Archives for : Authorisation

    EFT Syetms and Device Considerations

    EFT devices and systems differ depending on hardware vendor, country and bank / payment aggregator.
    Below is a list of things you may like to consider. This list is off the top of my head so it is probably not complete.

    Looking at the products and relationships us usually a good start.

    Things to consider:

    • Card skimming methods
    • Some EFT POS devices restrict the connection of a skimmer
    • Review levels of associated fraud
    • Review devices and EFT methods
    • Review terminal identification (merchant and customer)
    • Manual processing. (internal and external)
    • eCommerce products
    • PC based software
    • Dedicated server services (Nobil, etc.)
    • Web based engine (Custom objects, Web pop-ups, etc)
    • Authorisation / identification methods (Merchant and customer)
    • TCPIP session hijacking / session spoofing
    • Direct Debit as well as Credit Cards.
    • Swift (methods and controls)
    • Telegraphic transfer (methods and controls)
    • Payment aggregator relationships (eg. Payment Tech, manual processing, cheque scanning, etc.)
    • Internet banking facilities (attack / penetration,  Certificate registration / management, ISP SLA’s, etc.)
    • Implementation of Smart Card and / or alternative customer recognition devices.
    • Outsourcing and associated risks / service level agreements
    • Payment processing
    • Payment clearance
    • Payment switching
    • Reporting (segregation of merchant / customers / aggregators / partners / local / international)
    • Fraud detection and reporting
    • 3rd party acquiring risks
    • Single merchant ID many businesses
    • Allows moneys to be laundered if the payment aggregator does not place appropriate controls on the merchant.
    • Encryption used
    • Internet / trusted partner / inter-bank / extranet
    • Private and / or public certificates
    • Single use certificates
    • Client side certificates
    • Remittance advice processes and controls.
    • EFT disaster recovery and manual fall back procedures (associated security and reconciliation risks)
    • Trusted partner relationships, SLA’s, liabilities and risks.
    • EFT regulatory / legal requirements (inter-bank and government)
    • Refund processing / authorisation. (policies, procedures, controls, etc.)
    • CVV, CVV-2 / CVC-2 processing and management. (
    • Fraud detection mechanism (neural networks, inter-bank / department customer checks, etc)
    • Supported card schemes (AMEX/Visa/Mastercard/Discover/etc )
    • Review EFT floor limits (corporate and SME merchants)
    • Review the ability to withhold merchant settlement until the presence of fraud has been determined.
    • Review customer identification details. Such as (This varies around the world depending on local regulations / privacy laws)
    • Review real-time and batched processing methods and controls (sequence numbers, access to raw data, etc.)
    • Review processing with and without expiry dates. (exception controls and policies)
    • Review exception / fraud reports.
    • Review payment store and forward policies and procedures.
    • Review Pre-Auth and Completion controls.
    • Token based payment (eCash, etc)
    • Merchant reconciliation, reporting methods and controls (paper, Internet, email, PDF, Fax, etc.) and associated security.
    • Real time gross settlement policies, procedures and controls. (IT and amounts)
    • Card issuing policies and procedures. (customer ID checks, etc)
    • Banking infrastructure (ingress / egress) controls and security. (Web, partner, payment switches, outsourced infrastructure, monitoring / reporting.)
    • Use of Internet technologies for inter-bank transfers and remote equipment.
    • Physical security and controls of devices, ATM,s, line encryptors, etc.

    Is there a risk of someone listening or stealing the information from a contactless card?

    One risk with contactless cards is the ability for the card to be activated when it enters a reader’s RF range without the owner being aware of it. To prevent a contactless card activation without the card owner being aware of it, the application can be configured to always ask for the owner’s authorisation (password, PIN or biometric) before providing any user information or processing on the user’s behalf.


    e level of security of communication required between the contactless card and the reader must be defined as part of the system design and security controls must put in place so that un-invited listeners cannot intercept the data in any meaningful way. For example, all of the contactless technologies can use data encryption to protect data on the card and during transmission; this helps to ensure that, if information is intercepted, the information cannot be used by the recipient. It is important that all of the application’s requirements be understood and defined prior to any technology selection and implementation so that the appropriate security features are designed into the system.
    Additionally, the contactless chip is designed to self destruct if anyone tries to hack into it.

    New e-Commerce and Payment Technologies Company

    Recently I came across a new e-Commerce company called EFT Networks, which seems to have an exciting future in the Global Payments Market.

    It looks like they have a good mix of consulting and solution design.


    Electronic Payment

    Designed to enable both credit card and direct debit, EFT Networks electronic payment solutions work effectively across multiple sales channels—including Web, Contact Call Centre, IVR and EFTPOS. Manage your payment processing system in-house or outsource, depending on your business needs.

    Global Payments

    International commerce requires fully integrated global payment and risk management solutions. Requirements span the gamut of payment acceptance considerations from accepting local payment types, pricing in local currencies and dynamically updating prices with changes in exchange rates (dynamic currency conversion), authorising and settling in multiple currencies, to managing fraud and compliance issues such as tax and export regulations. EFT Networks offers a single interface to the global payment network to handle all of these considerations as your business grows.

    ICE – Reporting & Management

    The EFT Networks Enterprise Business Center gives you a single, easy-to-use interface for managing and configuring payment processing services.

    ICE caters for each area of the payment transaction cycle from authentication, authorisation, settlement, dispute resolution and reconciliation – enabling our clients to reduce transaction costs, eliminate fraud, minimise risk, maximise cash flow and increase profitability.


    EFT Networks provides flexible and secure payment and risk management integrations in to host and legacy systems as well as industry-leading software.

    Using industry standards and protocols, our solutions can be customised to suit your exact business requirements


    ICE (Intelligent Communications Exchange)

    At the core is our Intelligent Communications Exchange (ICE) which enables all known transaction enablers from EFTPOS to eCommerce to be routed directly to a client’s bank without intervention for real time acceptance and authentication.

    The EFT Networks ICE operates under a philosophy of total System and Physical redundancy delivering the highest uptime rates possible, whilst the transaction network is protected using Solid State and Application Firewalls on all points of ingress and egress.

    Every transaction processed through EFT Networks is encrypted using 128 bit Secure Socket Layer (SSL) encryption and submitted for authorisation through EFT Networks “Secure Virtual Private Network” (SVPN).

    Our commitment to security is also reflected in our swift compliance with Card Schemes security initiatives such as VerifiedByVisa and MasterCard SecureCode.

    EFT Networks comprehensive suit of online reporting tools combined with daily transaction reports will ensure that our clients always have access to up-to-date management information allowing Business Managers to make quick and well-informed business decisions. The decision making process is simplified even further with the power of daily reports that are customised to be imported into most existing legacy systems.