How we shop online is changing from today

Online shoppers should expect changes in the way they shop from today, in a move to combat online fraud.  

The changes are a result of new Strong Customer Authentication (SCA) requirements, a set of rules that will change how you confirm your identity when making online purchases.   

While SCA rules have applied to a small number of transactions for some time, the proportion of transactions for which SCA requirements apply has been steadily increasing since the start of this year as merchants and Payment Service Providers (PSPs) readied to meet the enforcement date, when all transactions must be SCA-compliant. 

Today’s deadline comes almost three years after the SCA requirements were announced in September 2019.

As increasing amounts of purchases are being made digitally, it is hoped SCA will help reduce fraud and better protect customers and their money when shopping online. 

Customers will now be asked to prove their identity when making a purchase, by confirming two of the following three ‘factors’: 

• Something they are – like a fingerprint or facial ID
• Something they know – like a passcode or password
• Something they have – like a mobile phone

In practice, this could mean customers are asked to verify a purchase via text message, receiving a passcode which they are then prompted to enter on screen.

Other confirmations could include answering an automated phone call to your landline or mobile, or through an app on your smartphone.  

Some types of transactions are exempt from strong customer authentication, meaning customers may not always be asked to complete extra security steps.

These may be purchases deemed ‘low-risk’ of fraudulent activity, such as when buying low-cost items, or repeated purchases such as subscriptions. 

Retailers are ready for the change, having been preparing their systems for many months to process these extra security checks.

Successful roll out of the new regulations will also require banks to be prepared for the changes.  

Tom Ironside, Director of Business & Regulation at the British Retail Consortium, said:

“Retailers have been working hard to prepare for the Strong Customer Authentication requirements, ensuring online purchases are both as safe and easy as possible.”

“The BRC and our members have worked with suppliers to ensure multiple fraud checks are performed behind the scenes and any additional friction is kept to a minimum. Customers should be reassured that buying online has never been safer.” 

According to consumer watchdog WHICH? scammers will see SCA as a fresh opportunity so it’s important that banks protect cardholders against any emerging threats.

“We could see a spike in fake texts, calls and emails claiming to be from ‘your bank’ using the new security checks as the hook. A few SCA-related phishing emails did the rounds back in 2019.” WHICH? states

With so many banks relying on SMS, we’re also concerned about the increased threat of Sim-swap fraud – where criminals trick your mobile network provider into transferring your phone number to a Sim card that they control.

This means they can intercept messages from your bank and potentially hack into your account.

Starling told Which? it has ‘made a conscious decision’ not to send one-time password’s (OTP) via SMS because it does not believe this is secure.

Banks must ensure customers are fully aware of these risks and use other tools at their disposal to frustrate scammers, such as behavioural biometrics where security systems can recognise the unique way you use your phone or laptop.