We take your security and that of your customers very seriously. All of our products are designed to the highest security standards, and security assistance is available 24 hours a day, 7 days a week. Below are some helpful tips for avoiding risk while protecting your business and your customers.

Keep your business safe

Protecting your customers

Customers are changing how they choose to shop. They no longer need to present a card to purchase, and increasingly shop by internet, phone, mail order and fax. With this change comes an increased risk of fraud. Fraudsters can illegally access customer cardholder data through computers used to process transactions.

To protect your business and customers, you need to be aware of how you manage your customer cardholder data, including the security measures you have in place when making transactions, using your computer, and storing customer cardholder data.

There are some simple steps you can take to keep your customers’ cardholder information safe and secure, including:

  • Install anti-virus software on all of your computers.
  • Use passwords on all of your computers that can’t be easily guessed, and change them regularly.
  • Remove customers’ authentication details, such as the card validation code.
  • Ensure only authorised people have access to customer card data.
  • Ensure printed receipts don’t include card data.
  • Store all physical records of cardholder data under lock and key.
  • Only keep customer cardholder information if it is protected through encryption and you have a legitimate business reason to do so.
  • If you need to dispose of physical records of card data, make sure to shred the documents.
  • If you use a business partner other than the Bank to help you manage cardholder data, make sure they are compliant with the Payment Card Industry Data Security Standard (PCI DSS).

When cybercriminals stole the details of 70 million customers from a large US-based retailer, it cost the retailer millions in lost sales, lawsuits and reputational damage.

Fraudulent transactions

By accepting cards you provide convenience for both you and your customers, but there are some risks. One key risk is that third parties may use cards or card details fraudulently. You need to be aware of this because fraud could lead to chargebacks and other losses to your business.

Make sure that you have policies and procedures for handling irregular or suspicious transactions. Remind your staff that they must take steps to verify that the cardholder is who they say they are.

For card-present transactions (being those transactions where the cardholder is at your business with their card), never accept a card if:

  • the terminal doesn’t recognise the card
  • the card expiry date has passed
  • the card or the signature has been visibly altered or tampered with
  • the signature doesn’t match that on the back of the card
  • the card is damaged.

Card-not-present transactions (being those transactions where the cardholder is not at your business with their card) carry a higher risk of fraud, because you can’t verify whether the person you are dealing with actually has their card with them and the signature matches that on their card.

By carrying out the following checks, you can reduce the likelihood of fraudulent activity:

  • Request the card verification code, more commonly known as CVV2 or CVC2. It is the last 3 digits printed on the signature panel of MasterCard and Visa cards and helps validate that the customer actually has a genuine card.
  • Use a security program such as MasterCard SecureCode or Verified by Visa
  • Ask for comprehensive customer details and do validity checks
  • Follow up with an order confirmation
  • Always use your own courier
  • Ask for identification on delivery and don’t leave goods at unattended addresses
  • Use minimum and maximum transaction amount controls



A chargeback occurs when a cardholder disputes a transaction and the payment is reversed.

This means you won’t be paid for the goods or services relating to the transaction, even if you’ve already provided them. You may also have to pay fees for the chargeback to be investigated and processed.

The credit card issuer (cardholder’s bank) can make a chargeback on a transaction if the:

  • Transaction is illegal or prohibited
  • Card wasn’t valid at the time of the transaction
  • Cardholder didn’t authorise the transaction
  • Cardholder says they’re not liable for the transaction
  • Authorisation for the transaction is declined
  • Sales receipt is changed without the cardholder’s authorisation
  • Transaction was processed to your own credit card
  • Term of your Merchant Agreement is breached
  • Transaction amount is above your floor limit, but this amount wasn’t authorised
  • Transaction was made to refinance an existing debt or collect a dishonoured cheque.

Generally, a cardholder can dispute a transaction for any of the above reasons. If you can’t prove that the cardholder authorised the transaction, then you’ll be liable for the chargeback.

How can you reduce the risk of customer disputes?

To reduce the risk of chargebacks caused by customer disputes, it’s important to keep your transaction records up to date. This will make it easier for you to find evidence of a specific authorisation.

It’s also a good idea to make sure your invoices, contracts and promotional materials include your:

  • Business name as it appears on the cardholder’s statement
  • Business address
  • Customer service contact details
  • Return and cancellation policy details
  • Debit dates for regular instalments, such as memberships or subscriptions.

On each invoice, you should also include:

  • A complete description of the goods and services you’ve provided
  • A specific delivery time (if relevant).

How can you reduce the risk of fraud?

You can help reduce fraudulent credit card transactions by:

  • Always requesting the card verification code (known as a CVV2 or CVC2) for each transaction
  • Using a security program, such as MasterCard SecureCode or Verified by Visa.

Visa is introducing new chargeback rules for all merchants, cardholders and banks. The new rules will ensure that chargeback processes are applied consistently all over the world. To find out more about these changes, see Changes to Chargeback dispute processing.

