What is Strong Customer Authentication?

On 14 September 2019, new legislation called Payment Service Directive 2 (PSD2) will come into effect – aiming to reduce fraud and make online payments more secure. This means that when charging (or authorising) a card that is not physically present, or when charging cards remotely, you’ll have to perform Strong Customer Authentication (SCA). 

Strong Customer Authentication means that your guests’ identity will need to be verified in a thorough manner. In other words, the guest needs to prove that they are the card owner by using two of the three methods* of authentication shown below:

 

Image
graphic_strong_customer_authentication

*Something that the customer knows (password or PIN), has (phone) or is (fingerprint).

 

Note: From 14 September 2019, banks will decline payments that require Strong Customer Authentication but don’t meet these criteria.

 

Jump to:

When will Strong Customer Authentication apply?

How will Booking.com support me?

All payments managed by Booking.com

Why is the new legislation called PSD2?

What is SCA under the new PSD2 directive?

In which territories will SCA under PSD2 apply?


 

When will Strong Customer Authentication apply?

Strong Customer Authentication will apply if you’re charging a credit or debit card that is issued by a European Economic Area (EEA) entity and you’re also based within the EEA. Whenever you attempt to charge a card that is not physically inserted into your Point of Sale machine, Strong Customer Authentication will need to be applied.


 

How will Booking.com support me?

Any reservations that are facilitated via Online Payments will have Strong Customer Authentication taken care of by Booking.com. 

Payments partially managed by Booking.com

If you’re already using Online Payments with some of your payments facilitated by Booking.com, this is how we’ll support you:

  • If a guest pays through our Online Payments service, we’ll take care of authenticating their payment transaction. You won’t need to do anything.
  • If a guest chooses to pay you directly, SCA may apply. If you normally charge guests’ cards in person at check-in or check-out, you can continue to do this the same way. SCA shouldn’t apply.  If you charge guests remotely (e.g. for pre-payments, deposits, or no-show fees), SCA may apply. In these cases, we’ll support you and do our best to minimise operational impact.

 

All payments managed by Booking.com

If you’re using Online Payments and have all your payments facilitated by Booking.com, you don’t need to take any action. We’ll authenticate all payment transactions for your Booking.com reservations.

What if I don’t want to use Online Payments?

We can only support you with SCA if you sign up for Online Payments. If you choose not to sign up for Online Payments, you’ll need to manage your guests’ payments and handle Strong Customer Authentication requirements. For more information, contact your bank or take a look at the links we’ve shared in the ‘Next steps’ section, below. 

What should I do if I’m not eligible for Online Payments?

Please contact your bank, who’ll be able to advise you on the new PSD2 legislation and how to make sure you’re meeting the SCA requirements. You can also take a look at the links we’ve shared in the ‘Next steps’ section, below. 

What should I do if I experience declined transactions?

If you experience declined transactions, you can use the invalid credit card process to mark guest cards as invalid. In order to help you successfully charge customer cards, we are currently enhancing the invalid credit card process in line with SCA requirements. We’ll provide you with regular updates about this solution.

Next steps

We’ll post more content that informs you about Strong Customer Authentication and supports you in clarifying how the legislation can impact you, and how you can prepare for its introduction.

In the meantime, you can learn more about SCA from Adyen, Stripe or JPMorgan


 

Why is the new legislation called PSD2?

PSD2 stands for Payment Service Directive 2, an iteration of the current payment service directive. The iteration calls for even stronger customer authentication for online payments/purchases. Strong Customer Authentication is referred to as SCA. So PSD2 is the regulation itself and SCA refers to the actions needed to comply with PSD2.


 

What is SCA under the new PSD2 directive?

Strong Customer Authentication (SCA) means that customers will need to take extra steps during the payment process for purchasing anything online, or when a card is not physically inserted into a Point of Sale machine. By doing this, the customer will prove that they are the cardholder – hence reducing fraud.


 

In which territories will SCA under PSD2 apply?

Within Europe, meaning whenever the business a customer is looking to purchase something from is located within countries in the EEA and the customer’s bank or credit card company is also located within the EEA.

PSD2 applies to the following countries:

  • Austria 
  • Belgium 
  • Bulgaria 
  • Croatia 
  • Republic of Cyprus 
  • Czech Republic 
  • Denmark 
  • Estonia 
  • Finland 
  • France 
  • Germany 
  • Greece 
  • Hungary 
  • Iceland 
  • Ireland 
  • Italy 
  • Latvia 
  • Liechtenstein 
  • Lithuania 
  • Luxembourg 
  • Malta 
  • Monaco 
  • Netherlands 
  • Norway 
  • Poland 
  • Portugal 
  • Romania 
  • Slovakia 
  • Slovenia 
  • Spain
  • Sweden
  • UK.