PSD2 & Strong Customer Authentication (SCA)
What hotels need to know
From 14 September 2019, a new European directive (PSD2), aimed at making online payments safer, requiring Strong Customer Authentication (SCA), will be in force across the European Economic Area. This means that your guests’ online payments may be affected if your payment methods are not compliant in time.
Does this sound too complex? Let us try to explain what this new law is and how it impacts your guests and hotel business.
What is the scope of the PSD2 regulation?
The PSD2 directive aims to make payments safer, protect your guests and level the playing field for new and existing payment providers. As a result, it requires payment service providers (PSPs) like banks, card issuers and technology solutions to make a significant number of changes to existing operations. It also impacts anyone who makes or receives online payments, including online travel agencies (OTAs), online booking engines and property management systems.
What is SCA?
With PSD2 comes SCA (Strong Customer Authentication), a more rigorous authentication process to validate online payments. It applies when both a guest’s card issuer and your bank (where you receive funds) are located in the EEA.
To be PSD2 compliant, guests need two of the below authentication factors (called two-factor authentication, or 2FA) to approve almost all online payments.
- Something only the guest knows, like a PIN, code, or password
- Something only the guest possesses, such as a physical payment card or mobile phone
- Something the guest is (biometric information), such as a face ID, a fingerprint, or an iris scan
(e.g. password or PIN)
(e.g. phone or hardware token)
(e.g. fingerprint or face recognition)
3D Secure is an often used term when we talk about SCA and it is used by PSPs to perform SCA. It is a set of rules that provides extra protection for merchants and customers for online payments. A transaction using 3D Secure will initiate a redirect to the website of the card issuing bank to authorise the transaction. As part of new PSD2 rules, payment providers will work to implement 3DS2.
How does SCA impact hoteliers & guests?
The Payment Services Directive 2 (PSD2) has implications for the travel and hospitality distribution landscape, particularly for “hotel collect bookings”. Since SCA will require two-factor authentication, it will affect a lot of transactions for hotels – both the pre-stay stage (from the time of booking until the guest arrives at the property) and the post-departure stage.
In a pre-PSD2 world it was sufficient for an online travel agent (OTA) or internet booking engine (IBE) to capture a guest’s card details as a form of guarantee for the booking without performing any authentication to validate the card details or the person entering them.
In a post-PSD2 world all this changes.
From September 14, 2019 the OTA and booking engine have an opportunity to perform SCA when capturing the guests’ card details; regardless if payment is taken at the time of booking or for delayed payments (i.e. deposits, cancellation fees, no shows).For you to successfully perform a transaction with the card (often called a Merchant Initiated transaction – MIT), your guests’ card details, along with proof of SCA having been performed, needs to be passed through the network of delivery intermediaries like OTAs, booking engines and payment gateways. This means that your online payments could be at risk of failing if card details have been captured without SCA being performed and the proof of SCA being performed is not available at the time when the card is charged.
How can hotels prepare for SCA compliance?
Although payment service providers (PSPs), like banks and payment gateways, are responsible for facilitating the authentication process for guests making online payments, there is significant impact on payments and transactions for hotels. We recommend that you review your guest payment flows to assess the impact of SCA on your business. Here are some of the scenarios and suggestions to look out for.
- Ensure your payment gateway can securely authenticate a guest’s card while the guest is making an online payment.
- OTAs will have an opportunity to perform SCA for bookings coming via their channel. Check that your OTAs are passing through the record of SCA along with the guest payment details to avoid disappointment during the later stages of the guest payment flow.
- Check if your OTA will be sending you a virtual card for enabling transactions, since they are outside the scope of SCA.
- Merchant Initiated Transactions (MIT) using saved “Cards on File’” technically fall outside the scope of SCA. However, in case SCA was not performed at the time of capturing the card details, and record of SCA not passed to the payment provider, you may be unable to process the payment at a later time when the card is not present.To ensure you are able to collect payment we recommend that you encourage guests to pay at the time of booking, this includes collecting any deposits to cover pre-payments, cancellation and no-show fees.
- Settle payments directly with the guest using “card present” chip and PIN transactions
- There is a risk you will be unable to process these payments using a card stored on file. We recommend that you, at check in with the guest present, perform a pre-authorisation for the full accommodation amount plus incidentals (i.e. using chip and PIN). This way you can charge the card later in case of any walkout or incidental expenses.