EFTPOS skimming

EFTPOS skimming is when someone illegally copies a customer’s card details and PIN. They usually do this by replacing a genuine EFTPOS terminal with a tampered device which looks and works like a normal EFTPOS terminal.

In most instances, the criminal will use the stolen card details to create fake cards and withdraw money from customers’ accounts.

EFTPOS skimming is difficult to detect and is often not identified until we find irregular transactions on customers’ accounts or we find that several affected customers all used the same merchant.

View educational videos on EFTPOS skimming to learn how to protect your business and customers.

MasterCard SecureCode & Verified by Visa

MasterCard SecureCode and Verified by Visa are online security programs designed to make internet transactions safer. MasterCard SecureCode and Verified by Visa are an easy, cost-effective way of promoting customer confidence in internet transactions by authenticating the cardholder at the point of purchase with a password.

  • Greater confidence in online payments by enhancing the security and integrity of internet transactions
  • Facilitates growth in online shopping
  • Reduction in fraud exposure
  • Reduction in chargeback liability
  • Lower operational expenses (fraud and dispute handling)

  • Ease of use
  • Reduced risk of unauthorised card use
  • Cardholder’s identity is verified by their own bank
  • Customer can choose to make payments only on merchant sites that have implemented the programs

MasterCard SecureCode and Verified by Visa were designed to alleviate online security concerns. They add a small additional step to the payment process which verifies the identity of the cardholder.

Step 1: The cardholder (customer) shops at a merchant website and proceeds to initiate card payment.

Step 2: The cardholder is directed to the payment page where they enter their card details and click submit.

Step 3: The cardholder is automatically linked to their appropriate issuing bank to verify their identity.

Step 4: If the cardholder has registered for MasterCard SecureCode or Verified by Visa with their issuing bank, they will be required to enter a password or code.

If the cardholder has not registered for MasterCard SecureCode or Verified by Visa with their issuing bank, they will be required to do one of two things:

  • Click on continue to proceed without a password
  • Register for MasterCard SecureCode or Verified by Visa at the time of payment

Step 5: If the password is entered correctly, the cardholder is authenticated and the transaction is sent for authorisation.

To implement MasterCard SecureCode and Verified by Visa you are required to use one of our e-Commerce payment services such as BPOINT or CommWeb. New customers are able to apply at sign up and existing customers need to call the merchant helpdesk to enable this feature.

Business risk & mitigation

The Business Risk and Mitigation program is designed to educate you on illegal transactions and how they can affect your business.

Types of illegal or brand-damaging transactions include:

  • Transactions relating to child pornography, bestiality or other extreme sexual content
  • Transactions that involve non-consensual and violent sexual conduct
  • Transactions relating to counterfeit and copyright infringing merchandise
  • Transactions that breach local and/or international laws including, but not limited to, the online sale of tobacco, prescription pharmaceuticals and gambling

If you have been found to have processed illegal transactions, there are a number of consequences which may apply to you, such as:

  • The Card Schemes such as Visa and MasterCard may impose significant fines
  • The Bank may terminate your merchant facility
  • Your business may be listed on a Credit Card Scheme Database preventing you from operating a merchant facility in any future business

You can follow a few simple steps to safeguard your business including:

  • Only process transactions for your own business
  • Do not accept or process any transactions for another person or business
  • If you run a website, do not allow another website operator to link to your site so their transactions are processed through your site

Europay MasterCard Visa

Europay MasterCard Visa (EMV) is a global electronic transaction standard named after the three organisations that established it. The EMV standard enables EFTPOS terminals worldwide to process chip-based debit and credit cards. Chip cards offer a more secure way to process card transactions.

Online merchant security

Reduce your business’s exposure to online payment fraud and free your business from security concerns, by implementing the highest industry security standards available. Partner with the Commonwealth Bank to protect your business and your customers from fraud by following these simple steps.

Resources to help you protect your business

Get Smart about Card Fraud Online is a training module that has been designed by APCA (Australian Payments Clearing Association) to raise awareness of the real risks of online card fraud and the simple steps you can take to protect your business and customers against it.

To report any suspicious activity, call us on 1800 230 177, 24 hours a day, 7 days a week.

As detailed in your merchant agreement, the card schemes have special requirements for some industries such as accommodation and car rental.

To find out if special requirements apply to your business, visit the MasterCard and Visa websites.

Security needs to be considered with all of your other banking services such as ATMs, online banking, credit and debit cards and cheques. For more information on security and privacy, please visit our Security Centre.

Other sources for obtaining information about IT security and e-crime include the Australian Computer Emergency Response Team and Australian Federal Police.

We can help

Ready to apply

Call 1800 730 554 8am - 6pm (Sydney/Melbourne time)


Important information

As this advice has been prepared without considering your objectives, financial situation or needs, you should, before acting on the information, consider its appropriateness to your circumstances. Please view our Merchant Agreement, Financial Services Guide and Operator and User Guides at our Merchant Support Centre.