Take the free 60-second quiz
How-to

Card Machine Security: The Scams That Actually Target Small Businesses

Skimming is rare on modern card machines. The real threats are staff refund fraud, upgrade phone scams and fake payment screens. Here is how to stop them.

By Nathan Keeble Published: 8 min read
A sturdy padlock on a dark background

Card machine security worries tend to focus on the wrong villain. Hollywood-style skimming is genuinely rare on modern encrypted terminals; the scams that actually cost UK small businesses are far more mundane. Staff processing refunds to their own cards, phone callers offering terminal upgrades, customers flashing fake payment screens and chargeback fraud do the real damage. This guide covers each one, with the practical fixes that stop them.

The good news first: skimming is mostly yesterday's problem

Modern card machines encrypt card data from the moment of contact, and chip-and-PIN plus tokenised contactless leave very little for a criminal to skim. Attacks on the terminal hardware itself are rare and getting rarer, which is why the fraudsters moved on.

Where they moved to is people. Every scam in this guide targets a human being, your staff, you, or your processes, rather than the electronics. That is oddly good news, because process problems are fixable for free.

Basic hygiene still applies: buy terminals from the provider, not a marketplace bargain, keep software updated, and glance at the device occasionally for anything bolted on. Then spend your real attention on the four threats below.

Threat one: refund fraud by your own staff

The most expensive card machine scam in most small businesses is an inside job: a staff member processes refunds to their own card. No sale is reversed on the shelf, the till balances at a glance, and the money leaves quietly in £20 and £40 increments.

The fix is permissions, not paranoia. Most modern systems let you lock refunds behind a manager PIN or a named login, and every decent card machine or POS has some version of this. If anyone on the shop floor can refund without a second pair of eyes, you are running an honesty system.

Back it up with the refunds report. Refunds clustering on one login, or refunds processed outside trading hours, are the pattern to watch; review weekly and the window for quiet theft shrinks to days.

Threat two: the terminal upgrade phone scam

A caller claims to be from your card provider: your terminal needs an urgent upgrade, or your account needs re-verifying, and they just need a merchant ID, some codes, or for you to key a few numbers into the machine. Some even send a courier to swap your terminal for a doctored one.

The rule that defeats all versions of it: never act on an unsolicited call about your card machine. Hang up, find the provider's number from your statement or their website, and call back; a genuine provider will not mind, and a fraudster cannot survive it.

Brief your staff specifically, because these callers deliberately ring at busy times and lean on urgency. A one-line policy, nobody touches the terminal or reads out codes on an incoming call, is enough.

Threat three: the fake payment confirmation screen

This one is brazen and effective: a customer shows you their phone displaying a payment confirmation, a banking app screenshot or a bank-transfer-sent screen, and walks out with the goods. The screen was a screenshot, an app that generates fakes, or a payment they cancelled seconds later.

The rule is simple: the sale is confirmed on your device, never theirs. Until your terminal shows approved or your POS logs the transaction, no payment has happened, however convincing the customer's screen looks.

For bank transfers the same applies: money is real when it is in your account, not when a sending screen is waved at you. On big-ticket items, wait for the credit to land before goods leave; a genuine buyer will understand.

Threat four: chargeback fraud

Chargeback fraud, sometimes politely called friendly fraud, is a customer disputing a genuine card payment with their bank: the classic claims are goods never arrived or transaction not recognised. Card-not-present sales are the main target, which is one reason remote payments cost more than in-person taps.

Your defence is evidence, gathered before you need it: itemised receipts, delivery confirmation with signature or photo, written terms shown at purchase, and correspondence. In-person chip-and-PIN and contactless sales are hard to dispute; remote sales live and die on paperwork.

Respond to every chargeback inside the deadline, because silence is an automatic loss. Our guide to chargebacks for UK small businesses covers the process step by step.

Reconciliation: the boring safety net that catches everything

End-of-day reconciliation, comparing what the terminal says you took against what the till says you sold, is the single habit that catches every scam above. Refund fraud, cancelled payments and missing transactions all surface as a mismatch between the two numbers.

It takes five minutes: run the terminal's end-of-day total, run the POS sales total, and explain any gap before you lock up. A pound of drift is life; a recurring £40 gap on Thursdays is a pattern with a name attached.

Do it daily even on quiet days, precisely because quiet days are when nobody is watching. Fraud survives on the assumption that no one checks.

PCI basics without the panic

PCI DSS is the card industry's security standard, and for most small businesses using a modern provider it is far less scary than it sounds: the provider's hardware and software do the heavy lifting, and you complete a short annual self-assessment.

The practical rules are the ones you would guess: never write card numbers down, never take card details by email, and use your provider's virtual terminal or payment links for remote orders rather than a notepad. Storing card numbers yourself is the one genuinely dangerous habit.

Some traditional providers charge monthly PCI compliance or non-compliance fees, which flat-rate providers generally do not; our guide to PCI compliance fees explains what is legitimate and what is padding.

FAQs

What are the most common card machine scams targeting small businesses?

The big four are staff refund fraud, where refunds are processed to an employee's own card; the terminal upgrade phone scam, where callers extract codes or swap your machine; customers showing fake payment confirmation screens; and chargeback fraud on remote sales. Skimming of modern encrypted terminals is rare by comparison.

How do I stop staff processing fraudulent refunds on my card machine?

Lock refunds behind a manager PIN or named login so no one can refund unsupervised, and review the refunds and voids report weekly. Watch for refunds clustering on one login or occurring outside trading hours. Daily reconciliation of terminal totals against POS sales closes the loop, because refund fraud shows up as a mismatch.

Is card machine skimming still a risk in the UK?

It is rare on modern terminals, because card data is encrypted from the moment of contact and contactless payments are tokenised. The residual risks are buying second-hand terminals from unofficial sources or letting a stranger handle your machine. Buy from the provider, keep software updated, and focus your worry on the human scams instead.

Should I trust a payment confirmation shown on a customer's phone?

No. Screenshots and fake banking apps are trivially easy to produce, and a shown screen is not a settled payment. The transaction is only real when your own terminal shows it as approved or the money is visible in your account. For high-value bank transfers, wait for the funds to land before handing over goods.