Hi Mike_MYOB, I would really like an answer to this question (which directly relates to the issue I brought up previously). One of my suppliers today sent an invoice to my company using MYOB's secure payment system; however, they didn't have the correct email address, so it was forwarded on to my colleague's email address, then finally to the admin email which pays the bills. In this chain, every person who opened the email link generated a 'Visa' code which got sent to another colleague. Apparently Click to Pay has found my linked cards.
Click to Pay has found your linked cards
Enter the code Visa sent to an•••@mycompany.com.au or ••••••••3400 to confirm it's you.
The people that opened the link were only trying to view the invoice NOT pay it.
We should have no linked cards as my Company does not allow the storing of our credit card information.
If the code was input into the form, would a credit card have been debited? And how would I identify that card if it was in fact linked? (There is no description or 'card ending in ****'.)
How do I contact Click to Pay to remove a stored card? That info should be available in that form.
I require contact info from MYOB so I can follow up regarding the storing of credit card information and also the fact that a clear attempt was made to debit a credit card (by the generation of a code) when I only wanted to view the invoice, not pay it. And I have no way of managing stored credit cards if in fact you have one stored.
This user’s experience clearly demonstrates that MYOB’s so-called “Secure Invoicing” system does not provide strong security.
If an invoice link can trigger a “Click to Pay” process and generate Visa authentication codes simply because multiple people opened the link, that is a serious design flaw. It exposes businesses to the risk of unauthorized payment attempts and shows that MYOB cannot guarantee the safety of stored card information.
Under these circumstances, MYOB demanding sensitive personal and business documents for “verification” is unjustifiable. Security should be proven through robust systems—not imposed through intrusive data collection. Until MYOB can guarantee true security and transparency, it should not restrict core invoicing features or force customers into its payment ecosystem.