentication methods are needed, namely knowledge, possession and inherence. A password or a pin are typical examples of knowledge: they are something the traveler "knows". Possession, on the other hand, is something the traveler "owns" like a phone or a token. Inherence takes the Frommian's highway, as it refers to something that travelers "are": their voices, fingerprints, faces, etc. In a word: biometrics.

Starting from September, if you're not able to fulfill two out of these three requirements, you won't be able to shop online, period. What about that funny three-digit number on the back of your card? Or SMS' authorization? These methods won't do the trick any longer.

SCA COULD BE THE END OF DIRECT BOOKINGS
According to Vendorcom's Chairman, Paul Rodgers, because of SCA up to "30% of transactions could be declined". In our industry, where guests' cash-back requests for no-shows or late cancellations are the norm, the risk increases exponentially.

We all like to think of humans as fundamentally good, but assuming that guests will voluntarily authorize that first-night-penalty charge on their card is pure naivete. To make things more complicated, the authentication only lasts for 90 days, so hotels with longer booking windows will have to acquire multiple authentications for the same reservation, adding up human work, errors, and frustration.

Now, wouldn't it be great if you could just pass this heavy burden to somebody else? You may be want to be careful with what you wish for, especially if you (still) care for direct bookings: it is not so far-fetched, in fact, that OTAs will eventually jump in the merchant game, gathering guest authentications on hotels' behalf. With this premise, virtual cards' adoption by OTAs take a whole new (sinister) meaning. At some point, OTAs will have to reinvent themselves, we all know that, and (personally) I keep betting on the SaaS model: offering SCA processing would be the perfect addition to services such as AppSuite or REV+, and hotels will be locked up for good in a vicious circle of dependency. With SCA, moreover, travelers will very likely prefer to pay directly on OTAs rather than brand.com: OTAs users' accounts are often already associated with the users' personal devices, making the whole checkout experience not only secure, but completely frictionless.

LOOPHOLES AND WORKAROUNDS

And, if the hotel eventually does get a direct booking, dishonest guests can still exploit the Strong Customer Authorization for their own interests.

Let's take a look at the worst-case scenario:

1. John Smith books a refundable rate on the hotel's official website;
2. The hotel is not allowed to process the payment right away, and the charge remains suspended until the day scheduled for departure;
3. Mr. Smith quietly sneaks out from his room in the middle of the night, leaving the hotel with an unpaid invoice and only one (possession = credit card number) of the two authenticating factors needed to process the payment.

This may be me being pessimistic, and I know this scenario will probably never happen for upper-scale properties, but can we honestly say the same for budget hotels, home-rentals or, even more critically, hostels?

Now, if implemented correctly, SCA could put the word end on the guests' chargeback problem (as all transactions will be irrevocable). Olivier Godement, Product Manager at Stripe, gives an interesting interpretation of the problem, saying that, despite "security measures such as the address verification system or the CVC verification", it is because of the high risk of fraud intrinsic in the current credit and debit card payments' regulation "that customers have the ability to dispute fraudulent payments made with their card". I am not entirely convinced about it and, as I think this makes sense for the retail industry, the age-old cashback issue could easily escalate in hospitality, especially when it comes to guests' no-shows.

TECH PROVIDERS' ADOPTION

Starting from September the 14th, SCA will be needed for all online transactions made within the European Economic Area and (Brexit or no-Brexit) the UK. The only exceptions will be contactless payments, recurring charges, and a few more. The industry, therefore, will have to adapt, and will have to do it quickly. Booking engines and PMS, especially, will face a herculean task, as they will need to implement technologies allowing hoteliers to capture and process the two required authentication factors easily.

Being able to process alternative, SCA-complaint forms of payments (such as cryptocurrencies, Apple/Google/Amazon Pay or the old-school bank transfers) and offer a fast and frictionless checkout experience will be crucial in order for travel tech providers to say relevant. On the bright side, smaller, amateurish providers will succumb, yet this extinction does not seem like good tech-Darwinism to me, rather eugenics: many minor booking engines and PMS will die off because of an arbitrary standard that does not take into consideration all the different nuances of our industry.

"Subscription and recurring transactions are", MyCheck's CEO, Shlomit Kugler, explained me, "considered merchant-initiated and, as long as the initial transaction and card was authenticated, are exempt from PSD2 and SCA requirements, allowing a truly one-click payment experience". Problem is that, subscription and recurring are aliens to our industry and, Kugler continued, implementing strong customer authorization during the checkout process "might result in a massive drop in the checkout conversion rate, as it requires additional actions to finalize the transaction".

CONCLUSIONS

During a conversation on the subject, HotelTime Solutions' CEO & Founder, Jan Hejny, shared some of my concerns, but with an optimist twist: "at first", he told me, "it will be painful for travel tech providers to adapt but, once implemented, both the guests and the hotels will benefit from the regulation, as it will reduce the human workload in day-to-day operations, while increasing the security of credit cards' payments". He's probably right, and I should not be carried away by negativity. But, as Laurence J. Peter poetically puts it, I am a man who looks both ways when crossing the street. And, when it comes to SCA, I don't like what I see on any side of it.