On September 14, 2019, new requirements known as Strong Customer Authentication (SCA) were introduced to increase the security of electronic payments. These requirements apply to transactions where both the business and the cardholders bank are located in the European Economic Area (EEA) and the United Kingdom.
This article describes how 3D Secure works in each part of the system if you are using Cloudbeds Payments, if you are using Stripe, see article: Stripe - Everything about 3D Secure
How does it work?
When there is an action to be performed on credit card details saved in the system (store / authorize / charge), the cardholder has to confirm the request by completing a multi-factor authentication on the card provider's 3D secure web page.
Depending on the institution (bank), different kind of authentication could be requested (fingerprint, passwords, SMS Code, etc).
- When the guest approved the first request, consequent transactions for most cards won’t require 3D Secure authentication.
- Some cards will need to be authenticated for every transaction (this is decided by the card’s bank). In this case, Cloudbeds will send an email with Approve or Decline links for each transaction to the main guest.
See in the sections below different ways the card can be processed and how the 3D Secure presented to the guest.
When making a reservation on Booking Engine using a card that requires 3D Secure, the guest will be redirected to their card provider's web page to perform the authentication.
- As these are actions performed by a third-party, Cloudbeds cannot control it.
- In case your guest cannot complete the authentication process, they need to contact their bank to get more details on why it happened.
We strongly recommend having the CVV option enabled to ensure a smooth process. More details here.
If the authentication is successful, the guest will be redirected to Booking Engine page and the reservation will be created.
If it is denied/failed, the reservation will be created with the status Canceled.
The system will trigger an email to the main guest to Approve or Decline the request to store / authorize / charge the card for the first time.
Cloudbeds will send out 3 different emails based on the use case:
- Authentication Request Email → when Cloudbeds PMS is storing the card
- Authorization Request Email → when Cloudbeds PMS is authorizing the card
- Payment Request Email → when Cloudbeds PMS is charging the card
Notes about the automatic emails:
- It's not possible to send emails to other guests on reservations except the main guest.
- Emails cannot be edited like a custom template.
- Emails are automatically triggered and it's not possible to choose which email is sent - This is decided by Cloudbeds PMS and Payment Gateway logic.
- Both property and the guest receive a confirmation of authentication, authorization or payment when they approve or decline.
- Payment and Authorization request emails contain information about the reservation amount.
- Authentication email (when card is being stored) does not contain any information about the reservation amount
When manually adding a credit card details to a reservation, the system will send an email to the main guest to authenticate the card before it can be charged or authorized.
The guest can either Approve or Decline the authentication request by clicking the links in the email. In case your guest cannot complete the authentication process, they need to contact their bank to get more details on why it happened.
When authorizing a card that has not been authenticated before, the system will send an authorization request email to the main guest.
- Authorizing a card won't process the payment, it will only check and hold the specified amount for a period of time.
- The system auto-void (release) the fund after 7 days for Stripe & 30 days for Cloudbeds Payments.
- Important exception: If your property is in Mexico and the origin of the transaction is Mexico (i.e. the guest’s issuer bank is in Mexico), the authentication will expire after 7 days.
The guest can either Approve or Decline the authorization request by clicking the links in the email. In case your guest cannot complete the authentication process, they need to contact their bank to get more details on why it happened.
If the authentication was approved by the bank, the guest will be redirected to a thank you page. Now you will have the option to charge the guest credit card.
When attempting to charge your guest credit card that has not been authenticated before, the system will send a payment request email to the main guest.
The guest can either Approve or Decline the authentication request by clicking the links in the email. In case your guest cannot complete the authentication process, they need to contact their bank to get more details on why it happened.
- The payment will be pending to be processed in the guest's folio until the guest approve the request. To check the payment see the steps described here: Where can I see the payment with pending approval from guest?
- Pending payment will not be automatically allocated. See more details: Will the pending payment be automatically allocated?
When the guest clicks to Approve, they will be redirected to their bank's page to perform authentication (e.g. password, fingerprint, token, SMS Code, etc.).
If the authentication was approved by the bank, the guest will be redirected to a thank you page. The previously pending for approval payment will be processed and posted in guest's folio inside their reservation.
Certain OTAs send guest card details to Cloudbeds PMS. The card can be charged immediately for the amount of deposit set in the Policy or scheduled to be processed for a later time.
Channel Collect reservation using virtual card is not required to pass 3D Secure since the payment is collected by the channel.
As soon as the card details are received from the OTA, Cloudbeds will send an email to the main guest. Which email is sent depends on the setting in Payment Options page as shown below:
- Do nothing → Authentication request email will be sent
- Process immediately → Payment request email will be sent
- Postpone processing → Authentication request email will be sent
- Authorize immediately → Authorization request email will be sent
- Postpone authorization → Authentication request email will be sent
Notes about the automatic emails:
- It's not possible to send emails to other guests on reservations except the main guest.
- Emails cannot be edited like a custom template.
- Emails are automatically triggered and it's not possible to choose which email is sent - This is decided by Cloudbeds PMS and Payment Gateway logic.