Preparing for SCA but don’t know where to start?
Watch this video to get your guide to all things about the SCA regulation under PSD2 & its impact on your hotel.
You can also download this SCA cheat sheet put together by our in-house experts to keep this information handy.Download our cheat sheet
How will SiteMinder support SCA?
Payments via our booking engine (TheBookingButton) are meeting SCA standards for online payments at the time of booking in the markets where our fully integrated SiteMinder Payments solution is available. Broader EEA expansion of our SCA-compliant payments processing solution is planned during 2020.
The SiteMinder Channel Manager will support the new payment workflows that PSD2 SCA is bringing, this includes the ability to pass virtual credit cards where we do so today. Also, we have future-proofed our channel manager to receive the record of SCA from booking channels and will pass it to a connected PMS, along with the guest card details. When our connectivity partners have the ability to send the record of SCA – we are ready.Contact
Frequently Asked Questions
The Payment Services Directive (PSD2) refers to a ruling passed in the European Economic Area (EEA) to promote a safer payments environment for merchants and consumers. The directive aims to control rising fraud rates in the region, particularly when a cardholder is not in the physical presence of the merchant (e.g. a guest making an online payment).
An important element of PSD2 is the requirement for Strong Customer Authentication (SCA) which officially comes into effect from 14 September 2019.
SCA requires payment service providers to validate that a customer initiating an online payment is legitimately allowed to do so. E.g. Online merchants (such as yourself) must authenticate that a guest making an online booking is the cardholder. This authentication is typically built into an online checkout flow and “challenges” two or more of the elements below:
- What the person knows (e.g. a passcode)
- What the person has (e.g. a phone) and
- What the person (e.g a fingerprint /iris scan)
SCA is applied through a process called 3D Secure (3DS). 3DS is typically initiated by a cardholder’s bank to validate that they initiated a transaction (usually by sending a mobile code sent to the cardholder’s phone). This process has been refined with the introduction of 3DS2 which now reduces the impact on the guest’s online experience.
Having a good understanding of the steps involved in your guests’ payments is key to establish compliance. As a guide, consider your payment flows and the need to be PSD2 compliant during the following steps:
- Payments at booking – full or partial payments at the time of reservation may require SCA while the user is on-session
- Delayed payments – pre-payments prior to check-in, cancellations and no-shows
- Settlement at check-out – balance payments, food and other incidentals
- Post departure payments – guest walkout, delayed minibar charges and damages
A common challenge faced by hotels is that while a guest may enter their card details online when capturing a booking, the card details are securely stored as “Card on File” to allow a hotelier to initiate the payment at a later stage. i.e. when your guest is “off-session” or not online. This makes the actual payment of deposit, balance, extras, cancellations or no-shows difficult as the guest is unlikely to be available to complete SCA. These Card on File payments are at particular risk of being declined by the issuing bank if SCA is not performed. To overcome the challenge with these payments, you should remember to capture the guest’s card details at check-in using a compliant payment method and take a pre-authorisation from the guest that the card will be charged at a later date.
- Technology solutions, such as an online booking engine or PMS, with a compliant online payment gateway
- POS transactions such as chip and PIN transactions, as the user must have their card and PIN
- Apple Pay payments as they involve the user’s mobile phone and their fingerprint or face scan
To reduce card fraud, there is an increased regulatory pressure to change how hotels have fundamentally received payments. With the implementation of SCA, the greatest risk to your hotel business is that non-compliant transactions will be declined and you may see a drop in booking conversions, occupancy and revenue. There are also challenges with managing cancellations & no-shows as these are usually charged as “Card on File” payments which will no longer be possible.
The industry is working very hard to meet the new SCA requirements and SiteMinder is in close contact with business partners like OTAs, PMSs and payment gateways to ensure that our products meet the new demands.
Ultimately, PSD2 and SCA are in the best interest of consumers, your guests and your business. Although there may be an initial impact on conversions, the benefits are expected to greatly outweigh the short term hurdles.
