A global hotel chain, headquartered in the US, identified that it was exposed to the Strong Customer Authentication (SCA) regulation in the EU. Compliance would be challenging, because of the complexity of the company’s payments architecture.
The chain owned and operated hotels in the US but used a franchise model across Europe. Hotels in Europe chose their own payments acquirers and were using different versions of the company’s highly customised hotel management software.
Although online travel agents (OTAs) remain important to the hotel’s business, it wanted to encourage more direct bookings. Direct bookings are attractive because the hotel retains control of pricing and there are no commission fees.
Where guests paid on check-out, there was no risk exposure under SCA. However, when guests prepaid to get a better room rate, the situation was complicated. The hotel chain took bookings on its global website (in the US) and forwarded payment details to the hotel where the room was booked. That hotel then processed the payment locally, and at that point it would need to authenticate the customer. Contacting the customer to finalise payment up to 24 hours after the booking would be a poor customer experience, especially if payments were being processed at antisocial times.
The hotel chain wanted to ensure payments were compliant, secure and had minimal friction for customers. At the same time, the company saw an opportunity to become an industry leader in managing digital identities. Its app was increasingly important for the customer experience, supporting the loyalty program and innovative features such as remote check-in and room unlocking.
How EDC helped
The hotel chain chose EDC because of our specialist payments expertise, our in-depth knowledge of payments regulation and our prior experience working on SCA projects.
To begin with, we mapped the hotel’s complex payment flows across Europe, covering 50 use cases including central prepayments, in-hotel payments, loyalty payments, booking changes and cancellations. We grouped hotels according to which version of the hotel management software they were using. For the first time, the company could see the full range of payment scenarios across its European hotels. The situation was in stark contrast to the US operations, where there was just one acquirer, and one version of the hotel management software.
We then advised the hotel on where process changes would be required to comply with SCA. Based on the payment volume, we quantified the risk and ranked the changes by urgency. We developed a roadmap to compliance, scrutinising the company’s existing payment acquirers to validate their support for SCA.
The hotel chain appreciated our advice on cybersecurity, because achieving SCA compliance would require the hotel to bring credit card details in-house. Previously, they were stored by a trusted third party.
By following our recommendations, the hotel was able to not only achieve compliance, but also simplify its payment architecture and build a foundation for new digital customer experiences.