MIDOCO Midoffice is PCI/DSS (Level 1) certified

To understand how payment works in the German travel industry, we first look at the participants and their relationships. This view similarly may apply to other markets as well. The business among each other defines the processes that arise regarding payment. Depending on how these processes are structured regulatory issues such as data security and e.g. PSD2 apply.

In the tourism industry basically, four types of participants interact:

1. Service Provider and Intermediary

The service provider remunerates a travel agency, travel portal etc. for the mediation of a service. This can be a percentage or in the form of a fee or a combination. The contracting parties arrange for payment according to the agreement. If the service provider makes the direct collection (see also Service Provider/Customer), he will usually receive the travel price from the customer by direct debit, bank transfer or by different payment systems. In the case of agency collection (see also Agent / Customer) by the agent, the customer also pays via offered payment systems, such as credit card, direct debit, etc. in the travel agency or travel portal. In the case of down payments and remaining payments, the service provider or agent may store payment information to simplify the process of remaining payment. If credit card information is stored, PCI/DSS certification is required.

2. Tour Operators with Customer

If the tour operator collects the money (direct collection), the relationship is the same as between the service provider and the customer. In addition, however, the tour operator must also conduct payment strams with partnering service providers.

3. Intermediaries with Customer

If the intermediary is responsible for debt collection (agency debt collection), the intermediary must implement processes and payment procedures that meet the necessary regulatory requirements, as mentioned in the section on service providers and intermediaries. The agent has either directly installed payment methods himself or uses the services of online payment services that offer different payment methods. If he uses online payment services, the payments take place on the servers of the service. Thus, regarding credit cards and PSD2, the intermediary must be able to rely on the online payment service for fulfilment of regulatory requirements. If he processes payments himself, the intermediary needs internal processes that guarantee secure processing of payments.

4. Tour Operators with Intermediaries

Similar to service providers, tour operators sell travel products directly through service centres or websites or indirectly through intermediaries. The relationship is similar to that between service providers and intermediaries. Both parties need to implement strong customer authentication, whether they just process payment information or fulfil the payment themselves. Processing credit card data requires PCI/DSS certification.

5. Service Providers with Tour Operators

The tour operator must pay the service provider the agreed purchase price for the service. Depending on the agreement, payment is made by invoice in agreed quotas at certain times or directly at the time of sale to the customer (dynamic tour operators).

6. Service Providers with Customers

The service provider also sells directly to customers. Customers usually pay using payment systems (Paypal, immediate bank transfer or similar) and credit cards, bank transfer or direct debit. In the case of down payments and remaining payments, the service provider may store payment information to simplify the process of remaining payment. Storing or processing credit card information requires PCI/DSS certification. As of 14.9.2019, suitable processes for SCA (Strong Customer Authentication) must also be in place.

Payment methods can vary:

• Cash (Offline)
• Bank transfer / direct debit (offline, digital/online)
• Credit Card (Digital /Online)
• Online payment services such as Paypal, Klarna, Sofortüberweisung, PayOne,... (Digital /Online)

Moreover, the seller can choose whether to process digital payments himself or hire a service provider. In both cases, the seller must ensure the security of the payment and the associated data. If he integrates the payment methods into his process landscape, he is responsible for implementing the security precautions. If he uses a payment service provider, he makes use of this service by the payment provider.

PCI/DSS - PSD2 - AML

Accepting payments assigns different requirements to companies. In this case, companies must comply with the Payment Services Directive. In particular, the PSD2 (Payment Services Directive 2) calls for Strong Customer Authentication (SCA) as part of the renewal of this directive. SCA prevents fraud by ensuring a persons entitlement to use the chosen payment method. A company storing or processing credit card data must comply with PCI/DSS. An annual third party audit determines compliance. Cash payments are subject to Anti Money Laundering (AML) regulations. Payments exceeding €10,000 trigger an increased duty of care within the framework of the KYC (Know Your Customer) processes. This value was reduced from €15,000 to €10,000 under the fifth Money Laundering Directive.