İçeriğe geç
AC

Card Copying (Skimming), Fake POS and Contactless Payment Abuse — TCK Article 245

9 Nisan 2026 Computer Crimes 7 dk okuma 54 görüntülenme Son güncelleme: 8 Mayıs 2026

The technological dimension of card abuse is developing rapidly. Skimming, fake POS devices and abuse of contactless payment systems are among the most common types of card fraud in recent years. In this article, the evaluation of the acts in question within the framework of TCK Article 245 and the legal remedies that the victim can apply are discussed.

Reminder: This article is for informational purposes only. The penalty ranges and processes in the article are within the framework of general legislation; The decision to be made in the concrete case is within the discretion of the judge; The result varies depending on the file.

What is Card Copying (Skimming)?

Skimming is the copying of magnetic stripe or chip debit/credit card information using special devices. Typical methods:

  • ATM skimmer: Case-device placed on the ATM card slot and reading card information; Most of the time, a hidden camera is placed next to the PIN button.
  • POS abuse: Restaurant, store or gas station employee swiping the card through an additional device other than POS; "handheld device" or mini skimmer placed under the case.
  • Shimming (chip reading): Reading data from chip cards with a thin device placed in the ATM card slot. It is a more advanced method than magnetic stripe copying.
  • Fake ATM/PoS: Fake devices disguised as branded ATMs or fake devices disguised as real POS in restaurants.

With the copied card information, a fake physical card can be produced or transactions can be made over the internet.

Actions committed as a result of skimming generally fall within the scope of the second and third paragraphs of TCK Article 245:

TCK article 245/2 — Fake Card Production

According to the legislation, the penalty range for "anyone who produces, sells, transfers, purchases or accepts fake bank or credit cards by associating them with bank accounts belonging to others" is imprisonment from 3 to 7 years and a judicial fine of up to 10,000 days.

TCK art.245/3 — Gaining Benefits with a Fake Card

According to the legislation, the penalty range for "a person who benefits himself or others by using a fake or forged bank or credit card" is imprisonment from 4 to 8 years and a judicial fine of up to 5,000 days.

In these cases, it is not possible to benefit from the relative exemption (TCK Article 167); Personal reasons that remove/reduce the penalty are not applied. For details on the subject, you can see our article Relationship between Close Relative Exception and TCK Article 245.

Fraud with Fake POS

Fake POS systems can be established on illegal betting sites, fake e-commerce sites or at unreal payment points. In this case:

  • The customer thinks he has paid, but in reality the service or product is not delivered after the money is withdrawn.
  • Card information can be captured and used in subsequent transactions.
  • TCK Article 158 (qualified fraud) and TCK Article 245 can be evaluated together before the judiciary.

Contactless Payment Abuse

Contactless (NFC) payments made without requiring a PIN for payments under a certain amount may also be open to abuse:

  • Small transactions with stolen or lost cards without asking for pin
  • Reading information near the card with RFID skimming devices (rare in practice, but possible in theory)
  • Split transactions to exceed the contactless limit

Legislation and bank procedures contain special provisions for the protection of the card holder in contactless transactions; However, bank procedures must also be followed.

Supreme Court Approach

Supreme Court 8/12/16. In its established jurisprudence, the Criminal Chambers apply the following principles in skimming files:

  • The seizure of devices used for skimming can be considered as preparation for the production of fake cards under TCK Article 245/2
  • Producing fake cards and benefiting from fake cards constitute separate crimes, and the rules of real assembly (TCK art. 42-44) can be applied.
  • In the files where the skimming perpetrator was identified; Camera records, seized device forensic report, bank statement matches, physical witness are important strengthening evidence.
  • As IP address alone is not considered sufficient, ATM camera records alone must be supported by other evidence. For details, you can see our article Is IP Address Alone Sufficient for Conviction?.

Steps the Victim Should Take

  • Immediate notification to the bank: As soon as an unauthorized transaction is noticed, the card must be blocked from the 24/7 call center or mobile application. In accordance with Article 12 of the Debit Cards and Credit Cards Law No. 5464, while there may be limited liability before notification, the card holder does not have liability after notification.
  • Written petition to the branch: Submit a written petition documenting the incident with details of the ATM/POS location used and date/time; Keep a copy.
  • Criminal complaint: Submit a written criminal complaint to the Chief Public Prosecutor's Office or the law enforcement. Bank statement, SMS notifications, ATM/POS address used and, if possible, a request for security camera recordings of this point should be added to the petition.
  • Chargeback application: A transaction objection can be made within the framework of the rules of the card schemes (Visa, Mastercard). The bank requests a refund from the member business for amounts for which products/services are not delivered or for fraudulent transactions.
  • Review card protection practices: Lower the contactless limit; use a virtual card; Keep bank SMS/app notifications enabled.
  • Bank's Liability

    According to Article 12 of Law No. 5464:

    • The card holder may have limited liability for lost/stolen transactions prior to notification.
    • The card holder is not responsible for the transactions following the notification; The bank is responsible.
    • In case of security vulnerabilities of the bank (suspicious transaction alarms not working, 3D Secure disabled transactions, abnormal patterns not detected), additional legal remedies may be considered against the bank.

    The 11th Civil Chamber of the Supreme Court has ruled against the bank in cases where the bank violated its duty of care.

    Preventive Recommendations

  • Before using an ATM, check the card slot for play, looseness or adhesive marks.
  • Cover the keys with your other hand while entering the PIN.
  • If possible, choose ATMs inside the bank branch.
  • Do not take your card out of sight during POS transactions; If possible, do the process yourself.
  • Keep SMS notifications on; Be instantly informed of every transaction.
  • Keep the contactless limit as low as you need
  • Prefer to create a virtual card for online shopping; Complete the transaction by depositing the required amount.
  • Do not store browser password; If possible, do not save card information.
  • Even though I did not withdraw from the ATM, I did not receive my money, the bank holds me responsible. What can I do?

    It is meticulously investigated whether the bank's security procedures are followed, whether the ATM is manipulated with a skimming device, and whether ATM cameras are working. It is recommended that you consult with a lawyer to evaluate legal remedies against the bank; The result is specific to the file and a definitive result cannot be promised.

    My card information was stolen at the restaurant and then used in another city. Is it possible to identify the perpetrator?

    The perpetrator is tried to be identified through the cameras of the POS location where the transaction was made, bank log records and common point analysis. The process can take a long time; The result may be different for each file.

    I made a transaction, but later I learned that it was a fake POS. Will I get my money back?

    Bank chargeback application and other legal methods for refund may be considered. The actual nature of the merchant, payment scheme rules and the evidence status of the file affect the result.

    Conclusion

    Skimming, fake POS and contactless payment abuse; It is an area with high technical complexity and where multiple legal relations (TCK Article 245, Article 158, bank liability, card scheme rules) are intertwined. The speed of the steps to be taken in the victim position is of critical importance. Due to the technical characteristics of the process, it is recommended to work in coordination with both the financial advisor and the lawyer from the beginning of the file.

    Telif bildirimi This content and all related Q&A texts are protected under Turkish Copyright Law No. 5846. Unauthorized copying, reproduction, publication, adaptation, bulk extraction, or commercial use is prohibited; legal and criminal remedies are reserved in case of infringement.

    Hukuki destek arıyorsanız

    Bu konuda profesyonel hukuki destek için Aycan Ceylan Avukatlık Bürosu olarak yanınızdayız.

    Görüşme Planla