Re: Santander must also not be hashing passwords
I use Santander online and mobile app. Both request an 8-digit customer ID (which you can persist for convenience) and full PIN, not selected characters from it. The mobile app won't allow you to set up new payments either and the online version sends a code via SMS you need to enter to create a new payment.
Not saying any of this is vastly secure but it sounds like Tesco have really let the security aspect slip, probably because it's difficult and a bit more expensive to deploy properly.