Strong Customer Authentication (SCA): what it means for hotels
Pleasures and pains of one of the main payment instruments for hotels
The credit card is one of the main payment instruments used in the hotel sector: a convenient, flexible instrument that is not too expensive for the hotelier.
Among other things, it meets technical requirements such as the need to pre-pay for a stay or issue a pre-authorisation, i.e. "freezing" the amount for a certain number of days on the guest's credit card to guarantee the reservation.
But not all that glitters is gold.
Every hotelier has run into a few disputes from chargeback offices which, on the grounds of fraudulent use, an unauthorised transaction or some other reason, returned the money to the customer.
What these cancelled transactions have in common is that they were "remote", i.e. made without physically inserting the customer's credit card into the POS.
On the other hand, how could a hotelier physically use the credit card of a guest who perhaps prepaid for a reservation three months in advance? How could he pre-authorise an amount as a guarantee before the guest's arrival?
Thus, the banking circuit recognises the right of the hotel operator to carry out transactions remotely but then, in the event of a dispute, only protects the owner of the credit card.
Let's leave aside for a moment the complaints made to hotels in the event of a guest not showing up and being charged the full amount: in this case, some payment gateways substitute their contractual conditions for those accepted by the customer at the time of booking and consider that the maximum amount chargeable to the defaulting customer is that of a single night and not the entire stay.
However, as of 1 January 2021, the PSD2 regulation will definitively come into force: remote transactions will have to be carried out using SCA (Strong Customer Authentication) criteria.
In order to secure an electronic transaction, it will be necessary to use at least two of these three elements:
- a password or a PIN: something only the user knows, which can be a keyword, a code or a security question;
- something that is in the possession of the user and that the user can use, typically a device such as a smartphone or a bank token;
- something physical that identifies the user, such as a fingerprint or biometric facial features.
Without these authentication factors, the transaction you make will be worth little more than scrap paper.
How can the problem be solved?
Let's start with the hotel website: in this case the best procedure is to activate a payment gateway for prepaid rates.
At the time of booking, it will be the customer himself who will make the payment transaction in accordance with PSD2 regulations and it will be difficult to challenge the transaction as fraudulent or unauthorised (however, the case of a "no-show" limited to one night remains to be dealt with).
Regardless of SCA, we have always recommended this option: for the guest too, making the transaction directly on a payment gateway site brings peace of mind. And then there is the time saving for the hotel, which does not have to process payments manually.
For the Flexy Rates, our advice is to include in the policy the payment of a deposit a few days before arrival (to be carefully assessed according to the circumstances) and to send, again using a payment gateway, a link to the client who will proceed with the transaction independently (Pay By Link).
How to manage bookings coming from OTAs?
Of course, they will suggest that you adopt their Virtual Cards.
But we also know that this will not only make hotels more dependent on the 'big boys', but will also allow them to adopt somewhat unscrupulous commercial policies.
The solution, again, exists and you can continue to manage your payments independently in accordance with the PSD2 directives.
Feel free to contact us for more information and we will be happy to share our views.