eftpos is the safe and convenient way for your customers to pay using their own money. Because it is based on a PIN rather than a signature, it has one of the lowest fraud rates in the world.
Unlike most credit cards, eftpos does not have a 'charge-back' regime in which the merchant carries the loss associated with a fraudulent transaction. If a fraudulent eftpos transaction does occur, you as the merchant will usually only bear the loss if the fraud is a result of non-compliance.
But no matter how secure a card payment system is, fraud is a risk for any merchant. Attempts at card skimming in particular have been widely detected. Skimming is where personal details are illegally captured from the card’s magnetic stripe and then used to produce counterfeit duplicate cards. Often, fraudsters attempt to capture the user's PIN by "shoulder-surfing" or the use of hidden cameras.
Here are some tips to help safeguard your business from card fraud:
Keep a list of all eftpos terminals on your premises, detailing:
- The make, model and serial number
- Where each terminal is kept
- Any stickers on the terminal and where they are placed
- The type of cables connected to the terminal.
Conduct daily checks of your eftpos terminals:
- Take careful note of the little things that are unique to your terminal and the surrounding area at the start of each shift to ensure there has been no tampering
- Check for any new or unknown items of electronic equipment connected to the eftpos terminal
- Check the cables, ensure the serial number is the same, ensure receipts are printed with your correct business details, and ensure the area is clear of hidden cameras.
Take action to prevent card fraud:
- Don't leave your terminal unattended. Lock the terminal away if you have to leave the register area
- Give your staff a checklist to complete on each shift, including checking cables haven't been tampered with
- Verify the credentials of service staff or "official" visitors to your premises. Don't allow unannounced service visits or inspections
- Make sure that connection of a new terminal or one that has been secured overnight is only done by authorised personnel, and preferably two staff members
- Only use terminals that have been approved by the Australian Payments Clearing Association and are listed on its website.
- Always use a legitimate distributor (such as your bank) and be wary of refurbished terminals
- Dispose of old terminals securely – try to return them to the original vendor (most likely your bank).
Protect against risk of PIN capture:
- Check false ceilings above where your terminal is kept
- Check boxes near the eftpos terminal containing leaflets and charity donations
- Be alert to any changes to the area around the eftpos terminal - they may mean a hidden camera
- Make sure your surveillance camera covers the area in which your eftpos terminal is located, but is not able to record PINs being entered by your customers.
Take extra care where:
- There is only one staff member working on the premises
- Your business is in an isolated or remote location
- Your business is left unattended or closed for a period
- Terminals are occasionally unattended
- Wireless terminals are in use (it can be harder to keep track of these terminals at all times).
To protect your eftpos terminal connections:
- Ensure the point at which your eftpos terminal connects to the network is not easily accessible to the general public. This will make it more difficult for criminals to simply "plug in" and activate a replacement eftpos terminal
- Make sure a warning notification or alarm activates when an eftpos terminal is removed or replaced in the network
- Make sure that your policies and procedures include a requirement that when an eftpos terminal is connected or reconnected, authorisation must be given before it can "go live".
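The terminal list, the daily checks and the removal or replacement alert described above can all be driven from one register. The following is an added example, not part of the original tips: the terminal IDs, makes, serial numbers and the `shift_check` function are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Terminal:
    make: str
    model: str
    serial: str
    location: str
    cables: frozenset    # cable types connected to the terminal
    stickers: frozenset  # (sticker, placement) pairs

# Constructed sample register: every value here is made up for illustration.
REGISTER = {
    "counter-1": Terminal("ExampleCo", "X100", "SN-0001", "front counter",
                          frozenset({"power", "ethernet"}),
                          frozenset({("asset tag", "underside")})),
    "counter-2": Terminal("ExampleCo", "X100", "SN-0002", "back counter",
                          frozenset({"power", "ethernet"}),
                          frozenset({("asset tag", "underside")})),
}

def shift_check(register, observed, authorised=frozenset()):
    """Return (terminal_id, finding) pairs for anything that differs from the register."""
    alerts = []
    for tid, expected in sorted(register.items()):
        seen = observed.get(tid)
        if seen is None:
            alerts.append((tid, "terminal missing or removed"))
            continue
        for field in ("make", "model", "serial", "location", "stickers"):
            if getattr(seen, field) != getattr(expected, field):
                alerts.append((tid, f"{field} differs from register"))
        for cable in sorted(seen.cables - expected.cables):
            alerts.append((tid, f"unknown cable or device: {cable}"))
        for cable in sorted(expected.cables - seen.cables):
            alerts.append((tid, f"expected cable absent: {cable}"))
    # A terminal that is not in the register must be authorised before it goes live.
    for tid in sorted(observed.keys() - register.keys()):
        if tid not in authorised:
            alerts.append((tid, "unregistered terminal, hold until authorised"))
    return alerts

# Constructed shift observation: counter-1 has a swapped serial and an extra
# lead, counter-2 is gone, and an unknown terminal has appeared.
OBSERVED = {
    "counter-1": replace(REGISTER["counter-1"], serial="SN-9999",
                         cables=frozenset({"power", "ethernet", "usb"})),
    "counter-3": replace(REGISTER["counter-2"], serial="SN-0003"),
}

if __name__ == "__main__":
    for tid, finding in shift_check(REGISTER, OBSERVED):
        print(f"ALERT {tid}: {finding}")
```

Any alert from the check is a reason to follow the tampering procedure rather than to keep trading on that terminal.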
Suggestions for protecting your employees:
- Don't allow staff access to CCTV equipment
- Perform background checks on new staff
- Allow only senior staff to replace terminals and perform checks, and if possible have two staff members undertake these activities together
- Conduct random checks to ensure staff members are complying with these guidelines.
If you suspect an eftpos terminal has been tampered with or if you notice anything suspicious, disconnect the terminal immediately and contact your eftpos services provider (normally your bank). Keep the eftpos terminal in a secure place so that any evidence, such as fingerprints, is preserved.
Tips sourced from the Australian Payments Clearing Association.