New regulations for card payments will begin on 14 September 2019 in Europe as part of the second Payment Services Directive (PSD2).
In short, any online card payment will need multi-factor authentication to prevent fraud. This Strong Customer Authentication (SCA) means that in addition to the card number the guest will need to use one of the following three elements to prove that the charge is legitimate:
A) Something the customer knows (ex. a PIN or password)
B) Something the customer has (ex. a phone or hardware token)
C) Something the customer is (ex. fingerprint or facial recognition)
If you charge a guest's card without having the card and guest physically present (pre-payments, cancellation fees, no-show fees) one of the elements above will HAVE to be part of the payment process, or you will no longer be able to process the payment. On 14 September banks will begin declining charges that do not meet these requirements.
This change only applies when both the hostel and the guest's bank/credit card company are located in the EEA.