Strong Customer Authentication (SCA) is an element of the new PSD2 legislation that will be introduced across the European Economic Area (EEA) on 14 September 2019.
From this date, most online transactions between EEA-based businesses and consumers will have to undergo ‘Strong Customer Authentication’. This means implementing more thorough authentication measures to verify that the consumer is the rightful card owner.
Under SCA, cardholders paying online (by card) must be authenticated using at least two of these three methods:
- Something the customer knows (e.g. a password or PIN),
- Something the customer has (e.g. a phone or hardware token),
- Or something the customer ‘is’ (e.g. using face or fingerprint recognition).
What does it mean for me, as a Connectivity Partner?
At Booking.com, we’ve chosen to support affected properties via our Online Payments service – which many properties are already using. This will limit the operational impact for property partners and keep authentication as part of one, fluid payment process.
Many of you contacted us asking if we would be enabling 3DS authentication responses, but since we’re able to offer a suitable solution for the majority of properties, we won’t be doing this for now. This means there won’t be any imminent updates to the Reservations API as a result of SCA.
That’s not to say we won’t adjust our approach in future. We’re keeping an eye on the situation and will contact you if the current plan changes.
Why was this decision made?
There are a few reasons for this:
- We believe that authorisation should remain a part of the payment process. Dividing the responsibility for a single payment creates confusion and an unclear experience for guests, properties and Connectivity partners.
- Sharing crypto tokens is not a travel industry standard yet. Additionally, if we were to collect crypto tokens for every reservation, this would also limit our ability to identify exceptions to the regulations. This would make it difficult to maximise reservations for properties. We’ll continue to monitor the market and adjust our plan if we need to.
- Splitting the transaction makes things less transparent for bookers. We want guests to know how much they’ll be charged and for what – always. If we split the process, this becomes less transparent and impacts bookers’ overall experience.
Some countries have announced that they’re delaying SCA implementation. What is Booking.com’s response to this?
While some countries’ regulators did recently announce a delay, the majority of countries will go ahead with SCA launch as planned. There’s also no guarantee that some banks won’t implement it – despite the regulator delay – so we still consider 14 September 2019 the launch date we need to be ready for.
How will Booking.com use Online Payments models to manage SCA?
As mentioned in the email sent to all Connectivity Partners, we currently have two Online Payments models. For a quick recap:
- Model 1. If a property is on this model, guests have the choice of either paying the property directly, or paying online (facilitated by Booking.com). Any payments facilitated by Booking.com are sent to the partner on a virtual credit card (VCC).
- Model 2. If a property is on the second model, Booking.com facilitates all their guests’ payments. Properties on this model receive their payments by bank transfer, rather than virtual credit card.
To see a list of which models your properties are eligible for, please contact our support team at firstname.lastname@example.org.
Here’s how SCA will work for partners on Online Payments Model 1:
(For Model 2, please see below)
Guests will still have the choice of either paying the property directly, or online through Booking.com:
- When a guest pays online, facilitated by Booking.com, we will take care of authenticating their payment transaction. The property won’t need to do anything.
- If a guest chooses to pay the property directly, SCA may apply. These are the potential scenarios:
  - If the property normally charges guests’ cards while they’re present, upon check-in or check-out, SCA shouldn’t apply.
  - If the property charges guests remotely (for example for pre-payments, deposits, or no-show fees), SCA might apply. While these payments are not facilitated by Booking.com, we’ll support properties to reduce operational impact. Read more about the process below.
How Booking.com will support properties when guests pay them directly
At the time of reservation, Booking.com will assess whether a guest’s payment may be subject to SCA.
- If we believe that SCA might apply, we’ll request that the guest pays through our Online Payments service, and we’ll manage the payment on the property’s behalf.
- If we believe that the payment is not subject to SCA, the property’s guests can continue to either pay online or pay the property directly – whichever they prefer.
In instances where properties try to charge cards remotely, they may find they’re being declined unexpectedly. This is because card-issuing banks might change how and when they roll out and enforce SCA.
- If your properties experience declined transactions, they can use the invalid credit card process to mark guests’ cards as invalid. In order to help them successfully charge customer cards, we are currently updating our invalid credit card process in line with SCA requirements.
How SCA will work for partners on Online Payments Model 2:
For properties whose payments are exclusively facilitated by Booking.com (Model 2), we will take care of authenticating all customer payment transactions for reservations made on Booking.com.
This means that these properties won’t need to take any action at all when SCA comes into effect.
What will happen with credit card details that are passed to us as Mail Order/Telephone Order (MOTO) transactions, which are exempt from the new PSD2 directive, when they are not technically MOTO?
At the moment, we can’t comment on these transactions. At Booking.com, we don’t endorse this approach and we can’t be 100% sure that it will work.