
Hilton reservations in Europe: PSD2 may require your card to be authenticated

Old Jan 22, 2020, 6:14 am
  #1  
Moderator, Iberia Airlines, Airport Lounges, and Ambassador, British Airways Executive Club
Original Poster
 
Join Date: Feb 2010
Programs: BA Lifetime Gold; Flying Blue Life Platinum; LH Sen.; Hilton Diamond; Kemal Kebabs Prized Customer
Posts: 63,809
Hilton reservations in Europe: PSD2 may require your card to be authenticated

I've started this thread, in the light of an experience (post 2). This post is just to give an overview of the impact of the Payment Service Directive 2 (PSD2) and Strong Customer Authentication on bookings made directly with Hilton via their website.

The short version is that for some European transactions on Hilton.com you will need to do a separate credit card authentication for non-flexible bookings, using a company called 3C, since hotels may otherwise not be able to collect pre-payment. Moreover the situation with charging no-shows on flexible bookings is currently awkward. This is because Hilton has not fully integrated PSD2 into their booking engine. If you don't follow this through you risk your hotel bookings being cancelled. When you make a booking via hilton.com, the final screen warns of this possibility.

The problem with this process via 3C is that it looks like a phishing attempt, and seems to fly in the face of other advice not to give credit card information to emails sent unsolicited.

I won't give chapter and verse about this big, big topic, there is plenty of material online elsewhere. But in essence from 14 September 2019 PSD2 is fully in place for all wholly EEA transactions. So that's European Union and countries like Norway and Iceland. Brexit makes no difference, the UK has adopted PSD2. By transaction, I specifically mean if you use an EEA credit card to book a Hilton hotel which takes online payment via the EEA's banking system. The fact that the hotel guest or even the hotel is perhaps not in the EEA isn't relevant, it's just the transaction.

So if you use a European credit card on hilton.com to book a hotel in Europe you are almost certainly in scope for this. If you are an American booking a USA hotel, you are almost certainly not in scope.

The impact is something called Strong Customer Authentication (SCA). Again there is plenty about this online but typically if you make an online transaction within Europe these days you are often asked to present a password, or use a PIN code sent by SMS to your phone, to confirm the transaction and to provide security to both the customer and the banks that the transaction isn't fraudulent.

However the Hilton website has not been fully updated for this, instead at the end of the booking process customers are told they may receive an email from [email protected], where the credit card transaction will have to be completed a second time.

If you get such an email, which may be sometime after the booking, then you are directed to a website operated by 3C, which is part of the German Bertelsmann conglomerate. You then enter in your credit card, and it may take you through the Strong Customer Authentication process.

Hilton is far from being the only organisation lagging on PSD2 incorporation, and locally some regulators have given online companies more time to complete the requirements of PSD2. But this is to let FTers know about this.

If you don't complete the process with 3C you are at risk of your reservation being cancelled. I would hope the hotel concerned would make some further attempt to contact you before doing this and there is perhaps a contractual issue involved here: Hilton only say you "may" be contacted by the email address, what happens if you don't receive an email? Or it gets deleted by your email host?

For no-shows it's more problematic. My understanding of PSD2 is that hotels can't easily charge no-show guests for online flexible bookings - typically that's the first night's rate - unless it went through SCA. They can do this if the transaction was made by telephone or made by direct email, but not for online transactions. What I do know is that some hotels (making no reference to Hilton hotels here) are using the payment codes used for telephone transactions to collect sums via card readers even though the transaction was online. This doesn't sound compliant to me, and presumably banks will stop this at some point and / or customers can recall the transaction. If that happens, hotels still have a contract with the guest to recover the no show rate, so it shouldn't be seen as a free pass.

Hilton's own advice on this is here:
https://hiltonhonors3.hilton.com/en/...-security.html
Yllanes, Lefly, OskiBear and 2 others like this.
corporate-wage-slave is online now  
Old Jan 22, 2020, 6:16 am
  #2  
Moderator, Iberia Airlines, Airport Lounges, and Ambassador, British Airways Executive Club
Original Poster
 
Join Date: Feb 2010
Programs: BA Lifetime Gold; Flying Blue Life Platinum; LH Sen.; Hilton Diamond; Kemal Kebabs Prized Customer
Posts: 63,809
My own experience of this was a non event on one level, the hotel was entirely relaxed about the issue, but it was interesting to see how my reservation could have been cancelled.

I had booked a Doubletree in Amsterdam for a one night stay on an inflexible rate. I booked on Thursday, for a stay on Monday. The warning came up about the credit card authentication (see post 1) and I made a mental note to keep an eye out for it.

