European Commission Finalizes PSD2 Authentication Rules For Corporate Cards

With Europe’s PSD2 fast-approaching implementation, there are still key questions surrounding the new payments regulations. Among them: whether or not PSD2’s Strong Customer Authentication (SCA) requirements will apply to corporate payments.

According to reports in Business Travel News on Wednesday (Dec. 6), the European Commission (EC) has finalized its ruling on the matter and has exempted corporate payments from its payment security authentication rules.

Strong Customer Authentication rules require an additional level of authentication when a payment is made; in the consumer payments space, that could mean a requirement that a cardholder is texted a four-digit PIN number to verify their identity at card-not-present transactions.

The European Banking Authority has opposed calls for the EC to omit corporate card payments from SCA rules.

As Business Travel News explained, some travel industry players argue that these rules could not reasonably be applied to corporate payments when using products like lodge and commercial cards, because these cards are not used by just one person. Other industry players also argue that because fraud rates are lower in corporate payments compared to consumer payments, there is no need for additional verification measures.

According to reports, the European Commission’s decision exempts virtual corporate cards, lodge cards and corporate pay cards from Strong Customer Authentication requirements under PSD2.

In an interview with the publication, Sari Viljamaa, managing director of Finland’s Business Travel Association, said the decision is a win for the corporate payments industry, but concerns remain.

“It’s good news this won’t be extended to B2B transactions, but I am still a little worried that there will be room for national legislators to make their own interpretations,” the executive said. The publication noted that the Nordic region’s four travel management groups have estimated as much as 97 percent of their clients’ airline bookings are made through travel management companies via lodge cards.

Patrick Diemer, CEO of corporate payments firm AirPlus International, also noted that individual pay cards used by corporate travelers may still fall under SCA rules.

“Lodge cards, virtual cards and corporate cards with corporate pay are fine, but SCA still is required for plastic cards [that] don’t fall under the exemption,” he said. Reports added that some business travelers may be using individual corporate cards or may have their own personal cards on file with their travel management companies, which would still fall under SCA rules.

Paul Raymond, director of Strategic Relationships at corporate payments firm Conferma, added that the EC’s ruling doesn’t mean corporate payment players in Europe can ignore SCA rules altogether.

“We need to prepare for SCA anyway, so we are looking to see if there is a secure, easy way to do this,” he told the publication.