AMEX tell me BA cannot process online payments due to PSD2?!
 

Spent the last 2 hours trying to make a BA online holiday booking with 3 x BA AMEX cards being repeatedly declined for no good reason.

I have just spoken to Amex who tell me that BA is non-compliant with the Second Payment Services Directive (PSD2) and is currently unable to process online transactions from UK credit and debt cards. Can this really be true and, if so, why is this not being reported anywhere? I'd have through the FT regulars would be well aware of the issue and that there would have been endless discussion about it.

What the hell is going on??

I will be really annoyed if the holiday price changes before I can complete the booking. Amex offered me 3,000 Avios which I refused.

Argh!!!

I can't comment on the specifics but I am aware that there is a bunch of pain at the moment for online retailers to upgrade their payment handling to do the full 3DS v2 challenge, and for those that have bespoke integrations between their website and payment services provider it's typically not a tick box upgrade. Because of the previous data breach involving card holder data the card brands are probably giving BA a hard time and playing hardball. Retailers should have migrated to PSD2 by end of 2021, and have been 'encouraging' retailers who were non-compliant by doing an increasing number of soft declines on valid PSD1 transactions.

PSD2 in practical terms points to implementation of 3DS v2, this is the box that appears from your issuing bank and in v2 this is more intelligent. The password is gone, and being asked for a OTP every time is now on the way out. The new standard does profiling of the risk of your transaction which is performed by your card issuer by looking at a number of factors - who, what, when, value, source IP, device been seen before, buying habits, previous retailer, etc. which feed into a decision whether the transaction should be frictionless or has a 2nd factor challenge. For the layperson, this is why you now probably don't get a challenge on every transaction, but do one for an unusual device or different internet connection from usual or a new retailer for a high value and you will probably get a challenge to complete the transaction.

Sounds like BA have failed to keep their payment systems up to date which is surprising considering how critical they are to their bottom line, and also with the context of the previous data breach.

As a data point, I made a BA Holidays booking online yesterday and paid with a UK-issued BA Amex. It took 2 attempts, but the first attempt did not show a card decline, it stated that it was an issue with confirming one of the hotels so they had not tried to charge the card. After changing that hotel, the transaction went through successfully.

I’m not a card payments technical expert, but have run a business where these particular upgrades were an issue. It was often an unpredictable carrot and stick approach, with the card companies setting “hard” deadlines, which then turned out to be softer than anticipated. Eventually they do become really hard deadlines, but I’d be surprised if Amex just turned BA off, given the depth of the relationship. Equally it would not surprise me at all if BA’s integration with Amex were bespoke and complex, I’m aware of some of its (non-payments) integrations that certainly fit this description.

Just to add, I don’t know if it’s related, but there has been a change with authorising cards on phone bookings. I recently made an Avios booking over the phone (paid with BA Amex) and I had to enter the CVV number using the phone keypad, an automated service triggered by the agent who was dealing with my booking. This was not required on the previous phone booking I had made, which was last August, so something changed in the interim.

I had no issue paying for a BA Holiday online using my Amex platinum last night.

Well, this is typical BA.

This regulation was released in 2018, yes, nearly 4 years ago. Mind you, looks this they updated the code for one page since then. The website is a mess, I wonder what they are paying Tata for.

As a data point I made a holiday booking using a BA amex on Sunday that if I remember correctly did indeed require secondary authorisation.

Just off the phone with a very helpful chap from BAH after failing to make an online payment and so attempting it via the call centre. Looks like there's a problem somewhere on BA's side.
When I spoke to Amex prior to calling BAH they reported that the failed online transaction hadn't reached them. No mention of PSD2 in my case.

Not sure if BAH process card payments differently but I made an online payment yesterday for flights only with my Amex without any issues

Although the PSD2 standard was released in 2018, the first few years were needed for the backend stuff (card brands (Visa, MC, Amex, Discover), card issuing banks (Barclays, NatWest, Starling, etc), and more latterly the payment services providers (Worldpay. sagepay, etc) to all get their house in order. The real reality is that some early mover merchants with backend services that were ahead of the curve were probably able to start to use 3DS v2 in late 2020. Because of all of the above, many merchants were only really able to tackle this in 2021, and there's a good long list of stragglers.

For those who have off the shelf shopping cart and payment services the transition has probably been a non-issue or just a tickbox somewhere, it's the bigger retailers with custom integrations and legacy infrastructure where the pain is really being felt.

The woman from Amex told me it was all UK credit and debit card transactions on BA would fail due to non compliance.

That was clearly rubbish because I managed to put the flights on 72 hour hold using my debit card but I still need to call to pay on Amex.

None of these are excuses for why BA now can't take card payments? They were warned and should have acted accordingly. Same with any other stragglers. Its their bottom line.

Pretty sure I implented this in 2019 through a custom integration with stripe, yes ok not quite the same, but before 2020.

Just as a data point I tried to make a BAH booking for flights plus car for Mr NW in Club as he needs the double TPs.

I also tried to make a flight only booking for myself and the junior NWs in Y.

I tried my BA Amex, my BA Amex on Mr NW’s account and Mr NW’s BA Amex. All failed multiple times. Sometimes the system told me I still needed to input the 4 digit code and kept taking me back to the payment page. Other times it said card declined and told me to contact the issuer which I did to no avail.

BAH have had payment issues reported today. So looks like affecting all cards but only for BAH so flight only is ok.

Is BA on your AMEX safe list?

i tried to add it yesterday as I thought that might be a work around but the safe list option was not showing on my Amex account.

Deleted - misunderstood the thread and post irrelevant.