PSD2 - the second payment directive issued by the EU - effective as of 13th JAN 2018 also included provisions for the Secure Customer Authentication (SCA). The EU Banking Authority added technical requirement descriptions for SCA, hence those regulations got a different effective date, which is SEPT 2019.
What does PSD2/SCA demand?
As of Mid SEPT 2019, an electronic payment transaction triggered by the payer requires the Secure Customer Authentication. Comparable to 3D Secure/Verified by Visa authorisation, the payer is required to authenticate the payment.
Once the customer/payer accepts the obligation to pay, the SCA is required. That event may well differ from the actual payment transaction processing date and time (which is usually done in the background especially in travel agency / tour operator processes).
Payment forms qualifying as 'electronic' may vary from payments on a web page (e.g. using a credit card) , in a mobile app or via a POS Terminal in the travel agency.
What is SCA, anyway?
S for secure in SCA asks for 2 of the 3 following payers features to make sure, it´s really the payment instruments owner:
- Possession - something the payer owns such as the credit card itself, a mobile device+app etc.
- Knowledge - e.g. PIN, Password, Card Number (PAN)
- Inherence - a person's characteristics such as finger print, iris pattern or voice recognition
The examples given for each feature are subject to technical standards and technical progress and may well be extended or replaced by and by. The EU specifically asks for improvements in this sector and to apply those improvements.
The authentication of the payer has to be provided for the transactions of the merchant (e.g. the tour operator). Given that, a travel agency (which does not process the payment but rather transmits the payment data to the tour operator) may not perform the SCA on behalf of a tour operator.