This invention uses separate, parallel communication channels to authorise and authenticate a transaction. A primary data channel (PSTN, radio or the like) is used to communicate between the merchant terminal and the bank, and a parallel data channel (a mobile phone network for instance) is used for the authentication process. In the example, the transaction is initiated (on a primary data channel), using a POS terminal as a transaction processing client. The transaction processing server and financial services provider fulfill their normal functions. At this point, the process loops into a transaction authorisation component using the parallel data channel, that requires authentication of the transaction initiator (the card holder). In the example, communications on the parallel data channel are by way of SMS. In the authorisation process, the card holder receives an SMS requesting authorisation of the transaction. If the card holder is not the transaction initiator, the card holder can cancel the transaction. If the transaction can be authorised, an authentication process is initiated in which the mobile phone is programmed to require the entry of a normally secret code (such as a personal identification number (PIN)) that serves to authenticate the card holder and to give final authorisation of the transaction.