- Both property and the guest receive a confirmation of authentication, authorization or payment when they approve or decline.
- Payment and Authorization request emails contain information about the reservation amount.
- Authentication email (when card is being stored) does not contain any information about the reservation amount
Charging a card that needs to be authenticated by 3D secure will trigger a modal where you should enter the guest's email address.
You will see a modal when the email is sent to the guest for authentication, authorization, and payment.
The payment will be added to the house account in grey (pending) and will only be posted after the guest's approval.
- You can check the Email Delivery Log tab, to see if the email was sent to the correct address or to resend the emails.
- Emails triggered in House Account don’t contain any item or reservation information. Check an example below:
Charging a card that needs to be authenticated by 3D secure will trigger a modal where you should enter the guest's email address.
- You can check the Email Delivery Log tab, to see if the email was sent to the correct address or to resend the emails.
- Emails triggered in Groups feature don’t contain any item or reservation information. Please check below an email example:
The payment will be added to the Group as pending and will only be posted after the guest's approval.
Frequently Asked Questions
You can find the payment under the guest's folio inside their reservation. The payment will be pending to be processed until the guest approve the request.
Follow steps to check the payment:
- Inside the guest's reservation, go to Folio
- In the Transactions filter, select Pending
- Click Apply
- The pending payment will be in grey. In the column Type it mentions the credit card and type of the transaction Pending Payment on [gateway name]. If you need to cancel the payment, click the gear icon and select cancel.
Canceling the payment request
If you cancel the payment that is currently pending for guest's approval, the Approve and Decline links that sent in the Payment Request Email will expire and cannot be used anymore.
Follow steps to cancel the payment:
- Inside the guest's reservation, go to Folio
- In the Transactions filter, select Pending
- Click Apply
- The pending payment will be in grey. In the column Type it mentions the credit card and type of the transaction Pending Payment on [gateway name]. If you need to cancel the payment, click the gear icon and select cancel.
Canceling the payment request
If you cancel the payment that is currently pending for guest's approval, the Approve and Decline links that sent in the Payment Request Email will expire and cannot be used anymore. The following error will be displayed:
If you add a new payment using the credit card which already has a pending guest authentication, the following warning message will be displayed.
It's recommended to wait until guest authenticates or cancel the pending payment in the folio before adding additional payments. See the steps above (link to section) to cancel the pending payment.
Pending payments can't be automatically allocated even if the Payment Allocation box is checked. In this case, the payment need to be allocated after the payment is posted (authenticated by the guest) on the guest's folio.
Please refer to this article to learn how to allocate the payment: Allocation of already posted transactions on the folio
Currently, it's not possible - only the main guest will receive the email, but our development team is planning to add this option in future releases.
When the request is declined, the links inside the email become expired. Resending the same payment request email will only send the expired links. You need to attempt another charge to send the new Approve or Decline links.
To check if you have Pending Payments that are waiting for 3D Secure authentication, you can use the following reports:
Payment Processing Report
- Navigate to Payment Processing Report
- When opening up the report you can filter by Pending Status
The system will show you the list of Pending Payments
Payment Ledger Report
- Navigate to Payment Ledger
- When opening up the report you can filter by Pending Transactions
- Or, you can simply sort by Description by clicking on the column name
In such case, the payment will need to be restarted. The following steps need to be taken:
- The guest needs to contact the property directly.
- The property needs to cancel the pending payment. See step: How can I cancel the payment with pending approval from guest?
- The property needs to try charge the card again. This resend the email with Approve and Decline links to the guest.
No, the system does not release the funds when the reservation is cancelled. The property can still capture the fund if it's still within the authorization period and in line with their cancellation policy.
The system auto-void (release) the fund after the authorization period ends (30 days for Cloudbeds Payments).
If the guest denies the payment authorization for Cancellation, No/Show or Non-refundable booking means that the property will not be able to process the charge.
Currently, Cloudbeds PMS is not automating cancellation/no-show policies or the cancellation/ no show fees, so, it's hard to charge if the guest denies the authentication. Here we have a few recommendations to minimize this scenario:
- In Booking Engine terms & conditions, inform your potential guests about Strong Customer Authentication (SCA) and 3D Secure. You can state that the guest is fully responsible for authorizing such charges and failure.
- Contact your OTAs to check if you can use virtual cards as payment options since virtual cards are not required to be authenticated by 3D Secure.
- We recommend you to collect pre-stay deposit before the actual check-in date. This means you will collect the balance in full at the time of booking. You can set/change your Policies here
In House Accounts and Groups, the cards that need to be authenticated by 3D secure will trigger a modal where the Cloudbeds PMS user should enter the guest's email address.
To check if you sent the email to the correct address, please access the Email Delivery Log tab.
If you realized that you sent to a wrong email address, please proceed with the following steps:
- Go to the related House Account or Group Folio and cancel the pending payment. See: How can I cancel the payment with pending approval from guest?
- Try to charge the card again by adding a new payment.
3. Enter the correct email address
Expedia
For further info on how Expedia handles the 3D Secure Regulations, please check further information on our Expedia Connection Guide
Comments
Please sign in to leave a comment.