AMEX tell me BA cannot process online payments due to PSD2?!
#1
Original Poster
Join Date: Mar 2016
Programs: BA Gold
Posts: 681
AMEX tell me BA cannot process online payments due to PSD2?!
Spent the last 2 hours trying to make a BA online holiday booking with 3 x BA AMEX cards being repeatedly declined for no good reason.
I have just spoken to Amex who tell me that BA is non-compliant with the Second Payment Services Directive (PSD2) and is currently unable to process online transactions from UK credit and debt cards. Can this really be true and, if so, why is this not being reported anywhere? I'd have through the FT regulars would be well aware of the issue and that there would have been endless discussion about it.
What the hell is going on??
I will be really annoyed if the holiday price changes before I can complete the booking. Amex offered me 3,000 Avios which I refused.
Argh!!!
I have just spoken to Amex who tell me that BA is non-compliant with the Second Payment Services Directive (PSD2) and is currently unable to process online transactions from UK credit and debt cards. Can this really be true and, if so, why is this not being reported anywhere? I'd have through the FT regulars would be well aware of the issue and that there would have been endless discussion about it.
What the hell is going on??
I will be really annoyed if the holiday price changes before I can complete the booking. Amex offered me 3,000 Avios which I refused.
Argh!!!
#2
Join Date: Jan 2016
Location: LON
Programs: BAEC
Posts: 3,911
I can't comment on the specifics but I am aware that there is a bunch of pain at the moment for online retailers to upgrade their payment handling to do the full 3DS v2 challenge, and for those that have bespoke integrations between their website and payment services provider it's typically not a tick box upgrade. Because of the previous data breach involving card holder data the card brands are probably giving BA a hard time and playing hardball. Retailers should have migrated to PSD2 by end of 2021, and have been 'encouraging' retailers who were non-compliant by doing an increasing number of soft declines on valid PSD1 transactions.
PSD2 in practical terms points to implementation of 3DS v2, this is the box that appears from your issuing bank and in v2 this is more intelligent. The password is gone, and being asked for a OTP every time is now on the way out. The new standard does profiling of the risk of your transaction which is performed by your card issuer by looking at a number of factors - who, what, when, value, source IP, device been seen before, buying habits, previous retailer, etc. which feed into a decision whether the transaction should be frictionless or has a 2nd factor challenge. For the layperson, this is why you now probably don't get a challenge on every transaction, but do one for an unusual device or different internet connection from usual or a new retailer for a high value and you will probably get a challenge to complete the transaction.
Sounds like BA have failed to keep their payment systems up to date which is surprising considering how critical they are to their bottom line, and also with the context of the previous data breach.
PSD2 in practical terms points to implementation of 3DS v2, this is the box that appears from your issuing bank and in v2 this is more intelligent. The password is gone, and being asked for a OTP every time is now on the way out. The new standard does profiling of the risk of your transaction which is performed by your card issuer by looking at a number of factors - who, what, when, value, source IP, device been seen before, buying habits, previous retailer, etc. which feed into a decision whether the transaction should be frictionless or has a 2nd factor challenge. For the layperson, this is why you now probably don't get a challenge on every transaction, but do one for an unusual device or different internet connection from usual or a new retailer for a high value and you will probably get a challenge to complete the transaction.
Sounds like BA have failed to keep their payment systems up to date which is surprising considering how critical they are to their bottom line, and also with the context of the previous data breach.
Last edited by plunet; Feb 17, 2022 at 8:10 am
#3
Join Date: Dec 2014
Location: UK
Programs: BA, U2+, SK, AF/KL, IHG, Hilton, others gathering dust...
Posts: 2,552
As a data point, I made a BA Holidays booking online yesterday and paid with a UK-issued BA Amex. It took 2 attempts, but the first attempt did not show a card decline, it stated that it was an issue with confirming one of the hotels so they had not tried to charge the card. After changing that hotel, the transaction went through successfully.
I’m not a card payments technical expert, but have run a business where these particular upgrades were an issue. It was often an unpredictable carrot and stick approach, with the card companies setting “hard” deadlines, which then turned out to be softer than anticipated. Eventually they do become really hard deadlines, but I’d be surprised if Amex just turned BA off, given the depth of the relationship. Equally it would not surprise me at all if BA’s integration with Amex were bespoke and complex, I’m aware of some of its (non-payments) integrations that certainly fit this description.
Just to add, I don’t know if it’s related, but there has been a change with authorising cards on phone bookings. I recently made an Avios booking over the phone (paid with BA Amex) and I had to enter the CVV number using the phone keypad, an automated service triggered by the agent who was dealing with my booking. This was not required on the previous phone booking I had made, which was last August, so something changed in the interim.
I’m not a card payments technical expert, but have run a business where these particular upgrades were an issue. It was often an unpredictable carrot and stick approach, with the card companies setting “hard” deadlines, which then turned out to be softer than anticipated. Eventually they do become really hard deadlines, but I’d be surprised if Amex just turned BA off, given the depth of the relationship. Equally it would not surprise me at all if BA’s integration with Amex were bespoke and complex, I’m aware of some of its (non-payments) integrations that certainly fit this description.
Just to add, I don’t know if it’s related, but there has been a change with authorising cards on phone bookings. I recently made an Avios booking over the phone (paid with BA Amex) and I had to enter the CVV number using the phone keypad, an automated service triggered by the agent who was dealing with my booking. This was not required on the previous phone booking I had made, which was last August, so something changed in the interim.
Last edited by Oaxaca; Feb 17, 2022 at 1:45 am Reason: Add comments about phone authorisation.
