We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.
When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.
Banks and retailers are set to introduce stringent new security checks, with customers asked for additional verification when shopping online, logging onto their account or making contactless payments.
Yet while the deadline for implementation of the new measures is today, only a handful of banks and retailers are ready, Which? Money has found.
Under new European regulation intended to enhance payment security and reduce fraud, payment providers within the EU are now legally required to check that it's really you making the purchase - known as strong customer authentication (SCA).
Instead of asking only for your name and card details when you shop online, retailers and banks should be making extra checks, such as asking for a one time passcode (OTP) sent via SMS to your mobile. This should reduce 'card not present' fraud, which cost the UK £506m last year.
However, many banks and retailers do not yet have the right systems in place. In response, the regulator approved plans to effectively extend this legal deadline, stating that it will not enforce the new rules until March 2021.
The new regime of strong customer authentication or SCA means that banks must identify every customer using at least two of these independent factors:
If this isn't possible, payments will be declined, although these low-risk payments are exempt:
SCA also affects contactless payments (you'll be asked to enter your Pin more often) as well as online banking login security.
Some banks are already making extra security checks, while others will be introducing them over the next 18 months to March 2021.
Whether you're asked to verify purchases will depend on the bank card you use and where you shop.
Here, we've outlined which banks are making SCA checks for online card payments from today (or have been doing so for some time) and which banks are working on a phased roll-out:
Many banks already ask you to supply security codes generated by a card reader or Pin device to log in to your online accounts. These checks are already SCA-compliant.
If your bank allows you to log in using only a username and passwords or memorable data, this must be phased out before March 2020.
We spoke to major banks and building societies about what they have planned and whether it's in place now, or will be phased in over the next 18 months:
In June, we raised concerns that SCA could leave some people unable to shop online because, in most cases, this will require a mobile phone.
Although 29% of Which? members we surveyed said extra checks will make them feel safer shopping online, 20% said they don't trust mobile phone security. In addition, 13% struggle with poor signal at home and 4% don't own a mobile phone.
It's up to each bank and card issuer which methods they use, however, the FCA has said that customers without phones or mobile reception should not be disadvantaged.
Your bank must make it clear that they offer alternative ways to authenticate yourself. You can see our table above for the various SCA options available.
If you are struggling to receive codes sent by your bank via SMS due to bad reception, some networks offer Wi-Fi Calling which lets you connect via your wireless broadband.