Protect your business from merchant fraud

Check the credit card to ensure it has:

• a name which matches the customers identity
• the card is currently valid (a card can only be used from the first day of the ‘valid from’ month to the last day of the ‘until end’ month)
• the hologram appears three-dimensional and isn’t suspicious or made of inferior material
• the card hasn’t been tampered with or damaged
• the magnetic stripe is smooth and free from signs of tampering
• the signature panel shows no signs of tampering
• the card has been signed
• the embossing should not be flattened (unless it is not an embossed card)
• the embossing should be clear and even.

If a card appears to be fraudulent, you should request an alternate form of payment. 

• The client’s signature on the transaction receipt should match the signature on the card, if signature authorisation is required.
• Credit cards should be signed on the signature panel in order to accept payment with a signature authorisation.
• If the signature panel on a card is blank, you should ask the cardholder for additional identification information, but not record it. If you are satisfied that the information you are given is true and correct, you should ask the cardholder to sign the card before accepting the transaction.
• Most card issuers now have chip enable technology, so the card should be entered into the reader in the first instance. If the client asks for the card number to be entered manually or to be processed via a swipe on the magnetic strip, caution should be taken.

• Check that the last four digits of the card number on the credit card match those details printed on the transaction receipt.
• Check that an approval number or approval code is printed on the transaction receipt.

Be alert for cardholders acting suspiciously who:

• appear nervous, overly talkative or in a hurry
• arrive at closing time
• try to rush you or disturb your concentration
• carry the card loose or by itself
• have no means of identification
• make numerous tap and go purchases
• ask for transactions to be split
• ask for transactions to be manually entered
• sign the transaction receipt slowly or unnaturally.

Other potential areas that could present a fraud risk include the following:   

Refunds

• A common type of fraud involves employees issuing credits (refunds) to their own account via your terminal. To guard against this type of fraud, we recommend you closely monitor all refunds, checking that all refunds correspond to a legitimate sale and are refunded back to the original purchase card.
• Your merchant terminals will have a refund pin. We suggest resetting the default pin this as soon as you receive the terminal and store this safetly with a limited number of people authorised to use it. 

Offline transactions

• Offline transactions are transactions that are processed when the terminal is offline. An offline transaction may occur due to a technical issue where the terminal cannot connect with the bank. Offline transactions are processed later than would normally be the case due to this malfunction. An offline transaction is easy to identify as the transaction receipt has the word ‘offline’ printed on it.
• Repeated offline transactions are uncommon and if this occurs you should seek advice by calling the Merchant Support Team on 1800 183 879.

To further protect your business against fraud:

• only process refunds to the same credit card used in the original transaction
• don’t transfer cash to a bank account as a refund for a card payment
• don’t let anyone service, remove or install your terminal(s) without first providing proper identification and never reveal any passwords. If you are concerned with the identity of a technician, please contact the Merchant Support Team on 1800 183 879
• keep passwords and pin numbers secured
• don’t allow equipment to be used by unauthorised persons
• store all equipment and transaction records in a safe, secure environment and do not divulge cardholder information (e.g. card numbers). Please note you must also comply with all data security standards as noted in the Macquarie Merchant Services Terms and Conditions
• if your terminal is stolen, lost or misuse, contact your relationship manager or call us on 1800 183 879 for assistance.

Finally, always put the safety of you and your staff first.

When accepting a card not present order, you need to obtain:

• the credit card number
• Card validation code (CVC) number
• name of the bank
• expiry date
• full name, address, and contact number of the cardholder (including landline contacts).

Other ways you can minimise fraud include:

• refuse to proceed with an order if the authorisation has been declined
• refuse to split a transaction after authorisation has been declined.

If you believe you’re processing a fraudulent transaction, track and note the details of the order to prevent repeat occurrence, including by tracking IP or email addresses.

For card not present transactions, you must instruct the cardholder to locate and quote the CVC which is the three digits on the signature panel of their card. For American Express cards, this authorisation number is four digits and printed on the face of the card.

If you experience the below, you may be processing a suspicious transaction:

• multiple cards are presented with multiple declines within a short time span 
• multiple cards being used which may appear to be sequential with only the last four digits changing
• orders are from internet addresses using free email services
• orders are placed where the client states or admits the card they’re using isn’t theirs
• orders are cancelled, and a refund is requested to be made to a different account than the one used to place the order
• orders are placed to be collected in person at a later date. You should sight the card upon collection of the purchase.

When accepting mail order sales, you’re responsible for the handling and retention of the customer’s details and all privacy and confidentiality matters which may occur with the sale.

To ensure credit card details remain confidential, you must provide an appropriate envelope or instruct your clients to place their order coupons/ application forms in sealed envelopes.

Please note there are high risks involved with card-less transactions. Disputes may occur because substantial card security and validation checks weren’t conducted.

If you’re suspicious, we recommend asking the customer to provide an alternative method of payment. It’s your responsibility to confirm the customer is the authorised cardholder.

Ensure that any goods purchased online, over the phone or via post are dispatched immediately to the cardholder after processing the order. This will help reduce the potential for the transaction being disputed due to non-receipt of goods.

If your business doesn’t usually service foreign customers, use caution when shipping goods to an address outside of Australia. Requests for goods to be shipped internationally are commonly associated with fraud.

If you’re dealing with a new customer, or receive a significantly large order, we also recommend processing this order with caution.

You should establish a fair policy for dealing with refunds and disputes about transactions (in accordance with any guidelines or instructions as required by the card schemes).

You should provide a customer with their transaction receipt immediately after completing the order in accordance with the relevant Department of Fair-Trading regulations (applicable to your state).

You should always keep records of card-less transactions in addition to what’s recorded on the transaction receipt which include the following:

• cardholder’s name (as it appears on the card)
• cardholder’s address (not a GPO Box)
• type of card
• a truncated version of the card number and card valid
• from/to dates
• authorised dollar amount to be debited
• contact telephone number
• details of goods or services required
• transaction date.

We recommend taking the time to properly investigate international orders, and orders from customers who you haven’t previously done business with.

If you suspect your website has become a target for fraud, we recommend closing your site for a short period of time to conduct an investigation and ascertain where the fraud is coming from.

You should also discuss additional security measures with your service provider or IT expert, to ensure your site is secure.

You’re required to immediately notify the Merchant Support Team on 1800 183 879 if an unauthorised entity has accessed or retrieved transaction data. This allows procedures to be implemented immediately to reduce the usage of compromised data, protecting your clients, and reducing the potential financial loss for you and others.