The Risk of “Double Swiping”
“Double swiping” describes a second swipe of a payment card at an Electronic Cash Register (ECR) after the first swipe / insert made by the merchant to obtain initial authorization from the payment card issuer. Double swiping captures sensitive personal data from the card and exposes cardholders to fraud risks such as unauthorized transactions.
All retail merchants in Malaysia are prohibited by the card associations (e.g. Visa, MasterCard) and Bank Negara Malaysia from capturing and storing sensitive payment card data / cardholder data encoded on the magnetic stripes of customers’ payment cards, i.e. credit, debit or charge cards.
Therefore, if you suspect any merchant of performing “double swiping”, you may report the matter to our bank via email at HLOnline@hlbb.hongleong.com.my.
Frequently Asked Questions (FAQ)
1. What is "Double Swiping"?
“Double swiping” is the capturing of payment card data encoded on the magnetic stripes of customers’ payment cards at the Electronic Cash Register (ECR). The data is captured when a payment card is swiped on a retail merchant’s ECR. Double-swiping is not a required step in a payment transaction.
2. Why do merchants perform the double-swipe action?
Merchants "double swipe" to collect payment details and cardholders' personal data from the magnetic stripes of customers' credit, debit, charge or prepaid cards, for their internal accounting and / or marketing purposes.
3. What information can be accessed by double swiping?
By swiping the card at the merchant's own cash register, it is possible to access and store all cardholder data and sensitive authentication data encoded on the magnetic stripe of a customer's payment card. Cardholder data means any personally identifiable data of a cardholder or the customer. This includes the primary account number (PAN), cardholder name, expiration date and service code. Sensitive authentication data means the full track data of the magnetic stripe or equivalent data on a chip, card verification codes and values (CAV2/CVC2/CVV2/CID), PINs and PIN blocks. Merchants are prohibited from storing sensitive authentication data after the authorization of a card transaction.
4. What are the risks of double swiping or storing of payment card data by merchants?
Fraudsters can install malicious programmes on merchants’ ECRs to steal sensitive payment card data. The stolen payment card data can then be used to produce counterfeit cards or make fraudulent online purchases. As a result, cardholders may suffer financial losses. There is also the risk that the data stored by the retail merchant is stolen and misused.
5. Why do EMV chip embedded payment cards issued in Malaysia have magnetic stripes?
Card transactions in Malaysia are processed using information in chips and PIN numbers. All payment cards issued in Malaysia under the international brands can be used abroad. Therefore, all cards have magnetic stripes for the cardholders to use when they travel to countries where the chip technology has yet to be adopted.