Why credit cards shouldn't be 'double-swiped'


Posted at Oct 09 2013 02:48 PM | Updated as of Oct 10 2013 07:55 PM

MANILA, Philippines - "Don't double-swipe credit cards" -- this is the message of the Credit Card Association of the Philippines to commercial establishments and retailers.

CCAP spokesperson Alan German said the practice of "double-swiping" is being discouraged since this may compromise the data security of credit cardholders.

Double-swiping is the act of merchants completing a second swipe of the card at the Point-of-Sale (POS) system, even after the transaction has been approved.

The CCAP said any credit, debit or prepaid card should only be swiped using a POS terminal issued by the bank, not the establishment's own POS system.

German said criminal groups are now targeting establishments' own POS systems, stealing payment card data and PINs of customers.

"In many cases, the second swipe results in the credit card’s full data to be retained by the merchant in its own system. Effectively, this unnecessary practice increases the merchant's vulnerability to potential data compromise... This loose data, so to speak, can then be used to create counterfeit cards, engage in identity theft, and perpetrate fraud,” he said.

The CCAP spokesperson urged merchants to use other record-keeping methods for their retail operations, instead of double-swiping the cards.

"More often than not, the second swipe is unrelated to authorization or transaction settlements. Instead, it is used to create a secondary record to support the merchant's accounting, reporting or customer-relationship management programs," German said.

"Instead of using customers’ payment cards, merchants can explore alternatives such as loyalty account numbers, transaction IDs, or truncated primary account numbers to track customer activity, if necessary."

German said card issuers and merchants should understand the risks in double-swiping the card, and should undertake measures to protect their businesses.

He said CCAP is committed to increasing data security awareness to ensure that all stakeholders are aware of potential vulnerabilities and associated risks.