PSD2: A Guide to Strong Customer Authentication

In an industry like short-term rentals, payments are a key part of the booking process. Not only do owners like you want to accept them quickly and securely on your website, but also guests want the peace of mind that their credit card details are safe.

For any property owners operating in the European Economic Area (EEA), you may have already heard about the Revised Payment Services Directive (PSD2). These new rules will better protect customers when they pay online and will signal a step towards a single, digital market in the EU.

To better understand what this means, we want to share an overview of what it is and how it will impact businesses that use Lodgify in the EEA.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) is a new European regulatory requirement that aims to reduce fraud and make online payments more secure by introducing an extra level of authentication at the checkout. This makes it harder for fraudulent transactions to take place.

SCA will come into full effect on September 14th, 2019 and will require authentication to use at least two of the following three:

  • Something the customer knows (e.g. password or PIN)
  • Something the customer has (e.g. phone or hardware token)
  • Something the customer is (e.g. fingerprint or face recognition)

For example, instead of simply entering a password or PIN, SCA would prompt a customer to enter a code that their banking app generates as a second layer of security.

The main advantage of this new authentication method (3D Secure 2 or 3DS2) is that it will offer a smoother user experience by minimizing some of the friction that authentication generally adds on to the checkout flow.

When is Strong Customer Authentication required?

The SCA regulation will apply to customer-initiated online transactions where both the business and the cardholder’s bank are located in the EEA. This means that most credit card payments and bank transfers will require SCA.

On the other hand, merchant-initiated transactions will not require strong customer authentication. That means it will not affect any recurring direct debits and other scheduled payments.

As the directive is for EEA member states only, if you are a rental host in a non-European country and you receive bookings and payments from European guests, SCA will not affect these transactions.

What transactions are exempt from SCA?

It is important to understand that not all transactions will be challenged with SCA. Some low-risk payments will be exempted, for example:

Payments under €30

Any transaction under €30 is a “low value” transaction and may not require SCA. That said, banks will need to request further authentication if the exemption has been used five times since the cardholder’s last successful authentication, or if the sum of the previous exempted payments is over €100.

Fixed-amount subscriptions

When a customer makes a series of recurring payments for the same amount to the same business, the first payment will require SCA, but subsequent billing cycles (renewals) may be exempted.

Scheduled payments

Any payments made with saved cards, such as scheduled payments for an upcoming booking, will likely qualify as “merchant-initiated transactions” and will probably not require SCA. However, to use merchant-initiated transactions, you will need to authenticate the card when you save its details or when the customer makes the first payment.

Trusted beneficiaries

When a customer completes authentication for a payment, they will have the option to “whitelist” a business they trust to skip this process next time. The customer’s bank will include these businesses on a list of “trusted beneficiaries” in their account, so that they won’t need SCA for future purchases.

Lodgify and Strong Customer Authentication

If you are Lodgify customer in the EEA who accepts payments via Stripe or Lodgify Payments, you do not need to do anything to keep your account working as usual.

If you don’t currently have a payment gateway connected, but are thinking about activating one in the future (and you are located in an EEA country), you can choose Stripe or Lodgify Payments in the payment section of your account.

Which modules of Lodgify will be challenged by SCA?

Every time you initiate a transaction in Lodgify for your account (i.e. purchase a subscription or add-on), it will require SCA. Subsequent billing cycles (i.e. subscription renewals) will not require further authentication.

Additionally, every time a guest initiates a transaction on your website (i.e. makes a booking), it will require SCA.

Which modules of Lodgify will not be challenged by SCA?

Merchant-initiated transactions, such as scheduled payments, refunds and damage protection pre-authorization will not require Strong Customer Authentication.

As well as this, if you take bookings and payments via third-party sites (i.e. virtual card from and use the Channel Manager to synchronize these with your Lodgify account, these transactions will not be subject to SCA.

Strong Customer Authentication will help to reduce fraud and increase security for customer-initiated online payments within the European Economic Area, giving your guests the confidence and trust they need to book your property online.

What do you think about this article?

5/5 - (5 votes)
Show Comments (0)

Your email address will not be published. Required fields are marked *

Ready to take more direct bookings?

No set up fees, no credit card details, no obligation. Try Lodgify free for 7 days.