Everything you need to know about Strong Customer Authentication
As part of the second Payment Services Directive (PSD2), Strong Customer Authentication (SCA) requires businesses to verify guests’ identity thoroughly when they make an online transaction.
Guests can use two of three methods to verify their identity and prove that they are the card owner: something that they know (password or PIN), something they have (phone or hardware token) or something they are (fingerprint or facial recognition).
Strong Customer Authentication and the Payment Service Directive
In 2019, the European Union (EU) adopted the second Payment Services Directive (PSD2) legislation to reduce fraud and make transactions more secure for online businesses located in the European Economic Area (EEA), as well as the UK. The legislation calls for stronger customer authentication for online payments and purchases.
Part of this legislation, Strong Customer Authentication (SCA), requires us to implement thorough authentication measures on transactions when both the card issuer and the seller’s acquiring bank are located in the EEA. These measures ensure that your guest is the actual card owner. If SCA isn’t provided, banks are legally required to decline the payment.
Even though the legislation came into effect on 14 September 2019, it needed to be implemented in local laws, so each EEA country had different dates to roll out PSD2. Throughout the last few years, banks have begun implementing and enforcing SCA. You can learn more about SCA from the European Commission, Adyen, Stripe or JPMorgan.
From 1 January 2021, depending on the country, card issuers will decline payments that require SCA but don’t meet these criteria.
When Strong Customer Authentication applies
For payments from customers that you are collecting yourself, SCA will apply if you’re charging a credit or debit card that is issued by a card issuer located in the EEA and your card processor is also based within the EEA.
SCA applies to online sales. This means that whenever you charge a card that is not physically inserted into your Point of Sale (POS) machine, SCA will need to be applied.
How Payments by Booking.com supports you
We will take care of SCA for any reservations that are facilitated via Payments by Booking.com. If all your payments are facilitated by Booking.com, you don’t need to take any action.
We perform all SCA-related secondary authentication for prepaid reservations and for non-prepaid reservations. This ensures that we’re able to charge a guest credit card on your behalf if we need to – something that would be extremely challenging for your business for remote transactions.
When a guest pays through Payments by Booking.com, we will authenticate their payment transaction and you will continue to receive virtual credit cards from us, which you’ll be able to charge as before. SCA does not apply to these virtual credit cards, meaning the bank is not allowed to block them. Bank transfer payouts will continue as normal.
If a guest chooses to pay you directly and you charge their card at check-in or check-out in their presence, you can continue to do so. SCA does not apply. For all such non-prepaid reservations, we automatically validate guest credit cards on your behalf and collect any necessary SCA-related data. Therefore, in the event that you are owed any no-show or late-cancellation fee, we are able to attempt charging their cards and pay you out. You can read more about our card validation service here.
Strong Customer Authentication if you don’t use Payments by Booking.com
We can only support you with SCA if you sign up for a Payments product. If you choose not to sign up for a Payments product, you’ll need to manage your guests’ payments and perform SCA yourself on any credit card details you receive.
If you are not eligible for Payments by Booking.com, please contact your bank or payment service provider. They will be able to advise you on the new PSD2 legislation and how to make sure you’re meeting the SCA requirements.
Where Strong Customer Authentication applies
SCA applies within the EEA, as well as the UK. It is relevant when a business works with an EEA-based card acquirer and a customer’s bank or credit card company is also located within the EEA.
Under PSD2, SCA applies to the following countries:
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Iceland
- Ireland
- Italy
- Latvia
- Liechtenstein
- Lithuania
- Luxembourg
- Malta
- Monaco
- Netherlands
- Norway
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- Switzerland – if you are located in Switzerland but using an EEA acquirer, SCA can apply
- UK – not EEA but also enforces SCA
Not all countries follow the same enforcement timelines.
Strong Customer Authentication for non-EEA partners
If you are located outside of the EEA, SCA may still apply. For example, if you are working with an EEA-based card acquirer and you charge guests’ cards remotely (for example for pre-payments, deposits or no-show fees), then SCA will apply.
Declined transactions due to Strong Customer Authentication
If you experience declined transactions and you are located outside of the EEA, you can use the invalid credit card process to mark guest cards as invalid. If in doubt, please check with your payment service provider to find out which transactions are in the scope of SCA.
For EEA partners that use Payments by Booking.com, we manage card validation for the non-prepaid reservations where this is relevant. When we find a card invalid, we give guests 24 hours to update it. If they do not update it with a card that we can validate, we mark it as invalid and allow you to cancel the reservation. You will see a ‘Cancel reservation’ button in your reservation details if the card is invalid. You can find more details here.