
Merchant security

Fraud minimisation

Fraud is a growing problem for many merchants and can have a substantial financial impact on businesses. Criminals may use cards illegally to make unauthorised purchases at your business.

It's important to be aware that an 'approved transaction' doesn't necessarily mean that the transaction is legitimate; it just means there were sufficient funds in the account.

As a business owner, you face various risks when accepting payments, especially hand keyed transactions.

Hand keyed transactions

A hand keyed transaction usually occurs when the purchaser isn't physically present at the time of purchase. However, it can happen with in-person transactions if you allow an unauthorised person to hand key a credit card number. 

Some common indicators of fraud to look out for are:

Payments to a 3rd Party: This is when a customer offers surplus funds to cover the cost of a fake 3rd party, such as a freight or logistics courier. The expectation is that the merchant will forward these funds (often via Western Union or bank account details) on behalf of the customer. This way the customer can obtain funds from the stolen card data by channelling it via a merchant’s facility.

Multiple card details: When a customer offers multiple card details or has multiple declines occur within a short period of time.

High risk locations: Extreme caution should be used when sending goods to, or dealing with customers in, the following locations, which are generally considered to be high risk: Ghana, Nigeria, Ivory Coast (Western Africa in general), as well as Indonesia and Singapore.

Online merchants

If you have an online facility:

  • Make sure your website has online security tools such as Verified by Visa and MasterCard SecureCode®. If you don’t have these tools active on your site, you can contact us to ask how to activate them.
  • Your website must capture the Card Verification Value, which is the 3 digit security code found on the back of credit cards. This may assist with reducing chargebacks as it helps to ensure that the card is not fraudulent.
  • Establish your own database to store details such as names, addresses, phone numbers, email and IP addresses that have been used in known fraud transactions. Also keep a database of particular locations, such as suburbs and street names, which attract a high rate of fraud.

If you have an online store and use a 3rd party payment gateway provider, contact them for more fraud prevention measures.
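The indicators above (multiple cards or multiple declines from one customer in a short period, a locally kept database of details used in known fraud transactions, and capturing the CVV) can be enforced by the merchant's own order-screening step before goods are shipped. The following is an added example written for this page; it is not ANZ code or part of any ANZ product, and the class name, thresholds, field names and sample attempts are all constructed for illustration. It also shows the point made earlier on the page: an approved transaction can still be flagged.

```python
"""Rule-based fraud screen for an online checkout.

Added example, not ANZ's code or part of any ANZ product. It implements the
indicators described on this page as checks a merchant's own system could run
before shipping: a locally maintained list of details seen in known fraud
transactions, a velocity rule for multiple declines or multiple cards from one
customer within a short window, and a check that the CVV was captured.
Names, thresholds and the sample attempts below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    """One payment attempt as the checkout sees it (constructed field set)."""
    ts: datetime
    email: str
    ip: str
    card_token: str      # gateway token or last-4 digits only; the full card number is never stored
    cvv_present: bool    # whether the 3-digit security code was supplied with the order
    approved: bool       # the acquirer's response; approved does not mean legitimate


class FraudScreen:
    """Screens attempts against known-fraud lists and decline/multi-card velocity."""

    def __init__(self, window=timedelta(minutes=30), max_declines=2, max_cards=2):
        self.window = window              # how far back the velocity rules look
        self.max_declines = max_declines  # declines in the window that trigger a flag
        self.max_cards = max_cards        # distinct cards in the window allowed before flagging
        # the merchant's own database of details used in known fraud transactions
        self.known_fraud = {"email": set(), "ip": set(), "phone": set(), "suburb": set()}
        self.history = []                 # attempts already recorded, oldest first

    def add_known_fraud(self, kind, value):
        """Record a detail (email, ip, phone or suburb) seen in a confirmed fraud."""
        self.known_fraud[kind].add(value.strip().lower())

    def record(self, attempt):
        self.history.append(attempt)

    def assess(self, attempt, phone="", suburb=""):
        """Return the list of fraud indicators raised for this attempt (empty if none)."""
        flags = []
        for kind, value in (("email", attempt.email), ("ip", attempt.ip),
                            ("phone", phone), ("suburb", suburb)):
            if value and value.strip().lower() in self.known_fraud[kind]:
                flags.append(f"{kind} matches known-fraud list")
        if not attempt.cvv_present:
            flags.append("CVV not captured")
        # Velocity: earlier attempts by the same customer (same email or IP) inside the window.
        recent = [a for a in self.history
                  if (a.email == attempt.email or a.ip == attempt.ip)
                  and timedelta(0) <= attempt.ts - a.ts <= self.window]
        minutes = int(self.window.total_seconds() // 60)
        declines = sum(1 for a in recent if not a.approved)
        if declines >= self.max_declines:
            flags.append(f"{declines} declines within {minutes} minutes")
        cards = {a.card_token for a in recent} | {attempt.card_token}
        if len(cards) > self.max_cards:
            flags.append(f"{len(cards)} different cards within {minutes} minutes")
        return flags


def demo():
    """Constructed walk-through; returns the flags raised for each assessed attempt."""
    t0 = datetime(2017, 5, 8, 10, 0)
    screen = FraudScreen()
    screen.add_known_fraud("email", "mule@example.net")   # constructed list entries
    screen.add_known_fraud("ip", "198.51.100.23")
    results = {}
    # Same shopper tries three different cards in eight minutes; the first two decline.
    a1 = Attempt(t0, "shopper@example.com", "203.0.113.7", "tok_A", True, False)
    results["first_decline"] = screen.assess(a1)
    screen.record(a1)
    a2 = Attempt(t0 + timedelta(minutes=5), "shopper@example.com", "203.0.113.7", "tok_B", True, False)
    results["second_card_declined"] = screen.assess(a2)
    screen.record(a2)
    a3 = Attempt(t0 + timedelta(minutes=8), "shopper@example.com", "203.0.113.7", "tok_C", True, True)
    results["third_card_approved"] = screen.assess(a3)   # approved, yet flagged on velocity
    screen.record(a3)
    # Later order from an email already on the known-fraud list, with no CVV supplied.
    a4 = Attempt(t0 + timedelta(hours=2), "mule@example.net", "192.0.2.44", "tok_D", False, True)
    results["known_email_no_cvv"] = screen.assess(a4)
    screen.record(a4)
    return results


if __name__ == "__main__":
    for label, flags in demo().items():
        print(label, "->", flags or "no indicators")
```

An order that raises any indicator is held for manual review rather than shipped, which matches the page's advice to contact merchant support before shipping even when the transaction has been approved. The screen deliberately stores only a gateway token or last-4 digits per attempt, since retaining full card numbers in a merchant's own database brings that database into PCI DSS scope.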

Other common merchant risks

External refund fraud

  • An external fraudster may make an order/booking with a merchant with compromised card data. After cancelling the order/booking, they will request a refund to a different card or payment channel (e.g. bank transfer, cash etc.). This other card or payment channel will be the fraudster's own.
  • To protect yourself against external refund fraud, always refund to the card on which the initial sale was made.

Internal refund fraud

  • When internal staff members process refunds onto their personal card out of the merchant’s settlement account.
  • To protect yourself against internal refund fraud, ensure only authorised staff members have access to the merchant cards at all times.

Invalid payment processing

  • Where a business with a valid merchant facility accepts transactions on behalf of another business.
  • This is considered a serious breach of ANZ Merchant Terms and Conditions and is a risky practice that exposes your business to significant loss. 

How to minimise fraudulent transactions

  • Avoid hand keying transactions where the cardholder can't be verified as this shifts the financial liability to the merchant if the transaction is disputed for fraud.
  • Check the appearance of the card for things like damage or alteration.
  • Ensure the transaction has been PIN entered or signature verified by confirming the signature panel of the card.
  • Be alert to customers who appear nervous, unable to identify themselves or ask for the transaction to be split or hand keyed.
  • If you need to hand key a transaction when the card is present, ensure this is done by an authorised person.

Refer to the 'Fraud Minimisation, Data Security & Chargeback Guide' for further information to assist you in identifying and minimising fraud and chargebacks to protect your business.

Fraud Minimisation, Data Security & Chargeback Guide (PDF 300kB)

Securing your EFTPOS machine

Fraud and misuse of credit or debit card information is a growing problem for many merchants globally. The loss of customer card data and subsequent misuse may undermine consumer confidence and potentially reduce card usage at your business.

As part of ANZ’s ongoing commitment to providing the most up-to-date information on EFTPOS machine and cardholder data security, a list of best practices for protecting your machine and your customers' information is below.

Your ANZ EFTPOS machine is equipped with a number of in-built innovative security features which are designed to protect your customers’ information. By implementing the recommendations below, you can help protect your business, your customers and your reputation from credit and debit card fraud or misuse.

Protect your EFTPOS machine

  • Always ensure that machines are secure and under supervision during operating hours (including any spare or replacement EFTPOS machines you have).
  • Ensure that only authorised employees have access to your EFTPOS machine and are fully trained on their use.
  • When closing your store or kiosk, always ensure that your EFTPOS machines are securely locked and not exposed to unauthorised access.
  • Never allow your EFTPOS machine to be maintained, swapped or removed without advance notice from ANZ - be aware of unannounced service visits.
  • Only allow authorised ANZ personnel to maintain, swap or remove your EFTPOS machine, and always ensure that security identification is provided.
  • Inspect your EFTPOS machines on a regular basis to ensure that the machine casing is whole with external security stickers remaining unbroken and of a high print quality.
  • Ensure that there are no additional cables running from your EFTPOS machine.
  • Make sure that any CCTV or other security cameras located near your EFTPOS machine(s) can't observe cardholders entering details.

Report suspicious behaviour

Notify merchant support anytime on 1800 039 025 immediately if:

  • Your EFTPOS machine is missing
  • You, or any member of your staff, is approached to perform maintenance, swap or remove your EFTPOS machine without prior notification from ANZ and/or Security Identification is not provided
  • Your EFTPOS machine prints incorrect receipts or has incorrect details
  • Your EFTPOS machine is damaged or appears to be tampered with
  • You notice any other unusual or suspicious circumstances or behaviour.

Support tools

Safeguard against skimming (PDF 1.24 MB)

Securing your EFTPOS Terminal (PDF 61kb)

ANZ Merchant Services Terminal Security (PDF 103kb)

Terminal checklist sticker (PDF 140kB)

Terminal record form (PDF 128kb)

Data security and PCI DSS

Protecting cardholder data is important to you and your customers. If you don't protect payment card data you can be subject to attacks from fraudsters, not to mention the risk of damage to your brand and reputation.

If you want to accept payments via payment cards such as credit cards then you need to understand and comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to all merchants that store, process and/or transmit Payment Card Data.

PCI DSS Compliance is your responsibility. Complying with PCI DSS forms part of your Merchant Agreement.

Read the full set of PCI DSS requirements:

Data Security Standard: Requirements and Security Assessment Procedures (PDF 1.52MB)

Where do I start?

PCI DSS consists of 6 core principles which are accompanied by 12 requirements. Becoming PCI DSS compliant means that you can show that you have addressed all of the elements that apply to you.

ANZ recommends that you engage a Qualified Security Assessor (QSA) to assist you in meeting the obligations prescribed by PCI Security Standards Council. We also recommend that you engage service providers that are listed on the Visa and MasterCard Service Provider lists. 

PCI DSS compliance

The 6 core principles and the 12 PCI DSS requirements that accompany them:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored data by using methods such as lock and key, data masking or data encryption
  4. Encrypt transmission of cardholder data & sensitive information across public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to data on a need to know basis
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Guidelines for securing cardholder data for your eCommerce website

Security across merchant websites is typically not considered by merchants or is considered to be too expensive to install. Merchants should be aware that the risk of stolen card data may ruin their business's reputation, therefore security should be a priority. The 'Guidelines for Securing Cardholder Data for your eCommerce Website' explains:

  • The available options for installing and using a PCI DSS compliant payment gateway.
  • Which of the available integration options outsource the security and the risk.

Guidelines for Securing Cardholder Data for your eCommerce Website (PDF 1.02MB)

Extra resources

The PCI Security Standards Council

The PCI Security Standards Council produces some excellent resources for merchants in relation to PCI DSS.
Payment Security Educational Resources

ANZ Fraud and Security Email Bulletins

From time to time ANZ will send important information to help you protect your business against fraud.
Fraud and Security Email Bulletin (8 May 2017) (PDF 44kB)

Information and resources

Get smart about fraud online

APCA (Australian Payments Clearing Association), with the support of the Australian Crime Commission and the Australian Federal Police, has developed Get Smart About Card Fraud Online - a convenient and free source of facts, tips and video case studies that can help you to be more informed about the risks of online card fraud. It also outlines steps you can take to prevent impacts to your business. For more information, go to APCA's Get Smart About Card Fraud Online.

More information

If you are suspicious of either the purchaser or transaction, contact merchant support before shipping the goods or providing the services, even if the transaction has been authorised or approved.

For more information on merchant security and fraud minimisation, contact us on 1800 039 025. We're available 24 hours a day, 7 days a week.

Visit the following websites for more information:

Remember: Your security comes first – don't take any chances.

Keep current on different fraud types and scenarios that can affect your business by visiting Scam Watch or Stay Smart Online.

Need to speak to someone?

1800 039 025

We're available 24/7

Any advice does not take into account your personal needs and financial circumstances and you should consider whether it is appropriate for you.

ANZ recommends you read the applicable Terms and Conditions and the ANZ Financial Services Guide (PDF 334kB) before acquiring the product.