
PSD2, SCA, and 3DS: The Essential Guide to Secure Payments in Avantio

Discover what PSD2, SCA, and 3DS mean, how they affect your payments in Avantio, and learn how to apply them to guarantee secure transactions and comply with current regulations.

Written by Sandra Álvarez
Updated over 4 months ago

Why online payment security is key to your business

In today’s digital environment, having a secure and efficient payment platform is not just a competitive advantage—it’s a necessity. Understanding how payment gateways compatible with Avantio work, all aligned with current regulations, is essential to ensure reliable transactions.

Solutions that integrate tokenization (replacing sensitive card data with a unique code or token) and comply with SCA (Strong Customer Authentication), PSD2, and 3DS (3D Secure) standards offer significant benefits for both businesses and customers by strengthening security and improving the payment experience.

3DS, SCA, and PSD2: what they mean and why they matter for online payments

In recent years, European regulations have strengthened the security of electronic payments to protect both companies and consumers. Here are three key concepts you should know:

PSD2 (Payment Services Directive 2)

This European directive regulates payment services (it applies when both the bank and the traveler are in Europe; it does not apply outside of Europe). Its main goal is to increase security, reduce fraud, and encourage innovation in digital payments. It applies to the card payments that Avantio Payments processes for your website and manual bookings.

SCA (Strong Customer Authentication)

SCA is one of the authentication requirements introduced by PSD2. It means that, to approve an online payment, the customer must identify themselves using at least two of the following factors:

  • Something they know (password or PIN).

  • Something they have (mobile phone or token).

  • Something they are (fingerprint or facial recognition).

3DS (3D Secure)

This is the security technology developed by Visa and Mastercard that enables SCA for card payments. When paying online, the customer may be redirected to a bank page to enter a code, confirm through the bank’s app, or use biometric verification. This adds an extra layer of protection and reduces the risk of fraud and chargebacks.

Advantages

  • Customer trust: Users feel safer when buying on platforms that protect their data. Strong authentication reduces rejections due to suspected fraud, improving the purchasing experience.

  • Better conversion rates: While adding security steps may seem like a barrier, well-implemented SCA and 3DS minimize friction. Tokenization enables faster and safer payments for future transactions, boosting customer loyalty.

  • Regulatory compliance: Complying with PSD2 not only prevents penalties but also positions your company as responsible and trustworthy. Staying up to date with European regulations is key for operating in international markets.

Types of transactions

In the vacation rental industry, there are different types of transactions depending on how the charge is initiated. Understanding these distinctions helps you know how payments are processed and what level of security applies. The three most common types are CIT, MIT, and MOTO.

Cardholder Initiated Transaction (CIT)

  • What it is: A transaction where the guest enters their card details and makes the payment directly.

  • Example in Avantio: The guest pays the first installment of the booking on your website.

  • What you should know: Always requires strong authentication (SCA), such as PIN, SMS, or 3D Secure (bank validation screen).

Merchant Initiated Transaction (MIT)

  • What it is: A transaction carried out without the guest’s direct participation at that moment.

  • Example in Avantio: The second payment of a web booking.

  • What you should know: It can only be performed if the customer has previously authorized the charge during an earlier payment (CIT).

Mail Order / Telephone Order (MOTO)

  • What it is: The charge is made using card data provided by the portal (OTA).

  • Example in Avantio: An OTA sends card details for processing.

  • What you should know: This type does not allow strong authentication (SCA), making it more vulnerable to fraud or chargebacks. You need this transaction type active in your payment gateway if you work with virtual cards.

Understanding these differences allows you to collect payments securely, comply with regulations, and build trust with your guests. Review the related guides to configure Avantio Payments step by step.


Frequently Asked Questions

Why doesn’t a second booking payment usually require customer authentication?

Because this payment falls under the MIT (Merchant Initiated Transaction) category. It is initiated by the merchant, which is possible as long as the customer gave consent during the original transaction (CIT).

What is the purpose of double authentication for portal bookings in the Apay configuration?

In this case, bookings coming from portals (via Channel Manager) under PSD2 are not required to go through authorization, since they are considered MOTO transactions. The configuration implemented in Apay provides extra security for these bookings, prompting the system to request authorization for each launched payment.

What level of risk do payments from OTAs carry?

As MOTO payments, they don’t allow strong authentication (SCA), making them more vulnerable to fraud or chargebacks. If the portal provides the real guest card, you can configure Avantio Payments to request authorization (SCA) before each charge. If you work with a virtual card, ensure this transaction type is enabled in your payment gateway.

How does tokenization contribute to security and customer loyalty?

It replaces sensitive card data with a unique code or token, reducing the risk of fraud while allowing faster and more secure future payments. This promotes repeat bookings. All gateways integrated with Avantio Payments use tokenization.

What benefits does PSD2 compliance bring beyond avoiding penalties?

Complying with PSD2 positions your business as responsible and trustworthy, increasing customer confidence and making it easier to operate in international markets.

If an extra service not included in the booking is added, will authorization (SCA) be required?

Yes. If a new charge is added (for example, an extra service requested after the booking), the system will request the traveler’s authorization again, as it’s an additional amount to the original booking. The payment will be processed automatically, just like previous ones, but with the extra authorization step included.
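The rules from "Types of transactions" and from the answer above about added extras, written out as one decision function. This is an added example, not Avantio's or any payment gateway's code; the `Charge` fields, the `sca_on_portal_bookings` flag, the return labels and the sample factor names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Kind(Enum):
    CIT = "cardholder initiated"
    MIT = "merchant initiated"
    MOTO = "mail order / telephone order"

# The three SCA categories from the article; the factor names are constructed samples.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "phone": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def satisfies_sca(factors):
    """True when the presented factors span at least two different categories."""
    return len({FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}) >= 2

@dataclass
class Charge:
    kind: Kind
    amount: int                           # minor units (cents)
    consented_remaining: int = 0          # assumption: amount still covered by an earlier CIT
    virtual_card: bool = False            # MOTO only: OTA virtual card vs. real guest card
    sca_on_portal_bookings: bool = False  # hypothetical name for the optional portal setting

def decide(charge):
    """Return 'sca', 'no_sca' or 'not_allowed' for one charge."""
    if charge.kind is Kind.CIT:
        return "sca"                      # guest is present: always authenticate
    if charge.kind is Kind.MIT:
        if charge.consented_remaining <= 0:
            return "not_allowed"          # no earlier CIT consent to rely on
        if charge.amount > charge.consented_remaining:
            return "sca"                  # added extra: amount beyond the original consent
        return "no_sca"
    # MOTO: no SCA by default; optional authorization only makes sense for a real guest card
    if charge.sca_on_portal_bookings and not charge.virtual_card:
        return "sca"
    return "no_sca"

if __name__ == "__main__":
    # Constructed booking: 300.00 paid by the guest, 700.00 second payment, then a 50.00 extra.
    print(decide(Charge(Kind.CIT, 30000)))
    print(decide(Charge(Kind.MIT, 70000, consented_remaining=70000)))
    print(decide(Charge(Kind.MIT, 75000, consented_remaining=70000)))
```

Note that `satisfies_sca(["password", "pin"])` is false: both are knowledge factors, so they count as one category.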
