(Airline, Rail, Hotel)
(Travel Agency, OTS, Portals, Meta Searcher)
The service provider remunerates a travel agency, travel portal etc. for the mediation of a service. This can be a percentage or in the form of a fee or a combination. The contracting parties arrange for payment according to the agreement. If the service provider makes the direct collection (see also Service Provider/Customer), he will usually receive the travel price from the customer by direct debit, bank transfer or by different payment systems. In the case of agency collection (see also Agent / Customer) by the agent, the customer also pays via offered payment systems, such as credit card, direct debit, etc. in the travel agency or travel portal. In the case of down payments and remaining payments, the service provider or agent may store payment information to simplify the process of remaining payment. If credit card information is stored, PCI/DSS certification is required.
If the tour operator collects the money (direct collection), the relationship is the same as between the service provider and the customer. In addition, however, the tour operator must also conduct payment strams with partnering service providers.
If the intermediary is responsible for debt collection (agency debt collection), the intermediary must implement processes and payment procedures that meet the necessary regulatory requirements, as mentioned in the section on service providers and intermediaries. The agent has either directly installed payment methods himself or uses the services of online payment services that offer different payment methods. If he uses online payment services, the payments take place on the servers of the service. Thus, regarding credit cards and PSD2, the intermediary must be able to rely on the online payment service for fulfilment of regulatory requirements. If he processes payments himself, the intermediary needs internal processes that guarantee secure processing of payments.
The tour operator must pay the service provider the agreed purchase price for the service. Depending on the agreement, payment is made by invoice in agreed quotas at certain times or directly at the time of sale to the customer (dynamic tour operators).
The service provider also sells directly to customers. Customers usually pay using payment systems (Paypal, immediate bank transfer or similar) and credit cards, bank transfer or direct debit. In the case of down payments and remaining payments, the service provider may store payment information to simplify the process of remaining payment. Storing or processing credit card information requires PCI/DSS certification. As of 14.9.2019, suitable processes for SCA (Strong Customer Authentication) must also be in place.
Moreover, the seller can choose whether to process digital payments himself or hire a service provider. In both cases, the seller must ensure the security of the payment and the associated data. If he integrates the payment methods into his process landscape, he is responsible for implementing the security precautions. If he uses a payment service provider, he makes use of this service by the payment provider.
PCI/DSS - PSD2 - AML
Accepting payments assigns different requirements to companies. In this case, companies must comply with the Payment Services Directive. In particular, the PSD2 (Payment Services Directive 2) calls for Strong Customer Authentication (SCA) as part of the renewal of this directive. SCA prevents fraud by ensuring a persons entitlement to use the chosen payment method. A company storing or processing credit card data must comply with PCI/DSS. An annual third party audit determines compliance. Cash payments are subject to Anti Money Laundering (AML) regulations. Payments exceeding €10,000 trigger an increased duty of care within the framework of the KYC (Know Your Customer) processes. This value was reduced from €15,000 to €10,000 under the fifth Money Laundering Directive.