
The Second Payment Services Directive (PSD2), drafted by the EU, was supposed to come into force this September; it has now been postponed, giving all EU countries time to get ready to apply the extra authentication step, Strong Customer Authentication (SCA), to all online transactions.

A bit of history

In 2007 PSD1 was implemented, establishing the same set of rules for all EU countries covering non-cash transactions and online payments. It also introduced a new set of payment providers other than banks, called Payment Services.

Now the EU has reviewed the legislation to improve it and to include new digital payment services, such as those made through mobile devices, and has given a bigger role to the European Banking Authority (EBA) to coordinate national authorities and draft the technical standards.

In the end, though, this new legislation actually focuses on adding extra security measures to prevent fraud and chargebacks in online payments, as we previously mentioned in our blog post A Picture of the Current Situation With Online Payments.

The European Central Bank reports that 73% of card fraud resulted from card-not-present (CNP) payments, which include internet payments, compared with 19% at the point of sale and 8% at ATMs.

Moving forward…

What are the benefits of applying the SCA?

It will reduce the possibility of online fraud. 

It can become an opportunity for competitive differentiation.

According to a study made by Stripe, 60% of European online shoppers are in favour of SCA, so consumers see it as a positive step.

Here we will explain to you all you need to know about PSD2 in order to be well informed and also what you, as a vacation rental agency, need to consider:  

So let’s get right to the point…

First of all, Strong Customer Authentication came about due to the new EU regulation PSD2, which had to be reviewed because of the growth of online payment transactions and the different devices used to make them.

What exactly is SCA?

It is an extra verification step when the customer makes a payment online. For this extra verification they need two of the following three factors:

  1. Something a user knows. So they will have to insert a password or pin. 
  2. Something only the user has. That could be a credit card, mobile phone or wearable device through which they make the payments. 
  3. Something the user is. This talks about biometrics, which means either facial recognition, fingerprint or iris scan. 

What is 3D Secure?

3D Secure is a security check for card payments, also known as "Visa Secure" or "Mastercard Identity Check". 3DS1 has been used by travel providers to prevent fraud, but the first version is now about 20 years old, so EMVCo (an organisation made up of the 6 main card networks) has created a second version, 3DS2.

3DS1 was created in 2001 because the other security measures in place such as AVS and CVC still had high fraud and chargeback risks.

3DS1 VS 3DS2

Without going into too many technical details, the main difference between the two versions is that 3DS2 has features that enhance the customer experience in the checkout payment flow, it is more secure and supports mobile and app device purchases. 

Even though the main strategy to cover SCA is activating the 3D Secure with your bank or payment provider, you should also take into account the exemptions and the forms of payments that fall out of scope of the extra verification. 

Forms of payments out of scope of SCA

One-leg Transactions

This regulation only applies to financial entities who provide payment services in the EU. So for example, if a US card holder makes a payment on an EU country based website, SCA will not apply. 

MOTO (Mail or Telephone Order) 

The transactions made through the phone or via mail order do not need to have an extra authentication.

MIT (Merchant Initiated) 

This means that the transaction is done when the cardholder is not present. The payments that fall under the scope of the European Banking Authority and that do not have to go through the extra authentication are: 

  • Utility payments such as household bills, paid TV and mobile subscriptions. 
  • Car/bike sharing transactions.
  • Digital service subscriptions (e.g. Spotify, Netflix etc.).
  • Insurance payments.

The payments above are direct debits where the customer is offline, so the EBA considers that authentication as such cannot be performed, because the customer has given prior consent to be charged through a contract.

Be aware, though, that payments made with cards registered on file with merchants do have to go through the extra authentication. A good example is when a customer registers their card on a website or app and triggers the payment through a purchase button.

This is because the EBA considers that this purchase is made online by the consumer without previous consent, therefore needs an extra security layer. 

Only businesses that charge customers, when they are not present in the check-out payment flow, using the saved payment credentials (with previous consent) qualify as merchant initiated. 


Low Value Payments

Purchases under 30 EUR will be exempt, but there is a catch: the customer's bank will request SCA if these transactions are made more than five times or reach a total amount of 100 EUR.

In the case of Vacation Rental agencies, this exemption applies for example when the customer pays for an extra via their website, if the extra service falls under the amount mentioned above. But if the same customer pays for the same extra more than 5 times or reaches the amount above, the authentication has to be made accordingly through their PSP or bank. 

Trusted Beneficiaries (Whitelisting)

This exemption applies when the customer initiates a transaction and the merchant is included in a list of trusted beneficiaries. It covers remote as well as face-to-face payments. Take into consideration, though, that the customer will have to go through an initial authentication before the merchant can be added to this list.

So how does it work? Basically, issuing banks will add a new tick box to the 3DS iframe asking "Do you trust this travel provider?"; once the customer ticks the box, the company is whitelisted. So the good news is that there will only be one initial friction point in the payment flow.

But what you need to consider with this exemption is that, at a technical level, it is difficult to implement, so not all issuers will be able to have it ready by September.

Corporate Payments

In the case of B2B corporate payments, authentication will not take place if the company already has a secure payment process in place, or if it uses corporate cards that are not held by an individual, such as lodged cards and virtual cards.

Low Risk Transactions

This exemption, also known as TRA (Transaction Risk Analysis), can be implemented by the Payment Service Providers or banks whereby they can apply a real-time risk analysis to define if SCA is applicable. 

Nevertheless, PSPs and banks that want to use real-time risk analysis also have to pass an additional checkpoint: they need to make sure that their fraud rates for card payments do not exceed the following thresholds*:

  • 0.13% to exempt transactions below €100
  • 0.06% to exempt transactions below €250
  • 0.01% to exempt transactions below €500

According to Stripe, this exemption will be the preferred one by businesses and the one that will most likely be used by banks. 
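To make the two exemption rules above concrete (the low-value counters from the Low Value Payments section and the TRA fraud-rate tiers just listed), here is an added example of the decision an issuer or PSP exemption engine has to make per transaction. It is not Avantio's or any PSP's code; the thresholds come from the article, the comparisons are assumed inclusive as in the EBA technical standards, and the counter-reset behaviour is a simplification.

```python
"""Added example: per-transaction SCA exemption decision.
Thresholds are those quoted in the article; inclusive comparisons and the
counter handling are assumptions, not a PSP's actual implementation."""
from dataclasses import dataclass

LOW_VALUE_MAX = 30.0          # per-transaction ceiling for the low-value exemption
LOW_VALUE_CUMULATIVE = 100.0  # cumulative exempted amount allowed since the last SCA
LOW_VALUE_COUNT = 5           # consecutive exempted transactions allowed since the last SCA

# TRA tiers from the article: (PSP fraud-rate ceiling, max exemptible amount in EUR)
TRA_THRESHOLDS = [(0.0013, 100.0), (0.0006, 250.0), (0.0001, 500.0)]


def tra_ceiling(fraud_rate: float) -> float:
    """Largest amount a PSP with this card fraud rate may exempt under TRA (0.0 if none)."""
    ceiling = 0.0
    for max_rate, amount in TRA_THRESHOLDS:
        if fraud_rate <= max_rate:
            ceiling = max(ceiling, amount)
    return ceiling


@dataclass
class CardState:
    """Issuer-side counters kept per card since the last successful SCA."""
    exempt_count: int = 0
    exempt_total: float = 0.0


def decide(state: CardState, amount: float, psp_fraud_rate: float) -> str:
    """Return 'low_value', 'tra' or 'sca' for this payment and update the counters."""
    if (amount <= LOW_VALUE_MAX
            and state.exempt_count + 1 <= LOW_VALUE_COUNT
            and state.exempt_total + amount <= LOW_VALUE_CUMULATIVE):
        state.exempt_count += 1
        state.exempt_total += amount
        return "low_value"
    # Assumption: TRA-exempted payments are not added to the low-value counters here.
    if 0 < amount <= tra_ceiling(psp_fraud_rate):
        return "tra"
    # Neither exemption applies: step up to SCA (3DS2 challenge) and reset the counters.
    state.exempt_count = 0
    state.exempt_total = 0.0
    return "sca"


if __name__ == "__main__":
    # Constructed scenario from the article: a guest pays the same 20 EUR extra repeatedly
    # through a PSP whose fraud rate (0.2%) is too high for any TRA tier.
    card = CardState()
    print([decide(card, 20.0, 0.002) for _ in range(6)])  # five exempt, sixth steps up
```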

In order to implement these exemptions you need to talk to your payment service provider to see if they have an exemption engine.

Borja Santos, the Head of Spain and Portugal at Stripe, explains how these exemption engines work : 

We use machine learning to decide which is the best exemption to provide in order to maximise authorisation rate and avoid stepping up to authentication. Whereas other vendors will allow users to select an exemption, we can predict the most useful exemption for any given transaction and apply it dynamically.

What will happen with the complex payment ecosystem of the travel sector?

The implementation of the new way to authenticate is quite straightforward with e-commerce platforms where full payment is done in a single transaction, but did they take into consideration all the different payment scenarios, especially that of the travel sector?

The travel sector is a space with many players that interact with each other. Some of the big players include OTAs and metasearch engines, where airlines, vacation rentals and other travel-related services are offered.

In the case of vacation rental agencies the payment processes may vary according to the conditions of the reservation, where there are different payment deadlines. 

Furthermore, if they are connected through a channel manager to an OTA, marketplace or metasearch engine, there are many variables to consider, since payment conditions may vary across channels and a three-way communication may be involved between payment service providers, PMS systems and the channels' own booking engines.

There are still many factors and technicalities that the EBA has not considered and that will be a challenge in the months to come for the travel industry. 

How can the vacation rental agencies prepare for SCA?

With so many challenges ahead, the best way that the vacation rental agencies can prepare is to first of all understand all the parameters that involve the new regulation. 

Furthermore, they need to contact their bank in order to verify that they work with 3DS and request that they activate it for them. 

If you work with a payment service provider you can contact them for more information on the implementation of 3DS and find out if an exemption strategy is applicable. 

SCA is an opportunity that gives the vacation rental agencies a competitive advantage

The PSD2 regulation and the extra authentication SCA should not be seen as a threat but rather as an opportunity for the agencies to assure payment security and gain a competitive advantage. 

Our CEO Manuel Giner sees the PSD2 regulation and the extra authentication as more of an opportunity than a threat:

The aims pursued by the directive, reduction of fraud and costs, are very successful, although they will take time to fully comply.

PSD2 is an opportunity to adopt an advanced payment platform that apart from complying with PSD2 and increasing payment security, helps us to be more efficient and competitive.

This new authentication opens up new possibilities for property managers, who can now adopt more flexible payment policies and increase the conversion of their website.

Avantio is also preparing for the arrival of the new regulation and will be able to offer solutions. With Avantio Payments the vacation rental agencies will be able to have automated 3D Secure payments through our vacation rental management system. 

For more information about this solution, you can contact one of our Account Managers here.