#5
Join Date: Jul 2016
Location: Cornwall
Posts: 774
Well, this is typical BA.
This regulation was released in 2018, yes, nearly 4 years ago. Mind you, looks this they updated the code for one page since then. The website is a mess, I wonder what they are paying Tata for.
As a data point I made a holiday booking using a BA amex on Sunday that if I remember correctly did indeed require secondary authorisation.
This regulation was released in 2018, yes, nearly 4 years ago. Mind you, looks this they updated the code for one page since then. The website is a mess, I wonder what they are paying Tata for.
As a data point I made a holiday booking using a BA amex on Sunday that if I remember correctly did indeed require secondary authorisation.
#6
Join Date: Oct 2014
Location: UK
Programs: BA Pyrite
Posts: 179
Just off the phone with a very helpful chap from BAH after failing to make an online payment and so attempting it via the call centre. Looks like there's a problem somewhere on BA's side.
When I spoke to Amex prior to calling BAH they reported that the failed online transaction hadn't reached them. No mention of PSD2 in my case.
When I spoke to Amex prior to calling BAH they reported that the failed online transaction hadn't reached them. No mention of PSD2 in my case.
#8
Join Date: Jan 2016
Location: LON
Programs: BAEC
Posts: 3,911
Well, this is typical BA.
This regulation was released in 2018, yes, nearly 4 years ago. Mind you, looks this they updated the code for one page since then. The website is a mess, I wonder what they are paying Tata for.
As a data point I made a holiday booking using a BA amex on Sunday that if I remember correctly did indeed require secondary authorisation.
This regulation was released in 2018, yes, nearly 4 years ago. Mind you, looks this they updated the code for one page since then. The website is a mess, I wonder what they are paying Tata for.
As a data point I made a holiday booking using a BA amex on Sunday that if I remember correctly did indeed require secondary authorisation.
For those who have off the shelf shopping cart and payment services the transition has probably been a non-issue or just a tickbox somewhere, it's the bigger retailers with custom integrations and legacy infrastructure where the pain is really being felt.
#9
Original Poster
Join Date: Mar 2016
Programs: BA Gold
Posts: 681
The woman from Amex told me it was all UK credit and debit card transactions on BA would fail due to non compliance.
That was clearly rubbish because I managed to put the flights on 72 hour hold using my debit card but I still need to call to pay on Amex.
That was clearly rubbish because I managed to put the flights on 72 hour hold using my debit card but I still need to call to pay on Amex.
#10
Join Date: Jul 2016
Location: Cornwall
Posts: 774
Although the PSD2 standard was released in 2018, the first few years were needed for the backend stuff (card brands (Visa, MC, Amex, Discover), card issuing banks (Barclays, NatWest, Starling, etc), and more latterly the payment services providers (Worldpay. sagepay, etc) to all get their house in order. The real reality is that some early mover merchants with backend services that were ahead of the curve were probably able to start to use 3DS v2 in late 2020. Because of all of the above, many merchants were only really able to tackle this in 2021, and there's a good long list of stragglers.
For those who have off the shelf shopping cart and payment services the transition has probably been a non-issue or just a tickbox somewhere, it's the bigger retailers with custom integrations and legacy infrastructure where the pain is really being felt.
For those who have off the shelf shopping cart and payment services the transition has probably been a non-issue or just a tickbox somewhere, it's the bigger retailers with custom integrations and legacy infrastructure where the pain is really being felt.
Pretty sure I implented this in 2019 through a custom integration with stripe, yes ok not quite the same, but before 2020.
#11
Original Poster
Join Date: Mar 2016
Programs: BA Gold
Posts: 681
Just as a data point I tried to make a BAH booking for flights plus car for Mr NW in Club as he needs the double TPs.
I also tried to make a flight only booking for myself and the junior NWs in Y.
I tried my BA Amex, my BA Amex on Mr NW’s account and Mr NW’s BA Amex. All failed multiple times. Sometimes the system told me I still needed to input the 4 digit code and kept taking me back to the payment page. Other times it said card declined and told me to contact the issuer which I did to no avail.
I also tried to make a flight only booking for myself and the junior NWs in Y.
I tried my BA Amex, my BA Amex on Mr NW’s account and Mr NW’s BA Amex. All failed multiple times. Sometimes the system told me I still needed to input the 4 digit code and kept taking me back to the payment page. Other times it said card declined and told me to contact the issuer which I did to no avail.
#12
Join Date: Aug 2014
Posts: 2,657
Spent the last 2 hours trying to make a BA online holiday booking with 3 x BA AMEX cards being repeatedly declined for no good reason.
I have just spoken to Amex who tell me that BA is non-compliant with the Second Payment Services Directive (PSD2) and is currently unable to process online transactions from UK credit and debt cards. Can this really be true and, if so, why is this not being reported anywhere? I'd have through the FT regulars would be well aware of the issue and that there would have been endless discussion about it.
What the hell is going on??
I will be really annoyed if the holiday price changes before I can complete the booking. Amex offered me 3,000 Avios which I refused.
Argh!!!
I have just spoken to Amex who tell me that BA is non-compliant with the Second Payment Services Directive (PSD2) and is currently unable to process online transactions from UK credit and debt cards. Can this really be true and, if so, why is this not being reported anywhere? I'd have through the FT regulars would be well aware of the issue and that there would have been endless discussion about it.
What the hell is going on??
I will be really annoyed if the holiday price changes before I can complete the booking. Amex offered me 3,000 Avios which I refused.
Argh!!!
BAH have had payment issues reported today. So looks like affecting all cards but only for BAH so flight only is ok.