Hotels are impacted when card present transactions are processed through the property management system, and when Hotels make and receive payments online. When it comes to online payments, they are often processed direct through the hotel’s website, via online travel agencies (OTAs), and/or through online booking engines.

Compliance deadlines are fast approaching, as they come into effect on 31st December 2020 (14th September 2021 in the UK). As a result, it’s imperative that hotels are preparing now.

SCA is not there to intentionally cause disruption, nor is it trying to catch anyone out. Its launch to the payments ecosystem is to make transactions more secure to protect both merchants and guests. This is especially the case when it comes to making payments online to tackle the rise in online fraud.

Preparing for SCA compliance and the upcoming deadlines is still achievable. This will help avoid declined payments and lost revenue, and reduce hassle for guests during the payments experience.

The importance of SCA for hoteliers

From booking to check-in, check-out and beyond, SCA requires two-factor, or multi-factor authentication across the guest journey. If proof of SCA is not captured when the card is charged, or SCA is not captured during an online payment, transactions are at risk of being declined.

At the time of booking online, intermediaries such as an OTA or a booking engine, will have the opportunity to perform SCA when capturing the guest’s card details. This is regardless of whether full payment or a deposit is taken or not at the time of booking.

Previously, it was acceptable for an OTA or booking engine to capture a guest’s card details as a form of guarantee for the booking. This could occur without carrying out any authentication to check the card details or the cardholder.

So for Hotels to perform a transaction with the card – a Merchant Initiated Transaction (MIT) - the guest’s card details, and the proof of completed SCA, must to be passed through the OTA or booking engines and the payment gateway. Online payments risk being declined if card details have been captured without SCA. Or if the proof of SCA is unavailable at the time when the card is actually charged.

To learn more about the background of SCA compliance, details on SCA exemptions, or what transactions are out of scope for SCA, please read more in our blog ‘Making digital payments in Europe more secure: PSD2 and Strong Customer Authentication (SCA).’

SCA across the guest journey

While we are here to help support clients achieve SCA compliance, it’s important that Hotels assess their own payment models first. We have processes in place to support different scenarios, or if hotels need best practice guidance to ensure they are meeting the new directive requirements correctly.

The following outlines some of our recommendations at different stages of the guest journey:

Booking Direct with the Hotel

When a transaction is in scope, authentication must take place at booking, unless any exemptions apply.

Payments can be processed online via the hotel website, in app, or through payment via a secure URL link, with Pay by Link. (More on this tool below).

Authentication of online payments is performed via 3D Secure, or smartphone biometrics e.g. fingerprint.

Alternatively, a phone payment through the virtual terminal (MOTO) can be processed with Card Verification Value (CVV) and Address Verification Service (AVS) serving as the authentication checks.

If no payment is taken during booking, then a card verification with a zero value authorisation will generate a scheme transaction reference number. This is the reference numbers that’s required for future MITs. This authorisation should be flagged as a MIT so issuers don’t decline it, asking for proof of SCA.

If it’s not possible to flag as a MIT and store the scheme reference, we can flag as MOTO. To do this the MIT agreement must be in place with cardholder and hotel.

Indirect booking through an intermediary such as an OTA

When a transaction is in scope, authentication must take place at booking, unless any exemptions apply. As above, the same payment channels can be used, either an online payment or payment through a virtual terminal.

Once again, if no payment is taken during the booking process, then a card verification with a zero value authorisation will generate a scheme transaction reference number.

If OTA’s cannot send encrypted card details and a scheme transaction reference, we recommend the Hotel send the guest a Pay By Link to confirm their booking before check-in. This can be processed for either a small deposit, full pre-payment or a card verification with zero value authentication. As Pay By Link is an online payment, authentication is performed via 3D Secure, or smartphone biometrics e.g. fingerprint.

The hotel should now enter into a direct MIT Agreement with the guest. This covers the hotel in case of future MITs such as no shows or VIP check-in.

Check-in and during the guest stay

Once the guest arrives at the hotel, it is best practice to authenticate at check-in. This can be done with a Pre-Authorisation Chip & PIN transaction, and setting up a new MIT agreement with the guest.

Additional charges throughout the guest’s stay can be processed as a top-up transaction by MIT. This is as long as authentication has already taken place, and the MIT agreement is in place.

In the case of a VIP guest or loyalty card guest where Card on File is normally used, authentication is needed here also.

Hotels should update their Terms & Conditions with the VIP/Loyalty guest as a MIT requires the agreement to be in place. Once again, if it’s not possible to flag these payments as a MIT and store the scheme reference, we can flag as MOTO in the interim.

Check-out and after the guest stay

In the scenario where the guest is physically present at check-out, and the guest stay amount is the same as original preauthorisation, the hotel should simply process a completion.

If the guest is physically present at check-out, and the guest stay amount is more than original preauthorisation, the hotel has two options:

1. cancel the original preauthorisation and process a new payment transaction for the full amount OR
2. complete that preauthorisation, and do another transaction for the difference

In the scenario of Express check-out, this can still go ahead. This is as long as authentication has already taken place and the MIT agreement is in place for any additional changes.

The transaction should be flagged as a MIT with the original Scheme Transaction Reference.

The same conditions apply for No Show and Cancellation charges. These transactions should be flagged as a MIT with the original Scheme Transaction Reference.

MOTO flagging recommendations

We are happy to discuss with you the process for flagging MOTO and MIT transactions and storing scheme transaction references. Please see our general recommendations below:

• When a MOTO flag is needed, and the booking agent or PMS/POS can flag a transaction as MOTO, then no further action is required
• If a payment comes through a Card Present account, and the transaction cannot be flagged as MOTO by the PMS/POS, it will be flagged as ‘Pan Key Entry’. In this case, we will add the MOTO flag to the transaction, before it is submitted
• If a payment comes through a Card Not Present account, eg. Ecom online web booking, and the transaction cannot be flagged as MOTO, it will be flagged as ‘Non Authenticated E-Commerce’. In this case, we will add the ECOM/MOTO flag to the transaction, before it is submitted.

Getting Ready

You may still be working through the payments assessment in your hotel in preparation for the upcoming deadlines. Failure to prepare in time could result in declined payments, missed bookings, or disruption for potential guests who will go elsewhere to spend.

If you believe you may not be not ready for SCA, you cannot flag transactions correctly in your system, or that perhaps your PoS or PMS providers may not be ready yet, there’s still time and support available to you.