Ensuring security and compliance is crucial when running payments at your property. Without proper security measures, digital payments can leave your business and guests vulnerable to fraud.
Thatβs where Strong Customer Authentication (SCA) comes into play. Introduced in 2019, SCA adds an extra layer of security to electronic payments within the European Economic Area (EEA), which includes the United Kingdom.
Here, we discuss the importance of Strong Customer Authentication, the impact it has on your lodging business, and how to ensure youβre SCA compliant.
What is Strong Customer Authentication?
Strong Customer Authentication is a strict process used to validate online payments. This process is required when your guestβs card and bank are from the EEA.
Using 3D Secure, a set of rules that provides extra protection for businesses and consumers, guests must provide two of three possible authentication factors to authorize payment at your property.
Authentication factors include:Β
- Something only the guest knows, like a PIN, code, or password
- Something only the guest has, like a physical payment card or phone
- Something part of the guest, such as a face ID, a fingerprint, or an iris scan
Why hotels need Strong Customer Authentication
72% of online sales in tourism and travel are expected to be made online by 2025. As the online economy grows, regulators are attempting to make online payments safer. In the EEA, the Second Payment Services Directive, or PSD2 regulation, was put in place due to new requirements for authenticating payments online.
PSD2 regulation requires Strong Customer Authentication (SCA) for many online payments made by European customers to help reduce fraud. PSD2βs main goal as it pertains to the hospitality industry is to protect guests and their payments. With the introduction of this standard, guest credit card security is maximized, credit card fraud is reduced, and more transactions are successfully processed.
How SCA affects your business
This regulation affects how you receive guests’ payments before and after their stay. The impact of SCA on your business can vary depending on the type of purchase, whether you charge a customer during or after checkout, and even which bank your guest uses (remember, SCA is only required when both the business and card holderβs bank are in the EEA).
Several exemptions exist for SCA, including:
- Transactions below 30 Euros
- Low-risk transactions as identified by your payment provider
- Monthly recurring subscriptions that are for the same amount each month
- Safelisted businesses that customers identify for their account
- Secure corporate payments (corporate cards or corporate virtual credit cards (VCC))
Tips to ensure you receive payments
The biggest challenge hotels face is processing payments using cards that havenβt been authenticated at the time of purchase/booking. To help solve this challenge, look at how technology can help contact your guests to request authorization on your behalf.
Here are a few tips to ensure you receive payment throughout the guest journey.
1. Pre-check-in payments. Request complete or partial payment when a guest makes a reservation. Ensure your payment gateway can authenticate a guestβs card while taking their payment.
2. Deferred payments like cancellation and no-show fees. Transactions initiated by the merchant are known as MIT (Merchant Initiated Transactions) and use previously saved card data. For this card transaction to work, SCA must be performed when recording the card details (even if a payment is not taken at that time).
If cards on file are not pre-authorized, you may be unable to process a payment at a later date. To avoid this problem, attempt to authorize and/or charge guest cards while the guest is present. This can be done by requesting a deposit to cover cancellation and no-show fees.
3. Collect all pending payments at the time of checkout. Using a physical card and PIN is the easiest way to settle all pending charges at the end of a trip. To do this, ensure you have a point-of-sale terminal that supports card-present transactions.
4. Collect payments once the guest has left. Since these payments run the highest risk of inability to process, we recommend asking guests to pre-authorize payment at check-in for the full amount of their stay, plus any extra expenses, allowing you to charge their card later if necessary.
5. OTA reservation payments vary depending on the channel. For example, Expedia recommends properties leverage the use of Expedia Collect (virtual card) to eliminate the impact of SCA on reservations made through Expedia.
Cloudbeds Payments & SCA
Cloudbeds Payments fully supports Strong Customer Authentication. Below, we discuss the different ways that cards can be processed in the Cloudbeds Platform.
Cloudbeds Booking Engine. When making a reservation on the Cloudbeds Booking Engine using a card that requires 3D Secure, the guest will be directed to their card providerβs web page to perform the authentication. Once the authentication is successful, the guest will be returned to the Booking Engine, and the reservation will be created.
Cloudbeds Property Management System. For any cards manually entered, the system will automatically email the primary guest to approve or decline the request to store, authorize, or charge the card, depending on the required action.
OTAs (scheduled payments). Certain OTAs send guest details to Cloudbeds, where the card can be charged immediately for the deposit amount or scheduled to be processed later. When the card details are received, Cloudbeds will email the main guest depending on the required action (nothing, process immediately, postpone processing, authorize immediately, postpone authorization).
To ensure your guest data is secure and your property is protected from fraud and chargebacks, use a PCI-certified and fully compliant provider like Cloudbeds with SCA, PSD2, and 3DS regulations.
Process payments securely with Cloudbeds.
Published on 13 September, 2019 | Updated on 3 September, 2025