The email indeed did arrive on Saturday with the subject heading:

One last thing: your DoubleTree by Hilton Hotel Amsterdam - NDSM Wharf payment

Now this went to a work email address, into a spam account and I only noticed it by chance on Monday. I recognised what it was about and the first paragraph went:

We need to authenticate your transaction and complete payment for your stay at DoubleTree by Hilton Hotel Amsterdam - NDSM Wharf. We are doing this to comply with the European Commission’s PSD2 requirements.

So I tried to follow the link to 3C's website, but I was blocked by the firewall - on investigation it was because the firewall detected this as a phishing attempt and therefore didn't allow me to go any further. I tried it on my mobile phone - and could see the details there - but it involved way too much information and key presses, and the screen layout had not been designed with mobile devices in mind, it was full screen website based. OLCI and room selection went fine, no issue there.

When I got to the hotel, they were fine with the OLCI process but I told them I hadn't paid for the room, which they then confirmed. The hotel was nothing like full so it wasn't in anyone's interest to cancel the reservation, and they simply took payment there and then via a card reader. They were fairly relaxed about it, but clearly if the hotel was full, and on a cheap inflexible rate, I can imagine the situation being more problematic.

The "one last thing" subject header isn't helpful. I'm sure I'm not alone in getting vast amounts of irrelevant emails from travel companies, so I would suggest Hilton uses a more relevant subject title (and perhaps incorporate the word Important). Even better would be if Hilton could incorporate the SCA via their app, as many other companies have managed to do.......
Lefly, MoodyB, wrp96 and 3 others like this.

Last edited by corporate-wage-slave; Jan 23, 2020 at 4:53 am
corporate-wage-slave is online now  
Old Jan 23, 2020, 3:43 am
  #3  
 
Join Date: Mar 2007
Location: NCL
Programs: BA Gold, Hilton Diamond, IHG Platinum, Bonvoy Gold
Posts: 277
In quite a lot of bookings over recent months since this came in, I've had the 'one last thing' email once, the day after making the booking. I have to admit even knowing that it might come, it did feel like a phishing attempt and I did give the email and its links a very close inspection before going through with the authentication.

The overall outcome was the payment ended up being taken twice, once directly by the hotel and once by 3C which took a call to the property to resolve. Initially they couldn't find the second payment but did get back to me within a couple of days to let me know that they had found it and refunded the duplicate.

This was a booking at Hilton St. George's Park (Burton-upon-Trent, UK).
MarcD is online now  
Old Jan 23, 2020, 11:29 am
  #4  
 
Join Date: Jul 2012
Programs: HH D
Posts: 1,641
This 3C Payments looks like such an unprofessional club. They are one of those payment providers that offer the currency conversion scam. In Europe they have modern standard type terminals but contact-less payment almost never works. Which is a pain because I have a smartwatch without a floor limit, so
a) I always have to use a card
b) always have to enter a PIN code on the terminal
This takes much more time than just holding your watch against the terminal for two seconds. By the way, same issue with 3C at Marriott and IHG.

Also for some reason they seem to require front desk staff to provide a paper slip for the "credit card reservation" for incidentals. What do I need this stupid piece of paper for? It's a reservation, it's not a payment.

Now with this transaction at NDSM Wharf, and in a short while probably all hotels that use 3C.

The 3C webpage looks ludicrously simple, like it was designed by a Romanian hacker in the 1990's. You have to type ALL your credit card info by hand (unless you use your browser's fill-in-forms function - but why would you do that with credit cards). And the next time you make a prepaid stay at the same hotel, you'll have to do it all over again. Takes all the fun out of making quick mattress run stays.
Sisosig is offline  
Old Jan 23, 2020, 12:29 pm
  #5  
 
Join Date: Jun 2007
Location: Harrisburg, PA
Programs: MP, Marriott, HHonors
Posts: 231
So if I'm reading this correctly, this is only for the prepaid rooms? If you wish to book a cancellable room and pay upon checkout, that is not part of the process, correct?

TIA,
Kara
karatelovr is offline  
Old Jan 23, 2020, 12:55 pm
  #6  
:D!
 
