It’s a little-known fact that a new online payment verification system will come into force on 14 September 2019. It’s designed to make online shopping safer and to reduce fraud, but will require a kind of two-factor authentication, typically a one-time passcode (OTP) that's sent to you as a text message.
This is the reason why online retailers are currently asking customers to provide their mobile phone number, although apparently the vast majority of retailers don’t yet know about the new system. That's not a major problem as it's actually your card issuer which is responsible for verifying the payment - and for most people that will be Visa or Mastercard.
Ignoring the fact that SMS isn’t a very secure way to send that code, this is a real problem if you don’t own a mobile phone or you can’t get a mobile signal at home to receive a code.
So what can you do if you want to continue to shop online?
- You won’t always have to enter a code
Under the current ‘Verified by Visa’ and Mastercard SecureCode verification processes, only a small percentage of transactions require you to enter a code, since it is only when the risk of fraud is high that verification is needed.
From 14 September, these will be replaced by the new Strong Customer Authentication (SCA) process.
It will then be standard practice to require extra authentication via a one-time passcode in a text message and only occasionally will an online payment go through without requiring a code.
However, a code won’t be necessary for regular payments, such as Amazon’s subscribe-and-save scheme, or for low-value purchases under £30. It’s also possible that your bank may not ask for a verification code if you’re paying a trusted or ‘whitelisted’ merchant.
In those exception cases, checks will happen automatically in the background and you won’t be asked for a code for some purchases or transactions. But for much of the time, you will. And that means you will need to use one of the following alternatives to SMS.
- Ask your bank to email the code
Some banks already have measures in place for the small number of customers which either don’t have a phone or have no mobile signal.
HSBC, for example, will email you the code, but only if you pre-register your email address. You can also get the code via phone banking.
- Use a code generator for online banking
Nationwide, Barclays and the Royal Bank of Scotland customers can use existing card readers – the type into which you slot your bank card and enter your PIN to generate codes for transferring money to new payees, for example.
That’s fine if you use online banking and have a card reader / code generator, but if you don’t, you’ll have to phone or visit your bank to get one.
- Get an automated phone call on your landline
It’s possible other banks will offer this method by the time the SCA comes into force, but right now only TSB allows customers to get their OTPs via a landline.
- Use a partial password or your fingerprint
While a code in a text message will be the standard method to authenticate payments, the new system does allow for alternatives. You could, for example, enter a few characters from a password or other memorable word, or use some kind of biometric verification such as a fingerprint.
Two out of the three methods are required, as you can see in this handy graphic from PayPal, which will also have to use the new system.
It’s worth getting in contact with your bank to find out what alternatives to SMS it offers for online payments. And if your bank will only send the OTP via SMS, you may well have to open another account with a bank that supports a method you can actually access in order to continue shopping online after 14 September.
Those at college or university would do well to check out our recommendations of the best bank accounts for students.