top of page

Banks and building societies to roll out stronger online shopping security measures

To help protect you and your money from fraudsters, banks and building societies will be asking you to confirm that it’s really you more often when you use your debit or credit card to shop online.

Most regulated banks and building societies in the UK have added extra security checks when you shop online. It’s part of what’s called Strong Customer Authentication (SCA).

Not all retailers will be ready for these changes. So, if you’re shopping online over the next few months, some of your payments may be declined. If this happens, it’s unlikely to be a problem with your card. The retailer should be ready soon and you can contact them to see if you can pay via another way.

By asking you to confirm more of your online payments, they’re keeping you and your money safer. It may be a headache at first as retailers adopt the changes, but in the long-run, it should make online shopping a whole lot more secure.

There are a few ways you can confirm it’s really you when you shop online:

Banking app

This is the easiest way to confirm your identity, so long as you have a compatible smartphone or tablet.

When you get to the online checkout, banks and building societies will send a secure message to your banking app. You can then confirm it’s really you with your fingerprint, facial recognition or by tapping in your pass number.

Watch the below video to see how Nationwide explain this new added security measure. Other banks/building societies may differ, but this will give you a general idea of what to expect. Check with your bank/building society to see if they have a similar method.

One-time passcode (text or landline)

You may receive a unique code from your bank/building society to use at the checkout to confirm it’s really you. They can send this to your mobile or landline using the contact details you’ve given them.

Card reader

If you’ve got a debit card, you can confirm your identity with a card reader. This could be a good option if you don’t have a smartphone or you struggle to get a signal.

Make sure the bank/building society have got your up-to-date contact details. That way, they can send you what you need quickly and there will be no barriers.

You can update your details:

  • on their Banking app

  • on the Internet Bank

  • in branch

  • by calling the number on the back of your card.

Keeping your money and details safe

Remember: your bank or building society will:

  • never ask you online, over the phone or by text for confidential info, such as your full account number, PIN or card reader code

  • never ask you to log directly into the Internet Bank through a link on an email or text or to update your details through a link.

If you think the email looks suspicious, delete it straightaway. Don’t click on the unsubscribe link, as this will alert the scammer that the account is active, and they then may target you with further phishing emails.

You can report suspicious or scam email to Action Fraud.

If you think you’ve revealed your personal or security details, find out what to do from your bank or building society’s website. They will have a Help section with full details of what to do next.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page