> Wait for the weekends takings to clear into your merchant account, and then take off with the money.
That's the difficult part - since the acquiring bank is fully financially responsible if you do so (they'll compensate everyone else involved for the fraud chargebacks, no matter if they can recover it from you), they generally take quite stringent steps to fight merchant-initiated scams, and the simplest step is simply freezing the money for some time; 30 days is not uncommon but I have even seen 90 days if the merchant's profile is risky or if the incoming payment volume suddenly increases significantly - the bank is effectively treating any payments to the merchant as a line of credit or letter of guarantee until it's clear that those payments won't be fraudulent or charged back. So a merchant can quite realistically do some shenanigans with a reprogrammed terminal, but they won't be permitted to take off with a large amount of money from the merchant account until a sufficient amount of time will have passed for the first chargebacks or complaints of fraud to show up.
I don’t know about every jurisdiction, but every place that I’ve ever been involved with payment terminals, the money clears to the merchant account in a couple of business days. So your weekend’s takings would usually be cleared by Tuesday. I can’t imagine any retail or hospitality business would be able to extend a 90 day line of credit to their payment processor on all payment card revenue.
I think the main reason this never happens is because there’s a lot of easier and more profitable scams you can operate as a fraud-oriented merchant.
I would expect there to be a difference between a first time and a repeat thing. If you do out-of-normal-operation things, the bank will treat you more suspiciously, if you do your normal business, it can release your money immediately
I built the first online payment system for my university' frosh week in the early 2000's (before that they only accepted cash). This is pre-shopify/etc, and if you were doing any moderate volume it was worthwhile to use a gateway that went direct to your own merchant account.
They started accepting signups a couple weeks before school started, and on the second day it was running, after several hundred signups (of ~$200 each iirc), apparently some security people from the bank showed up at the orientation office at the school basically just to confirm it was legit. (I don't remember if they suspended the account first or not)
I had built a few online store sites using merchant accounts by then, but nothing that went from zero to that volume so quickly; it was fascinating to see that check in action.
I wonder what volume it would take to trigger such scrutiny today, and what it would look like..
Different merchant underwriters have different processes. Visiting merchant locations was pretty common, usually just to check if it looks like a real operating business though.
> they'll compensate everyone else involved for the fraud chargebacks,
But in this hypothetical would there be chargebacks? People went to a bar. They consumed, and paid for it. As far as the costumers know it went all good.
The one who is harmed would be the pub. And presumably they would complain and soon.
I don’t doubt that the whole scheme would come to light quick, i’m just questioning the exact mechanism.
Presuming the attack wasn’t initially detected, which is entirely plausible imo, it would be noticed by the merchant when the funds didn’t settle into their account. So if you do it on Friday, the merchant should notice by Tuesday at the latest. If they don’t pay close attention to their accounts, it might take a little longer.
That's the difficult part - since the acquiring bank is fully financially responsible if you do so (they'll compensate everyone else involved for the fraud chargebacks, no matter if they can recover it from you), they generally take quite stringent steps to fight merchant-initiated scams, and the simplest step is simply freezing the money for some time; 30 days is not uncommon but I have even seen 90 days if the merchant's profile is risky or if the incoming payment volume suddenly increases significantly - the bank is effectively treating any payments to the merchant as a line of credit or letter of guarantee until it's clear that those payments won't be fraudulent or charged back. So a merchant can quite realistically do some shenanigans with a reprogrammed terminal, but they won't be permitted to take off with a large amount of money from the merchant account until a sufficient amount of time will have passed for the first chargebacks or complaints of fraud to show up.