By clicking a retailer link you consent to third-party cookies that track your onward journey. This enables W? to receive an affiliate commission if you make a purchase, which supports our mission to be the UK's consumer champion.

New online security checks kick in today: what will your bank require?

Payment providers are due to introduce measures to enhance payment security and reduce fraud over the next 18 months
Chiara CavaglieriSenior researcher & writer

Banks and retailers are set to introduce stringent new security checks, with customers asked for additional verification when shopping online, logging onto their account or making contactless payments.

Yet while the deadline for implementation of the new measures is today, only a handful of banks and retailers are ready, Which? Money has found.

Under new European regulation intended to enhance payment security and reduce fraud, payment providers within the EU are now legally required to check that it's really you making the purchase - known as strong customer authentication (SCA).

Instead of asking only for your name and card details when you shop online, retailers and banks should be making extra checks, such as asking for a one time passcode (OTP) sent via SMS to your mobile. This should reduce 'card not present' fraud, which cost the UK £506m last year.

However, many banks and retailers do not yet have the right systems in place. In response, the regulator approved plans to effectively extend this legal deadline, stating that it will not enforce the new rules until March 2021.

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy


What is strong customer authentication (SCA)?

The new regime of strong customer authentication or SCA means that banks must identify every customer using at least two of these independent factors:

  • something only you know (a password or Pin)
  • something only you possess (a card reader or registered mobile device)
  • and something only you are (a digital fingerprint or voice pattern).

If this isn't possible, payments will be declined, although these low-risk payments are exempt:

  • low-value payments under u20ac30 or equivalent in pounds (until you make more than five exempt payments in a row, or the total value hits u20ac100),
  • recurring payments, so if you take out a subscription you'll only be asked to prove your identity once,
  • direct debits set up for regular bills.
  • Your bank may also allow you to add any online shopping site that you trust to a 'whitelist', meaning it will not continue asking for authentication after the first check.

SCA also affects contactless payments (you'll be asked to enter your Pin more often) as well as online banking login security.

How banks are implementing security checks

Some banks are already making extra security checks, while others will be introducing them over the next 18 months to March 2021.

Whether you're asked to verify purchases will depend on the bank card you use and where you shop.

Here, we've outlined which banks are making SCA checks for online card payments from today (or have been doing so for some time) and which banks are working on a phased roll-out:

What about online banking login?

Many banks already ask you to supply security codes generated by a card reader or Pin device to log in to your online accounts. These checks are already SCA-compliant.

If your bank allows you to log in using only a username and passwords or memorable data, this must be phased out before March 2020.

We spoke to major banks and building societies about what they have planned and whether it's in place now, or will be phased in over the next 18 months:

  • Barclays will soon ask for OTPs and memorable words, or PINsentry (card reader or app) codes every time you login (phased).
  • Clydesdale and Yorkshire Bank will ask for OTPs via SMS, landline and mobile app or Pin Device authentication from today.
  • Coventry Building Society will introduce SCA via automated phone call in 2020 (phased).
  • First Direct will enforce SCA checks for every online banking login at a later date (phased).
  • HSBC has asked you to use your digital/physical Secure Key plus password every time you log in since 23 August 2019.
  • Lloyds Banking Group (Halifax and Bank of Scotland) will ask you to verify yourself via the app or by entering a OTP supplied via SMS or landline (phased).
  • M&S Bank has already implemented SCA for current account logins, with credit cards to follow soon. Later this year, you will able to order a physical M&S Pass if you don't use the mobile banking app.
  • Monzo will ask you to re-verify yourself by entering your Pin or biometric ID (fingerprint) every three months. You'll also be asked for your Pin when you use a new device.
  • NS&I will verify your identity via automated phone call in certain scenarios (phased).
  • Nationwide will stop letting you log in using memorable data in favour of card reader logins or OTPs sent via SMS (phased).
  • RBS/NatWest customers must use their card readers or enter OTPs sent via SMS for all online banking logins from today.
  • Santander will introduce SCA checks for login in the first quarter of 2020, although it will be introducing full entry of a security number soon (phased).
  • The Co-operative Bank introduced OTPs sent via SMS/email earlier this month.
  • TSB told Which? changes to online banking login are likely to be introduced from 14 March 2020 (phased).
  • Yorkshire Building Society has introduced OTPs sent via SMS or automated phone call.

What if I don't have a mobile or decent signal?

In June, we raised concerns that SCA could leave some people unable to shop online because, in most cases, this will require a mobile phone.

Although 29% of Which? members we surveyed said extra checks will make them feel safer shopping online, 20% said they don't trust mobile phone security. In addition, 13% struggle with poor signal at home and 4% don't own a mobile phone.

It's up to each bank and card issuer which methods they use, however, the FCA has said that customers without phones or mobile reception should not be disadvantaged.

Your bank must make it clear that they offer alternative ways to authenticate yourself. You can see our table above for the various SCA options available.

If you are struggling to receive codes sent by your bank via SMS due to bad reception, some networks offer Wi-Fi Calling which lets you connect via your wireless broadband.

More on this

Related articles

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home, travel and pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


Other financial services:

Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.