Background
Victoria Police are aware of a recent series of burglaries and thefts targeting medical premises across Melbourne. Offences have predominately occurred over weekends, when premises are unoccupied.
This guidance has been prepared to assist GPs and practice managers with implementing security measures to prevent the theft of funds from EFT/HiCaps/Tyro machines, which are being stolen during these burglaries.
Recommendations for security
Secure EFT terminals:
- Physically secure terminals with locking brackets, steel tethers or bolted mounts so they can’t be easily removed.
- Do not use the default PIN code provided by the manufacturer.
- Do not keep the PIN details written on notes within vicinity or the PIN and do not affix a sticker / label with the PIN to the machine.
- Lock terminals away after hours (safe, drawer etc).
- Maintain an inventory/log of serial numbers for all Tyro/ HICAPS/EFT type devices.
- Consider implementation of control refund permissions.
- Consider any set up of 2FA (two-factor authentication) on all online portals.
- Consider limiting refunds amounts per transaction or per day.
- If possible, consider separate logins for each staff member, so refund activity is traceable.
- Maintain staff awareness — train them on manual handling and security issues pertaining to the machines.
If your machine is stolen:
- Contact your merchant (Tyro, NAB etc) and ask them to lock refunds at the terminal level. They can then require any refund to be done through the portal only — safer and traceable.
- Set a unique manager-only PIN (different from settlement or login codes). Once enabled, no refunds can be processed unless the PIN is entered.
- Ensure that the merchant deactivates stolen terminals remotely via the serial number. Stolen terminals can then be ‘blacklisted’.
Strengthen Entry Points by:
- Upgrading locks to commercial-grade deadbolts or electronic locks with audit trails.
- Reinforcing doors and windows with security film or bars (especially on rear/service entries).
- Install bollards or planters if offenders rammed or forced entry through glass doors.
Alarm & CCTV:
- Monitored alarm system with motion detectors and glass-break sensors (link directly to your mobile and/or security company).
- Visible CCTV coverage of all entry points and the counter area — with signage saying “24-hour video recording in use.”
- Ensure any monitored alarm and CCTV are operable and activated.
- Cloud storage for footage (to ensure that offenders can’t delete evidence if they steal the DVR).
Report any offences to Victoria Police via:
- If anyone is in danger, a crime is currently occurring, or you need immediate police attendance, call Triple Zero (000).
- The Police Assistance Line (PAL) via 131444 and the Victoria Police Online Reporting service allows reporting of some non-urgent crimes or events 24 hours a day, seven days a week.
- To report stolen property that is not covered by this service, contact your local police station.