PROTECTING YOUR BUSINESS

We take your security and that of your customers very seriously. All of our products are designed to the highest security standards, and security assistance is available 24 hours a day, 7 days a week. Below are some helpful tips for avoiding risk while protecting your business and your customers.

Keep your business safe

Protecting your customers

Customers are changing how they choose to shop. They no longer need to present a card to purchase, and increasingly shop by internet, phone, mail order and fax. With this change comes an increased risk of fraud. Fraudsters can illegally access customer cardholder data through computers used to process transactions.

To protect your business and customers, you need to be aware of how you manage your customer cardholder data, including the security measures you have in place when making transactions, using your computer, and storing customer cardholder data.

There are some simple steps you can take to keep your customers’ cardholder information safe and secure, including:

  • Install anti-virus software on all of your computers.
  • Use passwords on all of your computers that can’t be easily guessed, and change them regularly.
  • Remove customers’ authentication details, such as a card validation code.
  • Ensure only authorised people have access to customer card data.
  • Ensure printed receipts don’t include card data.
  • Store all physical records of cardholder data under lock and key.
  • Only keep customer cardholder information if it is protected through encryption and you have a legitimate business reason to do so.
  • If you need to dispose of physical records of card data make sure to shred the documents.
  • If you use a business partner other than the Bank to help you manage cardholder data, make sure they are compliant with the Payment Card Industry Data Security Standard (PCI DSS).
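
For merchants who keep order records on a computer, the following Python example (added here; it is not part of the Bank's material) shows one way to apply the steps about removing the card validation code and keeping card data off receipts before a record is stored or printed. The field names and the sample order are assumptions, and anything that is retained still needs to be encrypted as described above.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed field names for the card verification code; adjust to your own records.
CVV_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "card_verification_code"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum of card numbers; filters out phone and reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pans(text: str) -> str:
    """Replace each Luhn-valid card number in free text, keeping only the last four digits."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number, leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(_mask, text)

def scrub_record(record: dict) -> dict:
    """Return a copy that is safe to store or print on a receipt."""
    clean = {}
    for key, value in record.items():
        if key.lower() in CVV_FIELDS:
            continue            # verification codes are dropped, never stored
        clean[key] = mask_pans(value) if isinstance(value, str) else value
    return clean

# Constructed sample order using the widely published Visa test number (not a real card).
SAMPLE = {
    "order_id": "A-1001",
    "card_number": "4111 1111 1111 1111",
    "cvv2": "123",
    "notes": "Phone order, customer read out 4111-1111-1111-1111; ref 1234567890123",
    "amount_cents": 4995,
}

if __name__ == "__main__":
    print(scrub_record(SAMPLE))
```

The Luhn check is what stops the 13-digit reference number in the notes field from being masked, while the card number read out over the phone is caught even though it sits in free text.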

When cybercriminals stole the details of 70 million customers from a large US based retailer, it cost the retailer millions in lost sales, lawsuits and reputational damage.

Fraudulent transactions

By accepting cards you provide convenience for both you and your customers, but there are some risks. One key risk is that third parties may use cards or card details fraudulently. You need to be aware of this because fraud could lead to chargebacks and other losses to your business.

Make sure that you have policies and procedures for handling irregular or suspicious transactions. Remind your staff that they must take steps to verify that the cardholder is who they say they are.

For card-present transactions (being those transactions where the cardholder is at your business with their card), never accept a card if:

  • the terminal doesn’t recognise the card
  • the card expiry date has passed
  • the card or the signature has been visibly altered or tampered with
  • the signature doesn’t match that on the back of the card
  • the card is damaged.

Card-not-present transactions (being those transactions where the cardholder is not at your business with their card) carry a higher risk of fraud, because you can’t verify whether the person you are dealing with actually has their card with them and the signature matches that on their card.

By carrying out the following checks, you can reduce the likelihood of fraudulent activity:

  • Request the card verification code, more commonly known as CVV2 or CVC2. It is the last 3 digits printed on the signature panel of MasterCard and Visa cards and helps validate that the customer actually has a genuine card.
  • Use a security program such as MasterCard SecureCode or Verified by Visa
  • Ask for comprehensive customer details and do validity checks
  • Follow up with an order confirmation
  • Always use your own courier
  • Ask for identification on delivery and don’t leave goods at unattended addresses
  • Use minimum and maximum transaction amount controls

 

Chargebacks

A chargeback is a reversal of a card transaction previously credited to your account.

Generally, if a cardholder disputes a transaction and you do not have sufficient evidence to show that the cardholder authorised the transaction, the liability for the chargeback will then rest with you.

This means that the original transaction is reversed and you will not receive payment for the goods or services you may have already delivered. You may also be required to pay fees for investigating and processing the chargeback.

A chargeback of a transaction can occur if:

  • it is illegal or prohibited
  • the card was not valid at the time of the transaction
  • the cardholder disputes liability for the transaction for any reason
  • the cardholder did not authorise the transaction
  • authorisation for the transaction was declined for any reason
  • the sales receipt has been altered without the cardholder’s authority
  • it was processed to your own credit card
  • you breach a term of your Merchant Agreement
  • the transaction amount is greater than your floor limit and you did not get an authorisation
  • it represents the refinance of an existing debt or the collection of a dishonoured cheque

There are business processes you can implement to help your business reduce the likelihood of receiving a chargeback.

You can reduce the risk of chargebacks caused by customer disputes by keeping good records. This will help you to find specific transactions quickly and easily.

You should include all of the following information in your invoices, contracts and promotional materials:

  • your business name as it will appear on the cardholder’s statement
  • your business address
  • customer service contact numbers
  • a complete description of goods and services provided
  • a specific delivery time
  • details of your return and cancellation policy
  • details of debit dates for regular instalments such as memberships or subscriptions

You can also reduce the risk of chargebacks resulting from fraudulent use of cards by requesting the card verification code, or CVV2/CVC2, and using a security program such as MasterCard SecureCode or Verified by Visa.

EFTPOS skimming

EFTPOS skimming is when someone illegally copies a customer’s card details and PIN. They usually do this by replacing a genuine EFTPOS terminal with a tampered device which looks and works like a normal EFTPOS terminal.

In most instances, the criminal will use the stolen card details to create fake cards and withdraw money from customers’ accounts.

EFTPOS skimming is difficult to detect and is often not identified until we find irregular transactions on customers’ accounts or we find that several affected customers all used the same merchant.

View educational videos on EFTPOS skimming to learn how to protect your business and customers.

Europay MasterCard Visa

Europay MasterCard Visa (EMV) is a global electronic transaction standard named after the three organisations that established it. The EMV standard enables EFTPOS terminals worldwide to process chip-based debit and credit cards. Chip cards offer a more secure way to process card transactions.

Business risk & mitigation

The Business Risk and Mitigation program is designed to educate you on illegal transactions and how they can affect your business.

Types of illegal or brand-damaging transactions include:

  • Transactions relating to child pornography, bestiality or other extreme sexual content
  • Transactions that involve non-consensual and violent sexual conduct
  • Transactions relating to counterfeit and copyright infringing merchandise
  • Transactions that breach local and/or international laws including, but not limited to, the online sale of tobacco, prescription pharmaceuticals and gambling

If you have been found to have processed illegal transactions, there are a number of consequences which may apply to you, such as:

  • The Card Schemes such as Visa and MasterCard may impose significant fines
  • The Bank may terminate your merchant facility
  • Your business may be listed on a Credit Card Scheme Database preventing you from operating a merchant facility in any future business

You can follow a few simple steps to safeguard your business including:

  • Only process transactions for your own business
  • Do not accept or process any transactions for another person or business
  • If you run a website, do not allow another website operator to link to your site so their transactions are processed through your site

Internet security

MasterCard SecureCode and Verified by Visa are online security programs designed to make internet transactions safer. MasterCard SecureCode and Verified by Visa are an easy, cost-effective way of promoting customer confidence in internet transactions by authenticating the cardholder at the point of purchase with a password.

  • Greater confidence in online payments by enhancing the security and integrity of internet transactions
  • Facilitates growth in online shopping
  • Reduction in fraud exposure
  • Reduction in chargeback liability
  • Lower operational expenses (fraud and dispute handling)

  • Ease of use
  • Reduced risk of unauthorised card use
  • Cardholder’s identity is verified by their own bank
  • Customer can choose to make payments only on merchant sites that have implemented the programs

MasterCard SecureCode and Verified by Visa were designed to alleviate online security concerns. They add a small additional step in the payment process which verifies the identity of the cardholder.

Step 1: The cardholder (customer) shops at a merchant website and proceeds to initiate card payment.

Step 2: The cardholder is directed to the payment page where they enter their card details and click submit.

Step 3: The cardholder is automatically linked to their appropriate issuing bank to verify their identity.

Step 4: If the cardholder has registered for MasterCard SecureCode or Verified by Visa with their issuing bank, they will be required to enter a password or code.

If the cardholder has not registered for MasterCard SecureCode or Verified by Visa with their issuing bank, they will be required to do one of two things:

  • Click on continue to proceed without a password
  • Register for MasterCard SecureCode or Verified by Visa at the time of payment

Step 5: If the password is entered correctly, the cardholder is authenticated and the transaction is sent for authorisation.

To implement MasterCard SecureCode and Verified by Visa you are required to use one of our e-Commerce payment services such as BPOINT or CommWeb. New customers are able to apply at sign up and existing customers need to call the merchant helpdesk to enable this feature.

Online merchant security

Reduce your business’s exposure to online payment fraud and free your business from security concerns, by implementing the highest industry security standards available. Partner with the Commonwealth Bank to protect your business and your customers from fraud by following these simple steps.

Resources to help you protect your business

Get Smart about Card Fraud Online is a training module that has been designed by APCA (Australian Payments Clearing Association) to raise awareness of the real risks of online card fraud and the simple steps you can take to protect your business and customers against it.

To report any suspicious activity, call us on 1800 230 177, 24 hours a day, 7 days a week.

As detailed in your merchant agreement, the card schemes have special requirements for some industries such as accommodation and car rental.

To find out if special requirements apply to your business, visit the MasterCard and Visa websites.

Security needs to be considered with all of your other banking services such as ATMs, online banking, credit and debit cards and cheques. For more information on security and privacy, please visit our Security Centre.

Other sources for obtaining information about IT security and e-crime include the Australian Computer Emergency Response Team and Australian Federal Police.  

We can help

New customers

Call 1800 730 554 8am - 6pm (Sydney/Melbourne time)

Important information

As this advice has been prepared without considering your objectives, financial situation or needs, you should, before acting on the information, consider its appropriateness to your circumstances. Please view our Merchant Agreement, Financial Services Guide and Operator and User Guides at our Merchant Support Centre.
