It’s not just your financial information that’s at risk from cyber criminals, but details about your business, employees and customers. Keeping your HICAPS terminal safe and restricting who can access it is an important part of protecting your practice and maintaining trust with your patients.
More than ever, it’s important to protect your business against scams and fraud. Criminals are looking for various ways to commit fraud or scams, so it’s vital to be alert and take steps to protect your business.
Healthcare environments present unique security challenges. Unlike retail stores with dedicated cashiers, clinic staff often multitask between patient care and processing claims and transactions. While you’re focused on taking care of patients, it’s equally important to keep your HICAPS terminal safe.
During non-operating hours it’s crucial that terminals are not visible as this can make them a target for theft. Train your staff to recognise risks and avoid distractions that could compromise terminal security.
Terminal takeover is a type of fraud where criminals steal physical terminals and use them to process fake refunds linked to cards or accounts they control. This could expose your business to chargebacks or unauthorised refunds processed to the criminal’s account that looks the same.
Here are some tips for keeping your HICAPS terminal and practice safe:
After hours: Ensure your terminals are kept out of sight during non-operating hours so they are not a target for theft.
Safe location: Keep your terminals in a secure location that can’t be accessed by customers or people who don’t work at your business, and always keep them in line of sight and under supervision.
Check surroundings: Check your premises periodically to ensure there are no new or unknown items of electronic equipment connected or close to the terminal, e.g. hidden cameras, card skimming devices, etc.
Security cameras: Avoid having security cameras at locations which can capture you entering passwords and customer card details.
Secure access: Restrict unauthorised access to your terminal, and ensure your staff are trained to spot tampering.
Monitor transactions: Regularly check that the transaction amount remains consistent. Criminals may adjust the amount to fraudulently claim refunds.
Verify identity: Always ask for photo ID from anyone claiming to represent HICAPS or Verifone.
Check serial number: Match the serial number on each terminal with the one displayed on the screen.
Keep a record: Maintain a list of your terminals, including model and serial numbers, and regularly check for signs of tampering.
Terminal tampering: Check your terminals periodically to ensure that they haven’t been tampered with and that components remain intact and unbroken.
Refund fraud involves criminals processing a cash refund linked to cards or accounts they control. These are cash refunds that are processed independently and are not connected to private health insurance claims. To reduce the risk of unauthorised refunds, you should limit access and only allow managers or supervisors to process refunds.
Secure refund process: Use a unique password to process refunds, change it regularly and limit the number of employees who know the password.
Monitor refund amounts: Ensure the refund amount matches the original transaction. Be cautious if a customer requests an unusually large refund. Always ensure that the refund is processed to an account in the same name as the person making the claim (i.e. not to a third party).
No third-party transaction: Never accept payments on behalf of another person. Criminals often use this method to access stolen card funds.
Creating a strong password is the first step to protecting yourself and your business online. Update passwords regularly, especially when staff leave or if there's a high turnover. When updating passwords, don’t just change one part of it. Instead create something completely new that hasn’t been used before.
Don’t use simple passcodes like 1234, MedPrac21, the postcode of your business or last four digits of your phone number.
Use at least 12-14 characters and use a mix of uppercase and lowercase letters, numbers and special characters like !, &, and *.
Avoid obvious choices (family names, practice name, pet names or anything posted on social media).
Generate and store passwords securely.
Learn more: Create good password management habits - NAB
At HICAPS and NAB, protecting your business and your patients is a priority. We understand that healthcare environments face unique security challenges, with staff often balancing patient care and claims processing. That’s why we’re committed to supporting clinics with robust security measures, practical guidance and ongoing education.
Ways HICAPS and NAB support our customers include:
Educating business customers on the importance of storing the HICAPS terminal securely overnight.
Educating business customers on passcode hygiene. For example, never sharing passcodes with anyone and never leaving passcodes written down near the terminal.
Strengthening controls to help reduce refund fraud.
Working with customers if they are impacted. This can include sharing information with law enforcement.
Sharing dedicated education resources on NAB’s Security Hub website: Card and payment fraud | protect your business - NAB.
Our goal is to make it as easy as possible for you to keep your terminals secure, your staff informed and your practice protected.
We work closely with industry and regulatory bodies to keep you informed and protected. Here are some helpful resources:
Stay informed and protect your business with these free NAB security toolkits:
Please visit HICAPS Support Hub for step-by-step guides and resources for Terminal Security.