Strong Customer Authentication (SCA) and 3D Secure 2.0: Everything you need to know

Starting September 14, 2019, new European regulatory requirements called Strong Customer Authentication (SCA) will introduce requirements for 2-factor authentication on many payments in the European Economic Area (EEA).

This article discusses this new regulation and how it will impact (or not impact) Cloudbeds customers.

Additionally, on August 13, 2019, the UK regulator granted an 18-month phase-in period to give banks and businesses more time to prepare for these new requirements. As a result, we don’t expect banks to fully require SCA for payments from UK cards until March 2021.

Although we anticipate a fragmented and gradual enforcement of SCA across countries and banks, we still recommend preparing your payment flows as early as possible to help avoid an increase in declined payments once SCA is enforced.

Executive Summary

  • On September 14, 2019, a new regulation called Strong Customer Authentication will be introduced in Europe for electronic payments.
  • SCA is essentially 2-Factor Authentication for card transactions.  
  • A card payment will be in scope of the regulation if BOTH the cardholder’s bank and the business’s payment provider are located in the European Economic Area (EEA).
  • Several exemptions exist for SCA, including:
    • Transactions below 30 Euros
    • Low-risk transactions as identified by the payment provider (Stripe, etc.)
    • Monthly recurring subscriptions that are for the same amount each month
    • Whitelisted businesses that the customer identifies for their account
    • Secure Corporate Payments (corporate cards, corporate payments made via virtual cards as used in the travel sector)
  • A minority of card-issuing banks in the EEA may require SCA for all payments regardless of business location.
  • The widely adopted method of complying with the SCA’s requirements is 3D Secure 2.0.
Frequently Asked Questions
Will the SCA apply to me?
Properties outside of the European Economic Area

In short, no.

Simply stated, the SCA will only apply to businesses if both the following are true:

  1. The business's payment provider is located in the EEA (European Economic Area)
  2. The cardholder's (guest's) bank is located in the EEA

If your property is located outside of Europe, then almost certainly your payment gateway/provider is not located in Europe either.  In that case, the SCA will not apply to you.  

Properties inside the European Economic Area

In short, yes.

For properties inside the EEA, payments made by guests using a cardholder bank that is also located in the EEA will be subject to the SCA as described in the Executive Summary above.

What about the UK's 18-month extension?

On August 13, 2019, the UK regulator granted an 18-month phase-in period to give banks and businesses more time to prepare for these new requirements. As a result, we don’t expect banks to fully require SCA for payments from UK cards until March 2021.

Although we anticipate a fragmented and gradual enforcement of SCA across countries and banks, we still recommend preparing your payment flows as early as possible to help avoid an increase in declined payments once SCA is enforced.

Which Payment Processors will support 3D Secure 2.0 on Cloudbeds?
  • We are actively developing a 3D Secure 2.0 integration with our Stripe Direct gateway connection that will be fully compliant with the upcoming SCA requirements.
  • In addition to Stripe, we plan to integrate with another payment gateway that will support 3D Secure 2.0 in the future (mid-2020).  More information on this payment gateway will be available soon.
How will OTA reservation payments work with the SCA?

In short, the answer will vary from OTA to OTA.  Cloudbeds recommends that you engage directly with your connected OTAs to determine how they will leverage and support 3D Secure 2.0 for guest reservation payments.

Example: Expedia

In Expedia's case, they recommend that properties use Expedia Virtual Card (Expedia Collect) to eliminate the impact of SCA on reservations received through Expedia.

Guidelines for Properties that will be impacted by the SCA
If you are already using Stripe Direct as your Cloudbeds Payment Gateway

Once the 3D Secure integration for Stripe is completed, we will notify you of any potential changes to your payment workflows.  In the meantime, Cloudbeds recommends that all properties impacted by the SCA follow Stripe's updates and recommendations by reading and subscribing to Stripe's Guide to the SCA.

What if I am impacted by the SCA and not using Stripe Direct?

Several of the payment gateways that Cloudbeds connects to rely on a third-party system to tokenize and store payment data. That third-party system does not support 3D Secure 2.0, so payments made on those gateways will fail if they are impacted by the SCA.

While it is technically feasible for you to accept non-SCA payment transactions using one of these payment gateways, Cloudbeds strongly recommends that you switch to our Stripe payment integration so that you can leverage 3D Secure 2.0 for all SCA-impacted payment transactions.  

In summary: If you remain on a payment gateway that does not support 3D Secure 2.0, a significant portion of your guest payments may fail.

What if I'm impacted by the SCA and Stripe is not available in my country?

Cloudbeds is in the process of integrating with Stripe in order to provide payment processing support for the SCA.  However, for regulatory reasons, there are a few countries that cannot be serviced by Stripe.

If your property is located in one of the following countries, payments routed through Cloudbeds that fall under the SCA will fail.  

  • Bulgaria
  • Czech Republic
  • Hungary
  • Gibraltar
  • Cyprus

If you have a business entity based in one of the 34 countries supported by Stripe, you might also be able to sign up for an account with them and connect it with your Cloudbeds account.

In case you are not able to migrate to Stripe, we recommend that you utilize a separate, non-integrated, payment gateway for SCA-related guest payments. Any transactions processed with this non-integrated gateway will need to be manually recorded within Cloudbeds.  Payments that do not fall under the SCA (guests outside of the EEA) can still be processed using your current gateway connection.

Additionally, Cloudbeds is developing connections to additional payment gateways that will support Strong Customer Authentication in the future.  We will identify whether or not these payment solutions will support properties in your country as we get closer to finalizing the connections.

In the meantime, please do not hesitate to reach out if you have any other questions.

What if I am using the non-direct integration with Stripe on Cloudbeds?

A few properties are using an older version of the Stripe connection that does not leverage the latest Stripe integration, and therefore will not support 3D Secure 2.0 for SCA.  

If you are one of those properties, we will be in contact with you to migrate to the newer, Direct version of the Stripe integration prior to September 14, 2019.  We are able to do this on our end with very little impact to your operations.

Possible Payment Flow Chart

The following theoretical payment flow chart is designed to help property owners understand how payments may function when the SCA goes into effect.  

ALERT: This payment flow is not set in stone and may change prior to the SCA going into effect.  Cloudbeds recommends that all properties impacted by the SCA follow Stripe's updates and recommendations by reading and subscribing to Stripe's Guide to the SCA.

[Flow chart: Guest Payment Scenarios, with legend]
