Thousands without mobiles could be frozen out of online payments

Under new fraud rules, codes will be sent to phones, which could leave some users excluded

Thousands of UK consumers who can’t get a mobile signal at home – or don’t own a mobile phone – face being frozen out of internet shopping as banks are increasingly insisting that online payments are verified by text.

HSBC has told customers they will have to register a mobile phone to enable it to verify future online card payments. And with other banks set to follow its lead, MPs have warned a third of online purchases could fail.

This relates to tougher new European requirements for authenticating online payments laid out in the second payment services directive (PSD2). These come into force on 14 September (see below) and will change the Verified by Visa and Mastercard SecureCode processes used by banks to reduce fraud.

Customers verifying online purchases – or logging in to online banking – will not be able to do so just by inputting a password as they do now. Instead, they will most likely have to input a code sent to them by the payment provider – in most cases by text.

Non-mobile users, and those who cannot get a signal at home, face having to start using card readers that generate a pin every time they make an online purchase from a company they may not have previously bought from. But if you don’t bank online, you may not have a card reader, so you would have to apply for one.

HSBC customer Chris White*, who lives in north Wales, just 20 miles from Chester, has already fallen foul of this. He says he has been told his online shopping days are effectively over because of HSBC’s requirement that all payments are only verified by text.

“Until recently, when it came to making online payments, it would be done by Verified by Visa. But last week HSBC insisted I give my mobile phone number. I am happy to do that – the only problem is that I get zero mobile service at home, meaning I can’t receive the text. Without a code the payment is refused,” he says.

White says he visited his nearest HSBC branch in Mold, only to be informed by staff that nothing could be done. He says they told him he was not the only customer complaining about this.

“I don’t bank online because I don’t trust it,” says White. “But to be told that I can no longer shop online is ridiculous. HSBC will have to find another way to verify its customers like me. It could send a WhatsApp message or email, which will come over the home wifi, but apparently it won’t. What will happen to all those who don’t have a mobile and don’t bank online? They are being treated like second-class citizens by HSBC.”

HSBC told Guardian Money: “We are aware a small number of customers may encounter difficulties receiving OTPs [one-time passcodes] by SMS where mobile signal coverage is poor, and we have put measures in place through our telephone contact centres to confirm payment authentication.”

It now says it will email customers an OTP, but only if they have pre-registered an email address.

The EU regulations appear to have caught the payments industry off-guard, prompting a recent rush of requests to online shoppers for mobile phone numbers – despite the fact that the technology behind mobiles and texts has been proven to be insecure.

The Financial Conduct Authority has indicated it will delay the enforcement of the new rules to give the industry more time to implement them and keep online tills ringing.

In parliament last week, Liberal Democrat MP Chuka Umunna described the rules as a “ticking time bomb for online retail” that could result in nearly a third of online purchases failing. He said it was staggering that the government was not doing more to make the affected parties aware of the issue. The British Retail Consortium said 75% of retailers were unaware it was even happening, he added.

Mastercard, which operates the SecureCode verification process, told Money that around 1% of online purchases triggered the need to input a password. Most security checks occur behind the scenes and don’t require any action on the part of customers. But the trigger figure could rise to 25% when the rules are fully implemented, Mastercard says, meaning banks are going to have to offer alternatives to those who don’t use a mobile or get a decent signal.

The telecoms regulator Ofcom said this week that 3% of UK households don’t receive a phone signal at home, though the true figure may be much higher.

“We make a range of options available, but it is up to the banks to decide on which measures they choose. They decide on how customers verify payments, not us,” says a Mastercard spokesman.

What’s clear is that banks are taking different approaches. Santander told Money that its customers will have to have a mobile phone to receive an authorising code as a text or via its app. Clearly, non-mobile users are going to struggle to make online purchases if that policy is maintained.

Barclays, NatWest/Royal Bank of Scotland and Nationwide said customers would be able to receive their code via their card reader if they did not have a usable mobile phone. Customers who don’t bank online will have to request one, and face the hassle of having to use it.

“We are working on other solutions that will enable customers to keep shopping,” says Nationwide.

