Card machines are everywhere. They’re used by businesses and individuals to make sales transactions with debit and credit cards. More and more people, however, are wondering whether card machines are really safe to use.
Scams and other types of fraud are a constant presence in the media. This leads many entrepreneurs to worry their device could be used to defraud customers or even directly affect their finances and credibility.
To see if this holds true, let’s look at card machine security and the most common types of scams. We’ll also cover how you can prevent the issues and what to do if they occur in your business.
Machines have several safety measures
To answer that question, let’s first understand how card machines work. In general, it goes like this:
- When a customer makes a payment on a card machine, the machine reads information stored on the card’s magnetic stripe or chip.
- The terminal sends this information to the card issuer, who verifies the transaction and approves or rejects it.
- Once approved, funds are transferred from the customer’s account to the entrepreneur’s account.
As you can see, the process looks straightforward and practical. Because it all happens so quickly, you might assume it can’t be safe. But behind the simplicity, there are several security measures aimed at protecting customer information and preventing fraud, such as:
Encryption: This “scrambles” the information transmitted between the card machine and card issuing company in such a way that it can only be decrypted by authorised parties.
Tokenisation: This replaces sensitive information like card numbers with unique tokens, making it harder for hackers to steal and use the data.
In addition, chip card transactions are considered to be more secure than magnetic stripe transactions. This is because the built-in EMV (Europay, Mastercard and Visa) technology makes card cloning more difficult.
Common types of card machine scams
Despite these security measures, card machines are not immune to fraud and scams. In recent years, we’ve heard about several cases around the world carried out in very different ways. Here are some examples, followed by a breakdown of each one:
- Skimming
- Password theft
- Malware
- Social engineering
- Machine error
- Faulty display
- Device replacement
Skimming involves a device inside the terminal
Skimming is a type of fraud where criminals install a device that records card information inside a card machine. The information is then used to create fake cards that can be used for fraudulent transactions.
Password theft is common practice
Commonly, fraudsters use hidden cameras or fake keypads to steal customers’ PIN codes as they type them on a card machine. They may also ask the customer to enter the PIN before the correct time, making it visible on the terminal’s screen.
Malware installs fraudulent software
Malware is a type of software that can be installed on a card machine to steal customer data. This is the tactic used, for example, in the Brazilian pay-as-you-go scam where a Prilex virus generates a fake error message and the customer is forced to insert their card. When this is done, the malware steals the data and generates fraudulent transactions.
Social engineering is a form of manipulation
‘Social engineering’ is a tactic used by fraudsters to manipulate people into providing sensitive information. Examples include fake texts or phone calls that pretend to be from your bank or card machine provider and ask you to enter passwords or make money transfers.
Claiming there is a “machine error”
A fraudster might claim there was an error with the transaction and ask the customer to repeat the payment on another machine. As a result, the customer ends up paying twice for the same product or service.
Supposedly defective display deceives customer
The fraudster claims that the machine’s display is defective and that the customer therefore sees an incorrect sales total on the display. The customer types the password anyway and ends up paying a higher amount than expected.
Switching terminal allows sales to be stolen
The fraudster buys a card machine identical to the shopkeeper’s and – without the shopkeeper noticing – swaps the terminal at the counter. This way, all payments registered go to the fraudster’s account.
What merchants should do to protect themselves
The above are just a few examples of the types of fraud and scams that can be carried out using card machines.
And although card machine scams are usually directed at the customer, it’s also possible for merchants to be the victim, or for your card machine to be misused to harm other people or companies.
So here’s what you, the merchant, can do to protect yourself:
a) Keep card machines up to date: Make sure your card machines are always up to date with the latest security software and firmware versions. These updates often include security patches and bug fixes that help prevent fraud and data breaches.
b) Train your employees: Keep your employees well-informed on how to detect and prevent card fraud. Make sure they know how to identify suspicious activities and skimming devices, as well as how to properly handle customers’ financial information – which is also required by data protection laws.
c) Be on the lookout for suspicious behaviour: Beware of customers who seem nervous or restless, or who try to distract you. Skimmers can work in teams, with one person trying to distract the seller while another installs a fraudulent device in the card machine or changes the terminal.
d) Check for possible tampering: Look for loose or misaligned parts. Skimmers will often install a device over the card reader slot that appears to be part of the machine but is actually a cover that records card information.
Or they can install a device that protrudes slightly from the machine and can be felt by running your fingers over it. They can also install a small camera or keypad overlay.
e) Use strong passwords: When creating user accounts and other access to financial information on the machine, create strong passwords and change them regularly.
f) Secure the terminals: Secure your card machines (for example, with a mount) to prevent unauthorised access. Keep them in a safe place when not in use and make sure that only authorised personnel have access to them. Do not leave the machine unattended on the counter.
g) Do the daily reconciliation: Make sure that transactions carried out on the card machine match the daily sales recorded in the point of sale (POS) system. You can do that by generating a sales report on the till and an X or Z report on the card terminal.
Card machine software often allows for real-time reconciliation. You can also reprint a sales voucher (if the machine offers this type of receipt) and verify that the sale happened correctly.
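The daily reconciliation in step g) can be scripted once both reports are exported. The following is an added example, not code from the original article or from any terminal provider; the record fields (`ref`, `amount`, `last4`, `time`), the finding labels and the five-minute repeat window are assumptions, and the data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a vendor export format.
# Amounts are in pence to avoid floating-point rounding.
POS_SALES = [
    {"ref": "R1001", "amount": 1250},
    {"ref": "R1002", "amount": 4000},
    {"ref": "R1003", "amount": 799},
    {"ref": "R1004", "amount": 2500},
]
TERMINAL_TXNS = [
    {"ref": "R1001", "amount": 1250, "last4": "4242", "time": "2024-05-01T09:15:00"},
    {"ref": "R1002", "amount": 4900, "last4": "1881", "time": "2024-05-01T10:02:00"},
    {"ref": "R1003", "amount": 799, "last4": "0005", "time": "2024-05-01T11:30:00"},
    {"ref": "R1003", "amount": 799, "last4": "0005", "time": "2024-05-01T11:31:10"},
    {"ref": "R9001", "amount": 15000, "last4": "7777", "time": "2024-05-01T23:40:00"},
]

def reconcile(pos_sales, terminal_txns, repeat_window=timedelta(minutes=5)):
    """Compare the till report with the terminal report; return (finding, ref) pairs."""
    findings = []
    pos = {s["ref"]: s["amount"] for s in pos_sales}
    seen_refs = set()
    last_charge = {}  # (last4, amount) -> time of the previous identical charge
    for t in sorted(terminal_txns, key=lambda t: t["time"]):
        when = datetime.fromisoformat(t["time"])
        key = (t["last4"], t["amount"])
        # Same card charged the same amount twice in quick succession.
        if key in last_charge and when - last_charge[key] <= repeat_window:
            findings.append(("repeat_charge", t["ref"]))
        last_charge[key] = when
        if t["ref"] not in pos:
            # The terminal took a payment the till never recorded.
            findings.append(("not_in_pos", t["ref"]))
        elif t["amount"] != pos[t["ref"]] and t["ref"] not in seen_refs:
            # The amount charged differs from the amount rung up.
            findings.append(("amount_mismatch", t["ref"]))
        seen_refs.add(t["ref"])
    # Till sales that never reached your terminal report, for example
    # because the payment was taken on a different (swapped) device.
    findings += [("missing_from_terminal", r) for r in pos if r not in seen_refs]
    return findings

if __name__ == "__main__":
    for finding, ref in reconcile(POS_SALES, TERMINAL_TXNS):
        print(f"{ref}: {finding}")
```

Any finding is a prompt to check the receipt and, if it cannot be explained, to follow the steps in the next section.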
What to do if you notice security issues
It’s important to note that machine scams can be very sophisticated and difficult to detect. And fraudsters are always creating new ways to deceive customers and sellers.
So if you suspect that your card machine has been compromised, the first steps are as follows:
- Turn off the device and don’t use it until deemed safe again. Meanwhile, use other payment methods.
- Block transactions that look suspicious to you, if applicable.
- Contact the card machine provider so they can guide you on what to do.
- Inform the police via Action Fraud.
We should emphasise that each card machine company has specific procedures that may differ according to the terminal model or situation.
That’s why it’s so important to seek specific advice rather than rely on what you’ve heard. Here, for example, are some suggestions from Worldpay:
- Call the Authorisation Centre if you are suspicious about a card or the person using it, select the “Code 10” option and follow the instructions.
- Never allow third parties to process or authorise transactions on your terminal. This is a breach of contract.
- Cancel the transaction and make a Code 10 call if you receive any “authorisation call” during a transaction. Neither Worldpay nor card issuers will ever call during transactions, so it’s a fraud attempt.
Worldpay also notes that its authorisation centre, police, terminal providers or officials will never call and ask for card details. Such attempts should be declined and reported to the helpdesk.
Are card machines really secure?
The answer is yes, but with some caveats. The number of fraudulent card machine transactions is much smaller than the number of genuine transactions. But card machines are not foolproof.
Fraudsters are constantly creating new ways to steal data and conduct fraudulent transactions. It is therefore essential to stay well-informed and up-to-date on possible scams going around.
Through basic precautions and following the tips above, you can minimise the risk of becoming a victim of fraud and also protect your customers. And this ensures not only the financial health of your business, but also your credibility with customers.