If you thought GDPR was difficult for your hotel, get ready for SCA


On September 14th 2019, a new regulation called Strong Customer Authentication (SCA) will come into effect. This will require businesses to make changes to the way they collect payments. This also includes all hotels and booking sites.

So many businesses are still not yet aware of this change. If you are one of them, this article will give you an overview of this new regulation and what you can do about it.

What is SCA?

SCA (Strong Customer Authentication) is a new EU regulation that aims to reduce fraudulent credit and debit card payments in e-commerce transactions. This is according to José Antonio Luján on his article on We Are Marketing. By the time that it takes effect, banks will start to reject payments that don't fulfill the requirements of the law. 

What are the acceptable authentications?

Allen Snook of Woo Commerce gave a clear answer on this. SCA allows for three different authentication methods — something the customer knows, something the customer has, and something the customer is. To succeed, a transaction has to use two of the three.

Are there any exemptions to SCA?

The authentication of online transactions will soon become a norm. However, there are still some exemptions. They are as follows:

  1. Low-value transactions
  2. Recurring payments
  3. Transaction risk analysis
  4. Trusted beneficiaries
  5. Corporate payments

These exemptions are explained in detail by Martin Koderisch of Edgar, Dunn & Company. Check out his article on his Advito blog here.

So, what do I need to do now?

They say the only permanent thing in this world is change. With changes come a new set of responsibilities and things to do. Here's a video that you can watch from Lily McIlwain, Head of Marketing at Triptease. She discussed here steps that needed to be urgently taken to start the process of compliance in time for the impending September deadline of SCA.

Summary. What steps should you take now?

Triptease wrote a fantastic summary on their website

  • Recognise that you might get a drop in conversion rate in September.
  • Speak to your booking engine and payment provider: they should have a plan for setting up two-factor authentication on your hotel's website. Bear in mind that you might need up to fifteen days to integrate some of the systems, so provision for some lead time.
  • Check that your PMS is ready for the change: additional infrastructure may be required to handle different verification values put in through various distribution channels.
  • Reassess your relationship with third-party partners within your distribution chain. Wholesalers and OTAs may need to make changes to the way they handle data, and any consequences of them not implementing SCA properly will ultimately hit your hotel the hardest.
  • Evaluate the impact that SCA may have on the customer experience on your direct channel. Whilst merchant-initiated transactions for no-shows or additional charges are exempt from the legislation, this needs to be communicated clearly to prospective guests or your hotel could face substantial reputational damage.


Want to prepare your business so you don’t need to rely on OTAs? I have created a Free 5 Step email guide to marketing to help you! Sign up at www.boostly.co.uk/free



Share this post