Join Date: Sep 2012
Location: NW London and NW Sydney
Programs: BA Diamond, Hilton Bronze, A3 Diamond, IHG *G
Posts: 6,344
I read CWS's post with interest as this reminded me of some posts I read on the Doubletree Madrid thread. Quoted:

Originally Posted by glasszon
Is it normal for this hotel to send you a separate email outside of the Hilton system asking you to make the prepayment or they will cancel your booking? The link they sent have https://sis.redsys.es as the domain, is it legit?
Originally Posted by SouthWesterner
I was really taken aback, having just received the same email after making a pre-paid booking for this property. Emailed back complaining about this being highly irregular (it definitely isn't a standard Europe-wide) and pointing out that this sort of system is apt to make customers fall for phishing scams. Glad to have confirmation that it's genuine, but I can really see no good reason for processing payments in such a strange way.
However, looking at the dates of those posts, they were from 2018 before the directive came into force, but at least one Hilton hotel was already doing something like this.


Anyway, this raises a number of questions -
1) For direct Hilton prepaid bookings, hotels usually charged me a few hours to a few weeks after booking; but some also charged me a few weeks to a few hours before check-in, while a few didn't ever charge me and I paid at check-in. (I understand that US Hilton prepaid bookings are immediately charged by Hilton.com.) Does this mean that this email will also come at a random time, whenever the hotel tries to submit the charge?

If the hotel doesn't initiate the payment process until shortly before check-in, guests are quite likely to be travelling in the 24 hours before check-in and may not even see the email before arriving at the hotel. If the reservation is cancelled because of this, it would hardly be the fault of the guest.


2) After you get the email, how long do you have to pay? I wonder if this effectively lets prepaid reservations become flexible? With IHG, if the hotel has not yet taken payment, you can change the date or even room type of the reservation and it seems that hotels do not notice, and only charge the new amount (if the changed booking is still a prepaid rate) or even don't charge until check-out (if flexible). You have nothing to lose by attempting this as you are on the hook for the original rate. I have not tried it with Hilton. Of course if you phone or email the hotel they often don't mind changing prepaid rates to another date with the same or higher prepaid rate, and only charge the additional amount.

Furthermore, regarding CWS's experience with paying on check-in, I wonder if most hotels would not be too bothered about the prepayment if they aren't overbooked, or whether most hotels would actually cancel the reservation. Admittedly this is a rather niche issue for me because I prefer to pay continental European hotels in cash if possible, but normally I can only do this with flexible rates and would not book a much dearer flexible rate just for this reason. So if I judge the hotel to be half empty I may deliberately ignore these payment requests and see what happens.

Also it would prevent hotel charges from coming as a surprise. A hotel did not charge me for a prepaid reservation for several months, and the stay was still a few months away when I made a large purchase on that card. This took the balance close to the credit limit, and the hotel chose to charge me right after that. Fortunately there were no ill effects as the bank allowed me to go quite far over my limit, so the hotel charge went through. I promptly sent a payment to the card and was not charged any overlimit fees. But if this process was used I would have paid off the card before trying to pay the hotel and the problem would be sidestepped completely.


3) How is the amount of the charge displayed? I know that for some hotels, particularly in NL, they often try to DCC my Visa or Mastercard cards, which requires a complaint, refund (always less than the amount which was charged) then further complaints. I would hope that going through this payment portal prevents DCC, or at least gives you the option to decline.


4) Is it Hilton that decides which cards are affected, or is this something that hotels have to implement themselves? What if I, a consumer in the EEA (well, the UK) use a non-EEA card to book a hotel in the EEA?


Originally Posted by MarcD
In quite a lot of bookings over recent months since this came in, I've had the 'one last thing' email once, the day after making the booking. I have to admit even knowing that it might come, it did feel like a phishing attempt and I did give the email and its links a very close inspection before going through with the authentication.

The overall outcome was the payment ended up being taken twice, once directly by the hotel and once by 3C which took a call to the property to resolve. Initially they couldn't find the second payment but did get back to me within a couple of days to let me know that they had found it and refunded the duplicate.

This was a booking at Hilton St. George's Park (Burton-upon-Trent, UK).
When did the hotel charge you directly - at the same time as the email or a long time after? And which payment did they refund (if you can tell)?
:D! is online now  
Old Jan 23, 2020, 2:27 pm
  #7  
Moderator, Iberia Airlines, Airport Lounges, and Ambassador, British Airways Executive Club
Original Poster
 
