Commonwealth Bank of Australia
Skip to main content
Log on to NetBank navigation arrow NetBank Information Netguard
Log on to CommSec navigation arrow CommSec Information
Log on to CommBiz navigation arrow CommBiz Information
Merchant Services


New customers call 1800 730 554
Existing customers call 1800 230 177
Find your local Business Banker
Newsletter

Protecting you and your customers


Fraudulent transactions

By accepting cards you provide convenience for both you and your customers, but there are some risks. One key risk is that third parties may use cards or card details fraudulently. You need to be aware of this because fraud could lead to chargebacks and other losses to your business.

What you can do to minimise fraudulent transactions
Make sure that you have policies and procedures for handling irregular or suspicious transactions. Remind your staff that they must take steps to verify that the cardholder is who they say they are.

For card present transactions, never accept a card if:

  • the terminal doesn’t recognise the card
  • the card expiry date has passed
  • the card or the signature has been visibly altered or tampered with
  • the signature doesn’t match that on the back of the card
  • the card is damaged.

Card-not-present transactions carry a higher risk of fraud, because you can’t verify whether the person you are dealing with actually has their card with them and the signature matches that on their card.

By carrying out the following checks, you can reduce the likelihood of fraudulent activity:

  • Request the card verification code, more commonly known as CVV2 or CVC2. It is the last 3 digits printed on the signature panel of MasterCard and Visa cards and helps validate that the customer actually has a genuine card.
  • Use a security program such as MasterCard SecureCode or Verified by Visa
  • Ask for comprehensive customer details and do validity checks
  • Follow up with an order confirmation
  • Always use your own courier
  • Ask for identification on delivery and don’t leave goods at unattended addresses
  • Use minimum and maximum transaction amount controls
  • If you have an EMV compliant terminal always insert chip cards into the slot at the front end of the terminal


Back to top

Chargebacks

What is a chargeback?
A chargeback is a reversal of a credit card transaction previously credited to your account.

Generally, if a cardholder disputes a transaction and you do not have sufficient evidence to show that the cardholder authorised the transaction, the liability for the chargeback will then rest with you.

This means that the original transaction is reversed and you will not receive payment for the goods or services you may have already delivered. You may also be required to pay fees for investigating and processing the chargeback.

When can a chargeback occur?
We can chargeback a transaction if:

  • it is illegal or prohibited
  • the card was not valid at the time of the transaction
  • the cardholder disputes liability for the transaction for any reason
  • the cardholder did not  authorise the transaction
  • authorisation for the transaction was declined for any reason
  • the sales receipt has been altered without the cardholder’s authority
  • it was processed to your own credit card
  • you breach a term of your Merchant Agreement
  • the transaction amount is greater than your floor limit and you did not get an authorisation
  • it represents the refinance of an existing debt or the collection of a dishonoured cheque.


What you can do to reduce the risk of chargebacks
There are business processes you can implement to help your business reduce the likelihood of receiving a chargeback.

You can reduce the risk of chargebacks caused by customer disputes by keeping good records. This will help you to find specific transactions quickly and easily.

You should include all of the following information in your invoices, contract and promotional materials:

  • your business name as it will appear on the cardholder’s statement
  • your business address
  • customer service contact numbers
  • a complete description of goods and services provided
  • a specific delivery time
  • details of your return and cancellation policy
  • details of debit dates for regular instalments such as memberships or subscriptions.

You can also reduce the risk of chargebacks resulting from fraudulent use of cards by requesting the card verification code, or CVV2/CVC2, and using a security program such as MasterCard SecureCode or Verified by Visa.


Back to top


EFTPOS Skimming

What is EFTPOS skimming?
EFTPOS skimming is when someone illegally copies customer’s card details and PIN. They usually do this by replacing a genuine EFTPOS terminal with a tampered device which looks and works like a normal EFTPOS terminal.

In most instances, the criminal will use the stolen card details to create fake cards and withdraw money from customer’s accounts.

EFTPOS skimming is difficult to detect and is often not identified until we find irregular transactions on customer’s accounts or we find that several affected customers all used the same merchant.

What you can do to reduce your risk of EFTPOS skimming?
View educational videos on EFTPOS skimming to learn how to protect your business and customers. 
 

Back to top


Protecting customer card information

Customers are rapidly changing how they choose to shop. They no longer need to be present to purchase, and increasingly shop by internet, phone, mail order and fax. With this change comes an increased risk of fraud. Fraudsters can illegally access customer card data through computers used to process transactions and unsecured data.

To protect your business and customers, you need to be aware of how you manage your customer card data, including the security measures you have in place when making transactions, using your computer, and storing customer card data.

What you can do to keep customer card information secure
There are some simple steps you can take to keep your customers’ card information safe and secure, including:

  • Install anti-virus software on all of your computers
  • Use passwords on all of your computers that can’t be easily guessed, and change them regularly.
  • You are not required to keep customer’s authentication details such as a card validation code.
  • Ensure that only authorised people have access to customer card data.
  • Ensure printed receipts don’t include card data
  • Store all physical records of cardholder data under lock and key
  • Only keep customer card information on a computer or laptop if you have a legitimate business reason to do so
  • If you do retain card information, ensure that it is password protected
  • If you need to dispose of physical records of card data make sure to shred the documents


Back to top


Chip cards and Europay Mastercard Visa

Europay MasterCard Visa (EMV) is a global electronic transaction standard named after the three organisations that established it. The EMV standard enables EFTPOS terminals worldwide to process chip-based debit and credit cards. Chip cards offer a more secure way to process card transactions.

