Secure and PSD2 Compliant Payment Collection

You might have heard of Strong Customer Authentication (SCA), a new rule coming into effect on September 14, 2019 in Europe as part of the PSD2 regulation.

The new regulations will make it difficult for EU businesses to process card payments unless the payments have undergone 2-factor authentication by the card holder.

This means simply having the card details alone will no longer be an effective booking guarantee.

Which authentication methods will be available in practice will depend on the technical possibilities of the customer’s bank that issued the card.

What is “Strong Customer Authentication (SCA)”

Card payments will require a different user experience, namely 3D Secure, in order to meet SCA requirements. Authentication with two or more of these elements is required:

  • Something they KNOW, e.g. password or security question
  • Something they OWN, e.g. phone or hardware token
  • Something they ARE, e.g. fingerprint or face ID

What changes with “Strong Customer Authentication (SCA)”
Transactions that don’t follow the new authentication guidelines may be declined by your customers’ banks.

Advantages and disadvantages of “Strong Customer Authentication (SCA)”

Although the additional 2-factor authentication required by SCA may cause some payers to fail to complete their payments, once the 2-factor authentication is completed, the chances of fraud and chargebacks will be lowered.

Where and when is “Strong Customer Authentication (SCA)” required

  • India introduced mandatory two-factor authentication for online payments in 2014.
  • Europe enforces Strong Customer Authentication as part of PSD2 from September 14, 2019. The rule applies to bookings from European guests for accommodations in the EU.
  • Australia will enforce stricter authentication requirements for online payments from 2020.
  • Brazil, Mexico and Singapore are planning stricter authentication requirements.

How about other regions or bookings for accommodation in the EU from guests outside the EU?

Nothing changes for businesses in other regions with bookings for accommodations in the EU from guests outside the EU.

How does Beds24 help accommodation businesses to comply with these rules?

Our connection with Stripe can be used with or without Strong Customer Authentication. If you enable Strong Customer Authentication for Stripe it activates 3DS2 authentication for direct bookings from your booking page and for payment requests which you send to guests.

PayPal and Realex are taking care of the required functionality from their end.

It is still unclear how OTAs which currently collect guests’ credit card details on behalf of the accommodation are going to manage the change. Some OTAs are considering processing cards as MOTO transactions, which are out of scope for the new European regulations but possibly less likely to be successfully processed. We will update this post with the latest information.

If you require 3DS2 authentication for off-session cards (card not present), like those sent from OTAs, you can send a 3DS2-enabled payment request to guests after they book instead of collecting a card at booking time via the OTA.

Click here for more information about payment processing with Beds24.