Skip to main content Skip to main navigation
Skip to access and inclusion page Skip to search input


Tips to help protect your business against card skimming and card testing to prevent fraud.

What is card skimming?

Card skimming is a crime. It's when criminals use sophisticated techniques to steal or 'skim' data from a customer’s card when it’s processed through an EFTPOS terminal. More experienced criminals will also try to get a customer’s PIN at the same time. Once they have this information, criminals use the stolen data to create fake cards and withdraw funds at ATMs. 

How are cards skimmed? 

An EFTPOS terminal does not save a customer’s card or PIN. To skim cards in your store, a criminal would need to steal your terminal, make changes to it, and put it back, or swap your terminal with one they have already modified. Either way, they need access to your terminal, so it’s important to guard it like you would cash.  

How do I safeguard against skimming? 

You can reduce the risk of skimming by checking your EFTPOS terminal daily to ensure it: 

  • Looks the same as before doesn’t show signs of damage or tampering 
  • Has the same type and number of cables 
  • Has the correct serial number 
  • Prints receipts with the right business name and address 
  • Is clear of any hidden camera. 


How can I report card skimming? 

If you suspect card skimming, you must report it immediately to the Merchant Helpdesk on 1800 029 749 (we’re available 24/7) or contact your Relationship Manager directly.

What is card testing?

Card testing happens when malicious third parties try to use your business website to check if the stolen credit card details are valid. Criminals will typically test the card by making small purchases using stolen credit card details. They check to see if the card is still active and if a transaction is approved using those stolen details. The small purchases are done to avoid the likelihood of a cardholder noticing and reporting it. The approved cards are then used to defraud another merchant for a larger amount or they may resell the validated information on the dark web.  

How can I prevent card testing attacks? 

There are programs on the market that can help to prevent card testing attacks on your website. 

  • Captcha1. Captcha is a type of challenge or response test used to check if the user is human. Contact your online payment gateway provider and ask them to add Captcha to your payment or checkout page.  
  • Fraud Guard1. Fraud Guard helps to detect and block fraud for your business. Contact your Online Payment Gateway to see if Fraud Guard is available. 
  • 3D Secure1. 3D Secure is a tool that provides extra protection for merchants and customers for online payments. 3D Secure is used to authenticate the cardholder during payment processing, like entering a PIN for an ATM or EFTPOS transaction. Contact your payment gateway provider to see if you can use 3D Secure.
  • Be on the lookout for unusual activity early on. If you see a sudden increase in your average daily transactions or credit card declines —make sure you check it.

Are there other ways to protect my business from card testing? 

Talk to your online payment gateway administrator for help with: 

  • Identifying and blocking IP addresses from fraudsters  
  • Deleting and blocking member accounts that fraudsters are using 
  • Refunding any approved fraud sales back onto the original card.  

For more information, call your online payment gateway provider or contact our Merchant Helpdesk on 1800 029 749

Things you should know

1. These are products and services offered by third parties. Westpac does not guarantee or endorse these products or services.