Visa will require text message confirmation for online card purchases

Online shoppers purchasing goods via credit or debit card will soon have to enter a one-time passcode sent directly to their mobile phone via text message to complete certain transactions, This is Money can reveal.

It will replace the current system, which sees those shopping on the internet having to enter characters from a ‘Verified by Visa’ password they’ve created for some transactions.

The move is likely to frustrate some who may receive bad mobile phone signal in their home, or may not trust a text message system to make payments.

It also creates a fraud worry, as This is Money has in the past revealed how easy it is for fraudsters to spoof messages from banks and other financial institutions to dupe unwitting victims.

Safety vs frustration: The move is said to help protect people when paying online – but many will find it an added level of frustration

HSBC-owned bank First Direct has written to its customers saying: ‘We wanted to let you know about an industry wide security upgrade that’s being made to the Verified by Visa authentication process which helps protect you when you pay online with your debit or credit card.

‘When you do this, you can be asked to enter characters from your Verified by Visa password for some transactions, but soon this will be replaced by a one-time passcode sent directly to your mobile phone via text message.’

It goes on to ask them to confirm their mobile number, adding: ‘We’re sorry we need to ask you to do this but if we don’t have the right contact details and we can’t confirm a transaction’s genuine, we may not be able to process it and we really don’t want to get to that stage.’

Customers of all banks that issue Visa debit and credit cards will be hit by the change.

What is two-factor authentication?

Two-factor authentication is a second layer of security used to protect an account or system and, in this case, online transactions.

It increases the safety of online accounts by requiring two types of information from the user, such as a password or PIN, an e-mail account, credit or debit card or fingerprint, before the user can log in or transact.

One This is Money reader, Richard, who asked for only his first name to be published, said: ‘I have a hideously bad mobile signal in my house.

‘It’s a trip outside to the bottom of the garden or if that doesn’t work it will be a 400 metre walk to the top of the hill to get a good enough signal to authenticate the transaction.’

He added that he also has fears over the security of the new OTP system.

Security experts recommend using two-factor authentication to secure online accounts, but some warn that SMS messages have security problems and are the least secure option.

That said, the SMS option is more secure than having no two-factor authentication whatsoever, according to the experts.

Big change: It will hit anyone who uses a Visa - the choice most banks use to issue debit cards to current account customers

Visa told This is Money: ‘In the interests of customer security, many industries are moving away from the use of static passwords for the authentication of online transactions. 

‘An alternative to static passwords is OTP, whereby a password or code that is valid for a single login is sent to the customer’s mobile phone. 

‘This means of authentication is becoming increasingly familiar to those who shop online.

‘The payments industry is no exception in looking to enhance security for customers. 

‘At Visa, we recently introduced a new rule designed to encourage card issuers to move away from the use of passwords which will strengthen authentication for online payments, and this means that customers will increasingly see the use of OTPs when they make online payments with a Visa card.

‘Although all Visa card-issuing banks will support this increased level of security, alternatives are available should customers feel uncomfortable or unable to use an OTP.

‘Customers should contact their card-issuing bank to discuss their options.’ 

It is not clear what the alternatives may be, but it is worth contacting your bank if you are unhappy with the move to see what it can offer.