Back to news home Back arrow

Playing Your Cards Right: Everything you need to know about strong customer authentication

October 15, 2021


By Victoria LaFlamme
Director Product Marketing Americas

You have likely experienced strong customer authentication (SCA) in your personal credit card transactions. Think about when you are asked to add a special code or add a password of some kind before you can complete a transaction.

SCA means that for each electronic payment, subject to some exemptions, the cardholder must be authenticated i.e. verified by at least two out of the following three factors:

  1. Something the cardholder knows (e.g. a password, PIN code, secret fact)
  2. Something that is inherent to the cardholder (e.g. a fingerprint, facial or iris scan)
  3. Something the cardholder has (e.g. a mobile phone, smart card, badge or token)

As we look deeper there are some new terms specific to SCA that you may not be familiar with. When any online card payment includes both the card Issuer and the Acquirer and are both located in the EEA/UK, they are in-scope for SCA.

Strong customer authentication (SCA)

What’s in what’s out?

There are two key areas to focus on when assessing what is in scope or out of scope with SCA: Card types and transaction types.

Card types

SCA requires that a named cardholder must be available to complete the authentication process when SCA is required for a transaction. There are of course instances when this is not possible.  Consider the various types of commercial cards in the marketplace, Notably CTAs/BTAs, lodge and virtual cards that are not issued to an individual named.

When assessing your organization’s issued card(s), it is best to determine whether or not your card(s) require SCA and which card(s) could actually be exempt.

Physical Cards

Subject to SCA:

  • Issued to an individual for use to purchase business related expense (individual corporate card)
  • Commonly used for various travel purchases/reservations (air, hotel, car, rail)

CTA/BTA & Lodge Accounts

Exempt from SCA:

  • A centrally billed and settled account issued to your company, not named to an individual traveler
  • This type of card would typically be added to the travelers profile that your travel management company (TMC) would have access to.
  • Commonly used for air and rail purchases, as well as TMC fees.

Virtual Payments

Exempt from SCA, and most commonly used for hotel bookings:

  • Typically a single use or limited multi-use card number with an expiry date and security code. 
  • A centrally billed and settled account would be issued to your organization and not named to an individual traveler.

It’s important to note that not all transactions are in scope with SCA, and to understand your company’s booking trends and booking channels.  CWT’s reporting makes it easy to slice and dice what you need to know to manage the data and impacts of SCA to your own organization. Remember too that some transactions are completely out of scope of SCA, meaning that authentication rules do not apply to those transactions.

Review your travel program and card payment options as soon as possible. It is key that travel managers work directly with their card issuer to assess your own particular situation. Include your finance team in these conversations, and consider reviewing other card payment options in the marketplace that support adopting an SCA-exempt form of payment.


Media Enquiries:

If you're a journalist looking for assistance with a media query, we're here to help.

Contact us at and one of the team will get back to you as soon as possible.