What is a MOTO payment?

MOTO payments are also known as 'card not present' payments because your customer does not need to be physically in store to make the payment. They provide the required card details over the phone and the payment can then be processed using a virtual terminal or a physical terminal.

What is a physical terminal?

A physical terminal allows you to manually enter card details into your EFTPOS terminal. Most EFTPOS terminals have the capability to process card not present payments but this function needs to be approved and switched on by your bank.

What is a virtual terminal?

A virtual terminal is a secure online portal supplied by a payment gateway provider. The portal allows you to log in online securely and manually enter your customer's card details.

Westpac supports most major payment gateway providers including:

Tips to help keep your MOTO facility secure.

Take the following steps to help protect your payment facility and reduce the risk of an account data compromise.

| What to do | When to do it | Who is responsible? |
| --- | --- | --- |
| If you're using a physical terminal, ensure that it's PCI DSS compliant and within its lifecycle (don't use an outdated terminal). | At set up, and annually thereafter. | Merchant / Terminal provider. |
| If you're using a virtual terminal (online portal), ensure that it's PCI DSS compliant and does not record card numbers. | At set up, and annually thereafter. | Merchant / Gateway provider. |
| Check your terminal or gateway provider's compliance status by asking for their Certificate of Compliance (COC). This will provide the validation date and expiry date of their PCI DSS compliance. | At set up, and annually thereafter. | Merchant / Gateway provider / Terminal provider. |
| Ensure controls are in place to identify who has accessed your payment system and create a plan for when you detect unauthorised access. | At set up, and annually thereafter. | Merchant. |
| Create a unique user ID and password for each staff member that has access to your system. | At set up. | Merchant. |
| Change the default passwords on systems, applications and devices. | At set up. | Merchant. |
| Don't store any card information such as the cardholder PIN or card verification code (three digits on the back of the card). | Daily. | Merchant. |
| Only allow authorised staff to process MOTO payments. | Daily. | Merchant. |
| Establish a complex password policy*. If a user has attempted to log in unsuccessfully more than six times, lock their account and reset their password after 30 minutes. This will give you time to investigate whether they are an authorised user. | Passwords should be changed every 90 days. | Merchant. |
| Develop an Incident Response Plan. | Annually. | Merchant. |
| Conduct staff background checks. | At the start of employment. | Merchant. |
| Establish staff security awareness training. | At set up, and annually thereafter. | Merchant. |

*For example, passwords must be seven characters in length and contain a capital and lower-case letter, a number and a symbol.

Tips to help prevent card fraud & payment disputes (chargebacks).

Stolen or counterfeit cards

 Be alert if the cardholder: 

  • Makes purchases over the phone without regard to size, quality or price.
  • Doesn’t ask the usual questions related to high value goods.
  • Purchases large quantities of a particular item such as gift cards.
  • Provides unusual customer details (different delivery details to the card details or their name is different from the name on the credit card used for the purchase).
  • Makes larger than usual purchase orders.
  • Places orders consisting of several of the same items or big-ticket items.
  • Makes multiple orders for delivery to a single address.
  • Requests delivery of goods to a country you do not normally deal with.
  • Requests delivery of goods to a country where the goods would be readily available in the local market.
  • Pressurises you to deliver goods immediately, overnight or provides unusual delivery instructions.

It’s important to note these behaviours can have a perfectly reasonable explanation. For example, a rugby fan may decide to forgo the free delivery option for a new TV because that would cause the TV to arrive too late for the start of the game. However, these behaviours may also be a sign that the customer is trying to commit fraud. 

If you have concerns with the purchase, you have the right to refuse to provide the goods or services. If you have already processed the transaction, you can contact Merchant Assist for help.

Refund fraud

Be alert to these requests:

  • Claims to have overpaid by mistake and requests a partial refund (this is a common card fraud in charities).
  • Asks for the amount to be refunded to a different card or payment method.
  • Uses pressure tactics to get the refund quickly. 

How to help protect against refund fraud:

  • Ensure refunds are processed to the original card used for the transaction.
  • Don’t refund to new cards, Western Union, international money transfers or bank accounts.
  • Have a refund policy in place.
  • Read our refund fraud article.

Employee fraud warning signs

Employee fraud

It’s important to know that your business is financially responsible for all card fraud, whether this is carried out by an employee, a cardholder or both in collusion.

Employee refund fraud

  • A common type of fraud involves employees issuing refunds to their own account.
  • To avoid detection, they may create a large debit transaction on a fraudulent card and refund it to their own card.
  • It’s likely to take weeks, even months, before the fraud is detected. 

How to protect against employee fraud 

  • Closely monitor all refunds. Check that all refunds and corresponding debits relate to the same card number. Particular attention should be paid to large refunds.
  • Have a separate authoriser of refunds in addition to the person who physically processes a refund.
  • Ensure all refunds have appropriate documentation of customer information (name and contact details) and the reason for return or dispute.
  • Match refunds to returned or disputed goods or services and verify with the customers that goods or services were returned or disputed.
  • Send all refund transactions to a central office for review.
  • Fully investigate refunds without matching sales.
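
The refund checks listed above (same card as the original sale, a separate authoriser, attention to large refunds, a documented reason) can be run over a daily transaction export. The following is an added example, not Westpac's code; the record layout, the `card_ref` token field and the 500.00 review threshold are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

LARGE_REFUND = Decimal("500.00")  # assumed review threshold; the page gives no figure

# Constructed sample data. card_ref is a gateway token (assumed field), never a card number.
# Fields: id, type, card_ref, amount, processed_by, authorised_by, reason
TRANSACTIONS = [
    ("S1", "sale",   "tok_A",   "120.00", "amy", None,  None),
    ("R1", "refund", "tok_A",   "40.00",  "amy", "lee", "item returned"),
    ("S2", "sale",   "tok_X",   "900.00", "sam", None,  None),
    # Pattern described on the page: large debit on one card, refund to a different card.
    ("R2", "refund", "tok_EMP", "900.00", "sam", "sam", "customer dispute"),
    ("R3", "refund", "tok_A",   "100.00", "amy", "lee", "item returned"),
]


def review_refunds(transactions, large_refund=LARGE_REFUND):
    """Return {refund_id: [reasons]} for refunds that need investigation."""
    unrefunded = defaultdict(Decimal)  # sale value per card not yet refunded
    for _id, kind, card, amount, *_ in transactions:
        if kind == "sale":
            unrefunded[card] += Decimal(amount)

    findings = {}
    for tx_id, kind, card, amount, processed_by, authorised_by, reason in transactions:
        if kind != "refund":
            continue
        amount = Decimal(amount)
        reasons = []
        if card not in unrefunded:
            reasons.append("no matching sale on this card")
        elif amount > unrefunded[card]:
            reasons.append("refund exceeds sales on this card")
        else:
            unrefunded[card] -= amount  # consume the matched sale value
        if not authorised_by or authorised_by == processed_by:
            reasons.append("no separate authoriser")
        if amount >= large_refund:
            reasons.append("large refund")
        if not reason:
            reasons.append("missing refund reason")
        if reasons:
            findings[tx_id] = reasons
    return findings


if __name__ == "__main__":
    for refund_id, reasons in review_refunds(TRANSACTIONS).items():
        print(refund_id, "->", "; ".join(reasons))
```

Working from tokens rather than card numbers keeps the check consistent with the advice not to store card information.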

General best practice tips to help prevent card fraud

  • Reconcile your transactions daily rather than monthly.
  • Establish a policy of manager approval or peer review of bank statements to identify suspicious activity.
  • Conduct regular internal audits at random times and intervals.
  • Audit bookkeeping and accounting processes quarterly.
  • Limit employee access to sensitive data and payment systems.
  • Never process transactions on behalf of another merchant or company.

Report suspicious transactions

If you suspect a suspicious transaction has been made through your merchant facility, contact Merchant Assist.

Chargebacks

Learn more about chargebacks here.

What's the difference between an account data compromise (ADC) and card fraud?

An ADC is when an unauthorised person gains access to your business environment or payment facility to steal valuable information (like card payment data) with the intention to commit fraud. Card fraud is when stolen card payment data is used to make a fraudulent transaction.

Get in touch

New customers

Call the Westpac Merchant Services team on 0800 888 066 (option 1), weekdays from 8:30am to 5pm, or email merchant@westpac.co.nz

Existing customers

Contact your Westpac Relationship Manager, or contact our Merchant Services team on 0800 888 066 (option 2), weekdays from 8.30am to 5pm, or email merchant@westpac.co.nz

0800 888 066

  • Option 1. New or additional merchant facilities, or to change ownership of an existing facility.
  • Option 2. General enquiries on your existing merchant facility including suspicious transactions.
  • Option 3. Westpac Get Paid on-the-go or Westpac Get Paid in-store technical support.
  • Option 4. Westpac Get Paid online technical support.
  • Option 5. Terminal faults that aren't related to Westpac Get Paid.

Things you should know.

The information on this page is intended as a guide only. We make no warranty or representation, express or implied, regarding the accuracy of any information, statement or advice contained on this page. We recommend you seek independent advice before acting or relying on any of the information on this page. All opinions, statements and analysis expressed are based on information current at the time of writing from sources which Westpac believes to be authentic and reliable. Westpac issues no invitation to anyone to rely on this material.
