PSD2 & Strong Customer Authentication (SCA)
What hotels need to know
Strong Customer Authentication (SCA), a requirement of the second Payment Services Directive (PSD2), comes into effect in the European Economic Area (EEA) on 31 December 2020 (14 September 2021 in the UK). That leaves little time to become compliant, and there is a lot of information about PSD2 and SCA in circulation, so read on to understand what it is all about.
This new regulation is a good thing and aims to make payments more secure and transparent. It will help protect hoteliers from losses due to disputes arising from fraud.
SiteMinder is ready for SCA when the regulation comes into effect and we are continuing to enhance our payment platform to make it even easier to work with these payments.
Does this sound too complex? Let us try to explain what this new law is and how it impacts your guests and hotel business.
What is the scope of the PSD2 regulation?
The PSD2 directive aims to make payments safer, protect your guests and level the playing field for new and existing payment providers. As a result, it requires payment service providers (PSPs) like banks, card issuers and technology solutions to make a significant number of changes to existing operations. It also impacts anyone who makes or receives online payments, including online travel agencies (OTAs), online booking engines and property management systems.
What is SCA?
With PSD2 comes SCA (Strong Customer Authentication), a more rigorous authentication process to validate online payments. It applies when both a guest’s card issuer and your bank (where you receive funds) are located in the EEA.
To be PSD2 compliant, guests need two of the below authentication factors (called two-factor authentication, or 2FA) to approve almost all online payments.
- Something only the guest knows, like a PIN, code, or password
- Something only the guest possesses, such as a physical payment card or mobile phone
- Something the guest is (biometric information), such as a face ID, a fingerprint, or an iris scan
[Figure: the three authentication factors: something the customer knows (e.g. password or PIN), something the customer has (e.g. phone or hardware token), something the customer is (e.g. fingerprint or face recognition)]
3D Secure is a term that comes up often when SCA is discussed: it is the mechanism PSPs use to perform SCA. It is a set of rules that provides extra protection for merchants and customers making online payments. A transaction using 3D Secure redirects the guest to the website of the card-issuing bank to authorise the transaction. As part of the new PSD2 rules, payment providers are working to implement 3DS2.
How does SCA impact hoteliers & guests?
The Payment Services Directive 2 (PSD2) has implications for the travel and hospitality distribution landscape, particularly for “hotel collect bookings”. Since SCA will require two-factor authentication, it will affect many hotel transactions, at both the pre-stay stage (from the time of booking until the guest arrives at the property) and the post-departure stage.
In a pre-PSD2 world it was sufficient for an online travel agent (OTA) or internet booking engine (IBE) to capture a guest’s card details as a form of guarantee for the booking without performing any authentication to validate the card details or the person entering them.
In a post-PSD2 world all this changes.
When the new regulation comes into effect, the OTA and booking engine have an opportunity to perform SCA when capturing the guest’s card details, regardless of whether payment is taken at the time of booking or later (i.e. deposits, cancellation fees, no-shows). For you to successfully perform a transaction with the card (often called a Merchant Initiated Transaction, or MIT), your guest’s card details, along with proof that SCA has been performed, need to be passed through the network of delivery intermediaries such as OTAs, booking engines and payment gateways. This means that your online payments could be at risk of failing if card details were captured without SCA being performed, or if the proof of SCA is not available at the time the card is charged.
How can hotels prepare for SCA compliance?
Although payment service providers (PSPs), like banks and payment gateways, are responsible for facilitating the authentication process for guests making online payments, there is significant impact on payments and transactions for hotels. We recommend that you review your guest payment flows to assess the impact of SCA on your business. Here are some of the scenarios and suggestions to look out for.
- Ensure your payment gateway can securely authenticate a guest’s card while the guest is making an online payment.
- If the OTA is collecting payment, check with the OTA to confirm they are SCA ready as they are responsible for authenticating these payments.
- Merchant Initiated Transactions (MIT) using saved “Cards on File” technically fall outside the scope of SCA. However, if SCA was not performed at the time of capturing the card details, and the record of SCA was not passed to the payment provider, you may be unable to process the payment at a later time when the card is not present. To ensure you are able to collect payment, we recommend that you encourage guests to pay at the time of booking, including any deposits to cover pre-payments, cancellation and no-show fees.
- Settle payments directly with the guest using “card present” chip and PIN transactions
- There is a risk you will be unable to process these payments using a card stored on file. We recommend that at check-in, with the guest present, you perform a pre-authorisation for the full accommodation amount plus incidentals (i.e. using chip and PIN). This way you can charge the card later in case of any walkout or incidental expenses.
Preparing for SCA but don’t know where to start?
Watch this video to get your guide to all things about the SCA regulation under PSD2 & its impact on your hotel.
How will SiteMinder support SCA?
Payments via our booking engine (TheBookingButton) are meeting SCA standards for online payments at the time of booking in the markets where our fully integrated SiteMinder Payments solution is available.
The SiteMinder Channel Manager is ready for SCA when the regulation comes into effect and we are continuing to enhance our payment platform to make it even easier to work with these payments.
Frequently Asked Questions
The Payment Services Directive (PSD2) refers to a ruling passed in the European Economic Area (EEA) to promote a safer payments environment for merchants and consumers. The directive aims to control rising fraud rates in the region, particularly when a cardholder is not in the physical presence of the merchant (e.g. a guest making an online payment).
An important element of PSD2 is the requirement for Strong Customer Authentication (SCA) which, after a change to the deadline, is scheduled to come into effect from 31 December 2020, with the exception of the United Kingdom, where the deadline is 14 September 2021.
SCA requires payment service providers to validate that a customer initiating an online payment is legitimately allowed to do so. For example, online merchants (such as yourself) must authenticate that a guest making an online booking is the cardholder. This authentication is typically built into an online checkout flow and “challenges” two or more of the elements below:
- What the person knows (e.g. a passcode)
- What the person has (e.g. a phone) and
- What the person is (e.g. a fingerprint or iris scan)
SCA is applied through a process called 3D Secure (3DS). 3DS is typically initiated by the cardholder’s bank to validate that the cardholder initiated the transaction (usually by sending a mobile code to the cardholder’s phone). This process has been refined with the introduction of 3DS2, which reduces the impact on the guest’s online experience.
Having a good understanding of the steps involved in your guests’ payments is key to establish compliance. As a guide, consider your payment flows and the need to be PSD2 compliant during the following steps:
- Payments at booking – full or partial payments at the time of reservation may require SCA while the user is on-session
- Delayed payments – pre-payments prior to check-in, cancellations and no-shows
- Settlement at check-out – balance payments, food and other incidentals
- Post departure payments – guest walkout, delayed minibar charges and damages
A common challenge faced by hotels is that while a guest may enter their card details online when making a booking, the card details are securely stored as “Card on File” to allow the hotelier to initiate the payment at a later stage, i.e. when the guest is “off-session” or not online. This makes the actual payment of deposits, balances, extras, cancellations or no-shows difficult, as the guest is unlikely to be available to complete SCA. These Card on File payments are at particular risk of being declined by the issuing bank if SCA is not performed. To overcome this challenge, you should capture the guest’s card details at check-in using a compliant payment method and take a pre-authorisation from the guest so that the card can be charged at a later date.
- Technology solutions, such as an online booking engine or PMS, with a compliant online payment gateway
- POS transactions such as chip and PIN transactions, as the user must have their card and PIN
- Apple Pay payments as they involve the user’s mobile phone and their fingerprint or face scan
To reduce card fraud, there is an increased regulatory pressure to change how hotels have fundamentally received payments. With the implementation of SCA, the greatest risk to your hotel business is that non-compliant transactions will be declined and you may see a drop in booking conversions, occupancy and revenue. There are also challenges with managing cancellations & no-shows as these are usually charged as “Card on File” payments which will no longer be possible.
The industry is working very hard to meet the new SCA requirements and SiteMinder is in close contact with business partners like OTAs, PMSs and payment gateways to ensure that our products meet the new demands.
Ultimately, PSD2 and SCA are in the best interest of consumers, your guests and your business. Although there may be an initial impact on conversions, the benefits are expected to greatly outweigh the short term hurdles.
To overcome any challenges until the industry has fully caught up with compliant solutions, consider alternative payment workflows that are exempt from SCA or ways to make it easier to capture SCA. Approaches include:
- Getting payments in person (when the credit card and PIN are sure to be present),
- Capturing payments upfront through your booking engine (to minimise the risk of not being able to charge cards on file), or
- Distributing your inventory via OTAs that issue a virtual card (as they are exempt from the regulation).
The main exemptions to SCA include:
- Low value transactions – any transaction below €30 can receive a low value exemption and go through without SCA. However, there is a velocity limit of five consecutive transactions, or a cumulative limit of €100. After these limits have been reached, SCA is required again.
- Whitelisting – after the first SCA verified purchase, a consumer can whitelist a merchant so that subsequent transactions do not require SCA. Merchants need to implement 3DS2 (see glossary) in order to fully turn on whitelisting functionality.
- Corporate payments and virtual credit cards – corporate cards that are not in the cardholder’s name and virtual credit cards are exempt from SCA.
- Merchant initiated transactions (MIT) – payments made with saved cards when the customer is not present in the checkout flow (sometimes called “off-session”) may qualify as merchant-initiated transactions. These payments technically fall outside the scope of SCA. In practice, marking a payment as a “merchant-initiated transaction” will be similar to requesting an exemption. And like any other exemption, it will still be up to the bank to decide whether authentication is needed for the transaction.
- MOTO (Mail Order / Telephone Order) transactions – this transaction type is excluded because it is currently very difficult to use two-factor authentication over the phone, by fax or by mail.
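The exemption rules listed above, together with the card-on-file risk described under “How does SCA impact hoteliers & guests?”, can be written down as one decision function. The code below is an added illustration and not SiteMinder’s code; the field names, the outcome labels, the per-cardholder counters for the low-value exemption, and the reading of the €100 limit as including the current payment are assumptions made here.

```python
from dataclasses import dataclass
from typing import Tuple

# Limits quoted on the page for the low-value exemption.
LOW_VALUE_LIMIT_EUR = 30.0
LOW_VALUE_MAX_CONSECUTIVE = 5
LOW_VALUE_MAX_CUMULATIVE_EUR = 100.0


@dataclass
class Txn:
    amount_eur: float
    issuer_in_eea: bool
    acquirer_in_eea: bool
    channel: str                 # "online", "card_present" (chip and PIN) or "moto"
    card_type: str = "personal"  # "personal", "corporate" or "vcc"
    on_session: bool = True      # False: guest not present (card on file)
    sca_proof_at_capture: bool = False  # proof of SCA travelled with the card details
    merchant_whitelisted: bool = False  # cardholder whitelisted this merchant (needs 3DS2)
    # Assumed counters kept per cardholder since the last SCA-verified payment.
    txns_since_sca: int = 0
    cumulative_since_sca_eur: float = 0.0


def sca_decision(t: Txn) -> Tuple[str, str]:
    """Classify a payment: out_of_scope, authenticated, exempt, challenge or decline_risk."""
    if not (t.issuer_in_eea and t.acquirer_in_eea):
        return "out_of_scope", "SCA applies only when issuer and acquirer are both in the EEA"
    if t.channel == "moto":
        return "out_of_scope", "mail order / telephone order is excluded"
    if t.channel == "card_present":
        return "authenticated", "chip and PIN already supplies possession and knowledge factors"
    if t.card_type in ("corporate", "vcc"):
        return "exempt", "corporate card or virtual credit card"
    if t.merchant_whitelisted:
        return "exempt", "merchant whitelisted after an SCA-verified purchase"
    if (t.amount_eur < LOW_VALUE_LIMIT_EUR
            and t.txns_since_sca < LOW_VALUE_MAX_CONSECUTIVE
            and t.cumulative_since_sca_eur + t.amount_eur <= LOW_VALUE_MAX_CUMULATIVE_EUR):
        return "exempt", "low value within velocity and cumulative limits"
    if not t.on_session:
        if t.sca_proof_at_capture:
            return "exempt", "merchant-initiated transaction; issuer may still decide to challenge"
        return "decline_risk", "card on file captured without SCA and guest is off-session"
    return "challenge", "run 3D Secure while the guest is on-session"
```

The `decline_risk` outcome is the situation the page warns about: a guest’s card captured without SCA, charged later for a deposit or no-show with no proof to pass to the issuer.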
OTAs will have an opportunity to perform SCA at the time of booking during card capture.
During the lead-up to 14 September 2019 we expect OTAs to advise their customers and partners on how they will support the PSD2 directive. We anticipate that a number of OTAs will transition their partners in the EEA to “OTA collect” payment models and supply a Virtual Credit Card (VCC) instead of providing the guest’s card details to accommodation providers. Virtual Credit Cards are exempt from SCA, so this solution, while possibly not ideal for some, will be functional.
We advise that you contact your OTA partners to ensure that they are working with payment providers to get compliant by September 14th.
You are likely to be subject to these new regulations only if your property is located in one of the countries of the European Economic Area (EEA). SCA will only apply when both a guest’s card issuer and your bank are located in an EEA country.
However, similar variants of PSD2 SCA can be expected to be implemented across the globe over the coming years.
You can find more information about PSD2 and SCA at
- European Banking Authority Opinion Piece on SCA & PSD2
- Stripe’s Guide to Strong Customer Authentication
- European Commission Press Release
We recommend that you reach out to your payment provider and check how they are going to reach compliance in time for the September 14 deadline.
Definitions
| Term | Definition |
| --- | --- |
| PSD2 | Payment Services Directive 2 was introduced by the European Union to unify and create a single market for European payments. |
| SCA | Strong Customer Authentication is a requirement of the PSD2 law to make online payments more secure and reduce payment fraud. |
| 3DS | (Also called 3D Secure) is an authentication process used by an issuing bank to validate a cardholder. This process typically involves the guest receiving a mobile code which then needs to be entered into a response page before the payment can be processed. |
| 3DS2 | A refined version of the 3DS process which provides a more frictionless experience for the guest. This has become the standard for new payment service providers in complying with PSD2. |
| EU | The European Union, which consists of 28 member states. |
| EEA | European Economic Area, which is the EU countries plus Norway, Iceland and Liechtenstein. |
| SEPA | Single Euro Payments Area regulation, set down by the European Banking Authority, which consists of standards and technical rules for payment services and infrastructure in Europe. |
| MIT | Merchant Initiated Transaction is where the merchant collects the payment on the customer’s behalf in their absence. |
| VCC | Virtual Credit Card: a virtual credit card number (VCN) typically used for online purchases, and often for single-use transactions. |
| MOTO | Mail order / telephone order channel. |
| OLO | One Leg-Out: transactions are described as OLO when any one of the following applies: |