Join Date: Feb 2010
Programs: BA Lifetime Gold; Flying Blue Life Platinum; LH Sen.; Hilton Diamond; Kemal Kebabs Prized Customer
Posts: 63,809
There was also the recent thread on someone charged a higher room rate than the booked rate after OLCI which perhaps was connected. If I may summarise your questions:
1) Does this mean that this email will also come at a random time, whenever the hotel tries to submit the charge?
2) After you get the email, how long do you have to pay?
3) How is the amount of the charge displayed?
4) Is it Hilton that decides which cards are affected, or is this something that hotels have to implement themselves?
1) I think it is a random time when the email arrives, it didn't arrive in the first few hours, so it's going to be detached from the booking process, which is in itself a nuisance to a frequent traveller.
2) In my case there isn't a deadline mentioned in the email, or on the 3C page. In fact even though I have settled up directly at the hotel, the 3C page is still visible, so it is detached from the payment process flow.
3) The amount charged on the email and 3C screen is only available in Euros, I'm not sure if DCC would show up later, I would guess not.
4) It's European law, albeit local regulators are giving leeway for a few months to banks. So as soon as a financial institution decides that SCA has to be in place, they won't complete the transaction initiated by the hotel. So in essence the bank of the hotel in question will largely determine whether to go through this, and within a period of months this could/should be the rule rather than the exception.

If your credit card is not issued in Europe then this process would not apply, and from the background information it seems specific to inflexible rates. However there are wider implications for things like no show fees, mini-bar consumption spotted after departure and any other transaction where the customer is not actually in front of you - or a SCA input screen - when you want their money. A colleague staying at another Dutch property has mentioned another problem: the email has a "Pay Here" button in the email body. His email software simply doesn't connect to anything when you click on the button, nor is the underlying URL written out separately. So in its current form he is simply unable to link to the 3C screen. The email does provide an email address at Hilton for any queries however. So he sent an email off, been to the hotel, paid locally as I did in post 2, hasn't heard back from corporate Hilton yet......
:D! likes this.
corporate-wage-slave is online now  
Old Jan 23, 2020, 3:01 pm
  #8  
 
Join Date: Oct 2006
Location: Long Beach, CA
Programs: AA PLTPRO, HH Diamond, IHG Plat, Marriott Plat, Hyatt Globalist
Posts: 3,559
Thanks to OP creating this thread. I've noticed this on my recent European bookings and last night just switched a pre-paid booking. I was going to come here to FT to post a question but happily found this thread.

If I don't get the email or miss it, is there some way I can check to verify that I should be doing something? As mentioned upthread, it's really hit or miss as to when my prepaid reservations actually get charged.
OskiBear is offline  
Old Jan 23, 2020, 3:08 pm
  #9  
Moderator, Iberia Airlines, Airport Lounges, and Ambassador, British Airways Executive Club
Original Poster
 
Join Date: Feb 2010
Programs: BA Lifetime Gold; Flying Blue Life Platinum; LH Sen.; Hilton Diamond; Kemal Kebabs Prized Customer
Posts: 63,809
Originally Posted by OskiBear
If I don't get the email or miss it, is there some way I can check to verify that I should be doing something?
This goes to the heart of the problem. Because the SCA is detached from Hilton's reservation system - detached by process, detached by time - you have no way of knowing. Naturally if you get an email then you know to act, but you can't tell from the booking itself whether something is pending or not. I have completed 8 separate reservations in January so far, covering 4 EU countries, this is the one example where it has actually happened. And as the final reservation screen says you may be contacted. Or you may not.
corporate-wage-slave is online now  
Old Jan 23, 2020, 6:17 pm
  #10  
 
Join Date: Dec 2016
Location: WAW
Programs: A3(*G), Marriott Platinum, Hilton Diamond, IHG Diamond Ambassador
Posts: 2,534
So am I correct in assuming from this that if the booking is pre-paid it's potentially your problem, but if the booking is flex it's potentially the hotel's problem?

BTW, Booking.com has been broken for me ever since PSD2 was introduced. It always fails/hangs after the CC details are entered and I hit the final button to pay. I've used a dozen different CCs, multiple platforms (Mac, Windows, iOS), devices (iPhone, iPad, iMac, Surface Pro) and Browsers (Chrome, Firefox, Edge, Brave, Vivaldi - plus each one in Incognito mode also) and had a very long and fascinating back-and-forth with their head office, but despite all that I can no longer complete the checkout process on any Booking.com bookings against my account. I also set up a brand new account (so no Genius discount) - exact same results.

For my non-chain bookings I've now switched to Agoda and haven't had any problems (I prefer their interface and app so I don't see myself ever going back to Booking).
Sisosig likes this.
yurtripper is offline  
Old Jan 24, 2020, 12:32 am
  #11  
:D!
 
