Fraud prevention and security (2024)


Suspect a transaction is fraudulent?

Call our customer support team immediately.


Understanding fraud prevention

Every business needs to be aware of, and prepared for, fraud. From chargebacks to funds transfer fraud, it’s important for merchants to refresh their knowledge.

Here are eleven ways to help you stay on the front foot and to minimise the risk of fraud.

Understand chargebacks

The chargeback framework provides a process for cardholders to dispute transactions processed by merchants, most commonly because their card was used without their consent or the merchant didn’t provide the goods and services the cardholder expected.

There are two main types of chargeback: fraud chargebacks and non-fraud chargebacks.

Fraud chargebacks occur where the cardholder claims that their card was used without their consent. The merchant must then prove the cardholder, and not another person in possession of the card or card details, initiated and completed the transaction.

Non-fraud chargebacks happen where the cardholder claims that the merchant did not provide goods and services as described. The merchant must then prove the goods and/or services were provided in accordance with the agreement between the two parties.

For eCommerce merchants, it is particularly important to ensure that Tyro website requirements are met and that all appropriate information is made available to cardholders when they make payments. Further information on Tyro website requirements can be found here.

Chargebacks are managed in accordance with the regulations set by each card scheme, for example Mastercard and Visa, and they make the ultimate determination of financial liability. Where the regulations permit, Tyro will take steps to defend chargebacks and seek to shift liability from our merchant to the cardholder.

Refer to Tyro’s chargebacks guide for more information.

Know the meaning of authorisation

The authorisation process undertaken by an EFTPOS machine or eCommerce solution confirms that the card used in the payment transaction has not been blocked by the card issuer and has sufficient funds to cover the transaction value.

Authorisation may return an “approval”, however this does not mean that the card is being used by the genuine cardholder, and this is an important consideration when processing Mail Order/Telephone Order (MOTO) and eCommerce transactions. Chargebacks may still be received, even when authorisation/approval is provided.

Never refund to another card or payment method

When providing refunds, only refund to the card used in the corresponding payment transaction, and never refund more than the value of the corresponding sale.

If a merchant processes a payment on a card and then refunds to a different card or by another payment method such as a bank transfer, the different card or other payment destination has immediate access to the funds and a chargeback may be received against the card used in the corresponding payment transaction, leaving the merchant out-of-pocket.

Before refunding card-present transactions, always check the value of the transaction on the EFTPOS paper receipt and never refund to a value above this amount.
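The refund rules above, as an added example that is not part of the original guidance: a small check that only allows a refund back to the card used for the sale and never lets the running total of refunds exceed the receipt value (the tokenised card references and sale values are constructed).

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass
class Sale:
    """A card sale, keyed by a tokenised card reference (constructed data)."""
    sale_id: str
    card_token: str                      # token for the card used in the original payment
    amount: Decimal                      # value shown on the EFTPOS receipt
    refunded: Decimal = Decimal("0")     # total already refunded against this sale


class RefundRejected(Exception):
    """Raised when a refund request breaks one of the rules in the text."""


def check_refund(sale: Sale, method: str, card_token: Optional[str], amount: Decimal) -> Decimal:
    """Validate a refund against the original sale and return the balance left after it.

    Rules: refund by card only (no cash or bank transfer), to the same card as the
    original sale, for a positive amount, and the running total of refunds may
    never exceed the value of the original sale.
    """
    if method != "card":
        raise RefundRejected(f"refund by {method!r} not allowed; refund to the original card")
    if card_token != sale.card_token:
        raise RefundRejected("refund destination is not the card used for the sale")
    if amount <= 0:
        raise RefundRejected("refund amount must be positive")
    remaining = sale.amount - sale.refunded
    if amount > remaining:
        raise RefundRejected(f"refund {amount} exceeds refundable balance {remaining}")
    return remaining - amount


def apply_refund(sale: Sale, method: str, card_token: Optional[str], amount: Decimal) -> Decimal:
    """Record the refund on the sale once it passes every check."""
    remaining = check_refund(sale, method, card_token, amount)
    sale.refunded += amount
    return remaining


def run_demo() -> dict:
    """Walk one sale through a valid partial refund and three refunds that must be refused."""
    sale = Sale("S-1001", "tok_card_A", Decimal("120.00"))
    remaining = apply_refund(sale, "card", "tok_card_A", Decimal("50.00"))
    rejections = []
    attempts = [
        ("card", "tok_card_B", Decimal("10.00")),      # a different card
        ("bank_transfer", None, Decimal("10.00")),     # not a card refund at all
        ("card", "tok_card_A", Decimal("80.00")),      # exceeds the 70.00 still refundable
    ]
    for method, token, amount in attempts:
        try:
            apply_refund(sale, method, token, amount)
        except RefundRejected as exc:
            rejections.append(str(exc))
    return {"remaining_after_first": str(remaining), "rejections": rejections,
            "total_refunded": str(sale.refunded)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```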

FRAUD TREND ALERT: Cash Refunds

There has been an increase in fraudsters pressuring merchants for cash refunds, as well as refunds onto a different card than the one used to make the corresponding payment. It’s important to be vigilant and we encourage you to insist on refunding to the card from which the corresponding payment was made.

Protect payment card data at all times and avoid ADC events

An Account Data Compromise (ADC) event occurs when a third party gains unauthorised access to card data held in a physical and/or electronic form. This stolen card data may then be used to commit fraud.

ADC events can be detected in different ways, with the most common way being via a Common Point of Purchase (CPP) event. A CPP occurs when card issuers detect abnormal levels of fraud activity on their cards and triangulate this fraud to a common identifier, for example a specific merchant facility.

ADC events have broad-ranging impacts on the compromised merchant, cardholders, acquirers, and card issuers, and damage the brand and integrity of the card payments ecosystem. Depending on the nature and extent of the ADC, the card schemes may require a forensic investigation to identify the cause of the compromise and the amount of card data that has been placed at risk. Once an ADC event has been contained, Tyro will prescribe the steps the merchant must take to achieve Payment Card Industry Data Security Standard (PCI DSS) compliance and/or allow card processing to recommence. This may include compliance validation by a Qualified Security Assessor (QSA).

The PCI DSS applies to any entity that accepts or processes payment cards, which importantly includes merchants and their chosen service providers. It is described as the global standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data.

Larger transacting merchants are required to validate compliance with the PCI DSS on a periodical basis. However, all merchants should take steps to protect card data by ensuring that their systems and those of their service providers, including eCommerce shopping carts, are regularly reviewed for malware and unauthorised access, patched, and virus protected to maintain the integrity of card data being stored, processed, and transmitted. Merchants should avoid storage, processing, and transmission of card data wherever possible.

Use of a Hosted Payment Page (HPP) provided by a PCI DSS compliant payment gateway reduces the merchant's PCI DSS scope, but it does not eliminate all security threats.

Read more information on the PCI DSS.

FRAUD TREND ALERT: Compromised Data

Fraudsters are targeting eCommerce shopping carts as a means to capture card data and use it to commit fraud. Merchants should ensure that shopping carts are kept patched, and that their systems environments are regularly reviewed for malware and unauthorised access and protected by anti-virus software.

Never process payments for others

If a merchant processes payments on behalf of a third party, the merchant wears the liability for those transactions. This might include chargebacks and financial penalties that result from fraud, non-delivery of goods/services, or compliance breaches relating to the sale of illegal goods or engagement in financial crimes.

Avoid funds transfer fraud

Never increase the value of a payment transaction to cover monies owed by a cardholder to an unknown third party such as a courier service, and never make payments to these third parties via money or bank transfers.

Fraudsters use Funds Transfer Fraud as a mechanism to extract cash from merchants, generally by placing larger value orders over the phone. This often results in monies being transferred to (say) a courier engaged in the fraudulent activity, and a fraud chargeback being received because the card used in the payment transaction was stolen.

FRAUD TREND ALERT: Funds Transfer Fraud

There has been a notable increase in fraudsters targeting restaurants, cafes, event managers, pharmacies, and motor mechanics with this fraud method. If you’re asked to inflate the value of a transaction to cover a third-party payment for a courier, florist, caterer, wedding planner, musician, celebrant, vehicle transporter, etc. and if this is an add-on cost to a higher value Mail Order Telephone Order (MOTO) transaction, then please be aware that this may be a scam.

Avoid authentication by-pass techniques

EFTPOS machines have security features to protect merchants from fraud. To benefit from these security features, always tap or dip the card and refrain from using MOTO functionality when the cardholder is present.

If a card fails to be read by the EFTPOS machine when tapped or dipped, request a different card from the cardholder.

A magnetic stripe transaction should only be processed when directed by the EFTPOS machine. Please ensure the card looks genuine and is being correctly tapped or dipped into the EFTPOS machine before allowing use of the magnetic stripe, as the cardholder may be seeking to by-pass authentication provided by contactless and dipped transactions.

Note that transactions should never be split into smaller amounts, especially when this is requested by the cardholder, as this may result in chargebacks.

Safeguard your EFTPOS machine

When merchants dip the card and ask the cardholder to key their PIN, they should maintain focus on the EFTPOS machine at all times and never allow the cardholder to operate the EFTPOS machine when unattended. This will prevent the cardholder from cancelling the authenticated chip transaction, engaging the MOTO functionality on the EFTPOS machine if this is enabled, and processing a card-not-present transaction that leaves the merchant vulnerable to fraud chargebacks.

When unattended, specifically out of business hours, ensure the EFTPOS machine is stored safely to avoid theft and manipulation and check the EFTPOS machine each day for any signs of tampering.

FRAUD TREND ALERT: EFTPOS Machine Manipulation

There is evidence of fraudsters pretending to tap their Smartphone on the EFTPOS machine to give the impression that they are performing a contactless transaction, whilst pressing buttons on the EFTPOS machine to activate MOTO and hand-key the transaction. It’s important for merchants to maintain control of their EFTPOS machine at all times and avoid being distracted when cardholders are asked to key their PIN. If you have Mail Order Telephone Order (MOTO) enabled on your merchant facility and would like to have this functionality removed, please contact Tyro Customer Support on 1300 108 976.

Know the risks of Mail Order/Telephone Order (MOTO) hand-keyed transactions

MOTO transactions are riskier than card-present transactions and are more likely to result in a chargeback. In the event of a chargeback, it is the merchant’s responsibility to prove that the actual cardholder (and not a fraudster in possession of the card details) initiated and completed the transaction, meaning that the risk of MOTO transactions resides with the merchant, not Bendigo Bank, Tyro or the cardholder.

MOTO transactions should only be processed when the value of the transaction sits within the merchant’s risk appetite for loss. It is often said that if a purchase (or sequence of purchases) seems too good to be true, then it probably is, and caution should be taken before shipping goods or providing services. MOTO payments should never be processed when the cardholder is present, because this bypasses the security features provided by the EFTPOS machine.

If a merchant has MOTO enabled on their merchant facility and would like to have this functionality removed, they should contact Tyro Customer Support on 1300 108 976.

Know the risks of eCommerce transactions

eCommerce transactions are riskier than card-present transactions and are more likely to result in a chargeback. In the event of a chargeback, it is the merchant’s responsibility to prove that the actual cardholder (and not a fraudster in possession of the card details) initiated and completed the transaction, meaning that the risk of eCommerce transactions resides with the merchant, not Bendigo Bank, Tyro or the cardholder.

eCommerce transactions should only be processed when the value of the transaction sits within the merchant’s risk appetite for loss. It is often said that if a purchase (or sequence of purchases) seems too good to be true, then it probably is, and caution should be taken before shipping goods or providing services.

Fraud can occur in many different ways and there is no silver bullet when it comes to fraud prevention. That said, merchants should apply caution when processing:

  • Unusually high-value orders
  • Multiple transactions on the same card to different shipping addresses, or the use of multiple cards with the same shipping address
  • Multiple different cards originating from the same email address or IP address
  • Multiple transactions on the same card in a short time period, especially for large value items
  • Orders with different billing and shipping addresses, especially for large value items
  • Bulk orders, especially for high-value goods or infrequently purchased high-quality items
  • Orders with unusual addresses or addresses that can’t be verified
  • Orders requiring expedited shipping, particularly for large value items or duplicate items
  • Orders from higher risk jurisdictions, especially where the goods being sold are commonly available in that jurisdiction
  • Refunds when the cardholder requests the refund to a different card or cards
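As an added example (not from the original guidance), a batch screen over constructed orders that raises the indicators in the list above; the thresholds, the `address_verified` field and the placeholder country code "ZZ" are assumptions a merchant would set for itself.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Order:
    """One eCommerce order (constructed fields; card is a tokenised reference)."""
    order_id: str
    placed_at: datetime
    card: str
    email: str
    ip: str
    billing: str
    shipping: str
    amount: float
    quantity: int
    expedited: bool = False
    country: str = "AU"
    address_verified: bool = True   # outcome of an address-verification step, assumed to exist


@dataclass(frozen=True)
class Thresholds:
    """Tuning knobs; these values are assumptions a merchant sets to its own risk appetite."""
    large_value: float = 1000.0
    bulk_quantity: int = 10
    velocity_window: timedelta = timedelta(hours=1)
    velocity_max: int = 3
    high_risk_countries: frozenset = frozenset({"ZZ"})   # "ZZ" is a placeholder, not a real country


def screen_orders(orders, t=Thresholds()):
    """Return {order_id: sorted indicator names} for a batch of orders.

    Cross-order indicators (one card to several addresses, several cards from one
    email/IP/address, velocity on one card) are computed over the whole batch, so
    each order is judged against the others around it rather than in isolation.
    """
    ships_by_card, cards_by_email, cards_by_ip, cards_by_ship = (defaultdict(set) for _ in range(4))
    times_by_card = defaultdict(list)
    for o in orders:
        ships_by_card[o.card].add(o.shipping)
        cards_by_email[o.email].add(o.card)
        cards_by_ip[o.ip].add(o.card)
        cards_by_ship[o.shipping].add(o.card)
        times_by_card[o.card].append(o.placed_at)

    result = {}
    for o in orders:
        flags = []
        large = o.amount >= t.large_value
        if large:
            flags.append("high_value")
        if len(ships_by_card[o.card]) > 1:
            flags.append("card_to_multiple_shipping_addresses")
        if len(cards_by_ship[o.shipping]) > 1:
            flags.append("multiple_cards_same_shipping_address")
        if len(cards_by_email[o.email]) > 1:
            flags.append("multiple_cards_same_email")
        if len(cards_by_ip[o.ip]) > 1:
            flags.append("multiple_cards_same_ip")
        recent = [ts for ts in times_by_card[o.card] if abs(ts - o.placed_at) <= t.velocity_window]
        if len(recent) >= t.velocity_max:
            flags.append("card_velocity")
        if o.billing != o.shipping:
            flags.append("billing_shipping_mismatch" + ("_large" if large else ""))
        if o.quantity >= t.bulk_quantity:
            flags.append("bulk_order")
        if o.expedited and large:
            flags.append("expedited_large_value")
        if not o.address_verified:
            flags.append("unverified_address")
        if o.country in t.high_risk_countries:
            flags.append("high_risk_jurisdiction")
        result[o.order_id] = sorted(flags)
    return result


_T = datetime(2024, 5, 1, 10, 0)
SAMPLE_ORDERS = [   # constructed batch; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
    Order("O1", _T, "tok_A", "a@example.com", "198.51.100.1", "1 Example St", "1 Example St", 80.0, 1),
    Order("O2", _T, "tok_B", "b@example.com", "198.51.100.2", "5 Sample Rd", "9 Other Ave", 2400.0, 1, expedited=True),
    Order("O3", _T, "tok_C", "c@example.com", "203.0.113.5", "Unit 1", "Unit 1", 300.0, 1),
    Order("O4", _T + timedelta(minutes=10), "tok_C", "c@example.com", "203.0.113.5", "Unit 1", "Unit 2", 300.0, 1),
    Order("O5", _T + timedelta(minutes=20), "tok_C", "c@example.com", "203.0.113.5", "Unit 1", "Unit 3", 300.0, 1),
    Order("O6", _T + timedelta(minutes=25), "tok_D", "c@example.com", "203.0.113.5", "Unit 1", "Unit 1", 950.0, 12),
]

if __name__ == "__main__":
    for order_id, flags in screen_orders(SAMPLE_ORDERS).items():
        print(order_id, flags or "no indicators")
```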

Care should also be taken when processing Click & Collect transactions, where cardholders pay online and collect in store, specifically where this involves the sale of alcohol or high-value goods. Merchants should have procedures in place to validate the identity of the cardholder: for example, by sighting the physical card, checking that the card is genuine and that the name on the card matches the identification provided by the person collecting the goods, and confirming the age of the individual collecting the goods where age restrictions apply.

When shipping goods, it is advisable to request cardholders to sign for deliveries and provide photo ID, however this does not guarantee protection in the event of a chargeback.

Avoid card testing

Fraudsters test the validity of stolen card credentials by using automated scripts to push large volumes of transactions through eCommerce merchant facilities. Each time the eCommerce facility sends a transaction to the card issuer for authorisation, the fraudster receives an approve or decline decision and can determine whether the card is still active. Card testing is most common at charity merchants and utility organisations, but other merchant categories can also be targeted.

Tyro recommends the use of CAPTCHA/reCAPTCHA technology in the purchasing flow on merchant websites to disrupt automated scripts, validate that the cardholder is human, and limit the potential for chargebacks.
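The pattern described above, as an added detection example that is not part of the original guidance: a sliding-window check over constructed authorisation log lines that alerts when one source IP produces a burst of attempts across many distinct cards with a high decline ratio (the log format, field names and thresholds are assumptions).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed authorisation log lines for one eCommerce facility (not real traffic).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; card values are tokens.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z ip=203.0.113.10 card=tok_0001 amount=1.00 result=DECLINED
2024-05-01T09:00:01Z ip=198.51.100.7 card=tok_9001 amount=85.00 result=APPROVED
2024-05-01T09:00:02Z ip=203.0.113.10 card=tok_0002 amount=1.00 result=DECLINED
2024-05-01T09:00:03Z ip=203.0.113.10 card=tok_0003 amount=1.00 result=APPROVED
2024-05-01T09:00:05Z ip=203.0.113.10 card=tok_0004 amount=1.00 result=DECLINED
2024-05-01T09:00:06Z ip=203.0.113.10 card=tok_0005 amount=1.00 result=DECLINED
2024-05-01T09:00:08Z ip=203.0.113.10 card=tok_0006 amount=1.00 result=DECLINED
2024-05-01T09:00:09Z ip=203.0.113.10 card=tok_0007 amount=1.00 result=DECLINED
2024-05-01T09:00:10Z ip=198.51.100.8 card=tok_9002 amount=42.50 result=DECLINED
2024-05-01T09:00:11Z ip=203.0.113.10 card=tok_0008 amount=1.00 result=APPROVED
2024-05-01T09:00:12Z ip=203.0.113.10 card=tok_0009 amount=1.00 result=DECLINED
2024-05-01T09:00:14Z ip=203.0.113.10 card=tok_0010 amount=1.00 result=DECLINED
2024-05-01T09:04:30Z ip=198.51.100.7 card=tok_9001 amount=12.00 result=APPROVED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) card=(?P<card>\S+) amount=(?P<amount>[\d.]+) result=(?P<result>\w+)$"
)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict; raises ValueError on lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "card": m["card"],
            "amount": float(m["amount"]), "approved": m["result"] == "APPROVED"}


def detect_card_testing(lines, window_s=60, min_attempts=8, min_cards=5, min_decline_ratio=0.5):
    """Flag source IPs whose traffic looks like automated card testing.

    Keeps a sliding window of the last `window_s` seconds of attempts per IP and
    raises one alert per IP the first time the window holds at least `min_attempts`
    attempts across at least `min_cards` distinct cards with a decline ratio of at
    least `min_decline_ratio`. Thresholds are assumptions to tune per merchant.
    """
    events = sorted((parse_line(line) for line in lines if line.strip()), key=lambda e: e["ts"])
    windows = defaultdict(deque)
    alerted, alerts = set(), []
    for e in events:
        q = windows[e["ip"]]
        q.append(e)
        while (e["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()
        attempts = len(q)
        cards = {x["card"] for x in q}
        declines = sum(1 for x in q if not x["approved"])
        ratio = declines / attempts
        if (e["ip"] not in alerted and attempts >= min_attempts
                and len(cards) >= min_cards and ratio >= min_decline_ratio):
            alerted.add(e["ip"])
            alerts.append({"ip": e["ip"], "window_start": q[0]["ts"].isoformat(),
                           "triggered_at": e["ts"].isoformat(), "attempts": attempts,
                           "distinct_cards": len(cards), "decline_ratio": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE_LOG.splitlines()):
        print(alert)
```

An alert here is a prompt to rate-limit or challenge that source (for example with the CAPTCHA step recommended above), not proof on its own.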

Tyro Payment Card Industry Data Security Standard (PCI DSS) Requirements

What is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a data security standard designed to assist merchants and their service providers in appropriately protecting card data. It is adopted by the major card schemes, including Mastercard and Visa.

Who does the PCI DSS apply to?

The PCI DSS applies to all businesses that accept or process payment cards. Compliance obligations differ depending on the number of transactions processed and the nature of these transactions.

What are PCI DSS levels?

Each business is assigned a PCI DSS level, which is determined by the number of transactions processed per year and the nature of these transactions. High transacting businesses are considered to be Level 1 and low transacting merchants are considered to be Level 4.

Tyro will seek to determine your PCI DSS level at the time of on-boarding, however this level may change over time.

What are my PCI DSS compliance obligations?

Merchants in levels 1, 2, and 3 have an obligation to attest to their level of compliance on an annual basis and provide periodical updates to Tyro on their compliance activities. There is no requirement for Level 4 merchants to attest to PCI DSS compliance, however there is an obligation for these merchants to comply with the Standard.

Why is it important to protect card data?

Criminals seek to steal card data from one merchant and use this data to commit fraud against other merchants, leading to financial loss for these other merchants and inconvenience for the cardholders whose data has been stolen. These attacks are formally known as Account Data Compromise (ADC) events, or less formally as hacking events, and acquirers are required by the card schemes to investigate these events in order to understand the manner in which card data was stolen and the extent to which card credentials were placed at risk.

By protecting card data, merchants reduce the potential for criminal activity, protect themselves and their customers, and assist in protecting the integrity of the card payments ecosystem.

Where should I start with my compliance activities?

Compliance with the PCI DSS is an ongoing journey and requires consistent activity and investment.

Level 3 and 4 merchants should start by considering the Prioritised Approach made available by the Payment Card Industry Security Standards Council (PCI SSC) and noted below.

Level 1 and 2 merchants should also consider the Prioritised Approach, however they should also engage the services of appropriately qualified security professionals to assist them on their compliance journey.

What are the implications of not complying with the PCI DSS?

Non-compliance with the PCI DSS may leave you vulnerable to a hacking event and compromise the good name of your business and the credentials of your customers.

If you are unable to validate compliance with the PCI DSS in an agreed time-frame, whether this requirement relates to your PCI DSS level or actions required to be taken following a hacking event, Tyro may withdraw your merchant facility and this may hamper your efforts to obtain merchant services from another acquirer.

Merchants falling victim to hacking events or failing to validate PCI DSS compliance may also be liable for card scheme fines.

eCommerce merchants are most at risk from hacking events. How should I protect my business?

All merchants should take steps to protect card data by ensuring that their systems and those of their service providers, including eCommerce shopping carts, are regularly reviewed for malware and unauthorised access, patched, and virus protected to maintain the integrity of card data being stored, processed, and transmitted.

Tyro recommends that eCommerce merchants avoid storage, processing, and transmission of card data wherever possible, and instead opt for storage of card data in a PCI DSS compliant environment by way of a Hosted Payment Page (HPP).

For more detailed information on the PCI DSS and your obligations as a Bendigo Bank EFTPOS or eCommerce powered by Tyro customer, please visit the Tyro website.

Things you should know

Bendigo Bank EFTPOS and eCommerce powered by Tyro is issued by Tyro Payments Limited ACN 103 575 042 AFSL 471951. Bendigo Bank bank accounts are issued by Bendigo and Adelaide Bank Limited ABN 11 068 049 178 AFSL/ACL 237879.


