Banks and retailers are set to introduce stringent new security checks, with customers asked for additional verification when shopping online, logging onto their account or making contactless payments.
Yet while the deadline for implementation of the new measures is today, only a handful of banks and retailers are ready, Which? Money has found.
Under new European regulation intended to enhance payment security and reduce fraud, payment providers within the EU are now legally required to check that it’s really you making the purchase – known as strong customer authentication (SCA).
Instead of asking only for your name and card details when you shop online, retailers and banks should be making extra checks, such as asking for a one time passcode (OTP) sent via SMS to your mobile. This should reduce ‘card not present’ fraud, which cost the UK £506m last year.
However, many banks and retailers do not yet have the right systems in place. In response, the regulator approved plans to effectively extend this legal deadline, stating that it will not enforce the new rules until March 2021.
What is strong customer authentication (SCA)?
The new regime of strong customer authentication or SCA means that banks must identify every customer using at least two of these independent factors:
- something only you know (a password or Pin)
- something only you possess (a card reader or registered mobile device)
- and something only you are (a digital fingerprint or voice pattern).
If this isn’t possible, payments will be declined, although these low-risk payments are exempt:
- low-value payments under €30 or equivalent in pounds (until you make more than five exempt payments in a row, or the total value hits €100),
- recurring payments, so if you take out a subscription you’ll only be asked to prove your identity once,
- direct debits set up for regular bills.
- Your bank may also allow you to add any online shopping site that you trust to a ‘whitelist’, meaning it will not continue asking for authentication after the first check.
SCA also affects contactless payments (you’ll be asked to enter your Pin more often) as well as online banking login security.
How banks are implementing security checks
Some banks are already making extra security checks, while others will be introducing them over the next 18 months to March 2021.
Whether you’re asked to verify purchases will depend on the bank card you use and where you shop.
Here, we’ve outlined which banks are making SCA checks for online card payments from today (or have been doing so for some time) and which banks are working on a phased roll-out:
What about online banking login?
Many banks already ask you to supply security codes generated by a card reader or Pin device to log in to your online accounts. These checks are already SCA-compliant.
If your bank allows you to log in using only a username and passwords or memorable data, this must be phased out before March 2020.
We spoke to major banks and building societies about what they have planned and whether it’s in place now, or will be phased in over the next 18 months:
- Barclays will soon ask for OTPs and memorable words, or PINsentry (card reader or app) codes every time you login (phased).
- Clydesdale and Yorkshire Bank will ask for OTPs via SMS, landline and mobile app or Pin Device authentication from today.
- Coventry Building Society will introduce SCA via automated phone call in 2020 (phased).
- First Direct will enforce SCA checks for every online banking login at a later date (phased).
- HSBC has asked you to use your digital/physical Secure Key plus password every time you log in since 23 August 2019.
- Lloyds Banking Group (Halifax and Bank of Scotland) will ask you to verify yourself via the app or by entering a OTP supplied via SMS or landline (phased).
- M&S Bank has already implemented SCA for current account logins, with credit cards to follow soon. Later this year, you will able to order a physical M&S Pass if you don’t use the mobile banking app.
- Monzo will ask you to re-verify yourself by entering your Pin or biometric ID (fingerprint) every three months. You’ll also be asked for your Pin when you use a new device.
- NS&I will verify your identity via automated phone call in certain scenarios (phased).
- Nationwide will stop letting you log in using memorable data in favour of card reader logins or OTPs sent via SMS (phased).
- RBS/NatWest customers must use their card readers or enter OTPs sent via SMS for all online banking logins from today.
- Santander will introduce SCA checks for login in the first quarter of 2020, although it will be introducing full entry of a security number soon (phased).
- The Co-operative Bank introduced OTPs sent via SMS/email earlier this month.
- TSB told Which? changes to online banking login are likely to be introduced from 14 March 2020 (phased).
- Yorkshire Building Society has introduced OTPs sent via SMS or automated phone call.
What if I don’t have a mobile or decent signal?
In June, we raised concerns that SCA could leave some people unable to shop online because, in most cases, this will require a mobile phone.
Although 29% of Which? members we surveyed said extra checks will make them feel safer shopping online, 20% said they don’t trust mobile phone security. In addition, 13% struggle with poor signal at home and 4% don’t own a mobile phone.
It’s up to each bank and card issuer which methods they use, however, the FCA has said that customers without phones or mobile reception should not be disadvantaged.
Your bank must make it clear that they offer alternative ways to authenticate yourself. You can see our table above for the various SCA options available.
If you are struggling to receive codes sent by your bank via SMS due to bad reception, some networks offer Wi-Fi Calling which lets you connect via your wireless broadband.