Hi Mike_MYOB, I would really like an answer to this question (which directly relates to the issue I brought up previously). One of my suppliers today sent an invoice to my company using MYOB's secure payment system, however they didn't have the correct email address so it was forwarded on to my colleague's email address then finally to the admin email which pays the bills. In this chain, every person who opened the email link generated a 'Visa' code which got sent to another colleague. Apparently Click to pay has found my linked cards.
Click to Pay has found your linked cards
Enter the code Visa sent to an•••@mycompany.com.au or ••••••••3400 to confirm it's you.
The people that opened the link were only trying to view the invoice NOT pay it.
We should have no linked cards as my Company does not allow the storing of our credit card information.
If the code was input into the form, would a credit card have been debited? And how would I identify that card if it was in fact linked? (There is no description or 'card ending in ****'.)
How do I contact Click to pay to remove a stored card? That info should be available in that form.
I require contact info from MYOB so I can follow up regarding the storing of credit card information and also the fact that a clear attempt was made to debit a credit card (by the generation of a code) when I only wanted to view the invoice, not pay it. And I have no way of managing stored credit cards if in fact you have one stored.
- Danos, 1 month ago, Contributing Cover User
This user’s experience clearly demonstrates that MYOB’s so-called “Secure Invoicing” system does not provide strong security.
If an invoice link can trigger a “Click to Pay” process and generate Visa authentication codes simply because multiple people opened the link, that is a serious design flaw. It exposes businesses to the risk of unauthorized payment attempts and shows that MYOB cannot guarantee the safety of stored card information.
Under these circumstances, MYOB demanding sensitive personal and business documents for “verification” is unjustifiable. Security should be proven through robust systems—not imposed through intrusive data collection. Until MYOB can guarantee true security and transparency, it should not restrict core invoicing features or force customers into its payment ecosystem.
- AmandaMYOB, 3 months ago, MYOB Moderator
Hey DR321
If you haven't already, please raise a case from your My Account dashboard for this so the team can investigate further for you.
- DR321, 3 months ago, Experienced User
Hi AmandaMYOB, I have just raised a case, and already called support. Unfortunately phone support could not help me because I am the Customer, not the person who issued the invoice. I was told to tell my supplier to call MYOB and to withhold payment until the issue was sorted.
My Company ONLY accepts invoices as PDF, and as I said in a previous comment, I don't want invoices sent from MYOB to contain payment links, links to unpaid invoices, or 'Link to MYOB' UNLESS I CHOOSE TO. My Customers can pay by EFT, Credit card using MY merchant facility or Cash. I don't want or need MYOB's help to receive payment. With Suppliers I will only pay with EFT, BPay, or credit card directly to the supplier.
In this case the supplier has not received payment because MYOB invoices were all going to junk mail, so they decided to send an invoice to my colleague's personal email. Even more annoying is the fact that I have brought up this scenario in a previous comment; your answer will be it's the supplier's fault for forwarding on the bill to the wrong person.
Again I am questioning the security of Secure Invoicing.