FAQs on Double Swiping
All retail merchants in Singapore are required by The Association of Banks in Singapore (ABS) and the Card Schemes (i.e. American Express, Diners Club, JCB, MasterCard, UnionPay and Visa) to stop capturing and storing sensitive payment card data (or cardholder data) encoded on the magnetic stripes of customers’ payment cards (i.e. credit, debit and charge card).
Double-swiping is the capturing of payment card data encoded on the magnetic stripes of customers’ payment cards at the Point-of-Sale (POS) reader / Electronic Cash Register (ECR). The data is captured when a payment card is swiped on a retail merchant’s POS reader / ECR. Double-swiping is not a required step in a payment transaction.
Example A - double-swiping, or reading the magnetic stripe of the card at POS reader/ ECR.
Example B - inserting or dipping a chip-enabled payment card in a payment card terminal for payment is not considered as double-swiping.
Sensitive payment card data such as card security code (CVV/CVC/CAV/CVN) are encoded on the magnetic stripes of payment cards. Retail merchants should not store such data.
The card security code goes by different names under the various Card Schemes as follows:
- Card Identification Number (CID) – American Express;
- Card Authentication Value (CAV) – JCB;
- Card Verification Code (CVC) – MasterCard;
- Card Verification Number (CVN) – UnionPay;
- Card Verification Value (CVV) – Visa/Diners.
Fraudsters can install malicious programmes on merchants’ POS readers / ECR to steal sensitive payment card data.
The stolen payment card data can then be used to produce counterfeit cards or make fraudulent online purchases. As a result, cardholders may suffer financial losses.
There is also the risk that the data stored by the retail merchant is stolen and misused.
EMV chip technology is not adopted in some countries. Card transactions at retail merchants in these countries can therefore only be completed by using the information that is encoded on the magnetic stripes of payment cards.
To minimise unauthorised transactions, you should activate the magnetic stripe on your card only for the period that you are travelling overseas.
You should report the incident or any attempt of double-swiping by a merchant to ABS via email: email@example.com. ABS will look into the matter, and identify the retail merchant that does not comply with the “do not double-swipe” rule set out by ABS and the Card Schemes.
If you suspect that your personal data has been collected by the retail merchant without your consent and for purposes other than the payment transaction, you may report the matter to the Personal Data Protection Commission, or PDPC, via email: firstname.lastname@example.org.
Please include the following details in your email:
- Date and time of your transaction;
- Name of the merchant outlet; and
- Address of the merchant outlet.
The above information is prepared in collaboration with the Association of Banks in Singapore.