How to confirm online credit card payments using a one-time passcode

We're making online payments safer. This is because of changes to the Payment Services Regulations to help prevent fraud. Of course, this is good news, but it does mean the next time you're shopping online, you might be asked to confirm it's you when you check out and pay. This way we know it's really you, which makes it harder for fraudsters to make payments without your knowledge.

Read our step-by-step guide to find out how it works.

How do one-time passcodes work?

If you aren't an active app user, we'll send a one-time passcode (OTP) to your mobile phone number to confirm your payment. Here's how it works:

  • Step 1: When making a payment online, before you can complete the payment, a verification screen will pop up with instructions on how you can confirm your identity using a one-time passcode sent via text message to your mobile phone.
  • Step 2: If the mobile phone number shown on the verification screen is correct, select 'Send' or 'Send OTP'.
  • Step 3: Once you've received the text message containing your one-time passcode, enter the code into the verification screen and click 'Submit'.
  • Step 4: You'll then be asked to enter your email address into the verification screen to complete the transaction. Read more about why we ask you to enter this below.

That's it! You'll see a confirmation of your payment on the checkout screen.

Your one-time passcode is 962863 for a payment of GBP 1430.6 to HMRC on card ending 6247. It's valid for 10 mins for this payment only-ref 7690

NEVER share this code with anyone.
Fraudsters pretend to be people you trust, like a company you pay bills to, M&S Bank or even the police. If you receive a one-time passcode for a payment you haven't made, please contact us.

Staying safe when using your card online

When confirming online card payments using a one-time passcode, you'll also be required to type your email address into the payment verification page to complete the transaction. Don't worry, we're not checking your email address here or updating our records; it's how you enter it that matters (including your keystrokes). This is known as behavioural biometric data and it should be unique to you.

We use a third party, Callsign, who help us protect your payments from fraud by recording how you enter your email address (including keystrokes). We'll then use this data in future, together with other information like your location, your device and how you use it, to help us check it's really you making the payment and to reduce the risk of fraud. The data is collected (via your device browser) and stored by Callsign.

As fraud attempts have become more advanced, it is in the substantial public interest to enhance fraud prevention measures.

If we decline a payment based on our fraud checks (including behavioural biometric data) and you think we got this wrong, you can contact us to let us know it was you making the payment request.

Frequently asked questions

Why do I need to enter my email address?

This is another measure to reduce the risk of payment fraud. We'll capture how you enter your email address (including your keyboard strokes) as behavioural biometric data and build a profile based on how you enter your email address. We'll then use this data, alongside information about your device and location, to help us check it's you making a transaction and not a fraudster. A third party, Callsign, will act on our behalf to collect and process your behavioural biometric data. For more information, see our privacy notice.

How does using my behavioural biometric data help protect me from fraud?

We build a profile based on how you enter your email address. If the way you enter your email address doesn't match the way you usually enter your email address, your payment may be declined because we couldn't confirm it was you making the payment.

How do I challenge a declined payment?

We may decline a payment where our fraud checks (including the behavioural biometric check) indicate it may not be you making the payment. If we've got this decision wrong, please contact us.

Why haven't I received my OTP?

Please check if we have your correct mobile phone number. There could also be problems with your mobile network signal. If your number is correct, click the 'Resend OTP' button on screen – you can do this 3 times. If this still doesn't work, call us on 0345 900 0900.

What happens if I change my mobile phone number, or the number shown on screen is wrong?

You'll need to advise us either by updating it via Internet banking or calling us on 0345 900 0900. If you don't update your number, an OTP cannot be delivered to you, and you'll be unable to complete your online purchase. As soon as you've updated your number with us, an OTP can be delivered to you with immediate effect.

Can I confirm my online payments another way?

If you don't want to receive one-time passcodes and complete the additional step by entering your email address, that's OK. We have a couple of alternative options available.

The M&S Banking App* gives regular users a way to securely confirm online payments.

If you're unable to confirm your payments using the app or via text message, we've introduced an alternative card reader option.

Call us on 0345 900 0900 to request a Card Reader.

* Available on compatible devices. To be able to use all app features, you'll need to ensure that you are running the latest version of our app. In order to download the latest version, you'll need to ensure you are running iOS 12.2 or Android 6 or above. We recommend using the most up-to-date operating system your device can support. iOS is a trademark of Cisco and used by Apple under licence. Apple is a trademark of Apple Inc, registered in the US and other countries and regions. Android is a trademark of Google LLC.