If strong customer authentication (SCA) is required at the time of booking, which is more than 90 days before the guest’s arrival, will hotels be able to process the payment at location with an expired authentication token? If not, can an SCA be renewed and who would be responsible for doing so?
It appears from Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication, that SCA will only be valid for 90 days. In the hotel industry, it is not uncommon for a reservation to take place more than 90 days in advance of the guest’s arrival at the hotel, with reservations regularly being made more than a year in advance. With this type of payment, there is a specific time-frame foreseen in between booking a room and when the actual reservation takes place, to which the customer agrees in advance.
Article 97(1)(b) of Directive 2015/2366/EU (PSD2) prescribes that payment service providers (PSPs) shall apply strong customer authentication (SCA) where the payer initiates an electronic payment transaction.
PSD2 and the Commission Delegated Regulation (EU) 2018/389 do not specify a timeframe for the validity of an SCA applied at the time when a payer initiates an electronic payment transaction. Accordingly, PSD2 and the Delegated Regulation do not restrict the possibility for SCA to be applied more than 90 days in advance of a future-dated payment transaction.