
PIX Security for Businesses: How to Protect Your Merchant Account from Fraud

Learn how to protect your business from PIX fraud including fake payment screenshots, QR code swaps, and social engineering attacks targeting Brazilian merchants.

LOCK.PUB
2026-03-16

PIX has transformed how businesses in Brazil handle payments. With instant settlement, zero transaction fees for most operations, and 24/7 availability, it has become the dominant payment method — processing over 40 billion transactions in 2025. But as PIX adoption has exploded, so have the fraud techniques targeting merchants.

For businesses that rely on PIX, understanding these threats is not optional. Here is your complete guide to PIX security for merchants.

PIX Threats Targeting Businesses

1. Fake Payment Screenshots

The simplest and most common fraud. A customer presents a fabricated PIX receipt on their phone screen, claiming payment was sent. For busy merchants — food trucks, street vendors, retail shops — the temptation to glance at the screenshot and move on is exactly what scammers count on.

Scale of the problem: FEBRABAN reported that fake PIX receipt fraud affected over 500,000 businesses in 2025.

2. QR Code Swap Attacks

Scammers physically replace your PIX QR code at your point of sale with their own. Every customer who scans the QR code sends money to the fraudster instead of your business. This is especially common at:

  • Food courts and street stalls
  • Market vendors
  • Self-service payment stations
  • Printed QR codes left unattended

3. Social Engineering Against Employees

Scammers call your business pretending to be from your bank or payment processor. They claim there is a "PIX system update" or "security verification" that requires your employees to share account credentials, make a test transfer, or install remote access software.

4. Scheduled PIX Exploitation

A customer shows you a "scheduled PIX" receipt as proof of payment. Unlike an instant PIX transfer, a scheduled transfer can be canceled by the sender before it processes. You release the goods, and the customer cancels the scheduled payment.

5. Refund Exploitation

A customer makes a legitimate small PIX payment, then claims they paid more or paid twice. They request a refund to a different PIX key. The refund goes through, but the original dispute leaves you at a loss.

6. Account Takeover via PIX Key

If your business PIX key is a phone number or email, and an attacker gains control of that phone number (via SIM swap) or email account, they can redirect incoming payments to themselves.

PIX Business Threat Matrix

| Threat | Target | Complexity | Impact |
|---|---|---|---|
| Fake Screenshot | Point of sale | Low | Medium per transaction |
| QR Code Swap | Physical location | Low | High (affects all customers) |
| Social Engineering | Employees | Medium | Very High |
| Scheduled PIX Trick | Point of sale | Low | Medium |
| Refund Exploitation | Finance team | Medium | Medium |
| PIX Key Takeover | Business account | High | Critical |
| Malware/RAT | Accounting systems | High | Critical |

Merchant Protection Measures

Real-Time Payment Verification

Never rely on what the customer shows you. Implement these verification steps:

  1. Check your bank account directly — Open your banking app or POS system to confirm the credit
  2. Set up real-time push notifications for every incoming PIX payment
  3. Use audio notifications — Some banking apps can announce incoming payments, useful in noisy retail environments
  4. Verify the amount, sender, and timestamp match the expected transaction

QR Code Security

Protect your PIX QR codes from tampering:

  1. Laminate static QR codes so they cannot be easily covered with stickers
  2. Check QR codes daily — Look for signs of overlaid stickers or replacement
  3. Use dynamic QR codes that change per transaction (available through most POS systems)
  4. Mount QR codes where staff can monitor them — Not in blind spots
  5. Test-scan your own QR code regularly to verify it directs to your account
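
The test-scan step can be automated. The Python below is an added example, not code from the original article or from any bank: it parses the text decoded from a static PIX QR code (ID/length/value fields ending in a CRC-16) and confirms the embedded key is still yours. It assumes the PIX account template sits in field 26 with the key in sub-field 01, does not cover dynamic codes (which carry a URL instead of a key), and uses constructed keys and a constructed sample payload.

```python
PIX_GUI = "br.gov.bcb.pix"  # identifier that marks a PIX account template

def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), the EMV QR checksum."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def tlv(tag: str, value: str) -> str:
    return f"{tag}{len(value):02d}{value}"

def parse_tlv(text: str) -> dict:
    """Split 'ID(2) LEN(2) VALUE' fields into a dict; reject truncated input."""
    fields, pos = {}, 0
    while pos < len(text):
        tag, length = text[pos:pos + 2], int(text[pos + 2:pos + 4])
        value = text[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError(f"field {tag} is truncated")
        fields[tag] = value
        pos += 4 + length
    return fields

def check_qr(payload: str, expected_key: str) -> str:
    """Return ok, key-mismatch, not-pix, malformed or invalid-crc."""
    body, crc_hex = payload[:-4], payload[-4:]
    if not body.endswith("6304") or f"{crc16(body.encode()):04X}" != crc_hex.upper():
        return "invalid-crc"
    try:
        account = parse_tlv(parse_tlv(payload).get("26", ""))
    except ValueError:
        return "malformed"
    if account.get("00", "").lower() != PIX_GUI:
        return "not-pix"
    return "ok" if account.get("01") == expected_key else "key-mismatch"

def sample_payload(key: str, city: str = "SAO PAULO") -> str:
    """Build a constructed static payload for the demo (not a real merchant code)."""
    body = (tlv("00", "01") + tlv("26", tlv("00", PIX_GUI) + tlv("01", key))
            + tlv("52", "0000") + tlv("53", "986") + tlv("58", "BR")
            + tlv("59", "LOJA EXEMPLO") + tlv("60", city) + tlv("62", tlv("05", "***")) + "6304")
    return body + f"{crc16(body.encode()):04X}"

MY_KEY = "11111111-2222-4333-8444-555555555555"     # constructed random-key placeholder
OTHER_KEY = "99999999-8888-4777-8666-555555555555"  # constructed, stands in for a swapped code
```

A swapped code still carries a valid checksum, so only the key comparison catches it; `check_qr(sample_payload(OTHER_KEY), MY_KEY)` returns `key-mismatch`.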

Employee Training

Your staff is your first line of defense:

  • Train employees to verify every PIX payment in the banking app, not from customer screenshots
  • Establish a policy that no employee should share banking credentials over the phone
  • Create a verification protocol for anyone claiming to be from your bank — hang up and call the bank directly
  • Practice scenarios so staff recognize social engineering attempts

Account Security

Protect the accounts that receive your PIX payments:

  1. Use a CNPJ-linked PIX key rather than a personal phone number or email
  2. Enable two-factor authentication on all banking and financial apps
  3. Limit account access — Only authorized personnel should have credentials
  4. Set up transaction limits for individual PIX operations
  5. Review account activity daily for unauthorized transactions

Sharing Business Financial Information Securely

Businesses regularly need to share PIX keys, bank account details, and payment instructions with partners, suppliers, and employees. Sending this information through email or WhatsApp groups creates permanent records that can be compromised.

Use LOCK.PUB to share your business banking details through password-protected links that expire after a set time. This ensures your PIX keys and account numbers are not sitting in dozens of WhatsApp chat histories where they could be harvested by someone who gains access to any of those devices.

Setting Up PIX Securely for Your Business

Choose the Right PIX Key

| PIX Key Type | Security Level | Recommendation |
|---|---|---|
| Random Key (EVP) | Highest | Best for business — no personal info exposed |
| CNPJ | High | Good for formal business identification |
| Email | Medium | Risk if email account is compromised |
| Phone Number | Lower | Risk of SIM swap attacks |
| CPF | Lowest for business | Avoid using personal CPF for business transactions |

Configure Transaction Limits

The Central Bank allows you to customize PIX limits:

  • Set lower nighttime limits (between 8 PM and 6 AM)
  • Establish per-transaction maximums appropriate for your business size
  • Require additional authentication for transfers above a certain threshold
  • Register trusted recipients for recurring large payments

Monitor and Audit

  • Review all PIX transactions daily
  • Reconcile PIX receipts with your sales records
  • Watch for unusual patterns (multiple small transactions, off-hours activity)
  • Set up alerts for transactions above your typical range
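
The daily review above can be scripted. This Python is an added example, not code from the original article: it reconciles sales records against settled bank credits and raises the alerts listed above, using the 8 PM to 6 AM window from the limits section. The record layout, field names and thresholds are hypothetical, and the sample data is constructed.

```python
from collections import Counter
from datetime import datetime

def audit(sales, credits, typical_max_cents, small_cents=1000, burst=3):
    """Compare sales with settled bank credits; return (unpaid, alerts)."""
    by_txid = {}
    for c in credits:
        by_txid.setdefault(c["txid"], []).append(c)
    unpaid = []
    for s in sales:
        received = sum(c["cents"] for c in by_txid.pop(s["txid"], []))
        if received != s["cents"]:      # nothing settled, or wrong amount
            unpaid.append((s["txid"], s["cents"], received))
    # Whatever is left in by_txid is money that matches no recorded sale.
    alerts = [(txid, "credit-without-sale") for txid in by_txid]
    small = Counter(c["payer"] for c in credits if c["cents"] <= small_cents)
    alerts += [(p, "many-small-payments") for p, n in small.items() if n >= burst]
    for c in credits:
        hour = datetime.fromisoformat(c["time"]).hour
        if hour >= 20 or hour < 6:      # the 8 PM to 6 AM nighttime window
            alerts.append((c["txid"], "off-hours"))
        if c["cents"] > typical_max_cents:
            alerts.append((c["txid"], "above-typical"))
    return unpaid, alerts

# Constructed sample data; field names are hypothetical, not a bank export format.
SALES = [
    {"txid": "S001", "cents": 4500},
    {"txid": "S002", "cents": 12000},   # receipt was shown, but no credit arrived
    {"txid": "S003", "cents": 8000},    # credit arrived for a smaller amount
]
CREDITS = [
    {"txid": "S001", "cents": 4500, "payer": "A", "time": "2026-03-16T12:05:00"},
    {"txid": "S003", "cents": 800, "payer": "B", "time": "2026-03-16T13:10:00"},
    {"txid": "X900", "cents": 250000, "payer": "C", "time": "2026-03-16T23:40:00"},
]
```

Sales that come back in `unpaid` are the ones where goods may have been released against a screenshot or a scheduled transfer that never settled.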

What to Do If Your Business Is Targeted

  1. Freeze the affected account by contacting your bank immediately
  2. Request a MED (Mecanismo Especial de Devolução) through your bank within 80 days for fraudulent transactions
  3. File a B.O. (police report) online with all transaction evidence
  4. Notify your employees about the specific fraud technique used
  5. Review and strengthen your verification procedures
  6. Check all QR codes at your physical locations for tampering

Conclusion

PIX has made payments faster and more convenient for Brazilian businesses, but that convenience requires a corresponding investment in security. The most critical habit is simple: always verify payments in your bank account before releasing goods or services. Never trust a screenshot, never skip verification during busy periods, and protect your QR codes from physical tampering.

When sharing business banking information with partners or employees, use LOCK.PUB to create free password-protected, expiring links that keep your financial details secure.
