PSD2 requires Strong Customer Authentication (SCA) to be applied when logging in to payment accounts when using the portal to make payments to a new payee for the first time and to make online transactions. allpay has been preparing for this change by setting up a service to apply SCA to online purchases called 3D Secure (3DS2) and we have also developed new login screens for our portals, which will require an additional One Time Passcode (OTP) to be sent by SMS or email for authorisation by cardholders and portal users.

We will be introducing the SCA changes required both for portal access and for online transactions early in 2020, allowing time for our cardholders to be fully aware of the changes and to ensure that mobile phone numbers and/or email addresses are added to account profiles so that the verification codes can be sent using those details.

Please take a look at the Frequently Asked Questions below on the subject of Strong Customer Authentication and take any necessary actions to ensure you are prepared for the introduction of SCA when you log into the cardholder portal, set up a new payee, or make an online purchase.

Frequently Asked Questions

Strong Customer Authentication when using the Prepaid Card Portal.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is designed to strengthen security when you are using the Prepaid Card Portal. You will need to enter an additional verification code when logging in and setting up new payees. It is part of the set of regulatory requirements laid out in the 2nd Payment Services Directive that is being introduced by all payment providers and banks across Europe and will affect anyone who has an online payment account.

Why are you making this change?

This is part of an industry-wide switch from using a single password to stronger ways to authenticate online purchases and use online payment accounts.

What if my email address or mobile phone number isn’t on the Prepaid Card Portal?

Once your details have been registered on the Prepaid Card Portal, they will be updated overnight

If I update my email address or mobile number, will I be able to receive a verification code immediately?

Once your details have been updated on the Prepaid Card Portal, we will be able to deliver a verification code to your new mobile number or email address.

What if I haven’t got a mobile phone?

You will be able to use the Prepaid Card Portal to log in, view your account, and set up new payees as you can choose to receive your verification code via email, but you won’t be able to make online purchases as a six-digit verification code will only be sent using an SMS text message.

If you hold both an email address and mobile number for me, can I decide which option to use to receive my verification code?

Yes. The verification codes will always be delivered to your mobile number if we hold that information on our records.

Is the move to verification codes a decision that allpay has made or are all banks required to do so?

All banks are required to introduce an additional layer of security to help prevent fraud on customers’ accounts. This is an industry-wide change being introduced by Mastercard and Visa that all banks have to follow.

What happens if I have a secondary card linked to my account?

All account holders will require a verification code if they log into the Prepaid Card Portal so we must hold an up-to-date email address for each cardholder on the account. If the secondary cardholder also makes online purchases, they will need to register their mobile phone number too.

Making Online Purchases

What is a Mastercard ID Check?

Mastercard ID check sometimes is referred to as 3DSecure or “one-time passcode”, is related to Strong Customer Authentication. It is an additional layer of security that will be needed when you make online purchases using your prepaid card. It will ensure that your online purchases are verified and help protect you from the risk of online fraud.

What if you haven’t got my mobile number?

If we don’t hold a mobile phone number for you, you will need to register your number on the prepaid card portal by contacting the organisation which provided your card. Without a registered mobile number, you will not be able to authorise online payments from your prepaid card.

Does this affect all of my purchases?

This won’t affect all your online purchases as a verification code is only required for certain online transactions where an additional security check is requested. It doesn’t apply to other types of transactions such as in-store or cash machine transactions.

Will my mobile number be shared with Mastercard?

No. Neither your mobile number nor email address are shared with Mastercard.

Do you need a mobile number for the additional cardholder on my account?

Yes, all account holders and additional cardholders could be sent an OTP whilst shopping online so we must hold an up-to-date mobile number for each cardholder on the account. Any additional cardholders will need to update their details, and this can be done for a short while longer by you by logging into the prepaid portal, going to the Profile section, and editing details there. After that time, they will need to contact the organisation that provided your card and requests the details be updated.

If you hold both an email address and mobile number for me, can I decide which option to use to receive my verification code?

No. The verification codes will always be delivered to your mobile number if we hold that information on our records.

How will verification codes be delivered securely? What security measures are you using?

Sending verification codes by text message is an industry-wide approach and is widely used by banks. Although we understand there are some security concerns around using text messaging, it is considered to be more secure than using email. Please don’t share your verification code with anyone else and you will never be asked to share it with us if we contact you for any reason.

When will verification codes start to be sent?

Very early in 2020 and by the latest by February. Make sure your email address and mobile phone number are registered with the organisation that provided your card well before then.