Maintaining secrecy and security of your Passcodes and Devices is very important, as whoever has access to them may be able to perform transactions on your account and DEFT Facility. By following these requirements, you can assist in preventing unauthorised transactions on your account.
Failure to observe these requirements may mean that you are liable for losses caused by unauthorised transactions.
7.1 Inform us of any security compromise ASAP
You must inform us as soon as you become aware of any Passcode or Device having potentially been misused, lost or stolen, had their security breached, or you otherwise suspect the security or secrecy of them may be compromised.
You can contact us 24 hours a day, seven days a week by calling us on 13 31 74.
You must give us any information that you have or can reasonably obtain regarding the loss, misuse, theft or other compromising circumstance.
7.2 Keep your devices and card details secure
You must take all reasonable steps to protect the security of your Devices – eg computers, mobile phones, tablets or any other device which can access DEFT.
Reasonable steps include:
- protecting your Devices from viruses;
- not maintaining or automating passwords within your Device;
- taking care to prevent anyone from seeing your card details when you use them to make a payment;
- setting screen locks, strong passwords and ensuring that others do not have access to the use of your Device; and
- logging out from DEFT at the end of each session.
If you use biometric information to access your Device, you must ensure that no other person’s biometric information is stored on the Device. Subject to clause 7.4(a), we will treat as authorised, and you will be responsible for, any transactions performed using the biometric information of someone else that has been used to access the Device.
You acknowledge that, for security purposes, we reserve the right at any time to log you out of DEFT, for example if you are inactive for a period of time after having logged on.
7.3 Keep all Passcodes secret
To protect your Passcodes you must:
- not disclose any Passcode to anyone, including a family member or friend;
- take care to prevent anyone seeing a Passcode being entered into a telephone or Device;
- try to commit all Passcodes to memory and not record them by any means (including by storing them on a Device) without making a reasonable attempt to disguise them;
- not write or indicate your Passcode (whether disguised or not) on your Device, or on other articles which could be lost or stolen simultaneously with the Device (eg a phone case) unless you have made a reasonable attempt to disguise or protect the security of the Passcode;
- not choose a Passcode which can be easily guessed including, for example, a Passcode that uses repeated characters, consecutive numbers, or a Passcode that represents a recognisable part of your name, birth date, telephone number, driver’s licence number or similar;
- change all Passcodes at regular intervals;
- not act with extreme carelessness in failing to protect the security and secrecy of your Passcode(s); and
- report any disclosure, loss, theft, misuse or suspected breach in the security of your Passcode(s) in accordance with section 7.1.
The following are examples of what IS a reasonable attempt at disguising a Passcode:
- hiding or disguising the Passcode:
  - within the place you have recorded it, or amongst other records; or
  - in a place where such a code would not be expected to be found;
- keeping any record of the Passcode in a securely locked container; or
- preventing unauthorised access to an electronically stored record of the Passcode.
The following are examples of what is NOT a reasonable attempt at disguising a Passcode – recording it:
- in reverse order;
- as a telephone number in a place where no other numbers are recorded;
- as a telephone number where the Passcode is in its correct sequence;
- as a sequence of numbers or letters with any of them marked to indicate the Passcode;
- as a date (including a birth date) or as an amount; or
- in any other way that can be easily identified.
Where you are able to set your own Passcode you must not select:
- a numeric code which represents your date of birth; or
- an alphabetical code which is a recognisable part of your name.
7.4 Unauthorised transactions and when you are responsible for them
Your liability for unauthorised transactions is determined in accordance with the ePayments Code. We have reflected the main provisions within this section. Where there is any inconsistency between this section and provisions of the ePayments Code then the ePayments Code prevails. This section 7.4 also prevails to the extent of any inconsistency between other provisions of this PDS.
An unauthorised transaction is one which is not authorised by you, and occurs without your knowledge or consent – eg you notice a transaction on your statement which you know nothing about.
By contrast, an authorised transaction is one which is authorised by you and occurs with your knowledge and consent. Unfortunately, some scams fall into this category because the scammer has convinced you as to the legitimacy of the transaction or payment details and you’ve authorised the payment to occur.
In order to minimise the risk of an unauthorised transaction occurring, you must follow the security requirements set out in sections 7.1 – 7.3. If you don’t and this contributes to an unauthorised transaction occurring, then you may be held responsible for those transactions.
If you unreasonably delay informing us about the security compromise of any Passcode or Device, then you may be held responsible for any unauthorised transactions that result.
a. When you are not liable
You are not liable for loss arising from an unauthorised transaction that occurs:
- after you have informed us that the relevant Passcode or Device has been compromised (eg lost, stolen, misused);
- before you received a Passcode, where the Passcode was required to perform the unauthorised transaction;
- due to the same transaction being incorrectly debited or credited more than once to the same account;
- due to the fraudulent or negligent conduct of our employees or agents;
- due to the fraudulent or negligent conduct of any companies involved in the electronic transaction system or merchants in the system, or their employees or agents;
- where access to DEFT had been enabled without entering a Passcode; or
- where it is clear that you did not contribute to the loss.
You can help limit your liability by observing the security requirements in sections 7.1 – 7.3.
System or equipment malfunction
You are not liable for loss caused by the failure of any system or equipment to complete a transaction, which is shown as being accepted by that system or equipment. However, to the extent that you should reasonably have been aware that any system or equipment was unavailable or malfunctioning, our liability is limited to correcting errors in your Account and refunding any fees or charges that you have incurred as a result.
b. When you are liable
You are liable for losses arising from unauthorised transactions that occurred before we are notified of the breach of security in relation to a Passcode where:
- you haven’t followed the security requirements in sections 7.1 – 7.3;
- you’ve acted with extreme carelessness in failing to protect the security or secrecy of a Passcode;
- you’ve unreasonably delayed informing us about a breach of security or secrecy in relation to any Passcode (although you will only be liable for the losses that occur after you become aware, or should reasonably have become aware, of the breach of security); or
- you’ve committed fraud.
However, you are not liable for that portion of the loss on any one day, or in any period, that exceeds any applicable daily, or periodic, transaction limit of DEFT.
In any assessment of liability we must prove on the balance of probability that these events caused the loss, taking into account any other contributing causes.
Except where this PDS or the ePayments Code provides otherwise, you are responsible for all authorised transactions which are carried out with your knowledge and/or consent.
If we are unable to be contacted by phone because our lines are unavailable, you will not be liable for unauthorised transactions which could have been prevented had we been contactable, provided we are told within a reasonable time after our telephone facilities become available again.
Where your liability is limited
Where a Passcode is required to perform a transaction and we do not establish that you have contributed to the loss in the ways set out above, then your liability for loss arising from an unauthorised transaction that occurs before you tell us about the breach of security in respect of a Passcode or Device is limited to $150 or such lesser amount as determined in accordance with the ePayments Code.