POLi Payments

POLi Payments Pty Ltd (formerly known as Centricom) is an online payments company based in Melbourne, Australia. It is the developer and provider of POLi, an online payment system that is used by merchants and customers in Australia and New Zealand. POLi Payments was acquired by SecurePay Holdings, a fully owned subsidiary of Australia Post, in December 2014.

POLi enables customers to pay for goods or services directly from a merchant's website without the need for a credit card, but by using a direct connection to the user's internet banking. A benefit is that the merchant receives an instant receipt and that customers do not have to register to use POLi. The service is used in Australia and New Zealand with its largest merchants being Jetstar, Virgin Australia, Air New Zealand, Sportsbet and Sportingbet.

The service has attracted widespread criticism from banks     and others. The service has also been implicated in enabling payments that could be used for illegal gambling.

In 2023, Australia Post announced they would close the Australian arm of POLi Payments in September.

History
POLi Version 3 was released in July 2012 and enabled payments on Macs and mobile devices; neither was possible on previous versions. The implementation logs into a user's online banking interface from an automated virtual machine using a user's provided bank credentials, in order to direct debit the purchase amount.

Version 2 is a .NET Framework ClickOnce application. This version is still operational in New Zealand Payments for several banks. This version to was built with security at the expense of user experience, as the process of downloading the .NET ClickOnce application is poor, and requires additional plugins for Firefox and Chrome.

POLi Version 1 was an ActiveX control. This version was used by some, but never gained traction due to security concerns with ActiveX. This version is no longer operational. Greg Day, a security analyst at McAfee stated "Using ActiveX for online payments is the kind of thing that would make me run a mile. [It] is probably the most used route for hackers to get in ... and steal personal information.". Since 2008 the system has been operating on the .NET technology platform. This still gives rise to possible security breaches via downloading untrusted software, and the possible infiltration of malware.

In July 2023, Australia Post announced that the Australian arm of POLi Payments would close down at the end of September that year.

Security concerns
Although POLi Payments stresses that security is a high priority, concerns remain regarding exposing the user's banking credentials to POLi, and liability for fraudulent transactions.

ASB Bank, one of New Zealand's largest banks, has responded to POLi with a release stating that POLi is "spoofing/mirroring" their on-line banking pages and capturing customer information, and "due to the serious security and fraud risks" recommending that their customers not use it. The release also claims that ASB has asked POLi to remove support for ASB customers from their service. POLi responded to the ASB advisory with an announcement, refuting the claims, and apparently reverting the version of the payment system.

ANZ New Zealand, Bank of New Zealand, Kiwibank, Commonwealth Bank, Westpac, Bank of Queensland, Bank Australia and Police Bank are also warning customers against using POLi.

ANZ and Kiwibank have further advised that use of POLi invalidated the bank's online guarantee, potentially making the customer liable for any losses if their online banking account were to be compromised. POLi's terms and conditions note "We are not making any representation that we or POLi™ have the approval or, an affiliation with, or any licence from or agreement with your financial institution to operate or make POLi™ available for use by you."

Unlike payments via credit cards, payments made via POLi cannot be reversed by the bank, nor are users protected under chargeback rules usually associated with major purchases undertaken using Credit or Debit Card payments. As a result, users may experience issues in seeking refunds or reimbursements for services not delivered, such as cancelled air flights or tickets.

Version 1 and 2 that used the ActiveX and .NET platforms have additional security concerns regarding the integrity of this software and compatibility with non-Windows platforms.