POS & Merchant Security · Complete Guide

POS Security for Merchants: The Complete Guide

Terminal tampering, POS malware, employee fraud, chargebacks, PCI compliance — the complete guide to protecting your business and your customers.

ATM Fortify Security Team (payment fraud & ATM security specialists) — Updated February 2026


Disclaimer: This article is for educational purposes. If you suspect your POS system has been compromised, disconnect affected terminals, preserve evidence, and contact your acquiring bank and law enforcement. Do not attempt to investigate malware yourself.


Quick Definition: Point-of-sale (POS) fraud is any scheme that exploits your payment terminal, payment process, or business operations to steal card data, cash, or merchandise. It includes external threats (terminal tampering, CNP fraud) and internal ones (employee theft, insider fraud).


What Is POS Fraud?

For merchants, POS fraud is a multi-front problem. Unlike ATM fraud — which is primarily a consumer-facing risk — POS fraud puts the merchant in a direct line of fire: through chargebacks, regulatory penalties, reputational damage, and the cost of replacing compromised hardware.

Small and mid-sized merchants are particularly exposed. They often lack the dedicated security resources of large retailers, yet they process significant card volume and carry the same PCI DSS compliance obligations.

This guide covers the full spectrum: physical terminal security, digital threats, employee risk, fraud in your online store, and chargeback management.


The POS Threat Landscape

Terminal Tampering

Physical tampering involves a criminal attaching, inserting, or swapping a device on your payment terminal to capture card data and PINs. Methods include:

  • Overlay skimmers: Placed over the card slot to read magnetic stripe data
  • PIN pad overlays: A thin layer over the keypad that captures PIN presses
  • Internal devices: Inserted via a compromised or swapped terminal — these are planted during distraction attacks on staff, or during supply chain interference with unverified equipment

Who does it: Organised skimming rings that typically target multiple merchants in a geographic area over a short period.

When it happens: Tampering is most likely when staff attention is divided — during busy periods, early morning before opening, or late evening. Overnight attacks on unmanned terminals are common.

POS Malware (High-Level Awareness)

POS malware infects the software running on a payment terminal or the system it is connected to. At a high level, it is designed to intercept card data as it is processed, before encryption takes effect — a technique sometimes called "memory scraping."

What you need to know: POS malware attacks typically require initial access to your network or terminal — through a phishing email to an employee, an unsecured remote access tool, or an unpatched operating system.

The defence is in your network and update hygiene. A patched, segmented network and properly configured terminals dramatically reduce your exposure.

Employee and Insider Fraud

Insider threats are a significant source of merchant losses. They include:

  • Skimming by employees: An employee uses a handheld or concealed device to skim cards during transactions, or takes photos of card details
  • Cash theft: Voids, refunds, and "no-sale" transactions used to extract cash
  • Return fraud facilitation: Processing fraudulent returns for accomplices
  • Data theft: Copying customer payment information for later use or sale

The uncomfortable reality: Most insider fraud is perpetrated by trusted, long-term employees — not new hires. Access controls and separation of duties are your primary defences.

Card-Not-Present (CNP) Fraud

If you sell online, by phone, or by mail order, CNP fraud is your primary card threat. CNP fraud occurs when a criminal uses stolen card details to make purchases without presenting the physical card.

Since there is no card to verify, and you as the merchant bear the liability for most CNP chargebacks, this is both a fraud and a financial risk.

Chargeback Fraud and Friendly Fraud

A chargeback is a reversal of a transaction initiated by the cardholder through their bank. Legitimate chargebacks arise when:

  • A transaction was not authorised
  • Goods were not delivered as described
  • A merchant error occurred

Friendly fraud is a chargeback filed by someone who did receive what they ordered but claims otherwise. It is also called first-party misuse. While some friendly fraud is deliberate, some is accidental (e.g., a family member's purchase not recognised on a statement).

The cost: Beyond the refunded amount, you typically pay a chargeback fee, and excessive chargeback rates can trigger your payment processor to increase fees or terminate your account.

Refund and Return Abuse

Return fraud takes many forms:

  • Returning stolen merchandise for cash/credit
  • Returning used or worn items (wardrobing)
  • Receipt fraud — using another customer's receipt
  • Price switching — attaching lower-price labels before return
  • Refund fraud — processing refunds to cards not used for the original purchase

Common Myths About POS Security

Myth: "EMV chip payments mean I can't be skimmed."
Reality: EMV chip is harder to clone, but PIN pad overlays still capture PINs. Terminals can also be physically swapped.

Myth: "My payment processor handles all the security."
Reality: You share PCI DSS responsibility. Your physical terminal security, network, and staff practices are your responsibility.

Myth: "Chargebacks are just the cost of doing business."
Reality: Excessive chargeback rates can result in higher processing fees, reserves held on your account, or account termination. Active management reduces rates.

Myth: "My staff would never skim cards."
Reality: Insider fraud is under-reported and common. Controls protect honest employees from suspicion as much as they deter dishonest ones.

Myth: "A new terminal from my supplier is always clean."
Reality: Terminals can be tampered with in the supply chain or during delivery. Verify terminals against your supplier's security seal programme.

Myth: "We're too small to be targeted."
Reality: Small merchants are often targeted precisely because their security measures are less robust than those of large retailers.

Warning Signs Your Terminal May Be Compromised

Visual inspection — check daily:

  • Scratches, tape marks, or adhesive residue around the card slot or PIN pad
  • PIN pad that appears raised, spongy, or different from its normal look
  • Any unfamiliar attachment, loose piece, or component on the terminal
  • Terminal that looks physically different from other terminals in your location
  • LED or tamper-indicator lights showing unusual states

Operational signs:

  • Terminal behaving unexpectedly — unusual messages, slowness, random reboots
  • Customers reporting suspicious charges after visiting your location
  • Staff reporting that a terminal was "moved" or "messed with" during their shift
  • A terminal that appears to have been replaced without authorisation

If you suspect tampering:

  1. Do not process further transactions on that terminal
  2. Preserve it — do not touch, clean, or power down (unless advised by your acquirer)
  3. Contact your acquiring bank immediately
  4. Document the situation — photos, written notes of what was observed and when
  5. Review CCTV footage if available

POS Terminal Security Checklist for Merchants

Daily:

  • ✅ Visually inspect all terminals before opening (card slot, PIN pad, cable connections)
  • ✅ Compare terminal serial numbers against your asset register
  • ✅ Note any unusual customer complaints about transactions during the previous day

Weekly:

  • ✅ Verify tamper-evident seals are intact (if your terminal model includes them)
  • ✅ Review all voided transactions, refunds, and no-sale operations
  • ✅ Check for unauthorised software installations if terminals are computer-based

Access controls:

  • ✅ Restrict who has physical access to terminals, especially after-hours
  • ✅ Separate "manager override" functions from general staff access
  • ✅ Ensure terminals are physically secured (mounting cradles, cable locks where appropriate)
  • ✅ Never leave a terminal unattended on a counter where it can be picked up by a customer

Hardware:

  • ✅ Use terminals certified to PCI PTS standards — ask your payment processor for guidance
  • ✅ Register all terminals with your acquirer and report discrepancies immediately
  • ✅ Establish a process for decommissioning old terminals securely
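The weekly review of voids, refunds and no-sale operations above, together with the refund-to-a-different-card pattern from the return-fraud list, as an added worked example (this is not code from the original page or from ATM Fortify): a Python pass over a constructed POS journal that flags refunds that do not line up with the sale they reference and employees whose share of voids and no-sales is unusually high. The journal layout, employee names and thresholds are assumptions for illustration.

```python
from collections import Counter

# Constructed sample POS journal (not real data). Each entry is one till event;
# "card" is a tokenised card reference and "ref" links a refund or void to the
# original sale it claims to reverse.
JOURNAL = [
    {"id": "T1",  "type": "sale",    "employee": "ana", "card": "tok_111", "amount": 42.00, "ref": None},
    {"id": "T2",  "type": "sale",    "employee": "ben", "card": "tok_222", "amount": 15.50, "ref": None},
    {"id": "T3",  "type": "refund",  "employee": "ben", "card": "tok_999", "amount": 42.00, "ref": "T1"},
    {"id": "T4",  "type": "no_sale", "employee": "ben", "card": None,      "amount": 0.00,  "ref": None},
    {"id": "T5",  "type": "void",    "employee": "ben", "card": None,      "amount": 0.00,  "ref": "T2"},
    {"id": "T6",  "type": "sale",    "employee": "ana", "card": "tok_333", "amount": 9.99,  "ref": None},
    {"id": "T7",  "type": "refund",  "employee": "ana", "card": "tok_333", "amount": 9.99,  "ref": "T6"},
    {"id": "T8",  "type": "sale",    "employee": "ben", "card": "tok_444", "amount": 30.00, "ref": None},
    {"id": "T9",  "type": "no_sale", "employee": "ben", "card": None,      "amount": 0.00,  "ref": None},
    {"id": "T10", "type": "refund",  "employee": "cal", "card": "tok_555", "amount": 20.00, "ref": None},
    {"id": "T11", "type": "refund",  "employee": "ana", "card": "tok_444", "amount": 35.00, "ref": "T8"},
]

def suspicious_refunds(journal):
    """Return {refund_id: reason} for refunds with no original sale, refunds
    paid to a different card than the one charged, or refunds above the sale."""
    sales = {e["id"]: e for e in journal if e["type"] == "sale"}
    findings = {}
    for e in journal:
        if e["type"] != "refund":
            continue
        original = sales.get(e["ref"])
        if original is None:
            findings[e["id"]] = "no matching sale"
        elif original["card"] != e["card"]:
            findings[e["id"]] = "card mismatch"
        elif e["amount"] > original["amount"]:
            findings[e["id"]] = "exceeds original"
    return findings

def exception_rate_by_employee(journal, threshold=0.3, min_events=5):
    """Share of each employee's till events that are voids or no-sales; only
    employees with at least min_events events and a share above threshold."""
    totals = Counter(e["employee"] for e in journal)
    exceptions = Counter(e["employee"] for e in journal if e["type"] in ("void", "no_sale"))
    return {emp: exceptions[emp] / totals[emp]
            for emp in totals
            if totals[emp] >= min_events and exceptions[emp] / totals[emp] > threshold}

if __name__ == "__main__":
    print("refunds to review:", suspicious_refunds(JOURNAL))
    print("employees to review:", exception_rate_by_employee(JOURNAL))
```

A flagged refund or a high exception rate is a prompt to pull the receipt and CCTV for that event, not proof of fraud on its own.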



PCI DSS: What Every Merchant Needs to Know

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect card data. As a merchant, your compliance level depends on your annual card transaction volume.

The key principles (plain English):

PCI DSS domain and what it means for you:

  • Secure network: Your payment traffic runs on a separate, firewalled network segment
  • Protect cardholder data: You don't store card data unless absolutely required, and never in plain text
  • Vulnerability management: Your systems are patched; anti-malware is active
  • Access controls: Only staff who need access to payment systems have it
  • Monitor and test: You have logs, you review them, and you test your security periodically
  • Security policy: You have a documented security policy and your staff know it

Important: PCI DSS does not make you immune to fraud — but it significantly raises the bar for attackers and reduces your liability exposure if a breach occurs.



Employee Training and Access Controls

Your staff are both your greatest security asset and your most significant insider risk. Key principles:

Training:

  • Ensure all staff who handle payment terminals can identify signs of tampering
  • Conduct brief daily terminal checks as a standard opening procedure
  • Train staff to be suspicious of "technicians" who appear unannounced — verify identity and work orders before allowing access to terminals
  • Create a clear reporting process: staff should feel comfortable reporting suspected tampering without fear of blame

Access controls:

  • Apply the principle of least privilege — give staff access to only what they need for their role
  • Use individual logins for POS systems — never share passwords
  • Review access rights when staff leave or change roles
  • Require dual authorisation for refunds above a threshold amount



Protecting Your Online Store from CNP Fraud

If you accept online payments, these controls reduce CNP fraud:

  • Use Address Verification Service (AVS): Checks billing address against card issuer records
  • Require CVV/CVC: The card security code is not stored by legitimate merchants; requiring it confirms the buyer has the physical card
  • Enable 3D Secure / Strong Customer Authentication: An additional authentication step for online card transactions (required for EEA merchants under PSD2)
  • Set velocity checks: Flag or block multiple orders from the same card, IP, or shipping address in a short period
  • Review high-value orders manually: Particularly for new customers, international shipping addresses, or unusual combinations (high-value item, cheapest shipping)
  • Use your payment gateway's fraud scoring tools: Most gateways offer fraud detection — configure the thresholds to match your risk appetite
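The velocity check described above, as an added worked example (not code from the original page or from ATM Fortify): a sliding-window count of orders sharing the same card token, client IP or shipping address, which holds any order that pushes a key past the limit within the window. The order layout, the tokenised card references and the 30-minute / 3-order defaults are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample orders (not real data). "card" is a tokenised card
# reference as a gateway would return it; no PAN is handled here.
ORDERS = [
    {"id": 1,  "card": "tok_A1", "ip": "203.0.113.10", "ship": "1 High St", "ts": "2026-02-03T10:00:00"},
    {"id": 2,  "card": "tok_A2", "ip": "203.0.113.10", "ship": "2 Low St",  "ts": "2026-02-03T10:05:00"},
    {"id": 3,  "card": "tok_A3", "ip": "203.0.113.10", "ship": "3 Mid St",  "ts": "2026-02-03T10:10:00"},
    {"id": 4,  "card": "tok_A4", "ip": "203.0.113.10", "ship": "4 Far St",  "ts": "2026-02-03T10:20:00"},
    {"id": 5,  "card": "tok_B",  "ip": "198.51.100.7", "ship": "9 Elm Rd",  "ts": "2026-02-03T10:25:00"},
    {"id": 6,  "card": "tok_C",  "ip": "198.51.100.8", "ship": "5 Oak Ave", "ts": "2026-02-03T11:00:00"},
    {"id": 7,  "card": "tok_C",  "ip": "198.51.100.8", "ship": "5 Oak Ave", "ts": "2026-02-03T11:45:00"},
    {"id": 8,  "card": "tok_D1", "ip": "192.0.2.11",   "ship": "7 Pine Ct", "ts": "2026-02-03T12:00:00"},
    {"id": 9,  "card": "tok_D2", "ip": "192.0.2.12",   "ship": "7 Pine Ct", "ts": "2026-02-03T12:05:00"},
    {"id": 10, "card": "tok_D3", "ip": "192.0.2.13",   "ship": "7 Pine Ct", "ts": "2026-02-03T12:10:00"},
    {"id": 11, "card": "tok_D4", "ip": "192.0.2.14",   "ship": "7 Pine Ct", "ts": "2026-02-03T12:15:00"},
]

def velocity_flags(orders, window_minutes=30, max_per_key=3):
    """Sliding-window velocity check over card, IP and shipping address.

    Returns {order_id: ["key:value", ...]} for every order that is the
    (max_per_key + 1)th or later order sharing that key inside the window.
    """
    window = timedelta(minutes=window_minutes)
    recent = {key: defaultdict(deque) for key in ("card", "ip", "ship")}
    flags = {}
    for order in sorted(orders, key=lambda o: o["ts"]):
        ts = datetime.fromisoformat(order["ts"])
        for key, history in recent.items():
            seen = history[order[key]]
            seen.append(ts)
            # Drop timestamps that have fallen outside the window; the
            # current order's own timestamp always remains.
            while ts - seen[0] > window:
                seen.popleft()
            if len(seen) > max_per_key:
                flags.setdefault(order["id"], []).append(f"{key}:{order[key]}")
    return flags

if __name__ == "__main__":
    for order_id, reasons in velocity_flags(ORDERS).items():
        print(f"order {order_id}: hold for review ({', '.join(reasons)})")
```

Orders 1 to 4 trip the IP limit and orders 8 to 11 trip the shipping-address limit even though every card is different; the two orders on tok_C are 45 minutes apart and pass.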



Chargeback Prevention Strategies

Strategy and how it helps:

  • Clear billing descriptor: Customers recognise your name on their statement, preventing "I don't know this charge" disputes
  • Confirmation emails with item detail: Provides evidence of a legitimate transaction; customers are less likely to dispute
  • Transparent refund policy: Clearly displayed refund terms reduce "item not as described" chargebacks
  • Delivery confirmation: Proof of delivery defeats "item not received" disputes
  • 3D Secure: Shifts liability for fraudulent CNP transactions to the card issuer
  • Prompt customer service: Customers who can reach you easily are more likely to contact you before filing a chargeback
  • Transaction records: Retain signed receipts, IP logs, and delivery records for at least 18 months



What Criminals Try and How to Disrupt It

Approach and how to disrupt it:

  • Terminal swap overnight: Secure terminals physically; check serial numbers each morning
  • Distraction-based skimmer installation: Train staff to guard terminals; visitor sign-in for technicians
  • Employee skimming: Access controls; camera coverage at POS; transaction anomaly monitoring
  • CNP fraud with stolen card data: AVS, CVV, 3D Secure, velocity checks, manual review
  • Chargeback abuse: Clear records, delivery confirmation, transparent policies
  • Phishing staff for network access (POS malware precursor): Email security awareness training; network segmentation

If You Suspect a POS Compromise — Incident Response

  1. Stop transactions on the affected terminal(s) immediately — do not process further card payments
  2. Call your acquiring bank — they have a fraud/breach notification line; notify them within the timeframe your merchant agreement requires
  3. Preserve evidence — do not clean, power down, or tamper with the terminal; your acquirer and potentially law enforcement will need it
  4. Check CCTV — identify anyone who had access to the terminal in the period before discovery; preserve the footage
  5. Review recent transactions — look for anomalies (small test charges, unusual refund activity)
  6. Notify affected customers if required — your acquiring bank and/or local data protection authority will advise; in the EU under GDPR, a personal data breach notification to your supervisory authority may be required within 72 hours
  7. Contact law enforcement — file a report; your acquirer may require a crime reference number
  8. Replace compromised terminals — only with certified, traceable hardware from your payment provider
  9. Review and update your security procedures to prevent recurrence



Frequently Asked Questions

Q: Am I liable for chargebacks on chip-and-PIN transactions? A: In most cases, liability for fraudulent card-present transactions shifts to the card issuer when EMV chip-and-PIN is used and the merchant has compliant terminals. However, chargebacks for "item not as described" or "not delivered" remain the merchant's responsibility regardless of card type.

Q: How often should I inspect my POS terminals? A: A brief visual inspection before opening each day is the minimum. High-risk environments (high footfall, poor sightlines, overnight unmanned counters) warrant more frequent checks and physical security controls.

Q: Do I have to store customer card data? A: No — and in almost all merchant use cases, you should not. Your payment gateway stores tokenised data. Storing raw card data significantly increases your PCI DSS scope and liability.

Q: A customer says I charged them twice. Is this a fraud attempt? A: Not necessarily — duplicate transactions do happen. Always investigate before assuming fraud. If you cannot verify the transaction, provide a refund promptly; this is cheaper than a chargeback.

Q: An engineer appeared and said he needed to "update" my terminals. What should I do? A: Never allow unannounced or unverified access to your terminals. Call your payment provider directly (using their official number, not one provided by the visitor) to verify the engineer's identity and work order before granting access. Legitimate engineers expect this verification.

Q: What is a "friendly fraud" chargeback and can I dispute it? A: Friendly fraud is when a legitimate customer files a chargeback claiming a transaction was fraudulent, when it was not. Yes, you can dispute it — with evidence such as signed receipts, delivery confirmation, and IP logs. Your payment gateway or acquirer will guide the dispute process.

Q: How much do chargebacks cost my business? A: Beyond the refunded amount, chargebacks typically incur a fee from your acquirer (example: €20–€35 per dispute). If your chargeback rate exceeds thresholds set by your card scheme (typically around 1% of monthly transactions), you may be placed in a monitoring programme with additional fees or account restrictions.


CTA — For Merchants and Retailers

Concerned about your terminal security or PCI compliance posture?

ATM Fortify provides security assessments and anti-tampering solutions for merchants and ATM operators. Request a Free Security Consultation →



If you suspect a POS compromise, contact your acquiring bank immediately and preserve all evidence. This article is for educational purposes and does not constitute legal, regulatory, or professional security advice.

Need Professional ATM Security Support?

ATM Fortify provides anti-skimming hardware, security assessments, and fraud prevention consulting for ATM operators and financial institutions across 30+ countries.
