What is an in-store payment?

In-store payments are also known as 'card present' payments. These types of payments are made in a face-to-face environment where the customer inserts, swipes or taps their credit or debit card on your EFTPOS terminal to complete the transaction.

Tips to help keep your EFTPOS terminal secure.

Take the following steps to help protect your payment facility and reduce the risk of an account data compromise.

| What to do | When to do it | Who is responsible |
| --- | --- | --- |
| Use a PCI DSS compliant terminal that is within its lifecycle (don't use an outdated terminal). | At set up, and annually thereafter. | Merchant/terminal provider. |
| Change the default password of your EFTPOS terminal. | At set up. | Merchant. |
| Create a plan for when you detect unauthorised access. | At set up, and annually thereafter. | Merchant. |
| Keep your terminal secure outside of normal business hours by switching it off and locking it away in a safe place. | Daily. | Merchant. |
| Ensure only authorised people within your business know how to operate the terminal and have access to it. | Daily. | Merchant. |
| Inspect your terminal for signs of damage or tampering. Check cabling hasn't been tampered with, stickers haven't been removed or replaced and that there are no additional/unknown items or electronic equipment connected to the terminal. | Daily. | Merchant. |
| Ensure your EFTPOS terminal is up to date with the latest software and firmware. | When notification is received or within a month of release. | Terminal provider. |
| Establish an inventory control of your terminals. Keep a record of how many terminals are used by your business, their physical locations, software and firmware versions, serial numbers, model numbers and the details of your terminal provider. | Annually. | Merchant. |
| Conduct staff background checks. | At the start of employment. | Merchant. |
| Develop an Incident Response Plan. | Annually. | Merchant. |

Tips to help prevent card fraud.

Stolen or counterfeit cards

Be alert if the cardholder:

  • Makes an excuse for not having a PIN for their card (such as ‘it hasn’t been activated’, ‘I’ve forgotten it’ or ‘I don’t know my PIN’) then asks you to key in the card number instead of swiping or inserting the physical card through your EFTPOS terminal. This may mean the cardholder has a counterfeit card and knows that processing a ‘card not present’ transaction through your terminal does not require a PIN.
  • Returns to make an additional purchase within a short time frame.
  • Makes purchases without regard to size, quality or price.
  • Doesn’t ask the usual questions related to high value goods.
  • Purchases large quantities of a particular item such as gift cards.
  • Admits it’s not their card being used.
  • Requests that the cost of the transaction be split across several cards.
  • Appears flustered or in a hurry.
  • Provides a card that doesn’t look genuine.
  • Attempts to exceed the contactless card limit by tapping their card multiple times.

It’s important to note these behaviours can have a perfectly reasonable explanation. For example, the customer may be a business owner who wants to reward a large team and therefore needs 150 gift cards. Or the customer may have forgotten to buy their family member a birthday present and is running late for the party. However, these behaviours may also be a sign that the customer is trying to commit fraud.

If you have concerns with the purchase, you have the right to refuse to provide the goods or services. If you have already processed the transaction, you can contact Merchant Assist for help.

How to help protect against stolen or counterfeit card fraud

  • Ensure the cardholder authorises the card transaction by using a PIN when a card is swiped or inserted.
  • Don’t split the transaction across cards.
  • Don’t accept cards that don’t appear genuine.

Refund fraud

Be alert if the cardholder:

  • Claims to have overpaid by mistake and requests a partial refund (this is a common card fraud in charities).
  • Asks for the amount to be refunded to a different card or payment method such as a cash refund or transfer to a bank account.
  • Tries to get a refund for a product bought at a different store and then asks for the amount to be refunded to a different card or payment method (targeting large businesses with multiple store locations).
  • Uses pressure tactics to get the refund quickly.

How to help protect against refund fraud:

  • Ensure refunds are processed to the original card used for the transaction.
  • Don’t refund money to new cards, Western Union, international money transfers or bank accounts.
  • Have a refund policy in place.
  • Read our refund fraud article.

Employee fraud

It’s important to know that your business is financially responsible for all card fraud, whether this is carried out by an employee, a cardholder or both in collusion.

Employee refund fraud

  • A common type of fraud involves employees issuing refunds to their own account.
  • To avoid detection, they may create a large debit transaction on a fraudulent card and refund it to their own card.
  • It’s likely to take weeks, even months, before the fraud is detected. 

How to help protect against employee fraud

  • Follow the tips for keeping your EFTPOS terminal secure.
  • If you apply for a refund function on your terminal, ensure that only authorised people within the business know how to use it.
  • Store your refund card securely.
  • If your refund function is operated by a PIN or password, ensure only authorised staff members have access.
  • Closely monitor all refunds. Check that all refunds and corresponding debits relate to the same card number. Particular attention should be paid to large refunds.
  • Have a separate authoriser of refunds in addition to the person who physically processes a refund.
  • Ensure all refunds have appropriate documentation of customer information (name and contact details) and reason for return or dispute.
  • Match refunds to returned or disputed goods or services and verify with the customer that goods or services were returned or disputed.
  • Send all refund transactions to a central office for review.
  • Fully investigate refunds without matching sales.
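
The refund checks listed above can be run over a daily transaction export. The following is an added example, not Westpac's code or any terminal's export format; the record fields, masked card values, staff names and the 500.00 review threshold are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample export; field names are assumptions, not a real terminal format.
# "card" is a masked card number or token, never the full card number.
TRANSACTIONS = [
    {"id": "T1", "type": "sale",   "card": "****1111", "amount": "120.00", "staff": "ana", "approver": None},
    {"id": "T2", "type": "refund", "card": "****1111", "amount": "120.00", "staff": "ben", "approver": "ana"},
    {"id": "T3", "type": "sale",   "card": "****2222", "amount": "950.00", "staff": "cy",  "approver": None},
    {"id": "T4", "type": "refund", "card": "****3333", "amount": "950.00", "staff": "cy",  "approver": "cy"},
    {"id": "T5", "type": "sale",   "card": "****4444", "amount": "40.00",  "staff": "ana", "approver": None},
    {"id": "T6", "type": "refund", "card": "****4444", "amount": "60.00",  "staff": "ben", "approver": "ana"},
]

LARGE_REFUND = Decimal("500.00")  # assumed review threshold; set to suit the business


def review_refunds(transactions, large_refund=LARGE_REFUND):
    """Return {refund id: [reasons]} for refunds that need investigation."""
    unrefunded = defaultdict(Decimal)  # card -> sales total not yet refunded
    findings = {}
    for tx in transactions:  # assumed to be in time order
        amount = Decimal(tx["amount"])
        if tx["type"] == "sale":
            unrefunded[tx["card"]] += amount
            continue
        if tx["type"] != "refund":
            continue
        reasons = []
        balance = unrefunded.get(tx["card"], Decimal("0"))
        if balance == 0:
            reasons.append("no matching sale on this card")
        elif amount > balance:
            reasons.append("refund exceeds sales on this card")
        if amount >= large_refund:
            reasons.append("large refund")
        if not tx["approver"] or tx["approver"] == tx["staff"]:
            reasons.append("no separate authoriser")
        unrefunded[tx["card"]] = max(balance - amount, Decimal("0"))
        if reasons:
            findings[tx["id"]] = reasons
    return findings


if __name__ == "__main__":
    for refund_id, reasons in review_refunds(TRANSACTIONS).items():
        print(refund_id, "->", "; ".join(reasons))
```

In the sample data, T4 matches the pattern described under employee refund fraud: a debit on one card, a refund to a different card, processed and approved by the same person.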

General best practice tips to help prevent card fraud

  • Reconcile your transactions daily rather than monthly.
  • Establish a policy of manager approval or peer review of bank statements to identify suspicious activity.
  • Conduct regular internal audits at random times and intervals.
  • Audit bookkeeping and accounting processes quarterly.
  • Limit employee access to sensitive data and payment systems.
  • Never process transactions on behalf of another merchant or company.
  • If you need to store cardholder data for a legal reason, make sure you meet Payment Card Industry Data Security Standards (PCI DSS) requirements.

Report suspicious transactions

If you suspect a suspicious transaction has been made through your merchant facility, contact Merchant Assist.

What's the difference between an account data compromise (ADC) and card fraud?

An ADC is when an unauthorised person gains access to your business environment or payment facility to steal valuable information (like card payment data) with the intention to commit fraud. Card fraud is when stolen card payment data is used to make a fraudulent transaction.

Get in touch.

New customers

Call the Westpac Merchant Onboarding team on 0800 888 066 (option 1), weekdays between 8:30am and 5pm, or email merchant_onboarding@westpac.co.nz

Existing customers

Contact your Westpac Relationship Manager, or contact our Merchant Assist team on 0800 888 066 (option 2), weekdays between 8:30am and 5pm, or email merchant_assist@westpac.co.nz

0800 888 066

  • Option 1. New or additional merchant facilities, or to change ownership of an existing facility.
  • Option 2. General enquiries on your existing merchant facility including suspicious transactions.
  • Option 3. Westpac Get Paid on-the-go or Westpac Get Paid in-store technical support.
  • Option 4. Westpac Get Paid online technical support.
  • Option 5. Terminal faults that aren't related to Westpac Get Paid.

Things you should know.

The information on this page is intended as a guide only. We make no warranty or representation, express or implied, regarding the accuracy of any information, statement or advice contained on this page. We recommend you seek independent advice before acting or relying on any of the information on this page. All opinions, statements and analysis expressed are based on information current at the time of writing from sources which Westpac believes to be authentic and reliable. Westpac issues no invitation to anyone to rely on this material.

Links to other sites are provided for convenience only and Westpac accepts no responsibility for the availability or content of such websites.