Protecting your business from payment fraud

In the modern Australian retail environment, accepting card payments is essential, and your EFTPOS machine is the gateway to your income. However, as payment technology evolves, so do the methods fraudsters use to target businesses.
Protecting your electronic funds transfer point of sale (EFTPOS) terminal and customer data isn’t just a best practice; it’s a critical component of maintaining trust, avoiding costly chargebacks, and ensuring the long-term sustainability of your business.
This article outlines common types of fraud that can affect Australian merchants and provides clear, actionable steps you can take to protect your EFTPOS terminals and business operations.
Understanding common types of payment fraud
Payment fraud can generally be divided into two main categories: “card present” fraud, which occurs in-store, and “card not present” (CNP) fraud, which occurs remotely. While CNP fraud accounts for the vast majority of card fraud in Australia, in-store fraud involving your terminal is a significant risk that directly impacts your physical transactions.
1. Terminal tampering and skimming (card-present fraud)
This is a physical attack on your EFTPOS terminal.
- Skimming: Criminals use devices known as ‘skimmers’, installed on or inside the terminal, to copy card data from the magnetic stripe. They often use small hidden cameras or keypad overlays to capture the customer’s PIN at the same time. The stolen data is then used to create counterfeit cards.
- Terminal swap or substitution: A scammer can steal your genuine terminal and replace it with a tampered device that looks and works normally. Alternatively, “terminal hijacking” occurs when a customer handles your machine themselves and manipulates the transaction, usually by keying card details manually or changing the transaction type.
2. Card Not Present (CNP) fraud
CNP fraud occurs when a transaction is made without a physical card present, typically online, over the phone (MOTO – Mail Order/Telephone Order), or via email. In this scenario, the merchant often bears responsibility for fraudulent transactions (chargebacks), which can be very costly.
- MOTO fraud: A fraudster places an order by phone or online and has stolen card details manually keyed into the terminal or an online payment gateway. Manually keyed transactions are considered high risk because the cardholder usually cannot be verified.
- Card testing: Fraudsters use automated programs to test stolen card details, making many small purchases on a website until an approved transaction confirms that a card is valid.
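Card testing leaves a recognisable pattern in a merchant’s own gateway or terminal transaction records: bursts of small-value attempts, usually mostly declined, from one source or against one card. The script below is an added example, not code from the original article or from any payment provider; it assumes a hypothetical CSV export with the columns timestamp, card_token, source_ip, amount and result, and runs a sliding-window velocity check over a constructed sample. The thresholds (a 10-minute window, five attempts, amounts up to $5) are assumptions to tune for your own sales volume.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime
from io import StringIO

# Constructed sample of gateway transaction records (hypothetical export format).
# The first burst shows one source testing six different cards at $1.00;
# the second shows one card being retried with small amounts until approved;
# the last two rows are ordinary purchases that should not be flagged.
SAMPLE_LOG = """\
timestamp,card_token,source_ip,amount,result
2024-05-01T10:00:01,tok_a1,203.0.113.10,1.00,declined
2024-05-01T10:00:05,tok_a2,203.0.113.10,1.00,declined
2024-05-01T10:00:09,tok_a3,203.0.113.10,1.00,declined
2024-05-01T10:00:14,tok_a4,203.0.113.10,1.00,declined
2024-05-01T10:00:20,tok_a5,203.0.113.10,1.00,declined
2024-05-01T10:00:25,tok_a6,203.0.113.10,1.00,approved
2024-05-01T10:01:00,tok_b1,198.51.100.7,1.50,declined
2024-05-01T10:03:00,tok_b1,198.51.100.7,1.50,declined
2024-05-01T10:06:00,tok_b1,198.51.100.7,2.00,declined
2024-05-01T10:09:00,tok_b1,198.51.100.7,2.00,declined
2024-05-01T10:11:00,tok_b1,198.51.100.7,2.50,approved
2024-05-01T11:00:00,tok_c9,192.0.2.44,89.95,approved
2024-05-01T11:30:00,tok_c9,192.0.2.44,45.00,approved
"""


def parse_log(text):
    """Parse the CSV export into dicts sorted by timestamp."""
    rows = []
    for rec in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(rec["timestamp"]),
            "card": rec["card_token"],
            "ip": rec["source_ip"],
            "amount": float(rec["amount"]),
            "result": rec["result"],
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def detect_card_testing(text, window_seconds=600, max_amount=5.00, min_attempts=5):
    """Flag bursts of small-value attempts within a sliding time window.

    Two views are kept: attempts per source IP (one attacker cycling through
    many stolen cards) and attempts per card token (one card retried until it
    is approved). Each key is reported once, when it first crosses the threshold.
    """
    alerts = []
    by_ip = defaultdict(deque)
    by_card = defaultdict(deque)
    flagged = set()
    for r in parse_log(text):
        if r["amount"] > max_amount:
            continue  # normal-sized purchases are outside this rule
        for key, store, kind in ((r["ip"], by_ip, "source_ip"),
                                 (r["card"], by_card, "card_token")):
            window = store[key]
            window.append(r)
            # Drop attempts that fell out of the time window
            while (r["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= min_attempts and (kind, key) not in flagged:
                flagged.add((kind, key))
                alerts.append({
                    "kind": kind,
                    "key": key,
                    "attempts": len(window),
                    "distinct_cards": len({x["card"] for x in window}),
                    "declines": sum(1 for x in window if x["result"] == "declined"),
                    "first": window[0]["ts"].isoformat(),
                    "last": r["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE_LOG):
        print(alert)
```

An alert on a source with many distinct cards is the strongest signal; an alert on a single card with repeated declines followed by an approval is the one to check before shipping that order, because the approval is exactly what the fraudster was waiting for.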
3. Refund fraud
Fraudsters abuse the refund process to convert stolen card data or fraudulent sales into cash.
- Refund to a different card: The fraudster will typically make a purchase with a stolen card and then request that the refund be processed to a different card (their own card) or a different payment channel (such as wire transfer or cash). To protect your business from this fraud, always make refunds to the original card used for the purchase.
- Employee fraud: This high-risk insider threat involves an employee issuing a fraudulent credit or refund to their own account or a friend’s card.
Basic security precautions for your EFTPOS machine
As a merchant, it is your responsibility to verify both the card and the cardholder on every transaction. The physical security of your EFTPOS terminal is paramount.
Physical security checklist
You and your staff should perform these checks daily and throughout the day:
- Keep it visible and safe: Always keep your terminal in a safe place, preferably behind the counter, and never leave it unattended. Make sure all terminals are securely locked away when closing your store.
- Check for tampering: Inspect your terminal regularly for signs of tampering, such as:
  - A loose or damaged casing.
  - Unusual or additional cables that were not there before.
  - Broken, peeled or missing security stickers.
  - Anything that covers or obscures the keypad or card slot.
  - An unfamiliar or modified machine.
- Get to know your terminal: Record your terminal’s make, model and serial number so that a swapped or altered device can be identified quickly.
- Control access: Ensure that only authorized and fully trained employees have access to the terminal and to your business’s terminal passwords.
Process best practices
Train your staff on these important steps to detect and prevent fraud during sales:
- Verify the authenticity of the card: Examine the card. Never accept a card that is visibly damaged, altered or expired.
- Avoid manual keying: Never manually key a transaction if a physical card is present. Manually keyed transactions carry high risk, and financial liability for fraud often shifts to the merchant. Also, never allow the customer to manually enter card details into the terminal.
- Process refunds correctly: Only issue refunds to the card used for the original purchase. If the customer insists on a refund to a different card or in cash, politely decline and ask them to return with the original card.
- Watch out for suspicious behavior: Be wary of customers who appear nervous, cannot provide identification, or want to split a large transaction into smaller amounts.
- Protect terminal passwords: Change the default passwords on your terminal and keep all passwords secure and confidential. Consider limiting password access to a small group of senior staff.
- Respect declines: If a card is declined, do not attempt to re-authorize it. Request an alternative form of payment.
The role of PCI DSS compliance
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not just a recommendation; it is a mandatory security standard for all Australian merchants that accept, process, store or transmit cardholder data. Adherence to PCI DSS is typically a contractual requirement in your merchant agreement with your acquiring bank and the card schemes (Visa, Mastercard, etc.).
PCI DSS is a framework of 12 requirements designed to ensure you maintain a secure payment environment, protect your customers’ sensitive information, and reduce the risk of fraud.
Basic PCI DSS principles regarding EFTPOS:
- Protect cardholder data: Make sure that stored cardholder data is protected, usually through encryption.
- Restrict physical access: Implement strong controls to restrict physical access to cardholder data and payment devices such as your terminal. You must verify that your EFTPOS devices are protected from tampering and alteration.
- Create and maintain a secure network: Ensure that secure systems and networks are in place, which typically include firewalls and strong, regularly changed passwords, not vendor-provided defaults.
- Maintain an information security policy: Have a clear policy on staff training and incident response.
Using a modern, compliant EFTPOS machine with features such as end-to-end encryption can significantly reduce your compliance burden (scope reduction) and minimize your risk exposure. You should also make sure that any third-party providers you use are PCI DSS certified.
Be proactive: Staff training and vigilance
The greatest defense against payment fraud is a well-trained and attentive staff.
- Regular training: Regularly train all new and existing employees on how to spot counterfeit cards, recognize suspicious customer behavior, and follow strict procedures regarding terminal security and processing refunds.
- Daily checks: Add physical terminal checks to your opening and closing procedures. Make sure all terminals are accounted for and appear untampered.
- Know who to call: Have the emergency contact numbers of your merchant support and payment provider ready to immediately report a missing or suspected tampered terminal.
By adopting a proactive security posture, from physically securing your EFTPOS machine to complying with PCI DSS requirements, you protect not only your profits but also the trust your customers place in you.