Here we are: the SCA tsunami is arriving. From January 1st 2021, a new regulation on payments for online bookings that requires Strong Customer Authentication (SCA) will come into force. SCA is part of the second European directive on payment services (PSD2).

NB: This is an article from Salvatore Ciotta, Revenue Specialist at Hotelperformance

What is PSD2?

It is the new European directive on payments, designed to promote innovation and the development of digital payments while increasing the protection and safety of users of online payment services, and so making online purchases safer.

The main aims of the Directive are to combat fraud and increase consumer confidence in digital payments, by modernizing the legislative framework that regulates innovative digital services.

Among the most important security measures that PSD2 introduces is SCA, an advanced two-factor customer authentication, which aims to add additional levels of security to electronic payments.

This type of authentication will be required when both the credit card issuer and the payment accounting are in the European Economic Area (EEA).

SCA requires that authentication use two of the following three elements:

How Will The SCA Impact The Hotel Industry?

SCA will unavoidably affect any business that receives online payments from its customers, including the hospitality industry, which will need to update both the procedures and technologies as soon as possible.

The credit card is the main payment method used in the hospitality industry: cheap, flexible, and useful for prepayment, pre-authorization and reservation guarantee.

Customers are now used to paying for a room online quickly and easily.

From January 1st, the booking procedure will require an extra step. The hope is that it will not increase the risk of the customer leaving the page without completing the purchase, which would reduce the conversion rate.

Before the PSD2 Directive came into effect, it was sufficient for OTAs or the booking engine to acquire the user’s credit card data to authorize the payment, without the need for subsequent validation of the card or of the person making the payment.

From January, for both non-refundable and refundable bookings, it will no longer be possible to cash out or pre-authorize without two-factor authentication (with some small exceptions). If the old procedure is still used, then even if a payment goes through, the customer could easily request and obtain a refund.

Here is what could happen with practical examples:

  • Ms. Smith books a room online from the Hotel website.

At the time of payment she enters the credit card number and proceeds with the purchase. The transaction will have to pass a test to assess whether SCA (double authentication) is required or not. The test evaluates the risk of fraud, from low to high. If, for example, the transaction is for an amount of less than € 30, it will be rated as low risk and so no authentication will be required, on condition that the same card has not been used for more than five transactions (or for a total of over € 100) in the last 24 hours. Note that even with exempt transactions, the bank will always have the last word, and may decide that SCA is also needed for low-risk purchases.

Suppose instead that the total amount is € 350 and she has never booked this hotel before. The test decides that this is potentially a risky transaction and requires Ms. Smith to authenticate it twice, which means providing two of the three types of accepted authentication.

  • Ms. Smith books on an OTA

For bookings received via OTA with the OTA collect model (the OTA collects the money on behalf of the hotel), the existing processes will not change. In this case it is the OTA that collects money from the final guest and provides hotels with a virtual card, so hotels will not need double authentication to process the payment.

For bookings received via OTA with the Hotel collect model, the hotel will need to modify its internal processes and systems to ensure that the payment will be validated: first, the hotel must process these payments through an online payment gateway which is PSD2 compliant. If you don’t have a gateway with this security compliance, you can’t use a credit card for pre-authorization, pre-payment or deposit. When the guest arrives, the payment can be treated as “card present”, skipping the SCA. Obviously this case is very risky, as it would allow the customer to cancel the reservation without any penalty even when the property would have the right to charge one.

The advice is therefore to integrate a bank payment gateway both with the Booking Engine (for direct bookings from the site) and with the PMS (for bookings from all other online channels), and to use it for all bookings (flexible and non-refundable). In this way you ensure that all transactions within the scope of PSD2 go through double authentication (SCA). For non-refundable bookings, payment will be made at the time of booking. For flexible bookings, only the authentication will be carried out (not the payment), again through a payment gateway: a link will be sent to the customer, who will complete the transaction independently (Pay By Link). Once the customer has authenticated and accepted the pre-authorization, he will not be able to deny the transaction in the future, and therefore we will be covered even in the event of a no-show or late cancellation.

What is a payment gateway?

An online payment gateway is an electronic payment channel that allows secure transactions between seller and customer; it authorizes the processing of direct payments or payments by credit card for the accommodation and deals with the encryption of sensitive data, such as credit card numbers, ensuring maximum security in data transmission.

The integration of a payment gateway with the booking engine allows you to receive payments by credit / debit card upon booking, helping you to guarantee the cash flow, prevent the fraudulent use of credit cards and secure reservations.

To use a payment gateway service, you need to create an account with one of the payment gateway service providers, and then connect the payment gateway with the Booking engine.

The main booking gateways are: Nexi, PayPal, Stripe, 2Checkout.

Commissions are usually what scares people: they currently range from 1.4% up to 1.9% for European credit cards, while for non-European or Business cards they run from 1.9% up to 2.9%. It is true that using a PSD2-certified payment gateway entails additional costs, but these can be turned into opportunities that bring practical advantages to accommodation facilities: a reduction in fraud, fewer disputes, a lighter workload for collection activities and fewer errors, thus increasing the security of credit card payments.


Some transactions will still be exempt from the SCA, for example:

• contactless payments and all transactions in which the credit card holder is physically present at the time of payment;

• payments for purchases made by telephone or by e-mail (MOTO – Mobile Order and Telephone Order) which will follow the same current logic;

• payments of less than € 30.
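
The test applied to Ms. Smith's payment and the exemptions listed here can be written as one decision function. This is an added example, not code from the article or from any payment gateway; it uses the article's stated thresholds, and the names `Payment`, `sca_decision` and `processing_in_eea`, as well as the choice to count only earlier payments on the card, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Thresholds exactly as the article states them.
LOW_VALUE_LIMIT = Decimal("30")     # "less than € 30"
MAX_RECENT_COUNT = 5                # "more than five transactions"
MAX_RECENT_TOTAL = Decimal("100")   # "a total of over 100 €"
WINDOW = timedelta(hours=24)        # "in the last 24 hours"

@dataclass
class Payment:
    amount: Decimal
    when: datetime
    channel: str = "online"         # "online", "card_present" or "moto"
    issuer_in_eea: bool = True
    processing_in_eea: bool = True  # assumed name for the article's second party

def sca_decision(payment, card_history=(), issuer_demands_sca=False):
    """Return (sca_required, reason). card_history holds earlier payments on
    the same card; counting only earlier payments is an assumption."""
    if not (payment.issuer_in_eea and payment.processing_in_eea):
        return False, "out of scope"
    if payment.channel in ("card_present", "moto"):
        return False, "exempt channel"
    if issuer_demands_sca:          # the bank always has the last word
        return True, "issuer override"
    if payment.amount >= LOW_VALUE_LIMIT:
        return True, "amount at or above low-value limit"
    recent = [p for p in card_history
              if timedelta(0) <= payment.when - p.when <= WINDOW]
    if len(recent) > MAX_RECENT_COUNT:
        return True, "too many recent transactions"
    if sum((p.amount for p in recent), Decimal("0")) > MAX_RECENT_TOTAL:
        return True, "recent total too high"
    return False, "low-value exemption"

# Constructed sample data: Ms. Smith's 350 EUR booking, then small payments.
NOW = datetime(2021, 1, 4, 12, 0)
def earlier(amount, hours):
    return Payment(Decimal(amount), NOW - timedelta(hours=hours))

if __name__ == "__main__":
    print(sca_decision(Payment(Decimal("350"), NOW)))
    print(sca_decision(Payment(Decimal("25"), NOW)))
    print(sca_decision(Payment(Decimal("25"), NOW), [earlier("10", h) for h in range(1, 7)]))
    print(sca_decision(Payment(Decimal("25"), NOW), [earlier("40", h) for h in (2, 5, 9)]))
```

A payment that the function reports as exempt can still be challenged by the issuing bank, which is what the `issuer_demands_sca` flag models.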


Hotels will not be subject to inspections or penalties related to the application of PSD2. It is mainly the payment gateways and the banking or financial industry that will have to adapt, and if they do not comply they could be fined. Hospitality operators do not carry out certification or adjustment work at their own expense (this will instead be carried out by the developers of the technological systems they use), but they can use a banking gateway if they do not want to risk being unable to charge penalties for late cancellations and no-shows.

Every change is a challenge, and with it comes the fear of not being able to cope; but tackled with the right weapons and the right preparation, it will bring benefit and satisfaction, and the old POS can become just a distant memory.