Terminal Takeover

What is a terminal takeover?

This is when a scammer physically takes over your HICAPS terminal and rekeys a transaction amount or pays for goods and services using a stolen card number. To do this they temporarily take physical possession or control of the HICAPS terminal.

In this scam, the details of a stolen card are manually entered or 'hand-keyed' into the HICAPS terminal by the criminal to make a fraudulent purchase.

The scammer could also enter the details of a stolen card into the terminal and key in a purchase amount significantly larger than the original amount, then demand an immediate refund to be paid onto another card.

You can see if a transaction has been 'hand-keyed' by the letter indicator in brackets as shown on the receipt below:

In the above example, the '(m)' displayed after the last 4 digits of card shows that the transaction was 'hand-keyed'. When refunding, make sure to always refund to the same card.

The below codes indicate the card payment method:

(c) Contact - applies to cards swiped and inserted.
(t) Tap - card was tapped.
(m) Manual entry - card details were hand-keyed.
(f) Technical fallback - the terminal was offline at the time of the transaction, and the transaction will be re-attempted at settlement.

How can I prevent terminal takeover? 

• Ensure all HICAPS equipment and terminals can’t be accessed easily by the general public. Always keep terminals securely behind the counter or within your line of sight. 
• Train your staff about the risks associated with terminal takeover and techniques used by criminals to distract employees.
• Limit who has access to process refunds. The password must be always kept safe and secure.
• Always check the amount entered has not changed. Criminals can temporarily take control of a terminal and then cancel the transaction and hand key in a purchase amount significantly larger than the original amount. They may then demand an immediate refund onto another card. Check for any changes to the agreed purchase amount.

Terminal Theft

What is a terminal theft?

Terminal theft is when criminals steal the physical HICAPS terminal and replace it with a compromised terminal that looks the same. 

What will Criminals do when they steal your terminal?

Criminals can attempt to process refunds to their own card with the potential added risk of: 

1. processing compromised cards, exposing merchants to chargebacks; and

2. refunding the unauthorised settlements from the compromised cards to their own card

How can I prevent terminal theft? 

• Always ask for work photo identification (ID) from any person claiming to represent HICAPS or Verifone.
• Check the serial numbers on the terminals match the serial numbers displayed on the terminal screen.
• Prohibit unauthorised people from accessing terminals.
• Train staff about the risks associated with terminal tampering and techniques used by criminal to distract employees.
• Keep a list of the terminals that includes the model and serial number. This list and terminals should be checked regularly for any changes or evidence of tampering.
  
  

Refund Scams

What is a refund scam? 

A refund scam can happen when a customer asks for a refund or gives you another card that was not used to make the original sale. It’s a requirement in your Terms and Conditions to only refund to the same card that was used for the original purchase.

How can I prevent refund scams? 

• Refunds can only be processed by entering a refund password. You'll be issued a refund password when you set up your Trinity Terminal with HICAPS.
• Please keep this password secure and limit who has access to processing refunds You can refer to HICAPS Trinity User Guide for more information about setting up a password before you set up your Trinity Terminal. 
• Always check to ensure the refund amount entered has not changed. Criminals can pretend to use their card but instead of entering the PIN into the terminal, they temporarily take control of the terminal. Criminals then cancel the transaction and hand key in a purchase amount significantly larger than the original amount, and then demand an immediate refund on another card. Check for any changes to the agreed purchase amount.
• You should not process any third-party transactions. One way criminals try to access cash from stolen cards is by convincing a business owner to accept a card payment and transfer funds to a third party. It’s important to never accept payments on behalf of anyone else.

Password security tips

Tips to keep your password safe 

• Ensure the password is not visible to customers.
• Do not write the password on the terminal or keep it near the terminal.
• Change the password when an employee leaves or if you have a high turnover of staff. You should change your password on a regular basis.
• Consider allowing only managers or supervisors to process refunds or limit the number of people who know the refund password.

If you need further information about using your terminal, head to : HICAPS Trinity Terminal User Guide

Industry partners

We’ve partnered with industry and regulatory bodies to help keep you safe and provide up to date information.

• Australian Government - Australian Cyber Security Centre, opens in new window
• Australian Competition and Consumer Commission (ACCC) – Scamwatch, opens in new window
• Australian Banking Association, opens in new window
• New Payments Platform

Find out more about NAB's Merchant EFTPOS security Card and payment fraud | protect your business - NAB

Learn how to protect your business and customers from scams, fraud and cyber-attacks.

Learn more about protecting your business by using our free security toolkit.

·        Security tips for your business | Free toolkit and help guides - NAB

·        Cyber Security Toolkit for Business (nab.com.au)

·        Securing your EFTPOS terminal and protecting your business - NAB