I had this posted to the ebanking/technology area, but since I am new to bankers online I decided to post it here as well.

The Merchant Capture solution being presented requires, software to be installed at the client site, using a broadband connection and password to submit files to host processor. Additionally, these files will be encrypted and are being sent to the processor via port 80 (http) not 443(https). Is this subject to Multi-factor Authentication - since the check images (w/customer information and signature) will be electronically transmitted over the Internet encrypted? I have questioned this and the VP of R&D in the eBusiness department indicates since the merchant site is using software installed on their PC and a password is required to make connection to the transmission point, he doesn’t believe that this falls into a program that needs multi-factor authentication. Please advise

I learned that multi-factor authentication is not required simply because a bank offers internet banking services to its customers. The interagency guidance suggests that the multi-factor authentication principles should be considered for all electronic banking activities (so it could be interpreted to include merchant capture systems). Regardless, if your bank performs a risk assessment in regard to merchant capture activities ... and it's determined that the existing controls and processes adequately protect the integrity, security and reliability of the data files ... then it seems you could argue that multi-factor authentication measures are not necessary (based on the sufficiency of the layered security and/or other controls in place). Otherwise, your bank may want to pursue other security measures (e.g., multi-factor authentication) if existing controls and processes are not adequate.