To overcome any challenges until the industry has fully caught up with compliant solutions, consider alternative payment workflows that are exempt from SCA or ways to make it easier to capture SCA. Approaches include:
- Getting payments in person (when the credit card and PIN are sure to be present),
- Capturing payments upfront through your booking engine (to minimise the risk of not being able to charge cards on file), or
- Distributing your inventory via OTAs that issue a virtual card (as they are exempt from the regulation).
The main exemptions to SCA include:
- Low value transactions – any transaction below €30 can receive a low value exemption and go through without SCA. However, there is a velocity limit of five consecutive transactions, or a cumulative limit of €100. After these limits have been reached, SCA is required again.
- Whitelisting – after the first SCA verified purchase, a consumer can whitelist a merchant so that subsequent transactions do not require SCA. Merchants need to implement 3DS2 (see glossary) in order to fully turn on whitelisting functionality.
- Corporate payments and virtual credit cards – corporate cards that are not in the cardholder’s name and virtual credit cards are exempt from SCA.
- Merchant initiated transactions (MIT) – payments made with saved cards when the customer is not present in the checkout flow (sometimes called “off-session”) may qualify as merchant-initiated transactions. These payments technically fall outside the scope of SCA. In practice, marking a payment as a “merchant-initiated transaction” will be similar to requesting an exemption. And like any other exemption, it will still be up to the bank to decide whether authentication is needed for the transaction.
MOTO (Mobile Order Telephone Order) transactions – this transaction type is excluded because it’s currently very difficult to use two-factor authentication over the phone, via fax and mail.
OTAs will have an opportunity to perform SCA at the time of booking during card capture.
During the lead up to 14 September 2019 we are expecting that OTAs will advise their customers and partners on how they will support the PSD2 directive. We anticipate that a number of OTAs will transition their partners in the EEA to “OTA collect” payment models and supply a Virtual Credit Card (VCC) instead of providing the guest’s card details to accommodation providers. Virtual Credit Cards are exempt from SCA, so this solution, while possibly not ideal for some, will be functional.
We advise that you contact your OTA partners to ensure that they are working with payment providers to get compliant by September 14th.
The UK’s (Financial Conduct Authority) FCA has confirmed it will be providing an 18-month ‘phased implementation’ of SCA enforcement in the UK, starting from 14 September 2019. This means that the FCA will not take enforcement action against issuing banks and payment service providers in the UK if they do not meet the relevant requirements for SCA from 14 September 2019. SCA is still expected to come into full effect at the end of the 18-month period. Further, given that it is the issuing (cardholder’s) bank that decides whether or not to accept/decline a payment, if the cardholder’s bank is not in the UK (eg. a guest travelling from another EU country), there remains the risk that payments from these guests will decline if they do not meet SCA requirements.
Only if your property is located in one of the countries in the European Economic Area (EEA) it’s likely you will be subject to these new regulations. SCA will only apply when both a guest’s card issuer and your bank are located in an EEA country.
However similar variants to PSD2 SCA can be expected to be implemented across the globe over the coming years.
You can find more information about PSD2 and SCA at
We recommend that you reach out to your payment provider and check how they are going to reach compliance in time for the September 14 deadline.
|PSD2||Payment Services Directive 2 was introduced by the European Union to unify and create a single market for European payments.|
|SCA||Strong Customer Authentication is a requirement of the PSD2 law to make online payments more secure and reduce payment fraud.|
|3DS||(Also called 3D Secure) is authentication process used by an issuing bank to validate a cardholder. This process typically relates to a guest receiving a mobile code which then needs to be captured into a response page before the payment can be processed.|
|3DS2||is a refined version of the 3DS process which provides a more frictionless experience for the guest. This has become the standard for new payment service providers in complying with PSD2|
|EU||The European Union which consists of 28 member states.|
|EEA||European Economic Area, which is EU countries and Norway, Iceland and Liechtenstein.|
|SEPA||Single Euro Payments Area regulation which was set down by the European banking authority, which consists of standards and technical rules for payment services and infrastructure in Europe.|
|MIT||Merchant Initiated Transaction is where the merchant tries to collect the payment on the customer’s behalf in their absence.|
|VCC||Virtual Credit Cards – A virtual credit card (VCC) is a virtual credit card number (VCN) typically used for online purchases, and often for single-use transactions.|
|MOTO||Mail order / telephone order channel.|
|OLO||One Leg-Out — transactions are described as OLO when any one of the following applies: