eftsure provides two services:
This Statement relates to each eftsure service, and both eftsure services, in this Statement being the Service, except where (and then to the extent that) a paragraph in this Statement is expressly stated to refer to either the eftsure payment verification service or the EftsureID service, in which case the relevant paragraph relates only to that service.
This Statement is in three parts.
Part A addresses our handling of personal information and business confidential information in the course of our business of provision of the eftsure payment verification service, including use of our internet site to log-in to the eftsure payment verification service.
Part B addresses our handling of personal information and business confidential information in the course of our business of provision of the EftsureID service, including use of our internet site to log-in to set-up and use the EftsureID service and download and use of the EftsureID app to use the EftsureID service.
Part C is general terms that apply to everything that eftsure does, including how we handle information in the course of operation of our internet site and associated digital marketing, including uses of online tracking code associated with our internet site.
We will comply with this Statement.
In relation to ‘personal information’ ‘about individuals’, we will also comply with Privacy Laws. Privacy Laws are, in relation to personal information about individuals in Australia, the Privacy Act 1988 (C’th), including the Australian Privacy Principles (APPs), and other Australian federal, state and territory privacy and data protection laws, and in relation to personal information about individuals in New Zealand, the Privacy Act 2020 (NZ), and mandatory codes and other mandatory requirements applicable in Australia and New Zealand respectively.
Some eftsure customers are agencies or other organisations that are regulated by privacy and data protection statutes of Australian States and Territories. We will ensure that eftsure’s handling of ‘personal information’ about individuals, as entrusted to us by entities that are regulated by those statutes, also complies with those Privacy Laws.
We will not reduce our commitments in this Statement as to our processes, practices and standards to protect privacy, confidentiality and information security.
We may modify or amend other provisions of this Statement from time to time. We will display a notice at www.eftsure.com.au stating when any such revisions have been made.
Each eftsure Service is as described at www.eftsure.com.au. That description may be changed or updated from time to time by eftsure.
This Statement should be read together with the terms of provision of each eftsure Service (eftsure Terms), which may either be as available at www.eftsure.com.au, or as we and you agree in a written contract, as applicable.
If you are a customer or prospective customer for an eftsure Service you should also read the eftsure Terms. The eftsure Terms set out other important terms on which we provide each eftsure Service to our customers.
(1) eftsure will maintain business confidentiality and will only disclose information that an eftsure customer deals with particular persons and entities to the limited extent that disclosure is necessary in the course of verification of a payee’s details on behalf of that eftsure customer, or otherwise at the request, or with express consent, of that customer.
(2) eftsure will only use and disclose payee names and account details, and information about payers, for the purpose, and then only in the ways, described in this Statement.
Most of the information that eftsure customers provide to eftsure and that eftsure collects in order to verify payee details is not personal information about individuals. Information about businesses is generally not regulated by Privacy Laws. However, some business information about individuals may also be personal information about individuals.
Eftsure’s data handling processes and systems for collection and handling of payee information are designed for privacy, confidentiality and information security by default and by design, and to minimise handling of information about payees. Eftsure handles confidential information about payee businesses by applying the same privacy, confidentiality and information security standards as we apply to our handling of personal information about individuals.
We retain and use details about completed verifications, including failed verifications, only for the purposes and in the ways described in this Statement.
The eftsure payment verification service supports Australia’s leading businesses by significantly increasing the likelihood that payments by them go to the right bank account of intended recipients.
Australian inter-bank payment systems do not enable automated checking of a payee’s name against the payee name associated with a bank account. These systems treat a payee’s name as an information field for recording on account statements, but not as a required field for verification of a payee’s name against the name recorded in the recipient bank’s system as the holder of the bank account specified in the payment record. Accordingly, funds may be (either inadvertently, or through fraud) deposited into an account that is unrelated to the nominated recipient.
The eftsure payment verification service enables an eftsure customer that is a prospective payer to confirm that a payee’s bank account details as proposed to be used by the payer appear to be correct.
eftsure does this either through direct verification or by checking against previous verifications conducted by eftsure. This substantially reduces the possibility of error or fraud.
The eftsure payment verification service provides assurance to:
our customers, being payers proposing to make direct payments to bank accounts of Australian recipients, that the payment should be received and credited by the recipient bank to the correct recipient, and that this recipient holds a bank account with the details as verified by us, and
The eftsure payment verification service verifies names, email and other contact and account details and account numbers of prospective payees, as provided by customers for checking.
Verifications are undertaken by one of a number of ways, including enquiry made by eftsure of prospective recipients, cross-verification using records of previous verifications that eftsure has conducted in relation to the proposed recipient, and cross-verification by matching multiple requests made by multiple customers.
Upon request by an eftsure customer (as made through the eftsure payment verification service in relation to a proposed payee), the eftsure Service checks the verification status of that proposed payee. If the prospective payee is not then already verified, eftsure attempts to conduct a verification by enquiry of the prospective payee. Following verification, the eftsure payment verification service as provided to that eftsure customer flags the verification result for that particular payee.
