Merchant Security
Reduce the risk of fraud and secure your business operations.
Fraud minimisation
Fraud is a growing problem for many merchants and can have a substantial financial impact on businesses. Criminals may use cards illegally to make unauthorised purchases at your business.
It's important to be aware that an 'approved transaction' doesn't necessarily mean that the transaction is legitimate; it just means there were sufficient funds in the account.
As a business owner, you face various risks when accepting payments, especially hand keyed transactions.
Hand keyed transactions
A hand keyed transaction usually occurs when the purchaser isn't physically present at the time of purchase. However, it can happen with in-person transactions if you allow an unauthorised person to hand key a credit card number.
Some common indicators of fraud to look out for are:
Payments to a 3rd Party: This is when a customer offers surplus funds to cover the cost of a fake 3rd party, such as a freight or logistics courier. The expectation is that the merchant will forward these funds (often via Western Union or to supplied bank account details) on behalf of the customer. This way the customer can obtain funds from the stolen card data by channelling it through a merchant's facility.
Multiple card details: When a customer offers multiple card details or has multiple declines occur within a short period of time.
High risk locations: Extreme caution should be used when sending goods to, or dealing with customers in, the following locations, which are generally considered to be high risk: Ghana, Nigeria, Ivory Coast (Western Africa in general), as well as Indonesia and Singapore.
Online merchants
If you have an online facility:
- Make sure your website has online security tools such as Visa Secure (formerly known as Verified by Visa) and Mastercard Identity Check/Mastercard SecureCode, otherwise known as 3D Secure. If you don’t have these tools active on your site, you can contact us to ask how to activate them.
- Your website must capture the Card Verification Value, which is the 3-digit security code found on the back of credit cards. This may assist with reducing chargebacks as it helps to ensure that the card is not fraudulent.
- Establish your own database to store details such as names, addresses, phone numbers, email and IP addresses that have been used in known fraud transactions. Also keep a database of particular locations, such as suburbs and street names, which attract a high rate of fraud.
If you have an online store and use a 3rd party payment gateway provider, contact them for more fraud prevention measures.
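The following is an added example, not code from ANZ Worldline Payment Solutions, showing how the indicators above (multiple card details, multiple declines in a short period, high-risk shipping locations) and the merchant-maintained fraud database can be applied to card-not-present orders. The `Order` and `FraudDatabase` types, the thresholds, the 30-minute window, the demo fingerprint key and all sample orders are constructed for illustration. The database deliberately holds no card number and no Card Verification Value: the card is recognised later only through a keyed hash, and the number is shown in masked form.

```python
"""Screen card-not-present orders against merchant fraud indicators.

Added example (hypothetical code). Sample orders use test card numbers,
documentation IP ranges and example.com addresses; all are constructed.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed demo key. In a real deployment keep this in a secrets manager;
# it is what stops a leaked fingerprint list from being brute-forced back to card numbers.
FINGERPRINT_KEY = b"constructed-demo-key-do-not-use"

# ISO country codes for the locations the page lists as high risk
# (Ghana, Nigeria, Ivory Coast, Indonesia, Singapore).
HIGH_RISK_COUNTRIES = {"GH", "NG", "CI", "ID", "SG"}

MULTI_CARD_THRESHOLD = 3     # distinct cards from one customer within the window (assumed)
MULTI_DECLINE_THRESHOLD = 2  # declines from one customer within the window (assumed)
WINDOW = timedelta(minutes=30)


def mask_pan(pan: str) -> str:
    """Display form that keeps only the first 6 and last 4 digits."""
    digits = pan.replace(" ", "")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def card_fingerprint(pan: str) -> str:
    """Keyed hash so a card seen in fraud can be recognised again without storing its number."""
    digits = pan.replace(" ", "")
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()


@dataclass
class Order:
    order_id: str
    when: datetime
    email: str
    ip: str
    ship_country: str
    pan: str        # handled transiently for authorisation; never written to the database
    approved: bool  # an approval only means the issuer accepted it, not that it is legitimate


@dataclass
class FraudDatabase:
    """Details seen in confirmed fraud. Holds contact details and card fingerprints only."""
    emails: set
    ips: set
    card_fingerprints: set

    def record(self, order: Order) -> None:
        self.emails.add(order.email.lower())
        self.ips.add(order.ip)
        self.card_fingerprints.add(card_fingerprint(order.pan))


def screen(orders, db: FraudDatabase) -> dict:
    """Return {order_id: [reasons]} for every order that matches an indicator."""
    flags = defaultdict(list)
    by_email = defaultdict(list)
    for o in orders:
        by_email[o.email.lower()].append(o)

    for o in orders:
        if o.email.lower() in db.emails:
            flags[o.order_id].append("email seen in known fraud")
        if o.ip in db.ips:
            flags[o.order_id].append("IP address seen in known fraud")
        if card_fingerprint(o.pan) in db.card_fingerprints:
            flags[o.order_id].append("card seen in known fraud")
        if o.ship_country in HIGH_RISK_COUNTRIES:
            flags[o.order_id].append("shipping to high-risk location")

        # This customer's orders in the trailing window ending at this order.
        recent = [x for x in by_email[o.email.lower()] if o.when - WINDOW <= x.when <= o.when]
        if len({card_fingerprint(x.pan) for x in recent}) >= MULTI_CARD_THRESHOLD:
            flags[o.order_id].append("multiple card details in short period")
        if sum(1 for x in recent if not x.approved) >= MULTI_DECLINE_THRESHOLD:
            flags[o.order_id].append("multiple declines in short period")
    return dict(flags)


# Constructed sample data.
T0 = datetime(2024, 3, 1, 10, 0)
SAMPLE_ORDERS = [
    Order("o1", T0, "alice@example.com", "198.51.100.4", "AU", "4012 8888 8888 1881", True),
    Order("o2", T0, "bob@example.com", "198.51.100.9", "AU", "4111 1111 1111 1111", False),
    Order("o3", T0 + timedelta(minutes=5), "bob@example.com", "198.51.100.9", "AU", "5555 5555 5555 4444", False),
    Order("o4", T0 + timedelta(minutes=10), "bob@example.com", "198.51.100.9", "AU", "3782 822463 10005", True),
    Order("o5", T0 + timedelta(hours=1), "carol@example.com", "203.0.113.7", "NG", "4012 8888 8888 1881", True),
]

KNOWN_FRAUD = FraudDatabase(emails={"mallory@example.net"}, ips={"203.0.113.7"},
                            card_fingerprints={card_fingerprint("4111 1111 1111 1111")})

if __name__ == "__main__":
    for order_id, reasons in screen(SAMPLE_ORDERS, KNOWN_FRAUD).items():
        print(order_id, "->", "; ".join(reasons))
```

A flagged order is a prompt to hold shipment and contact merchant support, not an automatic decline; the approved order `o4` is still flagged because three different cards and two declines arrived from the same customer within the window.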
Other common merchant risks
External refund fraud
- An external fraudster may make an order/booking with a merchant with compromised card data. After cancelling the order/booking, they will request a refund to a different card or payment channel (e.g. bank transfer, cash etc.). This other card or payment channel will be the fraudster's own.
- To protect yourself against external refund fraud, always refund to the card on which the initial sale was made.
Internal refund fraud
- This occurs when internal staff members process refunds to their personal card from the merchant's settlement account.
- To protect yourself against internal refund fraud, ensure only authorised staff members have access to the merchant cards at all times.
Invalid payment processing
- Where a business with a valid merchant facility accepts transactions on behalf of another business.
- This is considered a serious breach of ANZ Worldline Payment Solutions Merchant Terms and Conditions and is a risky practice that exposes your business to significant loss.
How to minimise fraudulent transactions
- Avoid hand keying transactions where the cardholder can't be verified as this shifts the financial liability to the merchant if the transaction is disputed for fraud.
- Check the appearance of the card for things like damage or alteration.
- Ensure the transaction has been PIN-entered or signature-verified by comparing the signature with the signature panel of the card.
- Be alert to customers who appear nervous, unable to identify themselves or ask for the transaction to be split or hand keyed.
- If you need to hand key a transaction when the card is present, ensure this is done by an authorised person.
Refer to the 'Fraud Minimisation, Data Security & Chargeback Guide' for further information to assist you in identifying and minimising fraud and chargebacks to protect your business.
Securing your EFTPOS machine
Fraud and misuse of credit or debit card information is a growing problem for many merchants globally. The loss of customer card data and subsequent misuse may undermine consumer confidence and potentially reduce card usage at your business.
As part of ANZ Worldline Payment Solutions' ongoing commitment to providing the most up-to-date information on EFTPOS machine and cardholder data security, a list of best practices for protecting your machine and your customers' information is below.
Your ANZ Worldline Payment Solutions EFTPOS machine is equipped with a number of in-built innovative security features which are designed to protect your customers’ information. By implementing the recommendations below, you can help protect your business, your customers and your reputation from credit and debit card fraud or misuse.
Protect your EFTPOS machine
- Always ensure that machines are secure and under supervision during operating hours (including any spare or replacement EFTPOS machines you have).
- Ensure that only authorised employees have access to your EFTPOS machine and are fully trained on their use.
- When closing your store or kiosk, always ensure that your EFTPOS machines are securely locked and not exposed to unauthorised access.
- Never allow your EFTPOS machine to be maintained, swapped or removed without advance notice from ANZ Worldline Payment Solutions - be aware of unannounced service visits.
- Only allow authorised ANZ Worldline Payment Solutions personnel to maintain, swap or remove your EFTPOS machine, and always ensure that security identification is provided.
- Inspect your EFTPOS machines on a regular basis to ensure that the machine casing is intact, with external security stickers unbroken and of high print quality.
- Ensure that there are no additional cables running from your EFTPOS machine.
- Make sure that any CCTV or other security cameras located near your EFTPOS machine(s) can't observe cardholders entering details.
Report suspicious behaviour
Notify merchant support on 1800 039 025 immediately, at any time, if:
- Your EFTPOS machine is missing
- You, or any member of your staff, is approached to perform maintenance, swap or remove your EFTPOS machine without prior notification from ANZ Worldline Payment Solutions and/or Security Identification is not provided
- Your EFTPOS machine prints incorrect receipts or has incorrect details
- Your EFTPOS machine is damaged or appears to be tampered with
- You notice any other unusual or suspicious circumstances or behaviour.
Data security and PCI DSS
Protecting cardholder data is important to you and your customers. If you don't protect payment card data you can be subject to attacks from fraudsters, not to mention the risk of damage to your brand and reputation.
If you want to accept payments via payment cards such as credit cards then you need to understand and comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to all merchants that store, process and/or transmit Payment Card Data.
PCI DSS Compliance is your responsibility. Complying with PCI DSS forms part of your Merchant Agreement.
Read the full set of PCI DSS requirements:
Data Security Standard: Requirements and Security Assessment Procedures
Where do I start?
PCI DSS consists of 6 core principles which are accompanied by 12 requirements. Becoming PCI DSS compliant means that you can show that you have addressed all of the elements that apply to you.
ANZ Worldline Payment Solutions recommends that you engage a Qualified Security Assessor (QSA) to assist you in meeting the obligations prescribed by the PCI Security Standards Council. We also recommend that you engage service providers that are listed on the Visa and Mastercard Service Provider lists.
THE 6 CORE PRINCIPLES | THE 12 PCI DSS REQUIREMENTS
---|---
Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect data
 | 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data | 3. Protect stored data by using methods such as lock and key, data masking or data encryption
 | 4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software
 | 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures | 7. Restrict access to data on a need-to-know basis
 | 8. Assign a unique ID to each person with computer access
 | 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data
 | 11. Regularly test security systems and processes
Maintain an Information Security Policy | 12. Maintain a policy that addresses information security
Guidelines for securing cardholder data for your eCommerce website
Security across merchant websites is typically not considered by merchants, or is considered too expensive to install. Merchants should be aware that stolen card data may ruin their business's reputation, so security should be a priority. The 'Guidelines for Securing Cardholder Data for your eCommerce Website' explains:
- The available options for installing or using a PCI DSS compliant payment gateway.
- Which of the available integration options outsource the security and the risk.
Guidelines for Securing Cardholder Data for your eCommerce Website (PDF 195kB)
Information and extra resources
Get smart about fraud online
Australian Payments Network, with the support of the Australian Crime Commission and the Australian Federal Police, has developed Get Smart About Card Fraud Online - a convenient and free source of facts, tips and video case studies that can help you to be more informed about the risks of online card fraud. It also outlines steps you can take to prevent impacts to your business. For more information, go to Get Smart About Card Fraud Online.
The PCI Security Standards Council
The PCI Security Standards Council produces some excellent resources for merchants in relation to PCI DSS.
Payment Security Educational Resources
More information
If you are suspicious of either the purchaser or transaction, contact merchant support before shipping the goods or providing the services, even if the transaction has been authorised or approved.
For more information on merchant security and fraud minimisation, contact us on 1800 039 025. We're available 24 hours a day, 7 days a week.
Important Information
For ANZ business account holders, funds are available on the same day for online transactions, processed through the terminal and settled before 9pm (AEST). For non-ANZ business account holders, for online transactions processed through the terminal, ANZ Worldline Payment Solutions will transfer the funds to the merchant’s bank on the following business day and the availability of the funds will be determined by the merchant’s bank. For transactions processed offline or via Paper Merchant Vouchers, these settlement times do not apply.