What is an in-store payment?

In-store payments are also known as 'card present' payments. These types of payments are made in a face-to-face environment where the customer inserts, swipes or taps their credit or debit card on your EFTPOS terminal to complete the transaction.

Tips to help keep your EFTPOS terminal secure.

Take the following steps to help protect your payment facility and reduce the risk of an account data compromise.

What to do

When to do it

Who is responsible

Use a PCI DSS compliant terminal that is within its lifecycle (don't use an outdated terminal)

At set up, and annually thereafter.

Merchant/terminal provider.

Change default password of your EFTPOS terminal.

At set up.

Merchant.

Create a plan for when you detect unauthorised access.

At set up, and annually thereafter.

Merchant.

Keep your terminal secure outside of normal business hours by switching it off and locking it away in a safe place.

Daily.

Merchant.

Ensure only authorised people within your business know how to operate the terminal and have access to it.

Daily.

Merchant.

Inspect your terminal for signs of damage or tampering. Check cabling hasn't been tampered with, stickers haven't been removed or replaced and that there are no additional/unknown items or electronic equipment connected to the terminal.

Daily.

Merchant.

Ensure your EFTPOS terminal is up to date with the latest software and firmware.

When notification is received or within a month of release.

Terminal provider.

Establish an inventory control of your terminals. Keep a record of how many terminals are used by your business, their physical locations, software and firmware versions, serial numbers, model numbers and the details of your terminal provider.

Annually.

Merchant.

Conduct staff background check.

At the start of employment.

Merchant.

 

Develop an Incident Response Plan.

Annually.

Merchant.

 

Tips to help prevent card fraud.

Stolen or counterfeit cards

Be alert if the cardholder:

  • Makes an excuse for not having a PIN for their card (such as ‘it hasn’t been activated’, 'I’ve forgotten it’ or ‘I don’t know my PIN’) then asks you to key in the card number instead of swiping or inserting the physical card through your EFTPOS terminal. This may mean the cardholder has a counterfeit card and knows that processing a ‘card not present’ transaction through your terminal does not require a PIN.
  • Returns to make an additional purchase within a short time frame.
  • Makes purchases without regard to size, quality or price.
  • Doesn’t ask the usual questions related to high value goods.
  • Purchases large quantities of a particular item such as gift cards.
  • Admits it’s not their card being used.
  • Requests that the cost of the transaction be split across several cards.
  • Appears flustered or in a hurry.
  • Provides a card that doesn’t look genuine.
  • Attempts to exceed the contactless card limit by tapping their card multiple times.

It’s important to note these behaviours can have a perfectly reasonable explanation. For example, the customer may be a business owner that wants to reward a large team and therefore needs 150 gift cards. Or the customer may have forgotten to buy their family member a birthday present and is running late for the party. However, these behaviours may also be a sign that the customer is trying to commit fraud.

If you have concerns with the purchase, you have the right to refuse to provide the goods or services. If you have already processed the transaction, you can contact Merchant Assist for help.

How to help protect against stolen or counterfeit card fraud

  • Ensure the cardholder authorises the card transaction by using a PIN when a card is swiped or inserted.
  • Don’t split the transaction across cards.
  • Don’t accept cards that don’t appear genuine.

Refund fraud

Be alert to these requests:

  • Claims to have overpaid by mistake and requests a partial refund (this is a common card fraud in charities).
  • Asks for the amount to be refunded to a different card or payment method such as a cash refund or transfer to a bank account.
  • Tries to get a refund for a product bought at a different store and then asks for the amount to be refunded to a different card or payment method (targeting large businesses with multiple store locations).
  • Uses pressure tactics to get the refund quickly.

How to help protect against refund fraud:

  • Ensure refunds are processed to the original card used for the transaction.
  • Don’t refund money to new cards, Western Union, international money transfers or bank accounts.
  • Have a refund policy in place.
  • Read our refund fraud article.

Employee fraud

It’s important to know that your business is financially responsible for all card fraud, whether this is carried out by an employee, a cardholder or both in collusion.

Employee refund fraud

  • A common type of fraud involves employees issuing refunds to their own account.
  • To avoid detection, they may create a large debit transaction on a fraudulent card and refund it to their own card.
  • It’s likely to take weeks, even months, before the fraud is detected. 

How to help protect against employee fraud

  • Follow the tips for keeping your EFTPOS terminal secure.
  • If you apply for a refund function on your terminal, ensure that only authorised people within the business know how to use it.
  • Store your refund card securely.
  • If your refund function is operated by a PIN or password, ensure only authorised staff members have access.
  • Closely monitor all refunds. Check that all refunds and corresponding debits relate to the same card number. Particular attention should be paid to large refunds.
  • Have a separate authoriser of refunds in addition to the person who physically processes a refund.
  • Ensure all refunds have appropriate documentation of customer information (name and contact details) and reason for return or dispute.
  • Match refunds to returned or disputed goods or services and verify with the customer that goods or services were returned or disputed.
  • Send all refund transactions to a central office for review.
  • Fully investigate refunds without matching sales.

General best practice tips to help prevent card fraud

  • Reconcile your transactions daily rather than monthly.
  • Establish a policy of manager approval or peer review of bank statements to identify suspicious activity.
  • Conduct regular internal audits at random times and intervals.
  • Audit bookkeeping and accounting processes quarterly.
  • Limit employee access to sensitive data and payment systems.
  • Never process transactions on behalf of another merchant or company.
  • If you need to store cardholder data for a legal reason, make sure you meet Payment Card Industry Data Security Standards (PCI DSS) requirements.

Report suspicious transactions

If you suspect a suspicious transaction has been made through your merchant facility, contact Merchant Assist.

What's the difference between an account data compromise (ADC) and card fraud?

An ADC is when an unauthorised person gains access to your business environment or payment facility to steal valuable information (like card payment data) with the intention to commit fraud. Card fraud is when stolen card payment data is used to make a fraudulent transaction.

Get in touch.

New customers

Call the Westpac Merchant Services team on 0800 888 066 (option 1), weekdays from 8:30am to 5pm, or email  merchant@westpac.co.nz

Existing customers

Contact your Westpac Relationship Manager, or contact our Merchant Services team on 0800 888 066 (option 2), weekdays from 8.30am to 5pm, or email merchant@westpac.co.nz

0800 888 066

  • Option 1. New or additional merchant facilities, or to change ownership of an existing facility.
  • Option 2. General enquiries on your existing merchant facility including suspicious transactions.
  • Option 3. Westpac Get Paid on-the-go or Westpac Get Paid in-store technical support.
  • Option 4. Westpac Get Paid online technical support.
  • Option 5. Terminal faults that aren't related to Westpac Get Paid.

Things you should know.

The information on this page is intended as a guide only. We make no warranty or representation, express or implied, regarding the accuracy of any information, statement or advice contained on this page. We recommend you seek independent advice before acting or relying on any of the information on this page. All opinions, statements and analysis expressed are based on information current at the time of writing from sources which Westpac believes to be authentic and reliable. Westpac issues no invitation to anyone to rely on this material.

Links to other sites are provided for convenience only and Westpac accepts no responsibility for the availability or content of such websites.