Some eftsure customers make payments to the same payees: for example, the Australian Taxation Office, Australia Post, airlines, electricity and telecommunications service providers, office supply companies, courier companies and so on. eftsure seeks to avoid multiple contacts of the same prospective payee to confirm the same details. Upon receiving a request from a customer for verification of a prospective payee and bank account, eftsure may conduct cross-verification, using records of payee details as formerly verified by us or by matching multiple requests made by multiple customers. If there is a cross-verification match in relation to a prospective payee, we may elect not to make a further verification enquiry of the prospective payee. If there is no cross-verification match, eftsure will undertake the verification process described above.
Eftsure’s verification process depends upon confirmation by a prospective payee of their bank account details, or cross-verification by us in the way described above. If a prospective payee does not elect to confirm their bank account, or cross-verification as above described is not possible, eftsure cannot complete our verification process.
We retain a record of payee details that are verified, and a record of details that appear incorrect or unverifiable, for disclosure of verification of those details (but not which eftsure customer requested the verification) to an eftsure customer, including any eftsure customer making an enquiry as to the same payee.
The eftsure payment verification service also maintains records as to amounts paid to payees in order to identify and then flag possible duplicate payments or unusual payment amounts and for associated service assurance, billing and administration by eftsure.
Eftsure retains, uses and discloses records of the identity of businesses with verified account details and of failed verifications, only:
(a) The eftsure payment verification service is provided to assure payers that their payments will go to the correct recipient and prospective payees that payments due to them will be properly credited to their nominated account. eftsure considers that this is a use of information about payees that is reasonably within the contemplation of prospective payees.
(b) As service provider to our customers, we rely upon each eftsure customer that entrusts us with proposed payee names and account numbers and other data, including personal information, to provide any notices and obtain any consents as may be required or desirable to enable the eftsure customer to disclose that data, including personal information, to us, so that we may provide the eftsure payment verification service in accordance with this Statement and with Privacy Laws.
(c) APP 3.6 provides that an APP entity must collect personal information about an individual only from that particular relevant individual unless it is unreasonable or impracticable for the entity to collect personal information only from the individual. Whether it is ‘unreasonable or impracticable’ to collect personal information only from the individual concerned depends on the circumstances of the particular case, including whether the individual would reasonably expect personal information about them to be collected directly from them or from another source, the sensitivity of the personal information being collected, any privacy risk if the information is collected from another source, and the time and cost involved in collecting directly from the individual. It is not reasonable or practicable for eftsure to verify that each individual in relation to whom personal information (not being sensitive information) is provided to us by a customer is aware that personal information will be provided by that business to eftsure.
The EftsureID service enables an eftsure customer payee to provide prospective payers with a simple way to verify that that payee’s bank details are correct before the payer makes payments to the payee.
The eftsure customer is allocated an EftsureID. The eftsure customer may then make available that EftsureID to prospective payers, for example, by reproducing the EftsureID on the eftsure customer’s invoice. The prospective payer may elect to scan that EftsureID, or manually enter the EftsureID details into the Eftsure web page at https://id.eftsure.com.au/. To scan the invoice reproducing the EftsureID, the payee must download the EftsureID app from the iOS or Android store.
In the course of provision of the EftsureID service, eftsure:
Except as above described, eftsure will not otherwise disclose records of the identity of businesses with verified account details and of failed verifications, or details as to payers collected in the course of provision of the EftsureID service to any third party, unless the disclosure is to a third party and:
(a) that third party is a group company of ours, in which case we will require that group company to only use and disclose such records in accordance with this Statement, as if a reference in this Statement to us was a reference to that group company,
(b) that third party is a sub-contractor engaged to provide services to us. This may include disclosure to contractors outside of Australia and located in countries whose Privacy Laws do not provide a similar or equivalent level or scope of protection of personal information as Australian Privacy Laws. In this case we will obtain contractual commitments by these sub-contractors to only use and disclose such records for the purposes of providing services to us in accordance with this Statement.
We will not use any personal information about an individual for a secondary purpose unless:
(a) for the purposes described above,
(b) an individual would reasonably expect that we would use or disclose the personal information for that secondary purpose and that purpose is related to the primary purposes for which it was given to us,
(c) that individual has consented to the use of that personal information for the secondary purpose, or
(d) the secondary use or purpose is required or permitted under law, such as in connection with the sale of some or all of our business or assets, or the disclosure is authorised by the Privacy Laws including to lessen or prevent a serious threat to life or health, to protect the personal safety of the public, if authorised or required by law, if we have reason to suspect that unlawful activity has been, is being or may be engaged in, to enforce the law or where necessary to investigate a suspected unlawful activity, or if we have told an individual that personal information about that individual is usually used or disclosed to third parties in this way.
Parts A and B above describe our handling of personal information in the course of provision of the eftsure payment verification service and the EftsureID service respectively, including use of our internet site to log-in to the eftsure payment verification service.
Other ways that we collect personal information about individuals are as follows.
