Everything hotels need to be SCA compliant

Ensuring security and compliance is crucial when running payments at your property. Without proper security measures, digital payments can leave your business and guests vulnerable to fraud. 

That’s where Strong Customer Authentication (SCA) comes into play. Introduced in 2019, SCA adds an extra layer of security to electronic payments within the European Economic Area (EEA), which includes the United Kingdom. 

Here, we discuss the importance of Strong Customer Authentication, the impact it has on your lodging business, and how to ensure you’re SCA compliant.

Authentication factors include: 

1. Something only the guest knows, like a PIN, code, or password
2. Something only the guest has, like a physical payment card or phone 
3. Something part of the guest, such as a face ID, a fingerprint, or an iris scan

Why hotels need Strong Customer Authentication 

72% of online sales in tourism and travel are expected to be made online by 2025. As the online economy grows, regulators are attempting to make online payments safer. In the EEA, the Second Payment Services Directive, or PSD2 regulation, was put in place due to new requirements for authenticating payments online.

PSD2 regulation requires Strong Customer Authentication (SCA) for many online payments made by European customers to help reduce fraud. PSD2’s main goal as it pertains to the hospitality industry is to protect guests and their payments. With the introduction of this standard, guest credit card security is maximized, credit card fraud is reduced, and more transactions are successfully processed.

How SCA affects your business

This regulation affects how you receive guests’ payments before and after their stay. The impact of SCA on your business can vary depending on the type of purchase, whether you charge a customer during or after checkout, and even which bank your guest uses (remember, SCA is only required when both the business and card holder’s bank are in the EEA). 

Several exemptions exist for SCA, including:

• Transactions below 30 Euros 
• Low-risk transactions as identified by your payment provider 
• Monthly recurring subscriptions that are for the same amount each month 
• Safelisted businesses that customers identify for their account 
• Secure corporate payments (corporate cards or corporate virtual credit cards (VCC))

Tips to ensure you receive payments 

The biggest challenge hotels face is processing payments using cards that haven’t been authenticated at the time of purchase/booking. To help solve this challenge, look at how technology can help contact your guests to request authorization on your behalf.

Here are a few tips to ensure you receive payment throughout the guest journey. 

1. Pre-check-in payments. Request complete or partial payment when a guest makes a reservation. Ensure your payment gateway can authenticate a guest’s card while taking their payment.

2. Deferred payments like cancellation and no-show fees. Transactions initiated by the merchant are known as MIT (Merchant Initiated Transactions) and use previously saved card data. For this card transaction to work, SCA must be performed when recording the card details (even if a payment is not taken at that time). 

If cards on file are not pre-authorized, you may be unable to process a payment at a later date. To avoid this problem, attempt to authorize and/or charge guest cards while the guest is present. This can be done by requesting a deposit to cover cancellation and no-show fees.

3. Collect all pending payments at the time of checkout. Using a physical card and PIN is the easiest way to settle all pending charges at the end of a trip. To do this, ensure you have a point-of-sale terminal that supports card-present transactions. 

4. Collect payments once the guest has left. Since these payments run the highest risk of inability to process, we recommend asking guests to pre-authorize payment at check-in for the full amount of their stay, plus any extra expenses, allowing you to charge their card later if necessary. 

5. OTA reservation payments vary depending on the channel. For example, Expedia recommends properties leverage the use of Expedia Collect (virtual card) to eliminate the impact of SCA on reservations made through Expedia.  

Cloudbeds Payments & SCA

Cloudbeds Payments fully supports Strong Customer Authentication. Below, we discuss the different ways that cards can be processed in the Cloudbeds Platform. 

Cloudbeds Booking Engine. When making a reservation on the Cloudbeds Booking Engine using a card that requires 3D Secure, the guest will be directed to their card provider’s web page to perform the authentication. Once the authentication is successful, the guest will be returned to the Booking Engine, and the reservation will be created. 

Cloudbeds Property Management System. For any cards manually entered, the system will automatically email the primary guest to approve or decline the request to store, authorize, or charge the card, depending on the required action. 

OTAs (scheduled payments). Certain OTAs send guest details to Cloudbeds, where the card can be charged immediately for the deposit amount or scheduled to be processed later. When the card details are received, Cloudbeds will email the main guest depending on the required action (nothing, process immediately, postpone processing, authorize immediately, postpone authorization). 

To ensure your guest data is secure and your property is protected from fraud and chargebacks, use a PCI-certified and fully compliant provider like Cloudbeds with SCA, PSD2, and 3DS regulations.