What is a MOTO payment?

MOTO payments are also known as 'card not present' payments because your customer does not need to be physically in store to make the payment. They provide the required card details over the phone and the payment can then be processed using a virtual terminal or a physical terminal.

What is a physical terminal?

A physical terminal allows you to manually enter card details into your EFTPOS terminal. Most EFTPOS terminals have the capability to process card not present payments but this function needs to be approved and switched on by your bank.

What is a virtual terminal?

A virtual terminal is a secure online portal that is supplied by a payment gateway provider. The portal will allow you to login online securely and manually enter your customer's card details.

Westpac supports most major gateway providers including:

Tips to help keep your MOTO facility secure.

Take the following steps to help protect your payment facility and reduce the risk of an account data compromise.

What to do

When to do it

Who is responsible?

If you're using a physical terminal, ensure that it's PCI DSS compliant and within its lifecycle (don't use an outdated terminal)

At set up, and annually thereafter

Merchant / Terminal provider

If you're using a virtual terminal (online portal) ensure that it is PCI DSS compliant and does not record card numbers

At set up, and annually thereafter

Merchant / Gateway provider

Check your terminal or gateway provider's compliance status by asking for their Certificate of Compliance (COC). This will provide the validation date and expiry date of their PCI DSS compliance

At set up, and annually thereafter

Merchant / Gateway provider / Terminal provider

Don't store any card information such as the cardholder PIN or CVV (3 digits on the back of the card)



Only allow authorised staff to process MOTO payments



Ensure controls are in place to identify who has accessed your payment system and create a plan for when you detect unauthorised access

At set up, and annually thereafter


Create a unique user ID and password for each staff member that has access to your system

At set up


Establish a complex password policy*. If a user has attempted to log in unsuccessfully more than six times, lock their account and reset their password after 30 minutes. This will give you time to investigate whether they are an authorised user

Passwords should be changed every 90 days


Change default password to system, application and devices

At set up


Develop an Incident Response Plan



Establish staff security awareness training

At the start of employment, and annually thereafter


Conduct staff background check

At the start of employment


*For example passwords must be seven characters in length and contain a capital and lower-case letter, number and symbol.

Tips to help prevent card fraud & payment disputes (chargebacks).

  • Only accept card information over the phone (not via email or any other channel) and process transactions immediately while the customer is on the phone
  • Ensure you have consent from the cardholder before the transaction is processed
  • Provide purchase receipts to the customer
  • Clearly disclose surcharges where applicable to the customer
  • Be aware of unusual customer purchase behaviour, such as large orders or rush orders
  • Don't manually key in the card details when the cardholder can pay using your website payment page or is physically present and able to pay by using your terminal.

Learn more about chargebacks here.

What's the difference between an account data compromise (ADC) and card fraud?

An ADC is when an unauthorised person gains access to your business environment or payment facility to steal valuable information (like card payment data) with the intention to commit fraud. Card fraud is when stolen card payment data is used to make a fraudulent transaction.

Get help.

New customers

Call the Westpac Merchant Onboarding team on 0800 888 066, option 3 weekdays between 8:30am - 5pm.

0800 888 066

Existing customers

Contact your Westpac Relationship Manager or Merchant Assist on 0800 888 066, option 4 weekdays between 8:30am - 5pm.

0800 888 066

Things you should know.

The information on this page is intended as a guide only. We make no warranty or representation, express or implied, regarding the accuracy of any information, statement or advice contained on this page. We recommend you seek independent advice before acting or relying on any of the information on this page. All opinions, statements and analysis expressed are based on information current at the time of writing from sources which Westpac believes to be authentic and reliable. Westpac issues no invitation to anyone to rely on this material.

Mastercard® is a registered trade mark and the circles design is a trade mark of Mastercard International Incorporated.

Links to other sites are provided for convenience only and Westpac accepts no responsibility for the availability or content of such websites.