Join Date: Sep 2012
Location: NW London and NW Sydney
Programs: BA Diamond, Hilton Bronze, A3 Diamond, IHG *G
Posts: 6,344
Originally Posted by yurtripper
So am I correct in assuming from this that if the booking is pre-paid it's potentially your problem, but if the booking is flex it's potentially the hotel's problem?

For my non-chain bookings I've now switched to Agoda and haven't had any problems (I prefer their interface and app so I don't see myself ever going back to Booking).
If the booking is flex then you pay at the hotel and there is no problem... unless you used digital key, never presented your actual card (or phone, if they accept things like Google pay) and departed without checking out...

I wonder if some hotels will now insist on having to see a card where they didn't previously, and by extension not issue a digital key until a card is presented on non-prepaid bookings, if (as CWS suggests) the bank they use gets fussy about implementing the PSD2 properly.


For my non-chain bookings I use hotels.com unless there is some special offer elsewhere. Hotels.com appears to be able to take payments directly for the majority of hotels, and can even do this on flexible bookings (they just refund you if you cancel), although I have encountered some hotels where it says they pass your card details to the hotel - both on prepaid and flexible rates.

However I notice that hotels.com transactions are processed differently. I have a card that verifies all online transactions by SMS, even buying a £2 bus ticket on an app, and using that card on hotels.com doesn't generate an SMS.

I thought that booking.com only passes your details to the hotel and doesn't take payment itself, but I haven't used it in a few years.
Aselwyn likes this.
:D! is online now  
Old Jan 24, 2020, 12:38 am
  #12  
 
Join Date: Jul 2012
Programs: HH D
Posts: 1,641
Originally Posted by karatelovr
So if I'm reading this correctly, this is only for the prepaid rooms? If you wish to book a cancellable room and pay upon checkout, that is not part of the process, correct?

TIA,
Kara
At DT NDSM Wharf I was told you would only get this payment request when booking prepaid rates.
Sisosig is offline  
Old Jan 24, 2020, 3:25 am
  #13  
 
Join Date: Mar 2007
Location: NCL
Programs: BA Gold, Hilton Diamond, IHG Platinum, Bonvoy Gold
Posts: 277
Originally Posted by :D!
When did the hotel charge you directly - at the same time as the email or a long time after? And which payment did they refund (if you can tell)?
Just been through my Amex statement and this is the sequence of events:
19 Nov: Advance purchase booking made
20 Nov: Receive the 'one last thing' email
20 Nov: Complete online payment as per email request
20 Nov: Charge to Amex: 3CPAYMENT*HILTON AT ST CARDIFF
22 Nov: Second Charge to Amex: 3CPAYMENT*HILTON AT ST BURTON UPON TRE
27 Nov: Submitted enquiry via Hilton.com after waiting a few days for things to sort themselves out automatically
28 Nov: Reply from hotel, also confused as to why the payment is showing Cardiff and querying whether the payment is for this booking but it's the only transaction for the same amount I've made with Hilton.
28 Nov: Called hotel rather than trying to resolve by email. They can't see the duplicate payment but will investigate
01 Dec: Refund to Amex: 3CPAYMENT*HILTON AT ST CARDIFF
02 Dec: Further email from property, duplicate payment located and refunded. Second payment not visible to them at the time due to 'what they believe to be a technical glitch'

So long story short, the payment I authorised online was refunded. Showing as Cardiff doesn't help matters and doesn't offer much reassurance given the circumstances in which you are asked to pay will raise suspicions in most anyway!
My other concern at the time is that there was a £50 off £200 Amex promotion on at the time, and thought that the 3C payments would be a way of stopping the payments counting towards that. Fortunately that wasn't the case and the statement credit posted fine.
corporate-wage-slave and :D! like this.
MarcD is online now  
Old Jan 24, 2020, 9:15 am
  #14  
 
Join Date: Oct 2010
Location: Switzerland
Programs: AY+ Platinum, SK Gold, BAEC Silver, airbaltic VIP, Radisson VIP
Posts: 6,531
Does this apply to bookings made through the app?
florens is offline  
Old Jan 24, 2020, 10:19 am
  #15  
Moderator: American AAdvantage, Travel Safety/Security & Texas, FlyerTalk Evangelist
 
Join Date: Sep 2006
Location: AUS / GRK
Programs: AA, HHonors, Hertz
Posts: 13,485
This has been around for at least several months. I made a booking in November (will arrive on-property tomorrow), and got the email a few days after my reservation. I had to go to a separate page to basically complete the credit card portion again. It said something like if I didn't do this my reservation would be cancelled.
I had just assumed this was going on for a while.
aztimm is offline  

