Automated EFT startup shows impressive growth

Devinity

Senior Member
Joined
Jan 8, 2014
Messages
501

Something doesn't add up here. From your pic it looks like the headphones cost R250, yet something was charged at $189.95 (assuming USD for the headphones), but the subtotal = 2,178.95 (doesn't say which currency, but assuming ZAR; were other items purchased?), and you only did an EFT for ZAR1,180... that leaves a ZAR998.95 difference.
 

Praemon

Expert Member
Joined
Jan 11, 2007
Messages
1,588
Something doesn't add up here. From your pic it looks like the headphones cost R250, yet something was charged at $189.95 (assuming USD for the headphones), but the subtotal = 2,178.95 (doesn't say which currency, but assuming ZAR; were other items purchased?), and you only did an EFT for ZAR1,180... that leaves a ZAR998.95 difference.

Erm, I think that user was just messing around with their comment. The picture is the header image on the article, presumably just a mock-up supplied by I-Pay themselves, not an actual transaction :p
 

KingMikel

Expert Member
Joined
Aug 18, 2011
Messages
1,113
Okay, thanks for testing it. It is still the same - as I thought (similar to how SID worked) and the proxy scheme is still in place. Proxying it still allows a man-in-the-middle attack (especially server side), and considering how the servers are set up and hosted (I am not saying more, but as a business I would stay very far away from this).

Sites like iPay are open to XSS and CSRF and it will be just a matter of time until a phishing attack happens (similar to one of the large banks last year where they had to recycle 30,000 credit cards).

Looks like it's similar to SID.
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
49,728
Erm, I think that user was just messing around with their comment. The picture is the header image on the article, presumably just a mock-up supplied by I-Pay themselves, not an actual transaction :p

Yep, it was a bad troll attempt.
 

tbvanderspuy

New Member
Joined
Apr 22, 2017
Messages
5
Hi

By way of introduction, I work for a company called Callpay. We launched an instant EFT gateway in South Africa last year. You can read all about it here - http://ventureburn.com/2017/02/eftsecure-allows-merchants-to-accept-more-payments-faster-than-ever

To give you some deeper insight: we act as a proxy between the customer and their bank. Normal settlement periods always apply and we provide the instant payment notification to the Merchant. This has benefits for both the Merchant and the customer. From a Merchant perspective, it allows millions more South Africans to pay them online whilst lowering their very expensive credit card processing fees. For the customer, it is a simple 3-step payment process allowing them to pay using any of their online accounts - cheque, savings and even credit card accounts - in less than 15 seconds.

From a security point of view: whilst the payment is in process, partial sensitive data comes into contact with our environment. At Callpay, we are subjected to some of the toughest security measures out there. The environment goes through multiple penetration tests, including external, internal and web application penetration testing. We have vulnerability scans that run daily and are further subject to the Payment Card Industry Data Security Standard. We have an appointed firm, Sysnet Global Solutions in Ireland, that audits our entire environment and reports back to the various banks and card brands. We go through physical audits, with our QSA from Mauritius coming down every 6 months for an onsite audit as well. PCI is required as the PAN is in the clear with some banks, as they themselves have not yet been able to validate against the stringent measures of PCI DSS. Apart from that, we have various other scans, compliances and certificates in place. Lastly, data is NEVER stored; we provide the Merchant with a guarantee that the payment was done. We also have a buyer's protection program that protects a customer up to R100 000, underwritten by an insurer. I cannot vouch for I-Pay's security measures; I also know that SID is not PCI compliant and this compliance must be done by each Merchant themselves to become compliant as per their Merchant Agreement. We are a full Level 1 PCI DSS v3.2 compliant Service Provider and descope our Merchants 100% from the stringent PCI DSS compliance measures.
2015 - https://sysnetgs.com/2015/07/callpay-certifies-to-pci-dss-v3-1/
2016 - http://www.itweb.co.za/index.php?option=com_content&view=article&id=159696

In many ways it is even safer than a card payment. For me, online banking was designed to be online, whereas card payments were adapted by the massive card brands to work online. It works well in a physical store with chip and PIN. The reason is that a Card Not Present (CNP) transaction can be done in two ways - either Mail Order Telephone Order (MOTO) or 3D Secure. This means that when your sensitive card credentials are compromised, they can be used anywhere in the world without your consent. With banking, not a single bank will do a once-off payment with the customer authorizing that payment. It is basically 3D Secure built into the solution already. Now, it could be possible to charge back a card payment. This in itself can be a very tedious process. As it took many years for consumers to trust entering their credit card payments, people are becoming used to instant EFTs. The eCommerce shop is also very important - the customer places a huge amount of trust in the brand - for payment security as well. For this reason, it is very important also for Merchants to only work with reputable companies that have the measures in place to keep their customers safe whilst shopping online.

And for some marketing: EFTsecure is the most advanced instant EFT payment gateway in South Africa. We allow customers to pay online from any of the major 4 banks, including Capitec and Investec. We are the only EFT solution that can process refunds, an industry first. Our Merchants can "self-host" the payment solution on their site, in a PCI compliant manner. We complete EFT payments, in real time, at a fraction of the time compared to competitors. We offer the lowest processing rates in the industry with a free trial to get you going. Integration is a breeze with our various eCommerce plugins and we have a full suite of APIs for Enterprise Integration. We acquire locally and can also settle funds in 170 other countries. We have recently partnered with various other service providers to allow a Merchant to accept bank transfer payments from customers in over 40 countries. We are also busy integrating directly into two banks via APIs, also an industry first.

For local payments, EFT payments will be a big part of the future. Our Merchants are already processing between 25%-35% of online payments via instant EFT compared to card and other alternative methods. It is simple for me, we are all South Africans - this includes customers and Merchants. We do not need an international MC or VISA rail to manage our local payments. Think about it.

If you have any questions, feel free to PM me. Also, have a look at www.eftsecure.co.za for your online payments. Let me know, I will personally hook you up with the best deal - promise.

Hope my post gives some clarification around instant EFT as a payment method and the security behind at least OUR solution. You can demo the solution here: https://eftsecure.callpay.com/eft/demo?organisation_id=219
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
43,657
Hi

By way of introduction, I work for a company called Callpay...

/snip
Oh wow, sounds pretty neat I will need to give you guys a spin.

Edit: Fees nowhere to be found.
 

Praemon

Expert Member
Joined
Jan 11, 2007
Messages
1,588
Hi

By way of introduction, I work for a company called Callpay...

/snip

That's great and all, but customers are still breaching their banks' agreements by sharing their login details with a 3rd party. It's good that you guys have PCI DSS certification, which helps. But in the unlikely situation that you're compromised, liability will fall firmly on the customer due to them breaching their contract with their bank, and the amounts at stake are much higher than a credit card, if a limit is set.

Unfortunately I think this is the only 100% effective method to do "instant" EFTs though until banks provide APIs, which won't happen anytime soon. So I guess it's whether merchants and customers are willing to take the risk, or use a more error prone method like PayFast.
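The two models discussed in this thread (a gateway that proxies the customer's online-banking login, versus a bank-issued authorization once banks expose APIs) can be made concrete. The following is an added example and not code from Callpay, I-Pay, SID or any bank: it uses a toy in-memory "bank" with HMAC-signed tokens, so the account names, balances and the shape of the token are all assumptions. It shows what each kind of gateway can see and do with the authority it is handed.

```python
"""Added example: credential-proxy gateway vs. bank-issued payment token.

ToyBank is a constructed simulation (not a real bank API). Model A mirrors
the proxy approach described above: the gateway receives the customer's
banking credentials and drives a full session. Model B mirrors a bank API:
the customer authenticates at the bank, which mints a single-use token bound
to one payee and amount; the gateway never sees a password."""
import hashlib
import hmac
import json
import secrets


class ToyBank:
    def __init__(self):
        # Constructed sample account; no real data.
        self._accounts = {"alice": {"password": "hunter2", "balance": 5000}}
        self._key = secrets.token_bytes(32)   # bank-side token signing key
        self._used = set()                    # nonces of redeemed tokens

    def login(self, user, password):
        acct = self._accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            raise PermissionError("bad credentials")
        return user   # session identity: full account authority

    def transfer(self, session_user, to, amount):
        # Any holder of a logged-in session can call this for any payee.
        acct = self._accounts[session_user]
        if amount > acct["balance"]:
            raise ValueError("insufficient funds")
        acct["balance"] -= amount
        return {"from": session_user, "to": to, "amount": amount}

    def issue_payment_token(self, session_user, to, amount):
        # Model B: bank mints a one-time token bound to payee and amount.
        payload = {"user": session_user, "to": to, "amount": amount,
                   "nonce": secrets.token_hex(8)}
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return body.decode() + "." + tag

    def redeem(self, token, to, amount):
        body, _, tag = token.rpartition(".")
        expect = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expect):
            raise PermissionError("forged token")
        p = json.loads(body)
        if p["nonce"] in self._used:
            raise PermissionError("token already used")
        if p["to"] != to or p["amount"] != amount:
            raise PermissionError("token bound to different payment")
        self._used.add(p["nonce"])
        return self.transfer(p["user"], to, amount)


def proxy_gateway_pay(bank, creds, merchant, amount):
    """Model A: the gateway holds the customer's credentials for the flow."""
    log = {"seen_credentials": dict(creds)}     # nothing prevents logging them
    user = bank.login(creds["user"], creds["password"])
    log["payment"] = bank.transfer(user, merchant, amount)
    # The same session carries authority for payments the customer never asked for.
    log["unauthorised_extra"] = bank.transfer(user, "attacker", 1)
    return log


def token_gateway_pay(bank, token, merchant, amount):
    """Model B: the gateway never sees credentials; the token is scoped."""
    log = {"seen_credentials": None,
           "payment": bank.redeem(token, merchant, amount)}
    try:
        bank.redeem(token, "attacker", 1)     # replay / repurpose attempt
    except PermissionError as e:
        log["replay_attempt"] = str(e)
    return log


if __name__ == "__main__":
    b = ToyBank()
    print(proxy_gateway_pay(b, {"user": "alice", "password": "hunter2"}, "shop", 1180))
    b = ToyBank()
    tok = b.issue_payment_token("alice", "shop", 1180)
    print(token_gateway_pay(b, tok, "shop", 1180))
```

The point of the contrast is not that Model A is insecure in the cryptographic sense (the proxy can run over TLS and be PCI audited) but that the authority it receives is the customer's whole session, so every control against misuse is organisational rather than structural; in Model B the bank enforces the amount, payee and single use, which is what an API-based or Authenticated Collections style flow would give merchants.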
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
By way of introduction, I work for a company called Callpay. <snip>

I hope you are not the same guy who ran mytrade.co.za (and if you are, I do hope that your business ethics have evolved since then and you are nowadays refraining from insults like you used to dish out on Silicon Cape - no reason to dig that up, but you and I know exactly what was going on).

Slagging off competitors such as SID or i-Pay and questioning their security / PCI compliance is not just unprofessional but also a moot point. Let's remember that PCI stands for Payment Card Industry and is generally not a requirement for EFT processing, but rather indicates that a company has a level of commitment to security. A PCI certification is however unnecessary if a company does not store or process credit card information (which I assume is the case with an EFT payment gateway).

FWIW and to satisfy my curiosity:
- As a payment company I would expect that all your sites are HTTPS and possibly use a stronger cert (EV perhaps than just a Comodo SSL)
- Although you mention PCI, it would be worthwhile to note where your payment information is processed (as far as I can see it's AWS - would love to see that PCI certification and audit).
- How would you do "physical audits" if your sites are hosted with AWS in Ireland?
- I am also curious how a payment plugin can be self-hosted on anyone's server in a PCI compliant manner - this is impossible. The plugin itself might be PCI compliant, but there is no guarantee that the hoster is.
- I think it would be worthwhile to mention any local compliance (such as registration with PASA or similar)
- Your website is as broken as it can be - https://www.webpagetest.org/result/170425_J9_CJ9/

Sorry to say, but I will be as critical about this as about some of your previous ventures - the above reads very much like just a lot of marketing vapourware, and some of the claims are irrelevant to EFT payment processing.
 

tbvanderspuy

New Member
Joined
Apr 22, 2017
Messages
5
That's great and all, but customers are still breaching their banks' agreements by sharing their login details with a 3rd-party. It's good that you guys have PCI DSS certification, which helps. But in the unlikely situation that you're comprised, liability will fall firmly on the customer due to them breaching their contract with their banks, and the amounts at stake are much higher than a credit card, if a limit is set.

Unfortunately I think this is the only 100% effective method to do "instant" EFTs though until banks provide APIs, which won't happen anytime soon. So I guess it's whether merchants and customers are willing to take the risk, or use a more error prone method like PayFast.

The banks are all in the process of looking at open APIs. We are currently engaged with more than one bank on direct APIs. It will take a while; most probably we will have to wait until PSD2 in Europe has been completed. The main reason is that the banks are very scared to lose control over transaction banking.

I see your thought around error-prone methods such as instant EFT through PayFast. There are shortfalls, such as only 4 banks being supported, and then you as the Merchant are prone to "Sorting at Source". This is completely prohibited by PASA and the Payment Systems Act, a potential risk you need to carry as a Merchant.
 

tbvanderspuy

New Member
Joined
Apr 22, 2017
Messages
5
FWIW and to satisfy my curiosity:

Hey Magicdude

I dropped you a PM. Appreciate your post.

This is the exact reason I made my post, to display the security behind the scenes. If you or anyone else has more questions around the type of solution and any security questions - feel free to PM me any time. Together we grow our knowledge and consumers understanding that will quicker lead to eliminating fears of online shopping.

For now, time to go and get ready for AfrikaBurn
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
43,866
Why would you want to use this instead of just your debit/credit card?
 

Idiosyncratic

Expert Member
Joined
Oct 10, 2015
Messages
2,330
... then you as the Merchant are prone to "Sorting at Source". This is completely prohibited by PASA and the Payment Systems Act, a potential risk you need to carry as a Merchant.

Please clarify this - what is "Sorting at Source"?
 
Joined
Dec 7, 2010
Messages
78,906
Please clarify this - what is "Sorting at Source"?

Sort at Source is when a merchant is multi-banked (banked at multiple banks) and uses the bank which matches yours to process a transaction, thus eliminating inter-bank interchange fees.
 
Joined
Dec 7, 2010
Messages
78,906
That's great and all, but customers are still breaching their banks' agreements by sharing their login details with a 3rd-party. It's good that you guys have PCI DSS certification, which helps. But in the unlikely situation that you're comprised, liability will fall firmly on the customer due to them breaching their contract with their banks, and the amounts at stake are much higher than a credit card, if a limit is set.

Unfortunately I think this is the only 100% effective method to do "instant" EFTs though until banks provide APIs, which won't happen anytime soon. So I guess it's whether merchants and customers are willing to take the risk, or use a more error prone method like PayFast.

When Authenticated Collections is in full swing and implemented in the envisioned way... merchants will be able to easily get paid via EFT. Yes, it won't be instant, but it will be more secure and assurance of payment more definite.
 

tbvanderspuy

New Member
Joined
Apr 22, 2017
Messages
5
When Authenticated Collections is in full swing and implemented in the envisioned way... merchants will be able to easily get paid via EFT. Yes, it won't be instant, but it will be more secure and assurance of payment more definite.

+1 - Agree 100%, it would go a long way.
 

Pho3nix

The Legend
Joined
Jul 31, 2009
Messages
29,598
When Authenticated Collections is in full swing and implemented in the envisioned way... merchants will be able to easily get paid via EFT. Yes, it won't be instant, but it will be more secure and assurance of payment more definite.

When is this happening though :(
 

Praemon

Expert Member
Joined
Jan 11, 2007
Messages
1,588
When Authenticated Collections is in full swing and implemented in the envisioned way... merchants will be able to easily get paid via EFT. Yes, it won't be instant, but it will be more secure and assurance of payment more definite.

I don't see how Authenticated Collections will help merchants for day to day transactions though? From what I understand, it's just a mechanism for the consumer to approve debit orders. Debit orders are still costly, and can't be used for day to day transactions. So great for companies that have subscription models, but no real benefit to retailers and other businesses.
 
Joined
Dec 7, 2010
Messages
78,906
I don't see how Authenticated Collections will help merchants for day to day transactions though? From what I understand, it's just a mechanism for the consumer to approve debit orders. Debit orders are still costly, and can't be used for day to day transactions. So great for companies that have subscription models, but no real benefit to retailers and other businesses.
Call centre and online it will work, but not in store, agree
 