What you need to know about Data Security and Double-Swiping

What is Double-Swiping?

  • Collecting information through swiping the credit/debit card at the point-of-sale (POS) reader / Electronic Cash Register (ECR)
  • Storing the CVV2/CVC2/CAV2/CVN2 number on the signature panel on the back of the card, or the CID number located on the front of the card, post-authorisation

Example A - double-swiping, or reading the magnetic stripe of the card at POS / ECR


Example B - inserting or dipping a chip-enabled payment card in a payment card terminal for payment is not considered as double-swiping

What is the sensitive payment card data that merchants should not store? Sensitive payment card data such as card security code (CVV/CVC/CAV/CVN) are encoded on the magnetic stripes of payment cards. Retail merchants should not store such data.The card security code goes by different names under the various Card Schemes as follows:

  • Card Identification Number (CID) – American Express;
  • Card Authentication Value (CAV) – JCB;
  • Card Verification Code (CVC) – MasterCard;
  • Card Verification Number (CVN) – UnionPay;
  • Card Verification Value (CVV) – Visa/Diners.

As a merchant accepting card payments or offering Standard Chartered Easy Payment (EPS) facility via First Data POS terminal in Malaysia, the Association Rules do not allow you to capture cardholder data at the POS reader/Electronic Cash Register (ECR). Also referred to as “track data”, this information is read and captured when a credit/debit card is swiped on a merchant’s POS reader or Electronic Cash Register to capture card details from the magnetic stripe for loyalty/marketing programmes, or internal record-keeping purposes.

All retail merchants are required by the Bank Negara Malaysia (BNM) Payment Systems Act 2003 and Card associations (i.e. American Express, Diners Club, JCB, MasterCard, UnionPay and Visa) to stop capturing and storing sensitive payment card data (or cardholder data) encoded on the magnetic stripes of customers’ payment cards (i.e. credit, debit and charge card).

Double-swiping is not a required step in a payment transaction. Please stop undertaking this step in your payment transaction as merchants found to be in non-compliant with the Association rules may risk being placed on the non-compliance list by the Associations. Once a merchant’s name is in the non-compliance list, it will be prevented from using card acceptance services for credit/debit card transactions provided by any merchant acquiring institution or bank.