Chargeback, PSD2, e-commerce hotels: more problems ahead

Direct sales (or disintermediated sales) are a subject close to every hotelier's heart: the problem arises, however, when - quite legitimately - the hotelier wants to guarantee himself against contractual breaches by the customer (no-show, early departure).

We know that, with the entry into force of Strong Customer Authentication (SCA), pre-authorisations or transactions made remotely, i.e. without having the credit card in the POS, are no longer usable: for more details, I suggest you read the article at this link.

Dirk Pinamonti, head of e-commerce at Nexi, said that "more than 70% of complaints relating to online hotel bookings concern payments that are not recognised by credit card holders. Our goal is to reduce these types of disputes and allow hotels to offer customers a simple, secure and transparent experience, from the moment of booking to checkout" (find the full article at this link).

Basically, the credit card holder, after having booked (or even stayed) at a hotel, would dispute the payment and the hotel would suffer the charge back of the amounts collected. 

Hence the introduction of PSD2 which, by means of the double authentication factor, guarantees that the transaction can be traced back to the legitimate credit card holder. 
This innovation has been welcomed by hotels which, all too often, have suffered damage from customers who can be described as opportunistic to say the least.

But Nexi didn't stop there and created the "Incasso senza Pensieri" service: a link requesting payment to the customer of the amount specified in the contractual provisions. 

The advantage of this service is that NEXI expressly asks the customer to accept the hotel's terms and condition (by reporting them), thus relieving the hotelier of the responsibility for this proof.

So far, so good.

The problem, however, still exist with e-commerce: the case in which the customer decides to book independently on the hotel's website.

A few days ago, one of our hotel partners had a transaction made on their website disputed.

In this case too, the payment was made via the NEXI gateway in accordance with the provisions of Strong Customer Authentication but, in this case, the circuit operator asks the hotel for certain proofs

1. that the customer has expressly accepted the conditions of sale and the cancellation policy
2. that the transaction is "clearly traceable to the card/reservation holder"

It is therefore not a question of unauthorised or fraudulent use of the card, but proof of acceptance of hotel's terms and condition and the traceability of this transaction to the legitimate holder is required.

As far as the first point is concerned, NEXI affirms that the "click to accept" modality is allowed (also because the alternative would be the electronic signature), in other words the tick that we must necessarily insert in order to go ahead and finalise a purchase. And so far we are there: all e-commerce provide the box to be checked to proceed even if, logically, the circumstance that you can not proceed to purchase without accepting, should exempt the hotel from providing evidence of acceptance of hotel's terms and condition by the customer.

The problem arises with the second point. 

How do we prove that the manual operation of accepting the conditions has actually been done by the card's owner?

If we focus our attention on the purchase process, we can divide it into two simple steps:

1.  On the hotel's website, the customer chooses the room and rate, accepts the terms and condition (otherwise they cannot proceed) and clicks on the button to make the transaction
2.  The customer is directed to the payment gateway, which identifies him or her by SCA and finalises the payment. 

One might think, perhaps superficially, that the payment request to NEXI arrives after a few moments from our site, comes from the same IP address (which has necessarily accepted the cancellation policy) and is then identified by the payment gateway via SCA to proceed with the payment.

What are the chances that the person who accepted the sales conditions on the hotel's site is a different person from the one who, a few moments later, makes the payment to NEXI? 

Another question: with the "Incasso Senza Pensieri" service, the payment gateway claims to be responsible for identifying the contracting party and ensuring the transparency of the contractual terms of the purchase, i.e. it makes the customer accept the hotel's terms of sale.
But how does NEXI have proof of authorship of this acceptance?

Still superficially, it occurs to me that, if there is a way for the gateway to identify the cardholder and also be sure that the cardholder has accepted the hotel's terms and condition, the same system could also be used in e-commerce transactions and not only with the use of pay by link.

So far, pay by link seems to be the solution (perhaps) to these problems, but e-commerce, widely used by customers to make reservations, still seems to be exposed to chargebacks...