Strong Customer Authentication (SCA) is a new requirement of the second Payment Services Directive (PSD2), which aims to add extra layers of security to electronic payments within European Economic Area (EEA) and the United Kingdom.
This article discusses everything about the new regulation and how it impacts (or does not impact) Cloudbeds customers.
- The SCA requirement came into force on 14 September 2019 in Europe for electronic payments.
- The widely adopted method of complying with the SCA’s requirements is by using 3D Secure 2.0
- A card payment will be in scope of the regulation if BOTH the cardholder’s bank and the business’s payment provider are located in the European Economic Area (EEA).
- Several exemptions exist for SCA, including:
- Transactions below 30 Euros.
- Low-Risk transactions as identified by the Payment Provider (Stripe, etc).
- Monthly recurring subscriptions that are for the same amount each month.
- Whitelisted businesses that the customer identifies for their account.
- Secure Corporate Payments (corporate cards, corporate payments made via virtual cards as used in the travel sector).
- A minority of card issuing banks in the EEA may require SCA for all payments regardless of business location.
Frequently Asked Questions
Will the SCA apply to me?
In short, No.
Simply stated, the SCA will only apply to businesses if both the following are true:
- The business's payment provider is located in the EEA (European Economic Area).
- The cardholder's (guest's) bank is located in the EEA
If your property is located outside of Europe, then almost certainly your payment gateway/provider is not located in Europe either. In that case, the SCA will not apply to you.
In short, Yes.
For properties inside the EEA, payments made by guests using a cardholder bank that is also located in the EEA will be subject to the SCA as described in the Executive Summary above.
As of 14 March 2020, firms should already be complying with requirements for SCA with respect to online and mobile banking.
The UK regulator previously agreed to give firms extra time to implement SCA in response to concerns about industry readiness, and to limit the impact on consumers and merchants. They have decided to extend the deadline by 6 months to 14 March 2022.
In short, this answer will vary from OTA to OTA. Cloudbeds recommends that you engage directly with your connected OTA's to determine how they will leverage and support 3D Secure 2.0 for guest reservation payments.
In Expedia's case, they recommend that properties leverage the use of Expedia Virtual Card (Expedia Collect) to eliminate the impact of SCA on reservations received through Expedia:
Guidelines for Properties that are impacted by the SCA
Learn how 3D Secure works with each payment processor:
Several payment gateway connections integrated with Cloudbeds integrated utilize a third-party system to tokenize and store payment data. That third-party system does not support 3D Secure 2.0, so payments made on those gateways will fail if they are impacted by the SCA.
While it is technically feasible for you to accept non-SCA payment transactions using one of these payment gateways, Cloudbeds strongly recommends that you switch to Cloudbeds Payments or Stripe so that you can leverage 3D Secure 2.0 for all SCA-impacted payment transactions.
If you remain on a payment gateway that does not support 3D Secure 2.0, a significant portion of your guest payments may fail.
The following theoretical payment flow chart is designed to help property owners understand how payments function with SCA.
Guest Payment Scenarios
For more detailed information, please visit: