The Three Domains of Protecting Hotel Payments and Revenues
With so many difficulties from the pandemic still playing out, the calendar year of 2022 for hospitality will mark a dedicated stretch of time for continuing to streamline processes and staying lean on the labor front while increasing productivity. This means automating wherever possible, simplifying the daisy chain of enterprise software, deploying better tech to help augment the guest service and finding creative ways to keep costs down amidst still-ambiguous demand forecasts.
There’s a lot that can be done to fit these lofty goals, but where to start? New advances within the payment industry touch on all of these aspects with immediate applicability, so it’s worthwhile to see how the latest and greatest can help a hotel property. In particular, we emphasize that many of these developments represent ‘low hanging fruit’ – relatively frictionless business upgrades that will elicit incremental cost savings and productivity gains, representing a quick win to give your organization some buffer to then tackle large-scale projects.
At the forefront of the payment world is a concerted effort to rein in fraud – which hurts both the merchant and the processor – by rolling out additive layers of credit card verification and transaction flexibility. When you tally all the expenses associated with a fraudulent reservation – room opportunity cost, cleaning costs, representment costs, processor penalties and so on – a single case can amount to roughly 250% of the total booking value. To help fight this, a key practice that requires a full explanation and a discussion on the bigger picture of payment evolution is Three Domain Secure or 3-D Secure (3DS).
How 3DS Works
This isn’t anything revolutionary: the protocol is already in use and standardized across Europe, Africa, Australia and Russia, and has been for almost two decades in some territories. But it’s soon set to take hold of the North American market, which will breathe new life into the prospect of 3DS as a global standard, as well as into what’s deemed a passing grade under payment card industry data security standards (PCI DSS), in turn preventing interchange rate hikes.
Without getting into all the different acronyms and definitions of the payment industry (of which there are legion), the three domains refer to the broad-level delineations of the parties involved in authorizing payments and moving funds:
- Merchant (in this case a hotel), acquiring (merchant’s) bank and payment gateway
- Cardholder and issuing (cardholder’s) bank
- Interoperability network such as a credit card processor
The current system has payments verified within the first and second domains via the payment gateway interacting with an internet-based access control server that then separately parleys with the third domain to authorize the release of the funds from the cardholder’s account. Now with 3DS, customers at a merchant’s payment terminal are automatically brought to an issuer’s internal verification portal where a distinct user authorization key or text-delivered, one-time password must be entered to complete the transaction.
This extra step helps to shift the burden of liability for fraudulent payments from the merchant to the issuing bank. Genuine fraud, or the unauthorized use of a card, is inordinately minimized while friendly fraud, or claiming a chargeback after services were adequately rendered, is also somewhat thwarted. Significantly for our industry, where many hotels have recently become prime targets for fraud, this means a lot of relief that is not immediately palpable from comparing annual income statements, because that aforementioned 250% of total booking value is often buried under several disparate line items.
In cases of genuine fraud at hotels, while nowadays a fraudster may gain access to a guest’s 16-digit card number, expiry date and security code on the back, it’s extraordinarily rare that they will also know the secondary passcode required for the issuer’s 3DS verification portal. And for friendly fraud chargebacks, the input of this 3DS user authorization key subsequently raises the evidential threshold necessary to prove that the merchant acted in bad faith, increasing the likelihood for the acquiring party (that’s you) to win a dispute.
The Bigger Picture in 2022
Why are we homing in on 3DS of all things affecting the hotel industry? As hinted at in the intro, compared to all the other challenges that hotels will have to confront in the coming years – guest expectations coming out of the pandemic, new service demands requiring hefty capex and tackling climate change through sustainability upgrades, to name three – getting your payment systems in order is a fairly simple task that’s a steppingstone towards successfully operating in the new normal.
To drive profitability for the rest of the 2020s, you can no longer rely on a huge topline revenue figure to pad your gross profit and net operating income (NOI). All the recent COVID-19 variants have demonstrated just how quickly out-of-the-red occupancy targets can disintegrate, as aided by the exceptionally lenient cancellation policies which also aren’t going away anytime soon. Instead, the decade ahead will be defined by leaner, turnkey operations – fewer team members on hand to complete repetitive tasks and mandating more productivity from those that remain.
The only way forward is through automation in order to maintain a healthy NOI while occupancy forecasts in key segments remain in their respective nadirs or, worse, are one big question mark. Some hotels have already discerned ways to buoy profits and service debt with peak-period occupancies in the 25% to 40% range so that they are also somewhat immune to the stubborn labor shortage challenges that will continue to plague us for at least the next few business cycles.
Your front office team no longer has the time to manually transfer payment cards from a gateway into the property management system (PMS), an action that is also in breach of PCI compliance standards. Your accountants likewise don’t have time to prepare documentation in order to properly dispute upwards of 5% of all room reservations. Thirdly, with erratic revenue projections and opaque forward-looking travel demand data, you can no longer afford to incur fraudulent charges (sometimes docked as negative revenues) or have your processing fees go up, even by a few basis points, because you, the merchant, have been deemed high risk according to the latest PCI DSS covenants.
The Future of Payments
The broader theme behind our push for 3DS adoption is that its implementation will ultimately help reduce direct costs, administrative time and negative revenues. With this heightened level of transactional security also comes the flexibility to enact further upgrades to your payment ecosystem.
First off is 3DS2, which attempts to solve the friction induced by requiring a second password entered into a separate frame prompted by the issuer. It requires one only when a challenge algorithm deems a transaction high risk after reviewing a guest’s payment history and other contextual data. As well, this contemporary version allows developers to keep the auxiliary passcode wholly within a hotel’s branded app so that the (mostly mobile) guest experience isn’t perturbed.
After this, the big phase will be doing all this while eliminating the physical payment card itself. Many payment platforms capable of handling 3DS2 customer pass-throughs are similarly adept at facilitating transactions straight from a digital wallet that verifies transactions based on what a customer has (phone) and is (face scan or thumbprint) and not necessarily what the customer knows (password). Think Apple Pay, Google Pay, WeChat Pay and a host of other mobile payment services.
And let’s not even get into where cryptocurrencies fit into all this! The bottom line is that the sooner you upgrade your hotel’s payment apparatus, the sooner you can start cushioning your NOI and then move on to solving far tougher challenges. In this sense, 3DS or 3DS2 is a fantastic first step for 2022.