Have you been asked by your bank recently to input a one-time passcode in order to complete an online transaction?
It seems more and more of us have, as lenders and credit card companies gradually start to roll out new measures to reduce card fraud known as Strong Customer Authentication (SCA).
On Monday, John Lewis alerted customers to potential changes they might see when making payments in its stores or via its website.
A number of banks and credit card providers – as well as the likes of Apple and payments solution provider Stripe – have also published advice.
What is Strong Customer Authentication?
SCA originates from an EU directive designed to reduce payment card fraud across the continent.
Banks and retailers had been expected to introduce the measures on 14 September, when the law will officially change, but many were not ready.
Instead the Financial Conduct Authority has effectively delayed it, saying it won’t enforce the law until March 2021.
However, it still expects providers to introduce the measures in a staggered approach over the next 18 months – although when you start noticing changes will depend on who you bank with and where you shop.
An estimated £671m was lost to fraud on UK payment cards in 2018, a 19% increase on the previous year.
How will it work?
Under SCA, if an online shopper spends more than about £28 in one transaction, payment providers will be required to ask for an extra form of verification.
This will usually be sent by your bank as a one-time password by text to a mobile phone.
Alternative forms of verification could include a thumbprint on a smartphone or voice recognition.
Shoppers will also see changes in stores: for example, you may find yourself occasionally being asked to enter your pin number when making either a contactless payment or using a mobile wallet.
Why was it delayed?
Retailers and banks lobbied the government saying the 14 September start date was unrealistic.
According to the British Retail Consortium, the fact providers would not have been ready would have created “significant disruption to online payments”.
As a result, it estimated the number of e-commerce transactions carried out in the UK would have dived by 25-30%.
“The technical solutions weren’t going to be ready on time, nor the guidance to go with them,” said Andrew Cregan, the consortium’s payments policy advisor.
“You could have seen online transactions abandoned due to people simply not receiving the passcode if their bank didn’t hold the correct phone number or if there was no mobile signal.”
That said, providers are increasingly likely to contact you to remind you about SCA changes over the next 18 months.
Asked about John Lewis’s decision to contact its customers this week, a spokeswoman for the retailer said: “We are trying to give customers the heads-up, so there won’t be any barriers to transacting. We want to be on the front foot.”