What is Strong Customer Authentication?
In 2019, the European Union (EU) adopted a new legislation under the Payment Service Directive (PSD2) to reduce fraud and make transactions more secure for online businesses located in the European Economic Area (EEA).
A part of this legislation - Strong Customer Authentication (SCA) - requires all online businesses, including Booking.com, to implement more thorough authentication measures on transactions when both the cardholder and the business’ bank are located in the EEA.
These measures ensure that the customer (in this case, your guest) is the right card owner. If no SCA is provided, banks are legally required to decline the payment.
Strong Customer Authentication means that your guests’ identity will need to be verified in a thorough manner. In other words, the guest needs to prove that they are the card owner by using two of the three methods* of authentication shown below:
*Something that the customer knows (password or PIN), has (phone) or is (fingerprint).
Note: From 1 January 2021, depending on the implementation per country, banks will decline payments that require Strong Customer Authentication but don’t meet these criteria.
Even though the legislation came into effect on 14 September 2019, a new deadline of 1 January 2021 was introduced to enable a smoother transition period for online businesses providing these SCA measures. While SCA is expected to be rolled out starting 1 January 2021, each country will set its own timeline to implement the legislation.
Strong Customer Authentication will apply if you’re charging a credit or debit card that is issued by a European Economic Area (EEA) entity and you’re also based within the EEA. Whenever you attempt to charge a card that is not physically inserted into your Point of Sale (POS) machine, Strong Customer Authentication will need to be applied.
Any reservations that are facilitated via Online Payments will have Strong Customer Authentication taken care of by Booking.com.
If you’re already using Online Payments with some of your payments facilitated by Booking.com, this is how we’ll support you:
When you won’t need to worry about SCA
When a guest pays through our Online Payments service, we will authenticate their payment transaction and you’ll receive a virtual credit card from us which you’ll be able to charge as before. Virtual credit cards from Booking.com are out of scope of SCA, meaning these are not allowed to be blocked by the bank.
If a guest chooses to pay you directly, and you charge their card at check-in or check-out in their presence, you can continue to do so. SCA shouldn’t apply.
When SCA may apply
If you charge guests’ cards remotely (for example for pre-payments, deposits, or no-show fees), SCA may apply.
While Booking.com doesn’t process these payments, we will support you to ensure you face minimal operational impact due to SCA. At the time of reservation, Booking.com will assess whether a guest’s payment may be subject to SCA:
- If we believe SCA might apply, we will request that the guest pay through our Online Payments service.
- If we believe that the payment is not subject to SCA, your guests can continue to either pay online or pay you directly. In case you’re still unable to charge a guest’s card remotely, you can mark it as invalid and we will attempt to recover the payment.
If you have all your payments facilitated by Booking.com, you don’t need to take any action. We’ll take care of authenticating all your customers’ payment transactions for reservations made on Booking.com.
What if I don’t want to use Online Payments or Payments by Booking.com?
We can only support you with SCA if you sign up for a Payments product. If you choose not to sign up for a Payments product, you’ll need to manage your guests’ payments and perform SCA where applicable. For more information, contact your bank or payment service provider, or take a look at the links we’ve shared in the ‘Next steps’ section, below.
What should I do if I’m not eligible for Online Payments or Payments by Booking.com?
Please contact your bank or payment service provider, who’ll be able to advise you on the new PSD2 legislation and how to make sure you’re meeting the SCA requirements. You can also take a look at the links we’ve shared in the ‘Next steps’ section, below.
What should I do if I experience declined transactions?
If you experience declined transactions, you can use the invalid credit card process to mark guest cards as invalid. In order to help you successfully charge customer cards, we are currently enhancing the invalid credit card process in line with SCA requirements. We’ll provide you with regular updates about this solution.
We’ll post more content that informs you about Strong Customer Authentication and supports you in clarifying how the legislation can impact you, and how you can prepare for its introduction.
PSD2 stands for Payment Service Directive 2, an iteration of the current payment service directive. The iteration calls for even stronger customer authentication for online payments/purchases. Strong Customer Authentication is referred to as SCA. So PSD2 is the regulation itself and SCA refers to the actions needed to comply with PSD2.
Within Europe, meaning whenever the business a customer is looking to purchase something from is located within countries in the EEA and the customer’s bank or credit card company is also located within the EEA.
PSD2 applies to the following countries:
- Republic of Cyprus
- Czech Republic
Not all countries follow the same enforcement timelines. Keep on checking this page for the latest country updates.
March 14, 2021
March 15, 2021
September 14, 2021
The extended grace period only applies to domestic payments taken within the country itself. That means if a business in these countries collects any cross-border payments from elsewhere in the EEA, SCA may still apply to those.
Guest Policies & Payments
- Setting up no-credit card details on your most flexible rate
- Can I set up the same policies for all of my properties in one go?
- How can I set up the grace period?
- How can I change the breakfast type?
- No credit card details for domestic bookers
- Managing my services charges
- Last-minute bookings without credit cards
- How can I update my property’s WiFi internet settings in the extranet?
- How can I make changes to my property's policies?
- Why are there restrictions for setting up policies?
- Can I change or add policies myself?
- What type of policies can I set up?
- How to set up standard children rates
- Setting up cancellation policies
- Making changes to your parking policies
- How can I set up ‘no credit-card details for domestic bookers’?
- How do I handle property damage by guests?
- How can I view guest credit card details using Pulse?
- Do I supply guests with invoices?
- How can I access guests’ credit card details?
- How can I set up pre-authorisation for guests’ credit cards?
- How can I set up a damage deposit?
- How do I mark a credit card as invalid?
- How can I change my payment preferences and which credit cards I accept?
- How can I make changes to deposit and pre-payment information?
- I'd like to set up a prepayment deposit. How can I do this?
- How do I handle guest payments?
- The guest hasn't paid the deposit/pre-payment. Can I cancel the booking?
- What is Strong Customer Authentication?
- Can I charge credit card and/or payment fees on bookings I receive through Booking.com?
- Can I mark credit cards as invalid in Pulse?
- Introducing payment solutions from Booking.com
- Payments - FAQs and all you need to know
- How can I join Payments by Booking.com?
- How much does it cost to use Payments by Booking.com?
- What to know about virtual credit cards (VCCs)
- Receiving bank transfer payments via Payoneer in Japan
- Temporary changes for virtual credit card activation date (VCC)
- How and when do I refund a virtual credit card (VCC) ?
- Cost savings and earlier activation dates for virtual credit cards
- Card validation and fee collection solution
- Card validation and fee collection solution for connected partners