How to confirm online card payments using a one-time passcode

We're making online payments safer. This is because of changes to the Payment Services Regulations to help prevent fraud. Of course, this is good news, but it does mean that the next time you're shopping online, you might be asked to confirm it's you when you check out and pay. This way we know it's really you, and it makes it harder for fraudsters to make payments without your knowledge.

Read our step-by-step guide to find out how it works.

If you aren't an active app user, we'll send a one-time passcode (OTP) to your mobile phone number to confirm your payment. Here's how it works:

  • Step 1: When making a payment online, before you can complete the payment, a verification screen will pop up with instructions on how you can confirm your identity using a one-time passcode sent via text message to your mobile phone.
  • Step 2: If the mobile phone number shown on the verification screen is correct, select 'Send' or 'Send OTP'.
  • Step 3: Once you've received the text message containing your one-time passcode, enter the code into the verification screen and click 'Submit'.
  • Step 4: You'll then be asked to enter your email address into the verification screen to complete the transaction. Read more about why we ask you to enter this below.

That's it! You'll see a confirmation of your payment on the checkout screen.

Your one-time passcode is 962863 for a payment of GBP 1430.6 to HMRC on card ending 6247. It's valid for 10 mins for this payment only-ref 7690

NEVER share this code with anyone.
Fraudsters pretend to be people you trust, like a company you pay bills to, M&S Bank or even the police. If you receive a one-time passcode for a payment you haven't made, please contact us.

Extra checks when using your card online

When confirming online card payments using a one-time passcode you'll also be required to type your email address into the payment verification page to complete the transaction.

Don't worry, we're not checking your email address here or updating our records. It's how you enter it that matters (including your keystrokes). It's known as behavioural biometric data and it should be unique to you.

We'll record this data and it'll be stored for up to 3 months, so it can be compared against your previous entries. We'll then use this data in future, together with other information like your location and how you use your device, as an added measure to help us check it's really you making the payment and to reduce the risk of fraud.

Frequently asked questions

Why do I need to enter my email address?

This is another measure to reduce the risk of payment fraud. We'll capture how you enter your email address (including your keyboard strokes) as behavioural biometric data and build a profile based on how you enter your email address. We'll then use this data, alongside information about your device and location, to help us check it's you making a transaction and not a fraudster. A third party, Callsign, will act on our behalf to collect and process your behavioural biometric data. For more information, see our privacy notice.

How does using my behavioural biometric data help protect me from fraud?

We build a profile based on how you enter your email address. If the way you enter your email address doesn't match the way you usually enter your email address, your payment may be declined because we couldn't confirm it was you making the payment.

How do I challenge a declined payment?

We may decline a payment where our fraud checks (including the behavioural biometric check) indicate it may not be you making the payment. If we've got this decision wrong, please contact us.

Why haven't I received my OTP?

Please check if we have your correct mobile phone number. There could also be problems with your mobile network signal. If your number is correct, click the 'Resend OTP' button on screen – you can do this 3 times. If this still doesn't work, call us on 0345 900 0900.

What happens if I change my mobile phone number, or the number shown on screen is wrong?

You'll need to advise us either by updating it via Internet banking or calling us on 0345 900 0900. If you don't update your number, an OTP cannot be delivered to you, and you'll be unable to complete your online purchase. As soon as you've updated your number with us, an OTP can be delivered to you with immediate effect.

Can I confirm my online payments another way?

If you don't want to receive one-time passcodes and complete the additional step by entering your email address, that's ok. We have a couple of alternative options available.

The M&S Banking App* gives regular users a way to securely confirm online payments.

If you're unable to confirm your payments using the app or via text message, we've introduced an alternative card reader option.

Call us on 0345 900 0900 to request a Card Reader.

* Available on compatible devices. To be able to use all app features, you'll need to ensure that you are running the latest version of our app. In order to download the latest version, you'll need to ensure you are running iOS 12.2 or Android 6 or above. We recommend using the most up-to-date operating system your device can support. iOS is a trademark of Cisco and used by Apple under licence. Apple is a trademark of Apple Inc, registered in the US and other countries and regions. Android is a trademark of Google LLC.