By clicking a retailer link you consent to third-party cookies that track your onward journey. This enables W? to receive an affiliate commission if you make a purchase, which supports our mission to be the UK's consumer champion.

New online security checks exclude people without mobile phones or decent signal

Why your online payments could be blocked if you don't use a mobile phone
Chiara CavaglieriSenior researcher & writer

Banks may soon require you to use your mobile phone to validate online payments - but if you don't have one, or live in a mobile coverage blackspot, you could be left out in the cold.

From 14 September 2019*, you'll no longer be able to pay online using just your credit or debit card details, as payment service providers across the EU introduce an additional layer of security to better defend against fraud.

Banks are telling customers to confirm online card payments by entering a unique security code sent by text message or via push notification(if you have the mobile banking app).

While these extra steps should make online payments safer, an exclusive Which? Money investigation has revealed that customers who don't - or can't - use a mobile phone may be forced to call their bank or visit their local branch to complete online security checks.

Find out how your bank intends to implement this change.

*UPDATE* On 13 August 2019, the Financial Conduct Authority agreed to give the payments industry more time to implement SCA. There will now be an 18-month managed roll-out, although some banks are already making extra security checks.

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy

Online card security: what is changing?

The requirement to validate payments using your mobile phone are part of plans for 'strong customer authentication' under the Payment Services Regulations 2017 (PSD2).

Under these rules, banks will be required to identify every customer using at least two independent factors of authentication, either:

  • something only you know (a password or Pin);
  • something only you possess (a card reader or registered mobile device); and
  • something only you are (a digital fingerprint or voice pattern).

If this isn't possible, payments will be declined, although low-risk payments are exempt. These will include recurring payments after the initial setup, and transactions below u20ac30 or equivalent (until the cardholder makes more than five exempt payments in a row, or the total value hits u20ac100).

How will banks make these checks?

Encrypted push notifications are the slickest and most secure form of two-factor authentication. These alerts, which are sent through mobile banking apps, confirm the transaction amount and payee, and are authorised by fingerprint ID or other biometrics.

Alternatively, banks can send a one-time passcode by text or email, which must be entered online for authentication. This is less secure than push notifications because messages can be hijacked.

If you don't have a mobile, codes can potentially be sent to landlines, but only a handful of providers told us they're considering this.

Find out more:Which? Computing - what is two-factor authentication and should you use it?

Which banks are insisting on mobile security checks?

When we asked banks how they'll adjust security checks for customers without mobiles, it became clear there isn't a consistent approach.

The most inflexible banks are Santander, M&S Bank, HSBC and First Direct. Customers who don't use a mobile will have to call their banks using a landline to go through the final stages of the online purchase process. Santander said customers can also access accounts and make payments in their branch.

Other banks said customers can get security codes by landline as well as mobile, including Lloyds Banking Group (Lloyds Bank, Bank of Scotland and Halifax), Tesco Bank and TSB.

Lloyds added that if a mobile/landline number isn't held, new payees must be added in-branch and some online credit card payments won't go ahead.

Royal Bank of Scotland Group (RBS, NatWest and Ulster Bank), Co-operative Bank and Nationwide said OTPs can be sent to an email address where a mobile phone isn't available, though none has plans to use landlines. Codes can be sent via email for M&S Bank, HSBC UK and First Direct customers, but only on a limited or temporary basis.

Nationwide added that it is looking to expand the use of its card readers, which are already used for online banking login.

Meanwhile, customers of Barclays,Clydesdale and Yorkshire Banks (CYBG), Virgin Money and Metro Bank will have to wait and see, as these banks told Which? that the final process is yet to be determined.

One in five Which? members excluded

The aim of the additional security is to reduce card-not-present fraud, by forcing banks to use multiple factors of authentication to confirm that it's really you making a purchase.

However, when we surveyed 1,838 Which? members in March 2019, nearly one in five told us they could be excluded from making online card payments entirely, either because they don't own a mobile phone (4%) or have poor mobile phone signal at home (13%).

Reports of patchy reception came in from Which? members all over the UK - including Basingstoke, Cheshire, County Durham, Dorset, Gloucestershire, Newark, Norfolk, Oxfordshire, Sheffield and Suffolk. Some members said messages can take up to two days to come through.

You can check reception in our local area using Which?'s mobile phone coverage checker.

Steve Burgess, 61, Surrey (pictured) feels lets down that his bank of many years, Santander, isn't offering a viable alternative to mobile security checks:

'I have been advised that the passcode system will not include the ability to send spoken messages to landline phones, so I'd have to have a mobile. This makes no sense. For one thing, it presumes satisfactory mobile reception at my home; for another, they are surely disenfranchising a swathe of loyal customers, many of whom will be classed as vulnerable.

'My lifestyle does not require a mobile phone so I have never owned one; and I do all my online banking in arguably the most secure environment - my home, on a laptop which never leaves it.'

Members without phones or a reliable signal said they may be forced to ditch online banking and use local branches to make payments, but previous Which? research shows the UK has lost almost two thirds of its bank branch network in the past 30 years, leaving a fifth of households more than three kilometres from their nearest current account provider.

We've also been hearing from people who have been forced to close their accounts because they couldn't supply a mobile phone number, or feel penalised because they aren't willing - or able - to embrace the digital revolution:

More on this

Related articles

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home, travel and pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


Other financial services:

Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.