Safely accept payments online.

Use a gateway hosted page for your website

A payment gateway provider can set up a gateway hosted e-commerce page that integrates with your website. This means when the cardholder makes a payment, they are redirected from your website to a secure payment page hosted by the gateway. The cardholder can then submit their card details on the page and once payment is complete, they are redirected back to your site.

It's important to start working with us early on when you’re setting up your payments page so that we can understand your requirements and make sure you're meeting your Payment Card Industry Data Security Standard (PCI DSS) compliance obligations. Westpac does not permit the use of merchant hosted payment pages.

Westpac supports most major payment gateway providers including:

• Verifone
• Worldline
• Windcave
• Mastercard® Payment Gateway Services
• CyberSource
• Datacom
• Paystation.

Use Online EFTPOS to accept payments made by a smartphone

Online EFTPOS is a service provided by Worldline that enables your customers to pay online with their smart phone. Customers enter their mobile number and select their bank on your payments page, then they approve a payment notification within their mobile banking app. Your customers never need to expose their payment or banking credentials.

You can find out more about Online EFTPOS and how to set it up for your business here.

Use batch processing to process multiple online card payments at once

Batch credit or debit card processing is a facility offered by some payment gateway providers that allows you to process multiple credit or debit card payments (a batch) at once. This facility can be used to process different amounts or recurring payments of the same amount.

You can upload a batch of payments directly into a PCI DSS compliant payment gateway provider which removes the need to manually transmit and store volumes of credit card information. Talk to your gateway provider to find out if they offer batch processing and whether you’re eligible for this facility.

Stolen or counterfeit cards

Check your online order for these potential red flags:

• Unusual customer details (different delivery details to the card details or the contact person’s name is different from the name on the credit card used for the purchase).
• Larger than usual purchase orders.
• Purchase orders consisting of several of the same items or big-ticket items.
• Orders placed where card numbers used are very similar and/or use sequential card numbers.
• Orders that request rush shipping or overnight delivery.
• Multiple orders shipped to a single address.
• Orders shipped to a country you do not normally deal with.
• Orders shipped to a country where the goods would be readily available in the local market.
• Pressure to deliver goods immediately or unusual delivery instructions.
• A large amount of gift cards or vouchers.

How to help protect against stolen or counterfeit card fraud

• Enable 3D Secure. This is an additional security layer for online credit and debit card transactions. Contact your payment gateway provider to set up 3D Secure.

Refund fraud

Be alert to these requests

• Claims to have overpaid by mistake and requests a partial refund (this is a common card fraud in charities).
• Asks for the amount to be refunded to a different card or payment method such as cash or transfer to a bank account.
• Uses pressure tactics to get the refund quickly.   

How to help protect against refund fraud:

• Ensure refunds are processed to the original card used for the transaction.
• Don’t refund money to new cards, Western Union, international money transfers or bank accounts.
• Have a refund policy in place.
• Read our refund fraud article.

BIN attack

• A BIN is the Bank Identification Number – the first six digits of a card. This tells you where the card was issued, in what country and by what bank or financial institution. 
• A BIN attack (also referred to as card testing, brute force or an enumeration attack) involves a fraudster taking the first six digits of a card (the BIN) then using software to automatically generate the remaining numbers and test these combinations through online payment channels to see which card numbers are correct and if the cards are active.

What are the risks of a BIN attack?

• The banks whose cards have been used in the fraud may restrict card payments to your business because of fraud concerns. This could prevent genuine customers from making card payments to you. 
• There will be an operational impact – successful transactions will need to be refunded and orders cancelled. Otherwise the rightful cardholders could raise payment disputes (chargebacks) with you and you could be liable for the associated card scheme fines.
• Depending on the nature of the attack, your ability to take card payments may be suspended until fraud prevention measures can be put in place, or even cancelled outright. This could damage your reputation.

Be alert to these signs of a BIN attack:

• Zero dollar or similar small dollar value amounts with high rates of declines. The declines will often outweigh the approved transactions and the volume of these transactions will be high – from ten a day to thousands of cards in the space of a couple of hours. When reviewing the transactions, check the expiry date and security code that is being used. Often fraudsters will use the same or similar expiry dates and security codes. 
• Multiple transactions on a single card within 24 hours.
• Unusual cards or locations – think about where your customers are usually located. If you’re suddenly getting orders from all over the world, that should raise a red flag.

How to help prevent BIN attacks

• Enable 3D Secure. This is an additional security layer for online credit and debit card transactions. 3D Secure needs to be set up by your payment gateway provider.
• Enable a CAPTCHA test to tell humans and bots apart. It’s easy for humans to solve, but not bots and other malicious software. Ask your payment gateway provider and web developer how to implement this.  
• Set fraud rules for your website. Overseas IP blockers and BIN blockers can prevent transactions from certain countries. You can also restrict the number of payment attempts from a single card within a time frame through your payment facility. Contact your payment gateway and web hosting provider to find out more about these options.

Employee fraud warning signs

Employee fraud

Your business is financially responsible for all card fraud, whether this is carried out by an employee, a cardholder or both in collusion.

Employee refund fraud

• A common type of fraud involves employees issuing refunds to their own account.
• To avoid detection, they may create a large debit transaction on a fraudulent card and refund it to their own card.
• It’s likely to take weeks, even months, before the fraud is detected. 

How to protect against employee fraud

• Closely monitor all refunds. Check that all refunds and corresponding debits relate to the same card number. Particular attention should be paid to large refunds.
• Have a separate authoriser of refunds in addition to the person who physically processes a refund.
• Ensure all refunds have appropriate documentation of customer information (name and contact details) and the reason for return or dispute.
• Match refunds to returned or disputed goods or services and verify with the customers that goods or services were returned or disputed.
• Send all refund transactions to a central office for review.
• Fully investigate refunds without matching sales.

General best practice tips to help prevent card fraud

• Reconcile your transactions daily rather than monthly.
• Establish a policy of manager approval or peer review of bank statements to identify suspicious activity.
• Conduct regular internal audits at random times and intervals.
• Audit bookkeeping and accounting processes quarterly.
• Limit employee access to sensitive data and payment systems.

Report suspicious transactions.

If you suspect a suspicious transaction has been made through your merchant facility, contact Merchant Assist.

What's the difference between an account data compromise (ADC) and card fraud?

An ADC is when an unauthorised person gains access to your business environment or payment facility to steal valuable information (like card payment data) with the intention to commit fraud. Card fraud is when stolen card payment data is used to make a fraudulent transaction.