Everything you need to know about Strong Customer Authentication


As part of the second Payment Services Directive (PSD2), Strong Customer Authentication (SCA) requires businesses to verify guests’ identity thoroughly when they make an online transaction. 

Guests can use two of three methods to verify their identity and prove that they are the card owner – something they know (password or PIN), something they have (phone or hardware token), or something they are (fingerprint or facial recognition).



Strong Customer Authentication and the Payment Service Directive

In 2019, the European Union (EU) adopted the second Payment Services Directive (PSD2) legislation to reduce fraud and make transactions more secure for online businesses located in the European Economic Area (EEA), as well as in the UK. The legislation calls for stronger customer authentication for online payments/purchases.

Part of this legislation, Strong Customer Authentication (SCA), requires us to implement thorough measures on transactions when both the card issuer and the seller’s acquiring bank are located in the EEA. These measures ensure that your guest is the actual card holder. If SCA isn’t provided, banks are legally required to decline the payment.

Even though the legislation went into effect on September 14, 2019, it needed to be implemented into local laws, so each EEA country had different dates to roll out PSD2. Throughout the last few years, banks have begun implementing and enforcing SCA. You can learn more about SCA from the European Commission, Adyen, Stripe or JPMorgan.

As of January 1, 2021, depending on the country, card issuers decline payments that require SCA but don’t meet these criteria.


When Strong Customer Authentication applies

For payments from customers that you collect yourself, SCA will apply if you’re charging a credit or debit card issued by an issuer located in the EEA and your card processor is also based in the EEA. 

SCA applies to online sales. This means whenever you charge a card that isn’t physically inserted into your Point of Sale (POS) machine, SCA will apply.


How Payments by Booking.com supports you

We’ll take care of SCA for any reservations facilitated via Payments by Booking.com. If all your payments are facilitated by Booking.com, you don’t need to take any action. 

We perform all SCA-related secondary authentication for both prepaid and non-prepaid reservations. This way we can charge a guest credit card on your behalf if we need to – something that would be extremely challenging for your business for remote transactions.

When a guest pays through Payments by Booking.com, we’ll authenticate their payment transaction and you’ll continue to receive virtual credit cards from us, which you’ll be able to charge like before. SCA doesn’t apply to these virtual credit cards, which banks aren’t allowed to block. Bank transfer payouts will continue as normal.

If a guest chooses to pay you directly and you charge their card at check-in/-out, you can continue to do so. SCA doesn’t apply.


Strong Customer Authentication if you don’t use Payments by Booking.com

We can only support you with SCA if you sign up for a Payments product. If you don’t sign up for a Payments product, you’ll need to manage your guests’ payments and perform SCA on any credit card details you receive. 

If you aren’t eligible for Payments by Booking.com, contact your bank or payment service provider. They’ll advise you on the new PSD2 legislation and how to make sure you’re meeting the SCA requirements. 


Where Strong Customer Authentication applies

SCA applies within the EEA, as well as in the UK. It’s relevant when a business works with an EEA-based card acquirer and a customer’s bank or credit card company is also located within the EEA.

Under PSD2, SCA applies to the following countries:

  • Austria 
  • Belgium 
  • Bulgaria 
  • Croatia 
  • Republic of Cyprus 
  • Czech Republic 
  • Denmark 
  • Estonia 
  • Finland 
  • France 
  • Germany 
  • Greece 
  • Hungary 
  • Iceland 
  • Ireland 
  • Italy 
  • Latvia 
  • Liechtenstein 
  • Lithuania 
  • Luxembourg 
  • Malta 
  • Monaco 
  • Netherlands 
  • Norway 
  • Poland 
  • Portugal 
  • Romania 
  • Slovakia 
  • Slovenia 
  • Spain
  • Sweden
  • Switzerland – if you’re located in Switzerland but using an EEA acquirer, SCA can apply
  • UK – not EEA but also enforces SCA

Not all countries follow the same enforcement timelines. 


Strong Customer Authentication for non-EEA partners

If you’re located outside the EEA, SCA may still apply. For example, if you’re working with an EEA-based card acquirer and you charge guests’ cards remotely (e.g. for pre-payments, deposits, no-show fees), then SCA will apply.


Declined transactions due to Strong Customer Authentication

If you experience declined transactions and are located outside the EEA, you can use the invalid credit card process to mark guests’ cards as invalid. If in doubt, check with your payment service provider to find out which transactions fall within the scope of SCA. 

For EEA partners that use Payments by Booking.com, we manage card validation for non-prepaid reservations wherever relevant. When we find a card invalid, we give guests 24 hours to update it. If they don’t update it to a card that we can validate, we mark it as invalid and let you cancel the reservation. You’ll see a “Cancel reservation” button in your reservation details if the card is invalid. You can find more details here.
