Thousands of UK consumers who can’t get a mobile signal at home – or don’t own a mobile phone – face being frozen out of internet shopping as banks are increasingly insisting that online payments are verified by text.
HSBC has told customers they will have to register a mobile phone to enable it to verify future online card payments. And with other banks set to follow its lead, MPs have warned a third of online purchases could fail.
This relates to tougher new European requirements for authenticating online payments laid out in the second payment services directive (PSD2). These come into force on 14 September (see below) and will change the Verified by Visa and Mastercard SecureCode processes used by banks to reduce fraud.
Customers verifying online purchases – or logging in to online banking – will not be able to do so just by inputting a password as they do now. Instead, they will most likely have to input a code sent to them by the payment provider – in most cases by text.
Non-mobile users, and those who cannot get a signal at home, face having to start using card readers that generate a pin every time they make an online purchase from a company they may not have previously bought from. But if you don’t bank online, you may not have a card reader, so you would have to apply for one.
HSBC customer Chris White*, who lives in north Wales, just 20 miles from Chester, has already fallen foul of this. He says he has been told his online shopping days are effectively over because of HSBC’s requirement that all payments are only verified by text.
“Until recently, when it came to making online payments, it would be done by Verified by Visa. But last week HSBC insisted I give my mobile phone number. I am happy to do that – the only problem is that I get zero mobile service at home, meaning I can’t receive the text. Without a code the payment is refused,” he says.
White says he visited his nearest HSBC branch in Mold, only to be informed by staff that nothing could be done. He says they told him he was not the only customer complaining about this.
“I don’t bank online because I don’t trust it,” says White. “But to be told that I can no longer shop online is ridiculous. HSBC will have to find another way to verify its customers like me. It could send a WhatsApp message or email, which will come over the home wifi, but apparently it won’t. What will happen to all those who don’t have a mobile and don’t bank online? They are being treated like second-class citizens by HSBC.”
HSBC told Guardian Money: “We are aware a small number of customers may encounter difficulties receiving OTPs [one-time passcodes] by SMS where mobile signal coverage is poor, and we have put measures in place through our telephone contact centres to confirm payment authentication.”
It now says it will email customers an OTP, but only if they have pre-registered an email address.
The EU regulations appear to have caught the payments industry off-guard, prompting a recent rush of requests to online shoppers for mobile phone numbers – despite the fact that the technology behind mobiles and texts has been proven to be insecure.
The Financial Conduct Authority has indicated it will delay the enforcement of the new rules to give the industry more time to implement them and keep online tills ringing.
In parliament last week, Liberal Democrat MP Chuka Umunna described the rules as a “ticking time bomb for online retail” that could result in nearly a third of online purchases failing. He said it was staggering that the government was not doing more to make the affected parties aware of the issue. The British Retail Consortium said 75% of retailers were unaware it was even happening, he added.
Mastercard, which operates the SecureCode verification process, told Money that around 1% of online purchases triggered the need to input a password. Most security checks occur behind the scenes and don’t require any action on the part of customers. But the trigger figure could rise to 25% when the rules are fully implemented, Mastercard says, meaning banks are going to have to offer alternatives to those who don’t use a mobile or get a decent signal.
The telecoms regulator Ofcom said this week that 3% of UK households don’t receive a phone signal at home, though the true figure may be much higher.
“We make a range of options available, but it is up to the banks to decide on which measures they choose. They decide on how customers verify payments, not us,” says a Mastercard spokesman.
What’s clear is that banks are taking different approaches. Santander told Money that its customers will have to have a mobile phone to receive an authorising code as a text or via its app. Clearly, non-mobile users are going to struggle to make online purchases if that policy is maintained.
Barclays, NatWest/Royal Bank of Scotland and Nationwide said customers would be able to receive their code via their card reader if they did not have a usable mobile phone. Customers who don’t bank online will have to request one, and face the hassle of having to use it.
“We are working on other solutions that will enable customers to keep shopping,” says Nationwide.
TSB is the only bank so far to say that it will offer automated calls to landlines – the obvious solution for those in White’s shoes.
A number of big retailers such as Amazon have been asking customers to hand over mobile numbers. Online shoppers can expect a host of similar requests in the coming weeks and months, say payment experts.
It is unclear what impact Brexit could have on the requirement to introduce these rules. But it seems unlikely the UK’s regulators would row back on a policy that is designed to make online payments safer and reduce fraud.
* Not his real name
How the new rules work
A new regime – known as strong customer authentication (SCA) – will require customers to be “authenticated” by at least two different methods from three options. These categories are: something only the payer knows, such as a password or pin; something only the payer has, such as a mobile phone or card reader; or something personal to the payer, such as a fingerprint, or their voice or face, or bizarrely something as obscure as the angle at which they hold their phone.
So a password and a fingerprint would meet the rules, but a password and a pin would not, because both are things the payer knows. A password and a generated code sent as a text or via an app would. The rules apply to online shopping as well as logging into online banking.
There will be exemptions – for example, for “low value” purchases (under €30), and recurring payments where the amount stays the same. However, a customer who made a series of smaller purchases could trigger the requirement to input a code.
While the new regulations are likely to make some transactions more cumbersome in the short term, it is expected that fingerprint and facial recognition will help in the future.
It is understood the regime will allow consumers to set up a list of “trusted beneficiaries” – basically, retailers or other companies that the cardholder trusts and uses regularly which could be exempt from the SCA rules.
UK Finance, the trade body for the banking sector, says it expects providers will have appropriate solutions in place to allow their customers to authenticate themselves, amid concern for the elderly and those who don’t or can’t use a mobile.
“This could mean your bank or provider using a number of verification methods including, for example, a phone call, text, banking app and/or card readers to check your identity,” says a spokesman.