Banks may soon require you to use your mobile phone to validate online payments – but if you don’t have one, or live in a mobile coverage blackspot, you could be left out in the cold.
From 14 September 2019*, you’ll no longer be able to pay online using just your credit or debit card details, as payment service providers across the EU introduce an additional layer of security to better defend against fraud.
Banks are telling customers to confirm online card payments by entering a unique security code sent by text message or via push notification (if you have the mobile banking app).
While these extra steps should make online payments safer, an exclusive Which? Money investigation has revealed that customers who don’t – or can’t – use a mobile phone may be forced to call their bank or visit their local branch to complete online security checks.
Find out how your bank intends to implement this change.
*UPDATE* On 13 August 2019, the Financial Conduct Authority agreed to give the payments industry more time to implement SCA. There will now be an 18-month managed roll-out, although some banks are already making extra security checks.
Online card security: what is changing?
The requirement to validate payments using your mobile phone is part of plans for ‘strong customer authentication’ under the Payment Services Regulations 2017 (PSD2).
Under these rules, banks will be required to identify every customer using at least two of the following three independent factors of authentication:
- something only you know (a password or Pin);
- something only you possess (a card reader or registered mobile device); and
- something only you are (a digital fingerprint or voice pattern).
If this isn’t possible, payments will be declined, although low-risk payments are exempt. These will include recurring payments after the initial setup, and transactions below €30 or equivalent (until the cardholder makes more than five exempt payments in a row, or the total value hits €100).
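As an added illustration of the low-value exemption described above (this is example code, not from the Which? article or any bank's system), the following Python applies the article's thresholds to a sequence of card payments and decides which ones an issuer would have to authenticate. Treating "below €30" as strictly less than 30, "more than five in a row" as the sixth payment, and "hits €100" as reaching 100 is this example's reading of the rule; the counter names are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in the article. Treating "below €30" as strictly less
# than 30, "more than five in a row" as the sixth payment, and "hits €100" as
# reaching 100 is this example's reading of the rule.
LOW_VALUE_LIMIT = Decimal("30")
CUMULATIVE_LIMIT = Decimal("100")
MAX_CONSECUTIVE_EXEMPT = 5


@dataclass
class Cardholder:
    """Counters an issuer keeps per card since the last authenticated payment."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")

    def reset(self) -> None:
        self.exempt_count = 0
        self.exempt_total = Decimal("0")


def requires_sca(card, amount, recurring=False, first_of_series=True):
    """True if this payment must be authenticated (OTP, push, card reader),
    False if an exemption applies. Updates the card's counters."""
    amt = Decimal(str(amount))
    # Recurring payments are exempt after the initial setup, which needs SCA;
    # they are left out of the low-value run either way.
    if recurring:
        if first_of_series:
            card.reset()
        return first_of_series
    # Not low value: authenticate and start a fresh exempt run.
    if amt >= LOW_VALUE_LIMIT:
        card.reset()
        return True
    # Low value, but the run of exemptions is exhausted by count or total.
    if (card.exempt_count + 1 > MAX_CONSECUTIVE_EXEMPT
            or card.exempt_total + amt >= CUMULATIVE_LIMIT):
        card.reset()
        return True
    card.exempt_count += 1
    card.exempt_total += amt
    return False


def decide_sequence(amounts):
    """Run one-off payments against a fresh card; True = SCA required."""
    card = Cardholder()
    return [requires_sca(card, a) for a in amounts]
```

Running `decide_sequence([10, 10, 10, 10, 10, 10])` on a constructed sample shows the first five €10 payments going through unchallenged and the sixth being sent for authentication.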
How will banks make these checks?
Encrypted push notifications are the slickest and most secure form of two-factor authentication. These alerts, which are sent through mobile banking apps, confirm the transaction amount and payee, and are authorised by fingerprint ID or other biometrics.
Alternatively, banks can send a one-time passcode by text or email, which must be entered online for authentication. This is less secure than push notifications because messages can be hijacked.
If you don’t have a mobile, codes can potentially be sent to landlines, but only a handful of providers told us they’re considering this.
Which banks are insisting on mobile security checks?
When we asked banks how they’ll adjust security checks for customers without mobiles, it became clear there isn’t a consistent approach.
The most inflexible banks are Santander, M&S Bank, HSBC and First Direct. Customers who don’t use a mobile will have to call their banks using a landline to go through the final stages of the online purchase process. Santander said customers can also access accounts and make payments in their branch.
Other banks said customers can get security codes by landline as well as mobile, including Lloyds Banking Group (Lloyds Bank, Bank of Scotland and Halifax), Tesco Bank and TSB.
Lloyds added that if a mobile/landline number isn’t held, new payees must be added in-branch and some online credit card payments won’t go ahead.
Royal Bank of Scotland Group (RBS, NatWest and Ulster Bank), Co-operative Bank and Nationwide said OTPs can be sent to an email address where a mobile phone isn’t available, though none has plans to use landlines. Codes can be sent via email for M&S Bank, HSBC UK and First Direct customers, but only on a limited or temporary basis.
Nationwide added that it is looking to expand the use of its card readers, which are already used for online banking login.
Meanwhile, customers of Barclays, Clydesdale and Yorkshire Banks (CYBG), Virgin Money and Metro Bank will have to wait and see, as these banks told Which? that the final process is yet to be determined.
One in five Which? members excluded
The aim of the additional security is to reduce card-not-present fraud, by forcing banks to use multiple factors of authentication to confirm that it’s really you making a purchase.
However, when we surveyed 1,838 Which? members in March 2019, nearly one in five told us they could be excluded from making online card payments entirely, either because they don’t own a mobile phone (4%) or have poor mobile phone signal at home (13%).
Reports of patchy reception came in from Which? members all over the UK – including Basingstoke, Cheshire, County Durham, Dorset, Gloucestershire, Newark, Norfolk, Oxfordshire, Sheffield and Suffolk. Some members said messages can take up to two days to come through.
You can check reception in your local area using Which?’s mobile phone coverage checker.
Steve Burgess, 61, Surrey, feels let down that his bank of many years, Santander, isn’t offering a viable alternative to mobile security checks:
‘I have been advised that the passcode system will not include the ability to send spoken messages to landline phones, so I’d have to have a mobile. This makes no sense. For one thing, it presumes satisfactory mobile reception at my home; for another, they are surely disenfranchising a swathe of loyal customers, many of whom will be classed as vulnerable.
‘My lifestyle does not require a mobile phone so I have never owned one; and I do all my online banking in arguably the most secure environment – my home, on a laptop which never leaves it.’
Members without phones or a reliable signal said they may be forced to ditch online banking and use local branches to make payments, but previous Which? research shows the UK has lost almost two thirds of its bank branch network in the past 30 years, leaving a fifth of households more than three kilometres from their nearest current account provider.
We’ve also been hearing from people who have been forced to close their accounts because they couldn’t supply a mobile phone number, or feel penalised because they aren’t willing – or able – to embrace the digital revolution: