How to Verify Gravity Payments Security Requests
July 12, 2026
By Elena Brooks, merchant-security documentation editor, eight-year support beat (editorial persona)
Last reviewed: July 12, 2026
A caller claiming to represent Gravity Payments should not ask a merchant to run a “terminal test,” process a refund, disclose account passwords or install remote-access software from an unexpected link. End the call and contact Gravity through its published support page or its 24-hour number, 866-701-4700.
This independent guide is not operated by Gravity Payments and cannot verify a caller, inspect a terminal or secure a merchant account.
What Gravity Payments security support covers
Gravity Payments provides merchant processing, terminals, account reporting and related payment tools. Its security materials address two separate responsibilities: protecting an account from impersonation scams and validating the merchant’s payment environment under the Payment Card Industry Data Security Standard.
Those tasks overlap, but they are not interchangeable. A merchant can complete an annual PCI questionnaire and remain vulnerable to a fraudulent phone call. Another merchant may correctly reject a suspicious caller while leaving an overdue compliance requirement unresolved.
Handle the immediate threat first. Complete PCI work through the established account channel afterward.
Stop before touching the terminal
Gravity says it will not ask a merchant to process a refund or enter codes as part of a terminal “functionality check” or “recalibration.” Such instructions may create an unauthorized refund rather than test the machine.
Hang up.
Five signs that the support request is suspicious
Gravity published a dedicated scam-awareness page in June 2025 after reporting increased impersonation attempts involving its name and Clover equipment. The warnings cover telephone calls, unexpected visitors, statement requests and fraudulent remote-support sessions.
| Request or claim | Why it is suspicious | Safer response |
|---|---|---|
| “Run a refund to test the terminal” | Gravity says it does not test equipment through refunds | End the call and use the published support channel |
| “Send your merchant statements for an $850 credit” | Gravity identifies this as a processor-switching scam | Do not send the statements |
| “Your Clover device must be replaced today” | Impersonators may use urgency to obtain a new contract | Verify the request before signing |
| “Let me inspect or hold the terminal” | Physical terminal access can be used to issue a fraudulent refund | Keep the device under employee control |
| “Install this remote-access app” | Gravity routes screen sharing through its own support page after a session key is issued | Do not use the caller’s link |
Gravity says it will not request merchant statements in the described $850-credit solicitation, banking-login credentials, personal passwords, Dashboard login details, gift-card payments, wire transfers or payments through apps such as Venmo or Cash App.
The exact dollar amount makes the scam memorable. It does not mean that an offer using a different amount is legitimate.
Gravity screen sharing has a defined starting point
Gravity’s support page places Start Screen Sharing beneath the heading Already Getting Support? The page says the merchant should already be speaking with the support team and have a session key before initiating the connection.
That sequence is the verification control:
- The merchant contacts Gravity through a trusted channel.
- A support session is established.
- Gravity supplies a session key.
- The merchant opens the official support page.
- Screen sharing is started from that page.
A pop-up, email attachment or link supplied by an unexpected caller skips those controls. The Federal Trade Commission warns that technical-support impostors use false alerts and search advertisements to obtain remote computer access, then claim to find nonexistent problems or demand payment through difficult-to-reverse methods.
Use Gravity’s page first. Skip links embedded in unsolicited messages.
What Gravity says it will never request
Gravity’s scam FAQ says its representatives will not ask for a merchant’s password, complete Dashboard login, banking credentials, full payment-card number or PIN. It also warns that telephone numbers and email identities may be spoofed, so familiar caller information does not prove who initiated the contact.
One older Gravity support article tells merchants preparing for a technical call to have the Merchant ID, error codes, antivirus passwords and applicable administrator passwords “on hand.” A separate current scam page says Gravity will never ask for personal passwords or the Dashboard login.
The safest reading is narrow: credentials may need to be available for the merchant to enter locally while troubleshooting, but they should not be read aloud, emailed or handed to an unexpected caller. Gravity’s newer scam instructions deserve priority whenever the two pages appear ambiguous.
That distinction is easy to miss.
If information was already disclosed
Gravity directs merchants who suspect they interacted with an impersonator to contact its support team immediately. Its support service is listed as available 24 hours a day in English, Spanish, Korean and Japanese.