Find out more about EMV and chip cards.

Back to top


Business Risk and Mitigation program

What is the Business Risk and Mitigation program?
The Business Risk and Mitigation program is designed to educate you on illegal transactions and how it can affect your business.

What types of transactions does the program cover?
Types of illegal or brand-damaging transactions include:

  • Transactions relating to child pornography, bestiality or other extreme sexual content
  • Transactions that involve non-consensual and violent sexual conduct
  • Transactions relating to counterfeit and copyright infringing merchandise
  • Transactions that breach local and/or international laws including, but not limited to, the online sale of tobacco, prescription pharmaceuticals and gambling


What are the consequences for processing these types of transactions?
If you have been found to have processed illegal transactions, there are a number of consequences which may apply to you, such as:

  • The Card Schemes such as Visa and MasterCard may impose significant fines
  • The Bank may terminate your merchant facility
  • Your business may be listed on a Credit Card Scheme Database preventing you from operating a merchant facility in any future business


What you can do to safeguard your business
You can follow a few simple steps to safeguard your business including:

  • Only process transactions for your own business
  • Do not accept or process any transactions for another person or business
  • If you run a website, do not allow another website operator to link to your site so their transactions are processed through your site


Back to top
 

Internet security

What is MasterCard SecureCode and Verified by Visa?
MasterCard SecureCode and Verified by Visa are online security programs designed to make internet transactions safer. MasterCard SecureCode and Verified by Visa are an easy, cost-effective way of promoting customer confidence in internet transactions by authenticating the cardholder at the point of purchase with a password.

How do you benefit?

  • Greater confidence in online payments by enhancing the security and integrity of internet transactions
  • Facilitates growth in online shopping
  • Reduction in fraud exposure
  • Reduction in chargeback liability
  • Less operational expenses (fraud and dispute handling).


How do your customers benefit?

  • Ease of use
  • Reduced risk of unauthorised card use
  • Cardholder’s identity is verified by their own bank
  • Customer can choose to make payments only on merchant sites that have implemented the programs.


How do MasterCard SecureCode and Verified by Visa work?
MasterCard SecureCode and Verified by Visa were designed to alleviate online security concerns. It is a small additional step in the payment process which verifies the identity of the cardholder.

Step 1: The cardholder (customer) shops at a merchant website and proceeds to initiate card payment.

Step 2: The cardholder is directed to the payment page where they enter their card details and click submit.

Step 3: The cardholder is automatically linked to their appropriate issuing bank to verify their identity.

Step 4: If the cardholder has registered for MasterCard SecureCode or Verified by Visa with their issuing bank, they will be required to enter a password or code.

If the cardholder has not registered for MasterCard SecureCode or Verified by Visa with their issuing bank, they will be required to do one of two things:

  • Click on continue to proceed without a password
  • Register for MasterCard SecureCode or Verified by Visa at the time of payment

Step 5: If the password is entered correctly, the cardholder is authenticated and the transaction is sent for authorisation.

How do I get enabled for MasterCard SecureCode and Verified by Visa?
To implement MasterCard SecureCode and Verified by Visa you are required to use one of our e-Commerce payment services such as eVolve, BPOINT or CommWeb. New customers are able to apply at sign up and existing customers need to call the merchant helpdesk to enable this feature.

Back to top
 

Other security and privacy resources

Security needs to be considered with all of your other banking services such as ATMs, online banking, credit and debit cards and cheques. For more information on security and privacy, please visit our Security Centre

Other sources for obtaining information about IT security and e-crime include the Australian Computer Emergency Response Team and Australian Federal Police.
 

Back to top
 

Industry-specific requirements

As detailed in your merchant agreement, the card schemes have special requirements for some industries such as accommodation and car rental.

To find out if special requirements apply to your business, visit the MasterCard and Visa websites.

Back to top

Get Smart About Card Fraud Online

Get Smart About Card Fraud Online is a training module that has been designed by APCA (Australian Payments Clearing Association) to raise awareness of the real risks of online card fraud and the simple steps you can take to protect your business and customers against it.

Get Smart about Card Fraud Online provides tips, information, advice and video case studies for doing business online.

For more information please visit APCA or you can call us on 1800 230 177, 24 hours a day, 7 days a week.

Back to top

To report any suspicious activity, contact the merchant helpdesk immediately on 1800 230 177, 24 hours a day, 7 days a week.


  • Important information
    As this advice has been prepared without considering your objectives, financial situation or needs, you should, before acting on this advice, consider its appropriateness to your circumstances. View our Financial Services Guide (PDF 218KB). Full terms and conditions are available on application. Bank fees and charges are payable.

BetterBusiness


What's new

Apply online

Talk to us

  • New customers call
    1800 730 554
    8am - 6pm AEST
  • Existing customers call
    1800 230 177
    (24/7 365)


Tools & resources

Did you Know?

It’s now faster and easier to buy EFTPOS stationery at our new online shop.

didYouKnow_merchantservices