What is Strong Customer Authentication?
In 2019, the European Union (EU) adopted new legislation under the Payment Service Directive (PSD2) to reduce fraud and make transactions more secure for online businesses located in the European Economic Area (EEA).
A part of this legislation—Strong Customer Authentication (SCA)—requires all online businesses, including Booking.com, to implement more thorough authentication measures on transactions when both the card holder’s and the business’s bank are located in the EEA.
These measures ensure that the customer (in this case, your guest) is the rightful card owner. If no SCA is provided, banks are legally required to decline the payment.
Strong Customer Authentication means your guests’ identities will need to be verified thoroughly. In other words, the guest needs to prove that they’re the card owner by using two of the three methods* of authentication shown below:
*Something that the customer knows (password or PIN), has (phone), or is (fingerprint).
Note: From January 1, 2021, depending on the implementation of each country, banks will decline payments that require Strong Customer Authentication but don’t meet these criteria.
Even though the legislation went into effect on September 14, 2019, a new deadline on January 1, 2021 was introduced to enable a smoother transition period for online businesses that provide these SCA measures. While SCA is expected to be rolled out on January 1, 2021, each country will set its own timeline to implement the legislation.
Strong Customer Authentication will apply if you’re charging a credit or debit card that’s issued by a European Economic Area (EEA) entity and you’re based in the EEA. Whenever you attempt to charge a card that isn’t physically inserted into your Point of Sale (POS) machine, Strong Customer Authentication will need to be applied.
Any reservations facilitated by Payments by Booking.com will have Strong Customer Authentication performed by Booking.com.
If you’re already using Online Payments with some of your payments facilitated by Booking.com, this is how we’ll support you:
When you won’t need to worry about SCA
When a guest pays through our Online Payments service, first we’ll authenticate their payment, then send you a virtual credit card that you can to charge as usual. Virtual credit cards from Booking.com are out of the scope of SCA, so they aren’t allowed to be blocked by the bank.
If a guest pays you in person, and you charge their card at check-in or check-out, you can continue to do so. SCA shouldn’t apply.
When SCA may apply
If you charge guests’ cards remotely (for example for pre-payments, deposits, or no-show fees), SCA may apply.
While Booking.com doesn’t process these payments, we’ll support you to minimize operational impact on you due to SCA. At the time of reservation, Booking.com will assess whether a guest’s payment could be subject to SCA:
- If we believe SCA might apply, we’ll ask the guest to pay through our Online Payments service.
- If we believe the payment isn’t subject to SCA, your guests can continue to pay either online or you directly. In case you’re unable to charge a guest’s card remotely, you can mark it as invalid and we’ll attempt to recover the payment.
If you have all your payments facilitated by Booking.com, you don’t need to take any action. We’ll take care of authenticating all your customers’ payment transactions for reservations made on Booking.com.
What if I don’t want to use Online Payments or Payments by Booking.com?
We can only support you for SCA if you sign up for a Payments product. If you don’t sign up for one, you’ll need to manage your guests’ payments and perform SCA when necessary. For more info, contact your bank or payment service provider, or take a look at the links in the “Next steps” section below.
What should I do if I’m not eligible for Online Payments or Payments by Booking.com?
Contact your bank or payment service provider, who can advise you on the new PSD2 legislation and how to make sure you meet the SCA requirements. You can also take a look at the links in the “Next steps” section below.
What should I do if I get declined transactions?
If you get declined transactions, you can use the invalid credit card process to mark guest cards as invalid. To help you successfully charge customer cards, we’re currently enhancing the invalid credit card process to align with SCA requirements. We’ll share regular updates about this solution with you.
We’ll post more content informing you about Strong Customer Authentication and clarifying how the legislation could impact you, as well as how you can prepare for its introduction.
PSD2 stands for Payment Service Directive 2, an iteration of the current payment service directive. The iteration calls for even stronger customer authentication for online payments/purchases. Strong Customer Authentication is referred to as SCA. So PSD2 is the regulation itself whereas SCA refers to the actions needed to comply with PSD2.
Within Europe, meaning the business from which a customer wants to purchase something is in a country within the EEA, and the customer’s bank/credit card company is also located within the EEA.
PSD2 applies to the following countries:
- Republic of Cyprus
- Czech Republic
Not all countries follow the same enforcement timelines. Check this page regularly for the latest country updates.
March 14, 2021
March 15, 2021
September 14, 2021
The extended grace period only applies to domestic payments taken within the country itself. That means if a business in these countries collects any cross-border payments from elsewhere in the EEA, SCA may still apply to them.
Guest Policies & Payments
- Setting up no-credit card details on your most flexible rate
- Can I set up the same policies for all of my properties all at once?
- How can I set up a grace period?
- How can I change the breakfast type?
- No credit card details for domestic bookers
- Managing my services charges
- Last-minute bookings without credit cards
- How can I update my property's WiFi internet settings on the Extranet?
- How can I make changes to my property's settings?
- Why are there restrictions for setting up policies?
- Can I change or add policies myself?
- What types of policies can I set up?
- How to set up policies, rooms, rates, and facilities for children
- Adding and changing cancellation policies
- Making changes to your parking policies
- How do I set up "no credit card details for domestic bookers"?
- How do I handle property damage by guests?
- How can I view guest credit card details using Pulse?
- Do I supply guests with invoices?
- How can I access guest credit card details?
- How do I set up pre-authorization for guests' credit cards?
- How can I set up a damage deposit?
- How do I mark a credit card as invalid?
- How do I change my payment preferences and which credit cards I accept?
- How do I make changes to deposit and pre-payment information?
- I want to set up a prepayment deposit. How can I do this?
- How do I handle guest payments?
- The guest hasn't paid the deposit/pre-payment. Can I cancel the booking?
- What is Strong Customer Authentication?
- Can I charge credit card and/or payment fees on bookings I receive through Booking.com?
- Can I mark credit cards as invalid in Pulse?
- Introducing payment solutions from Booking.com
- Payments: FAQs and all you need to know
- How do I join Payments by Booking.com?
- How much does using Payments by Booking.com cost?
- What to know about virtual credit cards (VCCs)
- Temporary changes for virtual credit card activation date (VCC)
- How and when do I refund a virtual credit card (VCC) ?
- Cost savings and earlier activation dates for virtual credit cards
- Card validation and fee collection solution
- Card validation and fee collection solution for connected partners