Some of our service providers that analyse and augment personal information for us provide their services from outside Australia and may store personal information outside Australia. We will take reasonable steps to ensure that those service providers do not breach any applicable Australian Privacy Laws in relation to personal information that they handle on our behalf.
(a) We use tracking code (‘cookies’, pixels or other technology) and collect device identifiers to track access to, and use of, our internet site. The information collected using tracking code and device identifiers is handled by us to mitigate risks that this tracking code might be used to identify a person using a browser or device. We use tracking code to provide a better user experience for users when using our internet site and to improve our internet site. We do not use tracking code to identify a person using a browser or device.
(b) We may also receive tracking code data, device identifiers, log information and other information, from ad serving services or advertising networks and relating to use by other persons of third-party internet sites serviced by those ad serving services or advertising networks. We also use this received tracking code to provide a better user experience for users when using our internet site and to improve our internet site. We do not use tracking code to identify a person using a browser or device.
(c) Our internet site uses technologies of third-party partners, such as NextRoll, to help us recognize your browser device and understand how you use our internet site so that we can improve our services to reflect your interests and serve you advertisements about the products and/or services that are likely to be of more interest to you. Specifically, these partners collect information about your activity on our internet site to enable us to:
(d) We may share data, such as hashed email derived from emails or other online identifiers collected on our internet site with our advertising partners. This allows our partners to recognize and deliver you ads across devices and browsers. To read more about the technologies used by NextRoll and their cross device capabilities please refer to https://www.nextroll.com/privacy.
(e) Our partners such as NextRoll may use non-cookie technologies that may not be impacted by browser settings that block cookies. Your browser may not permit you to block such technologies. For this reason, you may if you wish use the following third party tools to decline the collection and use of information for the purpose of serving you interest based advertising:
(f) Links to other internet sites: Sometimes our internet site contains links to other internet sites. When you access an internet site other than our internet site, we are not responsible for the privacy practices of that site. We recommend that you review the privacy policies of each internet site you visit.
We use personal information to provide products and services and conduct our business.
Please be aware that if you unsubscribe from a mailing list, we will continue to send you important messages that are not marketing communications, such as safety or administrative messages.
(a) Where we collect personal information from an individual directly, we take steps to ensure that the personal information we collect, use and disclose is accurate, up to date and complete. These steps include maintaining and updating any personal information when we are advised by an individual that their information has changed.
(b) Where we collect personal information about an individual from a third party, we rely on that third party to ensure that information it collects is accurate, up to date and complete, subject however to the verification procedures which are at the core of the eftsure service as above described.
(c) An individual may request access to personal information about that individual that is held by us. Subject to any permitted exception under the Privacy Laws, we shall give that individual access to that personal information.
(d) If an individual notifies us that personal information about that individual as held by us is not accurate, we will take reasonable steps to correct that information. To the extent that we have received any personal information indirectly (for example, from a business for which we act as sub-contractor), we may notify that business that it has received a request from an individual to access or correct the personal information it has provided to us.
(e) If you require access to your personal information, please contact www.eftsure.com.au/contact-us.html. Before we provide you with access to your personal information we will require some proof of identity.
(f) For most requests, your information will be provided free of charge, however, we may charge a reasonable fee if your request requires a substantial effort on our part.
(g) If we refuse to provide you with access to the information, we will provide you with reasons for the refusal and inform you of any exceptions relied upon under the APPs (unless it would be unreasonable to do so).
(h) We take reasonable steps to ensure that your personal information is accurate, complete, and up-to-date whenever we collect or use it. If the personal information we hold about you is inaccurate, incomplete, irrelevant or out-of-date, please contact us and we will take reasonable steps to either correct this information, or if necessary, discuss alternative action with you.
We retain personal information after we have used the personal information for the purposes for which we collected or received it.
If we retain such personal information, it will only be used for the following purposes:
(a) as required by or under Australian law, or a court / tribunal order;
(b) as required for professional indemnity insurance; and
(c) in accordance with our back-up archive policy.
When no longer required, eftsure uses its best endeavours to ensure that all such information will be destroyed in a secure manner and in a reasonable time frame.
The security of your personal and confidential business information is important to us.
We take appropriate industry recognised steps to prevent personal and confidential business information we hold from misuse, interference or loss, and from unauthorised access, modification or disclosure. This protection includes the use of technologies and processes such as access control procedures, network firewalls, encryption and physical security.
(a) If an individual:
(i) would like to access or inquire about any personal information we hold about that individual;
(ii) has a query in relation to this Statement; or
(iii) would like to make a complaint about our handling of an individual’s personal information,
please contact us using the details below.
A: Level 6/122 Walker Street
North Sydney NSW 2060
T: 1300 985 976
(b) If you wish to make a complaint about an alleged breach of the Privacy Laws, we ask that you send us your complaint in writing to the email address listed above. We endeavour to respond to complaints within a reasonable period (usually 30 days). If you are not satisfied with our response, you may make a complaint to the Office of the Australian Information Commissioner by phoning 1300 363 992 or by email at email@example.com.
This Statement was last updated on 4 December 2022.