Table of contents

Every so often, a new piece of legislation comes along that causes headaches and restless nights for businesses. You probably remember the endless conversations and confusion about what you could or couldn’t do when GDPR was introduced a few years ago. Anyway, we’ve got some good news for you: PSD2 isn’t one of those times.

Sorry if we scared you a little. The fact is, we’ve been working on PSD2 since before the first elements of the directive came into effect in 2019. Since then, we’ve made a number of decisions that ensure it’s easier for all of our hoteliers to comply with the legislation, whilst also maintaining a great user experience for guests. Here’s everything you need to know about PSD2.


What is PSD2?

PSD2 stands for Payment Services Directive 2. Catchy, right? It’s a piece of legislation from the European Union that’s designed to make online payments more secure for customers and businesses. As well as security, its stated goal is to open up payment markets to more competition, greater choice and better prices for consumers.

The need for improved security protocols is fairly obvious. Online payment options are becoming more varied and more frequent, and the global proportion of online transactions is increasing every year. Regulators saw the need for increased security for these payments, which is where PSD2 comes in.

PSD2 requires all online payments in the EEA (European Economic Area) to have Strong Customer Authentication (SCA) that protects against fraud – there are some exceptions, which we’ll get to later. Essentially, this means that when a customer makes a transaction, they will be asked to verify they payment with an additional piece of information by using 3D Secure (3DS) authentication. This can be:

  • Something owned, such as a code sent to a phone
  • Something known, such as a pre-existing password or security question answer
  • Something you are, such as a fingerprint or facial recognition


PSD2 exemptions

There are usually exceptions to the rules, and PSD2 is no different. In some cases, the guest won’t need to verify payments via SCA. These are:

  1. For transactions less than €30
  2. For transactions via virtual credit cards
  3. For ‘one-leg-out' transactions, meaning if either the card is issued outside of the EEA, or the hotel is based outside of the EEA
  4. Payments sent via channel managers
  5. For future transactions – i.e. once the customer has verified their identity with your property once, they don’t need to do it again


PSD2 in the hospitality industry

Wait a minute, you might be thinking. Did you already tell us about PSD2, like, two years ago? Yes, we did. The first parts of the new regulation were brought into effect in September 2019, but now we have much more information about how it will specifically effect those in hospitality. The caveat here is that although PSD2 is a EEA-wide scheme, it may be implemented slightly differently per country. You should definitely check out your own government’s information to see the timeline for your business.

Many hoteliers had justified concerns when PSD2 was announced, largely because payment is often not taken during booking, but at a later date. If a customer needs to provide SCA for every step – for example during booking, check-in, and settling room extras – it will worsen the guest experience and potentially harm conversions.

As much as 75% of online payments in the EEA area will be affected by PSD2, so if you’re a European property, you can expect to be affected. And in a time where every piece of business is precious, the nightmare scenario is that customers get confused or annoyed by the new payment flow, are worried by what they see as possible scams, and abandon their stay with you.

But don’t worry. If you’re a Mews customer, this isn’t going to happen.


PSD2 for Mews customers

“Mews' customers can have peace of mind when it comes to the rollout of PSD2 – we’ve been planning for it for over 2 years,” says Jirka Helmich, our Chief Product Officer. “We want the hoteliers who use Mews to focus on the things they are best at, which is creating remarkable guest experiences for the people who come to their hotels.”

Reassuring words. But what do they mean in real terms? Our team has worked on optimizing the customer flow to ensure that your conversions won’t be affected, and your guests still have a smooth journey.

Mews initiates authentication at the moment of reservation using Mews Booking Engine, regardless of whether payment is taken immediately or otherwise. This is the most frictionless point of the journey to ask for authentication, as guests are already entering personal/payment details anyway. Once the customer confirms their booking in this first instance, they won't have to provide SCA verification for any further transaction with your property. Mews tokenizes and stores the card details for future payments.

Online check-in is another point in the guest journey that we collect the guest’s payment card. If a guest checks in online and authentication wasn’t performed yet (i.e. the booking was done through a different channel), Mews will authenticate the card during online check-in.

When it comes to reservations made through channel managers, limitations in intermediary systems mean that a special interim solution has been agreed by regulators. Essentially, Visa, Mastercard and American Express created a temporary exemption for indirect sales in the hospitality sector. Firstly, it’s the responsibility of the booking agent to ensure SCA is met. Once this is done, Mews can flag the transaction as MOTO (Mail Order/Telephone Order) if the booking agent can’t pass on the authentication, allowing you to process the transaction at any later point without asking the guest to verify their details again.

VCCs (virtual credit cards) issued by OTAs are also exempt, as are any in-person payments such as at check-out via front desk or self-service kiosks, which are considered as ‘card present’ payments.

If your guest forgets to pay for something in the minibar, or has to make any other post-stay payments, you can again initiate the payment without further authentication because you already have verified card details stored.


Payment security for non-EU customers

Depending on where you are in the world, you may have different online payment security rules. If you’d like to make your property’s payments even more secure, we have good news: we decided to roll out 3D Secure payments across all geographies. 3DS is the actual two-factor authentication that happens for payments, which in the case of PSD2 is used as part of SCA. But you don’t need PSD2 to use 3DS. Any Mews property can enable 3DS on Mews Booking Engine and Mews Online Guest Services.


PSD2 takeaway

If you take away nothing else from this blog, let it be this: we’ve done everything we can to ensure that any Mews customers (or future Mews customers) comply with PSD2 while also maintaining a smooth experience for guests. If you have any concerns, just reach out to your account manager or customer success representative and we’ll be happy to talk.


PSD2 glossary

PSD2: Payment Services Directive 2, introduced in 2019 by the European Union to create a single, secure market for European payments.

SCA: Strong Customer Authentication, a requirement of PSD2 that ensures online payments are performed with multi-factor authentication.

3DS: 3D Secure is the authentication process that an issuing bank uses to validate a cardholder. Typical processes include a guest receiving a pin code via mobile, or presenting fingerprint verification, which then confirms the payment.

EEA: The European Economic Area, which is EU countries and Norway, Iceland and Liechtenstein, in which PSD2 applies.

MIT: A Merchant Initiated Transaction is where the merchant (the property) tries to collect the payment on the customer’s behalf in their absence, for example post-stay mini-bar charges.

VCC: Virtual Credit Cards, typically used by OTAs (online travel agencies) as a way of making more secure online purchases, often for single-use transactions.

MOTO: Mail order / telephone order channel, exempt from PSD2 regulations. Reservations made via channel managers fall into this category.

OLO: One Leg-Out transactions are exempt from PSD2 regulations, and occur when either the payment card is issued outside of the EAA, or the merchant (property) isn’t located in the EAA.