Visa debit and credit cardholders will increasingly find they have to enter a one-time passcode sent via text message to complete online purchases.
Mastercard customers will also see changes to the security they encounter at the checkout over the next few months, as static passwords are phased out in favour of two-factor authentication.
Which? looks at why online payment security is changing and what to do to ensure you’re not caught out.
Why is online payment security changing?
The second Payment Services Directive or PSD2 requires all banks to introduce stronger customer authentication for online purchases by September 2019.
At the moment Visa asks customers to input characters from their ‘Verified by Visa’ password, while Mastercard makes users enter their SecureCode.
Mastercard says currently just 1-2% of online transactions require a password using Mastercard SecureCode to authenticate a cardholder at the checkout.
However, it says that this will jump sharply under the new rules, with one in four online transactions needing an additional form of customer authentication in the future.
Find out more: Best banks for dealing with fraud
How is Visa implementing the rules?
Visa has set out guidelines for the banks that issue its cards on how to ensure they are complying in time for the 14 September 2019 deadline.
It stressed that it’s up to banks how they implement this, but has suggested the use of a one-time password sent via SMS to the customer’s phone, valid for a single transaction.
A Visa spokesperson told Which?: ‘This will strengthen and simplify authentication for online payments. It means that customers will increasingly see the use of one-time passwords when they make online payments with a Visa card.’
How is Mastercard implementing the rules?
Mastercard, the other major company powering card transactions in the UK, will also need the banks that issue its cards to follow the new guidelines.
However, Mastercard doesn’t think that one-time passwords are the best solution. It believes biometric authentication – where you use something such as your fingerprint – will provide a more seamless experience for customers.
It says it has asked all its issuing partner banks to get ready with a biometric solution to offer customers by April 2019.
What you need to do
First Direct, which issues customers with Visa cards, looks set to be the first bank to implement the new rules, and it’s encouraging customers to make sure their details are up to date.
In a letter to customers, it states:
‘To make sure you get this OTP [One-Time Passcode] when you need it, we need you to provide your mobile phone number. You can do this by sending us a message using the ‘anything else’ option via online banking, or give us a call on the number below so we can update it for you.
‘It’s also important we have your correct email address – if we don’t have your mobile phone number, we may be able to email the OTP to you instead. You can check and update your email address via online banking or by giving us a call on the number below.
‘We’re sorry we need to ask you to do this, but if we don’t have the right contact details and we can’t confirm a transaction’s genuine, we may not be able to process it and we really don’t want to get to that stage.’
Which? contacted the other major banks to ask how they would be implementing the new rules.
HSBC said it was too early to provide details, but said that it would provide support to customers on any changes needed.
RBS said that it would communicate the changes that will be implemented under PSD2 before the September deadline.
Santander said it’s looking at a number of options for its broad range of business and personal customers. Solutions that are being considered include biometrics, tokens and one-time passcodes.
Is two-factor authentication safer?
It’s becoming clear that passwords alone are no longer enough to protect people from fraudsters.
Weak passwords can easily be guessed or gleaned from social media sites, and many people end up writing complex passwords down as they’re too hard to remember.
Two-factor authentication, which combines something you know, such as a password or PIN, with something you have, such as a code generated by a card reader or sent to your mobile phone, is fast being adopted to offer more security.
However, one-time passcodes aren’t infallible, as the rise of spoof text scams has shown: fraudsters mimic text messages from banks and trick you into calling a number and handing over genuine one-time passcodes to ‘protect your account’.
Read our investigation: how text message scammers pose as your bank to rip you off, for more on how this con works.
This means you will still need to take care with the enhanced process your bank chooses to adopt. In particular, treat unexpected emails or texts with caution and don’t click on suspicious links.
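The one-time passcode model Visa describes above (a code sent to the phone, valid for a single transaction) and the scam just mentioned both come down to how the code is tied to a payment on the issuer’s side. The following is an added illustration written for this article, not the implementation of Visa, Mastercard, First Direct or any bank: the code is generated for one named payment, accepted once, expires after five minutes, is discarded after three wrong guesses, and the text message names the payee and amount so a customer can spot a code arriving for a payment they never started. The five-minute lifetime, three-attempt limit, message wording, merchant names and transaction identifiers are all assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # a code is only accepted for five minutes (assumed value)
MAX_ATTEMPTS = 3        # wrong guesses allowed before the code is discarded (assumed value)


@dataclass
class PendingOtp:
    code: str
    merchant: str
    amount_pence: int
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issues and checks one-time passcodes tied to a single online payment (illustrative)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # transaction_id -> PendingOtp

    def issue(self, transaction_id, merchant, amount_pence):
        """Create a fresh code for this payment and return the SMS text to send."""
        code = f"{secrets.randbelow(1_000_000):06d}"   # CSPRNG, six digits, keeps leading zeros
        self._pending[transaction_id] = PendingOtp(
            code, merchant, amount_pence, self._now() + OTP_TTL_SECONDS)
        # Naming the payee and amount in the message lets the customer notice a code
        # requested for a payment they did not start (assumed wording).
        return (f"Your code for GBP {amount_pence / 100:.2f} to {merchant} is {code}. "
                "It works only for this payment; never read it out to anyone.")

    def verify(self, transaction_id, merchant, amount_pence, submitted):
        """Accept the code once, before expiry, and only for the payment it was issued for."""
        pending = self._pending.get(transaction_id)
        if pending is None:
            return False                                  # unknown, already used, or discarded
        if self._now() > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[transaction_id]             # stale or being guessed: throw away
            return False
        pending.attempts += 1
        if (merchant, amount_pence) != (pending.merchant, pending.amount_pence):
            return False                                  # code presented for a different payment
        if not hmac.compare_digest(pending.code, submitted):
            return False                                  # wrong code, constant-time comparison
        del self._pending[transaction_id]                 # single use: cannot be replayed
        return True


class ManualClock:
    """Stand-in for time.time so the demonstration can fast-forward past expiry."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk through the cases the article raises; returns a dict of outcomes."""
    clock = ManualClock()
    bank = OtpService(now=clock)
    results = {}

    sms = bank.issue("txn-1", "Example Shop", 4999)          # constructed sample payment
    code = bank._pending["txn-1"].code   # only the issuer knows this; read here for the demo
    results["sms_names_payment"] = "GBP 49.99 to Example Shop" in sms
    # A genuine code handed to someone else is useless for any other payment
    results["other_payment"] = bank.verify("txn-1", "Other Shop", 4999, code)
    results["first_use"] = bank.verify("txn-1", "Example Shop", 4999, code)
    results["replay"] = bank.verify("txn-1", "Example Shop", 4999, code)

    bank.issue("txn-2", "Example Shop", 1500)
    code2 = bank._pending["txn-2"].code
    clock.advance(OTP_TTL_SECONDS + 1)
    results["expired"] = bank.verify("txn-2", "Example Shop", 1500, code2)

    bank.issue("txn-3", "Example Shop", 2000)
    code3 = bank._pending["txn-3"].code
    wrong = "000000" if code3 != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        bank.verify("txn-3", "Example Shop", 2000, wrong)
    results["locked_out"] = bank.verify("txn-3", "Example Shop", 2000, code3)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>18}: {outcome}")
```

Two points matter for the scam described above. Binding the code to the payee and amount means a code read out to a caller cannot be reused for some other purchase, and spelling the payment out in the text message gives the customer a chance to see that the code relates to a transaction they did not make. Neither replaces the advice to treat unexpected texts with caution.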
Find out more: How to spot a scam
What to do if you’re unhappy with the change
If you’re not happy with how your bank is choosing to implement the PSD2 rules, you should contact them to discuss your options.
Your bank may be able to offer you a different solution that will fit in with its requirement to set up two-factor authentication.
A Visa spokesperson said: ‘Although all Visa card-issuing banks will support this increased level of security, alternatives are available should customers feel uncomfortable or unable to use their bank’s first choice solution.’
Find out more: How to complain about your bank
This article has been updated with a revised quote from Visa.