The next actions depend on what occurred:
- If account credentials were disclosed, change the affected credentials through the genuine service and change reused credentials elsewhere.
- If remote computer access was granted, disconnect the session and have the device checked before resuming financial work.
- If banking access or a payment was involved, contact the financial institution through a trusted number.
- If a terminal refund was created, preserve the transaction and support records rather than attempting several corrective transactions.
- Report the impersonation to Gravity even when no money was lost.
The FTC similarly advises changing exposed credentials immediately and contacting the appropriate bank or card company when an unauthorized transaction appears.
Priority one is containment. Skip deleting emails, call records or transaction details until the incident has been documented.
PCI compliance is a separate annual process
PCI DSS establishes baseline technical and operational requirements for environments where payment-account data is stored, processed or transmitted. PCI DSS v4.0.1 became the only active revision supported by the PCI Security Standards Council after PCI DSS v4.0 retired on December 31, 2024.
Gravity’s current PCI overview says compliance requirements depend on the merchant’s individual payment environment. The company partners with VikingCloud, also identified as SecureTrust, to provide guided questionnaires and assistance in selecting the appropriate validation path and Self-Assessment Questionnaire.
Do not choose an SAQ because another business completed it. A standalone countertop terminal, an internet-connected point-of-sale system and an ecommerce payment page can create different validation requirements.
The PCI Security Standards Council’s v4.0.1 guidance tells merchants to confirm that they meet every eligibility criterion for the chosen SAQ before completing it.
PCI fees and onboarding details need confirmation
Gravity’s detailed PCI support-library page says integrated-payment merchants are boarded with SecureTrust after their first 90 days of processing. It lists a $115 annual PCI compliance fee, $55 for each additional location and a $19.95 monthly noncompliance charge. The page also describes annual SAQ completion and vulnerability scans where applicable.
A newer PCI overview focuses on individualized assessment and does not repeat those fee amounts. Merchants should therefore verify the current charge and program directly against their processing statement and agreement rather than assuming every account receives identical billing.
A fee does not complete compliance by itself. Paying for access to a validation service and successfully completing the applicable assessment are different events.
A basic employee procedure
Every employee who can reach a payment terminal should know one response sequence:
- Stop when an unexpected caller asks for a refund, code or terminal access.
- Keep the terminal physically under employee control.
- End the call without continuing the requested steps.
- Open Gravity’s support page independently.
- Contact the published number and describe what the caller requested.
- Check the transaction report for any action already taken.
The procedure should apply to managers, weekend staff and temporary employees. Scammers often create urgency because a rushed employee is less likely to question why a supposed technician needs a refund, statement or banking change.
Gravity’s phishing example shows how seemingly ordinary business information can be combined. A scammer may first gather the Merchant ID, employer identification number, address and contact details through a fake chargeback inquiry, then impersonate the business when requesting changes to banking or contact information.
Individual details may seem harmless. Together, they can support a convincing impersonation.
FAQ
Will Gravity Payments ask for my Dashboard password?
No. Its scam guidance says it will not ask for the password or complete Dashboard login.
Does Gravity Payments test terminals by issuing refunds?
No. Gravity specifically warns that “recalibration” or functionality checks involving refunds are scams.
Is the $850 Gravity Payments credit real?
Gravity identifies unsolicited offers of an $850 credit in exchange for processing statements as an impersonation scheme used to move merchants to another processor. Contact Gravity independently rather than replying to the offer.
How does legitimate Gravity screen sharing begin?
The merchant should already be speaking with Gravity support and possess a session key. Screen sharing is then started from the official Gravity support page under Already Getting Support?
Is PCI compliance optional?
Gravity describes PCI DSS as a contractual obligation within the merchant-processing relationship, even though it is not a general federal law requiring every U.S. business to follow the standard. Exact validation duties depend on the merchant environment.
Why am I being asked to complete an SAQ?
An SAQ is a PCI self-assessment document used to validate applicable security controls. Several SAQ types exist, and the PCI Council says the merchant must satisfy the eligibility rules for the selected version.
What number should I call about a suspicious request?
Gravity publishes 866-701-4700 for 24-hour support. Obtain the number from the official support page rather than from the suspicious message or caller.
The practical rule is consistent: no terminal test should require a refund, no surprise caller needs control of the device, and legitimate remote support begins from Gravity’s own support page.