Strong Customer Authentication (SCA), Mobile App, OTP & E-Pin

Strong Customer Authentication (SCA) is a requirement which forms part of the Payments Service Directive (PSD2) as transposed locally in Directive 1 of the Central Bank of Malta. This Directive aims to reduce fraud and make online payments safer through enhanced security.

SCA needs to have at least two of three elements:

Knowledge: Something only you know e.g. PIN or Password;

Possession: Something only you have e.g. Phone or device;

Inheritance: Something only you are e.g. Biometric (fingerprint or Face/Voice ID).

Currently you receive an SMS with a code to the mobile phone number registered with the Bank. This code is than used to verify your online purchases – this is known as an SMS One Time Password (OTP) which is a one factor authentication method. We are now introducing a two-factor authentication for a stronger security process which is safer and secure for online purchases.

In a staggered approach, starting from 22 June, the Bank started migrating customers to SCA where a two-factor authentication process is required to authorise online card payments. As from the 28 October even those currently using OTP will be required to use a two-factor authentication method by using their Phone Banking PIN together with the current OTP received on their mobile devices.

Going forward, if you make any online purchases using your HSBC credit and/or debit card, you would be required to verify these transactions using SCA - i.e. a two factor authentication process.

We have introduced new enhancements to our existing HSBC Mobile Banking App which will allow you to verify and authenticate all your online purchases through our mobile app. Alternatively, you can still authenticate transactions through the OTP and E-Pin method referred to in the next question.

Although we do recommend our customers to use HSBC Mobile Banking App, which is safe and a secure means of authorising your purchases, we understand that not everyone will be comfortable to use this service. If you still wish to continue making online purchases without using the HSBC Mobile Banking App, you will have to authenticate your card purchases using your 6-digit HSBC Malta phone banking PIN (E-Pin) followed by a 6-digit one-time password (OTP) that we will send to your mobile number held on our records while you are completing your purchase. This change will come into effect as from 28 October 2021.

If you do not wish to download the HSBC Mobile App and do not know your 6-digit HSBC phone banking PIN, kindly call us on +356 2380 8219 Monday to Friday 08.00 to 16.00 excluding public holidays. We suggest that you contact us at your earliest ahead of 28 October 2021 and allow a few days to receive your phone banking PIN.

If you only use the HSBC Online Banking service, you will need to download the HSBC Mobile Banking App and register for this service. The App is user-friendly, it gives you ease of access to your accounts 24/7, provides security and swiftness when effecting banking transactions.

You can download the HSBC Mobile Banking App through GooglePlay or App Store. To register for the HSBC Mobile Banking App, will only take a couple of minutes.

To activate and begin using the Mobile Banking App, you will also need a Secure Key. This is mailed to you upon registration and can take a couple of days to arrive by post to the registered address on our system.

No - this service is free of charge.

No, once you have downloaded the HSBC Mobile Banking App you cannot utilise the latter service. It will only be available for those who do not have the HSBC app installed.

If you decide to uninstall the HSBC Mobile Banking App, you would need to register for the SMS service and Phone Banking.

HSBC Personal customers going forward will need to either use HSBC Mobile Banking App which is fee free and available for download through GooglePlay or App Store or a PIN solution which will be available in due course. You will not be able to use both services.

For Business customers, specifically HSBC Fusion customers, those who do not have mobile banking will automatically be receiving a phone banking PIN to be used in conjunction with the current OTP authentication method.

Download the HSBC Mobile Banking App through GooglePlay or App Store. You can also find out more on our Mobile Banking page.

To register for Mobile Banking, you will need to be an Online Banking User first.

Then once you have downloaded the application, you will need to register by inputting your personal details. An activation code will be sent to your registered mobile number.

Create your log on details.

Have a look at our helpful video guide on registering for mobile banking.

You can only activate your registration once you receive your Secure key. Note that this is mailed to you to your registered mailing address with the bank and will take a couple of days.

When you receive the Secure Key - activate by using your log in credential details, your Secure Key and a one-time code sent to your registered mobile phone number.

As you go through the steps to approve a purchase online, you will need to log into you HSBC Mobile Banking App at the same time. You will be prompted with a pop-up screen to authenticate your purchase.

Select – 'Approve or Decline';

Enter your HSBC Mobile Banking App log in (Password, Biometric or Fingerprint);

Transaction ‘Approved’ notification or if cancelled ‘Payment Cancelled’ notification;

Go back to merchant website.

In order to communicate effectively with our customers, we use email, mobile or post. It is important that all your details held with us are correct and up to date in order for you not to miss any important notification or correspondence.

If you wish to update your details, you need to visit any of our HSBC Branches. Find your nearest branch.

HSBC will never ask for your payment security details such as your PIN numbers. These are yours to keep securely and cannot be shared. They are to be used only by you when you are effecting payments or requiring a payment-related service.

HSBC will never ask for your passwords and will never send links to reset or change your passwords.

If you are ever in receipt of a call, email, SMS or contacted via digital platforms (e.g. Facebook or Instagram), do not divulge your security details (such as your PINs or One-Time Passwords) - Hang up the call, don't click any suspicious links provided.

If you are asked to transfer money - verify the details of who is requesting the payment and what it is for before doing so.

If you are asked to divulge your SMS OTP PIN or Phone Banking PIN - never reveal it. This is an important security detail and should never be disclosed to third parties.

Always verify the source of a query and never divulge your security details.

Visit our online security centre for more tips and advice.

Call us immediately on +356 21483809 to stop your card.

Further details on the changes being made to our General Terms and Conditions can also be obtained from www.hsbc.com.mt/changes. Please take time to go through these changes and feel free to contact us should you require additional information or further assistance.

Other changes to the Card Conditions of Use to explain our two-factor authentication process in more detail are being introduced. The Card Account Fees document is also being updated to explain that going forward for cash advances with a credit card, credit interest will be charged not only on the amount advanced but also on the transaction fee itself applicable to that cash advance.

Our updated General Terms and Conditions are uploaded on our website and available for you to download for free. Alternatively, you can ask for a copy of our updated General Terms and Conditions from any of our branches or by calling us on +356 2380 8219 Monday to Friday 08.00 to 16.00 excluding public holidays.