Fraud and Security tips for Merchants
Fraud is on the rise and you’re the first line of defence to safeguard your business. Here are some tips to help keep your business safe.
How can I keep my business safe from fraud?
1. Follow the rules. Always stick to the terms of your merchant agreement and the rules set out by each of the card schemes.
2. Only process genuine cardholders. Make sure a payment is made by the rightful cardholder. An authorisation will not guarantee payment if it is not made by the genuine cardholder. We recommend taking steps to validate the identity of the cardholder where possible.
3. Minimise chargebacks. Be aware of how and why chargebacks may occur to help minimise risk.
4. Refund right. Only process refunds to the card that the initial sale was made on to protect yourself from refund scams.
5. Protect targeted goods. Be careful handing over or shipping goods such as electrical goods, jewellery and computers. Fraudsters often make such purchases with stolen cards, as these items can often be resold quickly and easily.
6. Keep data secure. It is your responsibility to ensure your customers’ payment details remain safe and secure. Learn more at Your Guide to the Payment Card Industry Data Security Standards (PCI DSS).
7. Be scam aware. Keep up with the types of scams that could impact your business by registering with Scam Watch and the Australian Cyber Security Centre (ACSC).
What are the types of fraud?
Terminal takeover
What is a terminal takeover?
A terminal takeover happens when a customer tampers with and takes control of your EFTPOS machine and uses it to carry out fraudulent activities.
How can I prevent terminal takeover?
- Always keep your terminal in sight.
- Educate your frontline staff about this type of fraud.
- Make sure your customers only use the terminal keys to enter a PIN, not a card number.
- Ensure you have the Mail Order and Telephone Order (MOTO) functionality disabled when it is not needed, or you may be liable for chargebacks. If you need help to disable MOTO functionality, please contact our Merchant Helpdesk on 1300 130 190.
Terminal theft
What is terminal theft?
Terminal theft is when criminals steal the physical EFTPOS terminal and replace it with a compromised terminal that looks the same. They can then attempt to process refunds to their own accounts or process transactions using stolen cards.
How can I prevent terminal theft?
- Keep terminals securely behind the counter.
- Educate your staff about fraud and the risks associated with a terminal.
- Create a strong terminal password and keep the 'lock' feature on when the terminal is unattended.
- Keep a list of your terminals, including their make, model, and serial number. Inspect your terminals regularly for any changes or evidence of tampering.
Refund scams
What is a refund scam?
A refund scam can happen when a customer asks for a cash refund or gives you another card that was not used to make the original sale.
How can I prevent refund scams?
Refunds can only be processed by entering a refund password. You will be issued with a refund password when you sign up with BankSA Bank. This password will be a generic number. You are strongly advised to change this password by contacting the Merchant Helpdesk on 1300 130 190.
Tips to keep your password safe
- Ensure your new password is not visible to customers.
- Do not write your password on your terminal.
- Change your password when an employee leaves your business or if you have a high turnover of staff.
- Consider allowing only managers or supervisors to provide refunds.
- Limit the number of people who know your password.
- Change your passwords regularly to prevent unauthorised use of your merchant facility.
Mail Order and Telephone Order (MOTO) fraud
MOTO transactions are made without a physical card or PIN. That’s why businesses that process MOTO transactions have a higher risk of criminal activity, fraud, and chargebacks.
How can I prevent MOTO fraud?
Here’s how you can help to reduce online payment and MOTO fraud:
- Ask for photo ID. If your customer is collecting goods in person, you can confirm their identity matches the card used to make the purchase.
- Check the billing address. Ensure the delivery and billing addresses are consistent. For example, is it a local billing address with a delivery address that is overseas?
- Request the CVV. Ask your customer to provide the CVV2 (Visa®) or CVC2 (Mastercard®). It’s the three-digit number located on the signature panel of the credit card. If the customer is not in possession of the card, it is unlikely they will know this number.
- Get a signature. Ask for a signed receipt from the cardholder when the goods are delivered.
- Be cautious. Is an international card being used for a domestic purchase? Are multiple cards used for a single purchase? These could be signs of fraud.
- Request the name of the cardholder’s bank. Fraudsters who have compromised account details may not know which bank issued the card, so it may be worthwhile asking the customer to verify this.
- Check for a declined response. Don’t continue to attempt an authorisation after receiving a ‘decline’ for the transaction.
- Follow the framework. Be aware of the AusPayNet Card Not Present Fraud Mitigation Framework, which defines the approach to reducing the growing level of online card fraud in Australia.