What is Strong Customer Authentication?

Updated 21 hours ago

In 2019, the European Union (EU) adopted a new legislation under the Payment Service Directive (PSD2) to reduce fraud and make transactions more secure for online businesses located in the European Economic Area (EEA).

A part of this legislation - Strong Customer Authentication (SCA) - requires all online businesses, including Booking.com, to implement more thorough authentication measures on transactions when both the cardholder and the business’ bank are located in the EEA.

These measures ensure that the customer (in this case, your guest) is the right card owner. If no SCA is provided, banks are legally required to decline the payment.

Strong Customer Authentication means that your guests’ identity will need to be verified in a thorough manner. In other words, the guest needs to prove that they are the card owner by using two of the three methods* of authentication shown below:

 

Image
graphic_strong_customer_authentication

*Something that the customer knows (password or PIN), has (phone) or is (fingerprint).

 

Note: From 1 January 2021, depending on the implementation per country, banks will decline payments that require Strong Customer Authentication but don’t meet these criteria.

 

Even though the legislation came into effect on 14 September 2019, a new deadline of 1 January 2021 was introduced to enable a smoother transition period for online businesses providing these SCA measures. While SCA is expected to be rolled out starting 1 January 2021, each country will set its own timeline to implement the legislation.

Jump to:

 

When will Strong Customer Authentication apply?

How will Booking.com support me?

    - Payments partially managed by Booking.com

    - All payments managed by Booking.com

Why is the new legislation called PSD2?

In which territories will SCA under PSD2 apply?

What does it mean for your country?


 

When will Strong Customer Authentication apply?

Strong Customer Authentication will apply if you’re charging a credit or debit card that is issued by a European Economic Area (EEA) entity and you’re also based within the EEA. Whenever you attempt to charge a card that is not physically inserted into your Point of Sale (POS) machine, Strong Customer Authentication will need to be applied.


 

How will Booking.com support me?

Any reservations that are facilitated via Online Payments will have Strong Customer Authentication taken care of by Booking.com. 

Payments partially managed by Booking.com

 

If you’re already using Online Payments with some of your payments facilitated by Booking.com, this is how we’ll support you:

When you won’t need to worry about SCA

When a guest pays through our Online Payments service, we will authenticate their payment transaction and you’ll receive a virtual credit card from us which you’ll be able to charge as before. Virtual credit cards from Booking.com are out of scope of SCA, meaning these are not allowed to be blocked by the bank.

If a guest chooses to pay you directly, and you charge their card at check-in or check-out in their presence, you can continue to do so. SCA shouldn’t apply.

When SCA may apply

If you charge guests’ cards remotely (for example for pre-payments, deposits, or no-show fees), SCA may apply.

While Booking.com doesn’t process these payments, we will support you to ensure you face minimal operational impact due to SCA. At the time of reservation, Booking.com will assess whether a guest’s payment may be subject to SCA:

  • If we believe SCA might apply, we will request that the guest pay through our Online Payments service.
  • If we believe that the payment is not subject to SCA, your guests can continue to either pay online or pay you directly. In case you’re still unable to charge a guest’s card remotely, you can mark it as invalid and we will attempt to recover the payment.

All payments managed by Booking.com

 

If you have all your payments facilitated by Booking.com, you don’t need to take any action. We’ll take care of authenticating all your customers’ payment transactions for reservations made on Booking.com.

What if I don’t want to use Online Payments or Payments by Booking.com?

We can only support you with SCA if you sign up for a Payments product. If you choose not to sign up for a Payments product, you’ll need to manage your guests’ payments and perform SCA where applicable. For more information, contact your bank or payment service provider, or take a look at the links we’ve shared in the ‘Next steps’ section, below. 

What should I do if I’m not eligible for Online Payments or Payments by Booking.com?

Please contact your bank or payment service provider, who’ll be able to advise you on the new PSD2 legislation and how to make sure you’re meeting the SCA requirements. You can also take a look at the links we’ve shared in the ‘Next steps’ section, below. 

What should I do if I experience declined transactions?

If you experience declined transactions, you can use the invalid credit card process to mark guest cards as invalid. In order to help you successfully charge customer cards, we are currently enhancing the invalid credit card process in line with SCA requirements. We’ll provide you with regular updates about this solution.

Next steps

We’ll post more content that informs you about Strong Customer Authentication and supports you in clarifying how the legislation can impact you, and how you can prepare for its introduction.

In the meantime, you can learn more about SCA from the European CommissionAdyen, Stripe or JPMorgan


 

Why is the new legislation called PSD2?

PSD2 stands for Payment Service Directive 2, an iteration of the current payment service directive. The iteration calls for even stronger customer authentication for online payments/purchases. Strong Customer Authentication is referred to as SCA. So PSD2 is the regulation itself and SCA refers to the actions needed to comply with PSD2.


 

In which territories will SCA under PSD2 apply?

Within Europe, meaning whenever the business a customer is looking to purchase something from is located within countries in the EEA and the customer’s bank or credit card company is also located within the EEA.

PSD2 applies to the following countries:

  • Austria 
  • Belgium 
  • Bulgaria 
  • Croatia 
  • Republic of Cyprus 
  • Czech Republic 
  • Denmark 
  • Estonia 
  • Finland 
  • France 
  • Germany 
  • Greece 
  • Hungary 
  • Iceland 
  • Ireland 
  • Italy 
  • Latvia 
  • Liechtenstein 
  • Lithuania 
  • Luxembourg 
  • Malta 
  • Monaco 
  • Netherlands 
  • Norway 
  • Poland 
  • Portugal 
  • Romania 
  • Slovakia 
  • Slovenia 
  • Spain
  • Sweden
  • Switzerland
  • UK

 

What does it mean for your country?

Not all countries follow the same enforcement timelines. Keep on checking this page for the latest country updates.

Country

Enforcement date

France

March 14, 2021

Germany

March 15, 2021

UK

September 14, 2021

The extended grace period only applies to domestic payments taken within the country itself. That means if a business in these countries collects any cross-border payments from elsewhere in the EEA, SCA may still apply to those.

What do you think of this page?

Work-friendly Programme

Add more work-friendly facilities to increase your visibility at no extra cost.

Learn more