TSB is the only bank so far to say that it will offer automated calls to landlines – the obvious solution for those in White’s shoes.

A number of big retailers such as Amazon have been asking customers to hand over mobile numbers. Online shoppers can expect a host of similar requests in the coming weeks and months, say payment experts.

It is unclear what impact Brexit could have on the requirement to introduce these rules. But it seems unlikely the UK’s regulators would row back on a policy that is designed to make online payments safer and reduce fraud.

* Not his real name

How the new rules work

A new regime – known as strong customer authentication (SCA) – will require customers to be “authenticated” by at least two different methods from three options. These categories are: something only the payer knows, such as a password or pin. Something only the payer has, such as a mobile phone or card reader. Or something personal to the payer, such as a fingerprint, or their voice or face, or bizarrely something as obscure as the angle at which they hold their phone.

So a password and a fingerprint would meet the rules, but a password and a pin would not. A password and a generated code sent as a text or via an app, would. The rules apply to online shopping as well as logging into online banking

There will be exemptions – for example, for “low value” purchases (under €30), and recurring payments where the amount stays the same. However, a customer who made a series of smaller purchases could trigger the requirement to input a code.

While the new regulations are likely to make some transactions more cumbersome in the short term, it is expected that fingerprint and facial recognition will help in the future.

It is understood the regime will allow consumers to set up a list of “trusted beneficiaries” – basically, retailers or other companies that the cardholder trusts and uses regularly which could be exempt from the SCA rules.

UK Finance, the trade body for the banking sector, says it expects providers will have appropriate solutions in place to allow their customers to authenticate themselves, amid concern for the elderly and those who don’t or can’t use a mobile.

“This could mean your bank or provider using a number of verification methods including, for example, a phone call, text, banking app and/or card readers to check your identity,” says a spokesman.


Miles Brignall

The GuardianTramp

Related Content

Article image
UK online shoppers face more identity checks as new anti-fraud rules kick in
Under changes coming in on 14 March, retailers will have to verify customer is who they claim to be

Miles Brignall

12, Feb, 2022 @7:00 AM

Article image
Cash in on cashback: shop around for the best deals
There are plenty of options if you want to switch current accounts or your phone or broadband provider

Rupert Jones

21, May, 2022 @10:00 AM

Article image
Ikea ruined my daughter’s surprise with late furniture delivery
I took time off to decorate her bedroom but the items did not arrive on time

Rebecca Smithers

30, Sep, 2018 @6:00 AM

Article image
The modern alternative to gift vouchers and cards
When HMV went into administration in 2013, it refused to honour its gift vouchers. Here are some smart ways to give the gift of choice

Rebecca Smithers and Jill Papworth

29, Nov, 2014 @7:00 AM

Article image
Homebuyer loses £300,000 to fraudsters – but gets it back after we step in
Guardian Money takes on the case of a woman tricked into moving her savings into the wrong account

Donna Ferguson

18, Jul, 2020 @6:00 AM

Article image
We need legal advice for our HSBC mortgage but no one will give it
At least 20 solicitors we’ve approached say it’s ‘a low fee for a high risk’

Liz Phillips

04, Jul, 2016 @6:00 AM

Article image
The £45,000 deposit for our first home was stolen and the banks did nothing
Imagine the horror of losing all to fraudsters who hacked emails and diverted the cash to a bogus account

Miles Brignall

24, Aug, 2019 @6:00 AM

Article image
‘It’s discrimination’: millions of Britons frozen out in the digital age
From banking to shopping and parking, consumers without access to tech are left frustrated

Miles Brignall

26, Nov, 2022 @7:00 AM

Article image
Black Friday: a shopper’s guide
We look at how to make the most of the busiest shopping day of the year, plus some of the best deals already available

Rupert Jones

19, Nov, 2016 @7:00 AM

Article image
I sent money to a friend using Barclays’ Pingit app, but it never arrived
An international transfer of £792 in euros in May still hasn’t turned up in my friend’s account

Rebecca Smithers

25, Jun, 2017 @5:59 AM