eftpos is the safe and convenient way for your customers to pay using their own money. We have offered PIN-based security since eftpos was first launched in the mid-1980s, and still have the lowest fraud rates in Australia today. eftpos Members are now rolling out eftpos-only cards with eftpos Tap & Pay™ functionality for extra simplicity and speed at the checkout, and greater security against skimming with an EMV Chip.
If a fraudulent eftpos transaction does occur, you as the merchant will usually only bear the loss if the fraud is a result of non-compliance with our Rules or your own actions.
But no matter how secure a card payment system is, fraud is a risk for any merchant. Attempts at card skimming in particular have been widely detected.
Skimming is where personal details are illegally captured from the card’s magnetic stripe and then used to produce counterfeit duplicate cards. Often, fraudsters attempt to capture the user’s PIN by “shoulder-surfing” or the use of hidden cameras.
eftpos chip technology aims to provide consumers with more payment choices and improve security against skimming fraud on eftpos-only cards.
Here are some additional tips to help safeguard your business from card fraud:
Keep a list of all payment terminals on your premises, detailing:
- The make, model and serial number,
- Where each terminal is kept,
- Any stickers on the terminal and where they are placed, and
- The type of cables connected to the terminal.
Conduct daily checks of your payment terminals:
- Take careful note of the little things that are unique to your terminal and the surrounding area at the start of each shift to ensure there has been no tampering,
- Check for any new or unknown items of electronic equipment connected to the eftpos terminal, and
- Check the cables, ensure the serial number is the same, ensure receipts are printed with your correct business details, and ensure the area is clear of hidden cameras.
Take action to prevent card fraud:
- Don’t leave your terminal unattended. If you have to leave the register area, lock the terminal away,
- Give your staff a checklist to complete on each shift, including checking cables haven’t been tampered with,
- Verify the credentials of service staff or “official” visitors to your premises. Don’t allow unannounced service visits or inspections,
- Make sure that connection of a new terminal or one that has been secured overnight is only done by authorised personnel, and preferably two staff members,
- Only use terminals that have been approved by the Australian Payments Network Limited (AusPayNet) and are listed on its website,
- Don’t let customers hold the terminal if they have anything else in their hands,
- Always use a legitimate distributor (such as your bank) and be wary of refurbished terminals, and
- Dispose of old terminals securely – try to return them to the original vendor (most likely your bank).
Protect against risk of PIN capture:
- Check false ceilings above where your terminal is kept,
- Check boxes near the eftpos terminal containing leaflets and charity donations,
- Be alert to any changes to the area around the eftpos terminal – they may mean a hidden camera or skimming device, and
- Make sure your surveillance camera covers the area in which your eftpos terminal is located, but is not able to record PINs being entered by your customers.
Take extra care where:
- There is only one staff member working on the premises,
- Your business is in an isolated or remote location,
- Your business is left unattended or closed for a period,
- Terminals are occasionally unattended, and
- Wireless terminals are in use (it can be harder to keep track of these terminals at all times).
To protect your payment terminal connections:
- Ensure the point at which your terminal connects to the network is not easily accessible to the general public. This will make it more difficult for criminals to simply “plug in” and activate a replacement eftpos terminal,
- Make sure a warning notification or alarm activates when a terminal is removed or replaced in the network, and
- Make sure that your policies and procedures include a requirement that when a terminal is connected or reconnected, authorisation must be given before it can “go live”.
Suggestions for protecting your employees:
- Don’t allow staff access to CCTV equipment,
- Perform background checks on new staff,
- Allow only senior staff to replace terminals and perform checks, and if possible have two staff members undertake these activities together, and
- Conduct random checks to ensure staff are complying with these guidelines.
If you suspect a payment terminal has been tampered with or if you notice anything suspicious, disconnect the terminal immediately and contact your service provider (normally your bank). Keep the terminal in a secure place so that any evidence, such as fingerprints, is preserved.
Tips sourced by Australian Payments Network Limited.