Everything you need to know about Strong Customer Authentication


As part of the second Payment Services Directive (PSD2), Strong Customer Authentication (SCA) requires businesses to verify guests’ identity thoroughly when they make an online transaction. 

Guests can use two of three methods to verify their identity and prove that they are the card owner: something that they know (password or PIN), something they have (phone or hardware token) or something they are (fingerprint or facial recognition).




Strong Customer Authentication and the Payment Service Directive

In 2019, the European Union (EU) adopted the second Payment Services Directive (PSD2) legislation to reduce fraud and make transactions more secure for online businesses located in the European Economic Area (EEA), as well as the UK. The legislation calls for stronger customer authentication for online payments/purchases.

Part of this legislation, Strong Customer Authentication (SCA), requires us to implement thorough authentication measures on transactions when both the card issuer and the seller’s acquiring bank are located in the EEA. These measures ensure that your guest is the actual card owner. If SCA isn’t provided, banks are legally required to decline the payment.

Even though the legislation came into effect on 14 September 2019, it needed to be implemented into local laws, so each EEA country had different dates to roll out PSD2. Throughout the last few years, banks have begun implementing and enforcing SCA. You can learn more about SCA from the European Commission, Adyen, Stripe or JPMorgan.

From 1 January 2021, depending on the country, card issuers will decline payments that require SCA but don’t meet these criteria.


When Strong Customer Authentication applies

For payments from customers that you are collecting yourself, SCA will apply if you’re charging a credit or debit card that is issued by a card issuer located in the EEA and your card processor is also based within the EEA. 

SCA applies to online sales. This means that whenever you charge a card that is not physically inserted into your Point of Sale (POS) machine, SCA will need to be applied.


How Payments by Booking.com supports you

We will take care of SCA for any reservations that are facilitated via Payments by Booking.com. If all your payments are facilitated by Booking.com, you don’t need to take any action. 

We perform all SCA-related secondary authentication for prepaid reservations and for non-prepaid reservations. This ensures that we’re able to charge a guest credit card on your behalf if we need to – something that would be extremely challenging for your business for remote transactions.

When a guest pays through Payments by Booking.com, we will authenticate their payment transaction and you will continue to receive virtual credit cards from us, which you’ll be able to charge as before. SCA does not apply to these virtual credit cards, meaning the bank is not allowed to block them. Bank transfer payouts will continue as normal.

If a guest chooses to pay you directly and you charge their card at check-in or check-out in their presence, you can continue to do so. SCA does not apply. For all such non-prepaid reservations, we automatically validate guest credit cards on your behalf and collect any necessary SCA-related data. Therefore, in the event that you are owed any no-show or late-cancellation fee, we are able to attempt charging their cards and pay you out. You can read more about our card validation service here.


Strong Customer Authentication if you don’t use Payments by Booking.com

We can only support you with SCA if you sign up for a Payments product. If you choose not to sign up for a Payments product, you’ll need to manage your guests’ payments and perform SCA yourself on any credit card details you receive. 

If you are not eligible for Payments by Booking.com, please contact your bank or payment service provider. They will be able to advise you on the new PSD2 legislation and how to make sure you’re meeting the SCA requirements. 


Where Strong Customer Authentication applies

SCA applies within the EEA, as well as the UK. It is relevant when a business works with an EEA-based card acquirer and a customer’s bank or credit card company is also located within the EEA.

Under PSD2, SCA applies to the following countries:

  • Austria 
  • Belgium 
  • Bulgaria 
  • Croatia 
  • Republic of Cyprus 
  • Czech Republic 
  • Denmark 
  • Estonia 
  • Finland 
  • France 
  • Germany 
  • Greece 
  • Hungary 
  • Iceland 
  • Ireland 
  • Italy 
  • Latvia 
  • Liechtenstein 
  • Lithuania 
  • Luxembourg 
  • Malta 
  • Monaco 
  • Netherlands 
  • Norway 
  • Poland 
  • Portugal 
  • Romania 
  • Slovakia 
  • Slovenia 
  • Spain
  • Sweden
  • Switzerland – if you are located in Switzerland but using an EEA acquirer, SCA can apply
  • UK – not EEA but also enforces SCA

Not all countries follow the same enforcement timelines. 


Strong Customer Authentication for non-EEA partners

If you are located outside of the EEA, SCA may still apply. For example, if you are working with an EEA-based card acquirer and you charge guests’ cards remotely (for example for pre-payments, deposits or no-show fees), then SCA will apply.


Declined transactions due to Strong Customer Authentication

If you experience declined transactions and you are located outside of the EEA, you can use the invalid credit card process to mark guest cards as invalid. If in doubt, please check with your payment service provider to find out which transactions are in the scope of SCA. 

For EEA partners that use Payments by Booking.com, we manage card validation for the non-prepaid reservations where this is relevant. When we find a card invalid, we give guests 24 hours to update it. If they do not update it with a card that we can validate, we mark it as invalid and allow you to cancel the reservation. You will see a ‘Cancel reservation’ button in your reservation details if the card is invalid. You can find more details here.
