In the modern Australian retail landscape, accepting card payments is essential and your EFTPOS machine is the gateway to your revenue. However, as payment technology evolves, so do the methods used by fraudsters to target businesses.
Protecting your electronic funds transfer point-of-sale (EFTPOS) terminal and your customer data isn't just a best practice — it's a critical component of maintaining trust, avoiding costly chargebacks, and ensuring the long-term viability of your business.
This article outlines the common types of fraud that can impact Australian merchants and provides clear, actionable steps you can take to safeguard your EFTPOS terminals and your business operations.
Understanding common types of payment fraud
Payment fraud can generally be divided into two main categories: "card-present" fraud, which occurs in-store, and "card-not-present" (CNP) fraud, which happens remotely. While CNP fraud accounts for the vast majority of card fraud in Australia, in-store fraud involving your terminal is a significant risk that directly impacts your physical operations.
1. Terminal tampering and skimming (Card-Present Fraud)
This is a physical attack on your EFTPOS terminal.
- Skimming: Criminals use sophisticated devices, known as 'skimmers,' that are attached to or inside the terminal to steal card data from the magnetic stripe. They often use tiny hidden cameras or keypad overlays to capture the customer's PIN at the same time. The stolen data is then used to create counterfeit cards.
- Terminal substitution/takeover: A fraudster may steal your actual terminal and replace it with a tampered device that looks and functions normally. Alternatively, a "terminal takeover" occurs when a customer physically tampers with and manipulates your machine to carry out fraudulent activities, often by incorrectly entering card details or manipulating the transaction type.
2. Card-Not-Present (CNP) fraud
CNP fraud occurs when a transaction is processed without the physical card present, typically online, over the phone (MOTO – Mail Order/Telephone Order), or via email. In this scenario, the merchant often holds the liability for fraudulent transactions (a chargeback), which can be very costly.
- MOTO fraud: This involves a fraudster calling in or placing an order online and providing stolen card details to be manually keyed into the terminal or an online gateway. Manually keyed transactions are considered high-risk, as cardholder verification is often difficult.
- Card testing: Fraudsters use automated programs to test stolen card details, making numerous small purchases on a website until an approved transaction confirms the card is valid.
3. Refund scams
Fraudsters exploit the refund process to turn stolen card data or fraudulent sales into cash.
- Refunding to a different card: A fraudster will make a purchase, often with a stolen card, and then later request that a refund be processed to a different card (their own) or a different payment channel (such as a bank transfer or cash). Always process refunds to the original card used for the purchase to protect your business from this scam.
- Employee fraud: This high-risk internal threat involves an employee issuing fake credits or refunds to their own account or to a friend's card.
Essential security measures for your EFTPOS machine
As a merchant, you are responsible for validating the card and verifying the cardholder for all transactions. The physical security of your EFTPOS terminal is paramount.
Physical security checklist
You and your staff should perform these checks daily and throughout the day:
- Keep it visible and secure: Always keep your terminal in a secure location, preferably behind the counter, and never leave it unattended. When closing your store, ensure the terminals are securely locked away.
- Inspect for tampering: Regularly inspect your terminal for signs of tampering, such as:
  - Any loose or damaged casing.
  - Unusual or additional cables that weren't there before.
  - Security stickers or seals that are no longer intact.
  - Anything that obscures or hides the keypad or card slot.
  - An unfamiliar or different machine that has been swapped.
- Know your terminal: Keep a record of your terminal's make, model and serial number to quickly identify any substitutions.
- Control access: Ensure only authorised and fully trained employees have access to the terminal and your merchant facility passwords.
Transaction best practices
Train your staff on these crucial steps to identify and prevent fraud during a sale:
- Verify the card's authenticity: Inspect the card. Never accept a card if it is visibly damaged, altered, or if the expiry date has passed.
- Avoid manual keying: Never hand-key a transaction if the physical card is present. Manually keyed transactions carry a high risk, and the financial liability for fraud often shifts to the merchant. Also, never allow a customer to manually enter their card details into the terminal.
- Process refunds correctly: Only process a refund back to the exact card that was used for the original purchase. If a customer insists on a refund to a different card or for cash, politely refuse and ask them to return with the original card.
- Be alert to suspicious behaviour: Be cautious of customers who appear nervous, are unable to provide identification, or request to split a large transaction into smaller amounts.
- Guard your PIN: Change the default passwords on your terminal and keep any passwords secure and secret. Consider limiting knowledge of the password to a small group of senior staff.
- Decline red flags: If a card is declined, do not continue to attempt re-authorisation. Ask for an alternative form of payment.
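The refund rule in the list above (and the refund scam and employee fraud items in the earlier section) can be enforced in the point-of-sale software rather than left to the cashier's judgement. The following Python code is an added example, not code from the original article or from any EFTPOS vendor. It assumes the point of sale keeps a ledger of completed sales keyed by receipt reference, that each sale records the card by an acquirer-issued token rather than the card number, and that a refund request names the reference it relates to. It rejects refunds to cash or bank transfer, refunds with no matching original sale (the "fake credit" case), refunds to a card other than the one used for the purchase, and refunds that exceed what remains refundable on that sale. All references, tokens and amounts are constructed sample data.

```python
"""Refund-to-original-card check.

Added example, not code from the original article. It assumes the point of sale
keeps a ledger of completed sales keyed by receipt reference, that each sale
records the card by an acquirer-issued token rather than the card number, and
that a refund request names the reference it relates to. All data is constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Sale:
    reference: str
    card_token: str     # token standing in for the card; the PAN is never stored
    amount: Decimal
    refunded: Decimal = Decimal("0")


class RefundRejected(Exception):
    """Raised when a refund request breaks the refund-to-original-card rule."""


def validate_refund(ledger, reference, card_token, amount, method="card"):
    """Return the Sale a refund may be applied against, or raise RefundRejected.

    Checks, in order: refund channel is the card itself, an original sale exists,
    the card presented matches that sale, the amount is positive, and the amount
    does not exceed what is still refundable (original amount minus prior refunds).
    """
    amount = Decimal(str(amount))
    if method != "card":
        raise RefundRejected(f"refund by {method!r} not permitted; refund to the original card only")
    sale = ledger.get(reference)
    if sale is None:
        raise RefundRejected(f"no original sale found for reference {reference!r}")
    if card_token != sale.card_token:
        raise RefundRejected("card presented does not match the card used for the original purchase")
    if amount <= 0:
        raise RefundRejected("refund amount must be positive")
    remaining = sale.amount - sale.refunded
    if amount > remaining:
        raise RefundRejected(f"refund {amount} exceeds remaining refundable amount {remaining}")
    return sale


def apply_refund(ledger, reference, card_token, amount, method="card"):
    """Validate, then record the refund; returns the amount still refundable."""
    sale = validate_refund(ledger, reference, card_token, amount, method)
    sale.refunded += Decimal(str(amount))
    return sale.amount - sale.refunded


def is_rejected(ledger, *args):
    """True if the refund request is refused (used for the demonstration run)."""
    try:
        apply_refund(ledger, *args)
    except RefundRejected:
        return True
    return False


def build_sample_ledger():
    """Constructed sample sales: two completed card purchases."""
    return {
        "R-1001": Sale("R-1001", "tok_A", Decimal("120.00")),
        "R-1002": Sale("R-1002", "tok_B", Decimal("45.50")),
    }


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("remaining after partial refund:", apply_refund(ledger, "R-1001", "tok_A", "50.00"))
    for args in [("R-1001", "tok_Z", "10.00"),          # different card presented
                 ("R-1001", "tok_A", "80.00"),          # more than remains on the sale
                 ("R-9999", "tok_A", "5.00"),           # no original sale (fake credit)
                 ("R-1002", "tok_B", "5.00", "cash")]:  # refund requested as cash
        try:
            apply_refund(ledger, *args)
        except RefundRejected as e:
            print("rejected:", e)
```

Because the check keys on the token the acquirer returned for the original sale, a cashier never needs to see or compare card numbers, and a refund that no sale explains cannot be keyed at all, which also closes the fake-credit path described under employee fraud.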
The role of PCI DSS compliance
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not just a suggestion; it's a mandatory security standard for all Australian merchants who accept, process, store, or transmit cardholder data. Adherence to the PCI DSS is typically a contractual requirement within your Merchant Agreement with your acquiring bank and the card schemes (Visa, Mastercard, etc.).
PCI DSS is a framework of 12 requirements designed to ensure you maintain a secure payment environment, protecting your customers’ sensitive information and reducing fraud risk.
Key PCI DSS principles relevant to EFTPOS:
- Protect cardholder data: Ensure that any stored cardholder data is protected, often through encryption.
- Restrict physical access: Implement strong controls to restrict physical access to cardholder data and payment devices like your terminal. You must confirm that your EFTPOS devices are protected from tampering and substitution.
- Build and maintain a secure network: Ensure secure systems and networks are in place, often involving firewalls and strong, regularly changed passwords, not vendor-supplied defaults.
- Maintain an information security policy: Have a clear policy for staff training and incident response.
The use of a modern, compliant EFTPOS machine with features like end-to-end encryption can significantly reduce your compliance burden (scope reduction) and minimise your risk exposure. You must ensure that any third-party providers you use are also certified against the PCI DSS.
Be proactive: Staff education and vigilance
The single greatest defence against payment fraud is a well-trained and vigilant staff.
- Regular training: Regularly train all new and existing employees on how to spot fraudulent cards, recognise suspicious customer behaviour, and follow strict procedures for terminal security and processing refunds.
- Daily checks: Incorporate physical terminal inspections into your opening and closing procedures. Ensure all terminals are accounted for and appear untampered with.
- Know who to call: Have the emergency contact numbers for your merchant support and payment provider readily available to report a missing or suspected tampered terminal immediately.
By adopting a proactive security posture – from physically securing your EFTPOS machine to adhering to PCI DSS requirements – you protect not only your bottom line but also the trust your customers place in you.