Do you double swipe your customers’ payment cards for fraud check, reward scheme or marketing purposes? If you are still doing this, you should stop immediately. Here’s why.
What is "Double Swiping"?
When a card is first inserted into the POS at a sales counter, the card transaction is completed after the necessary approval or denial. The customer immediately receives transaction advice via SMS.
"Double swiping" means a merchant or shopkeeper swiping a card for the second time at his or her own POS or cash register, immediately after the card transaction is approved in response to the first insert or swipe at a POS belonging to the card acquirer. "Double swiping" is not a part of a card transaction.
[Images: First Card Insert; First Card Swipe; Second Card Swipe]
Why are payment cards double-swiped?
"Double swiping" is used by some merchants to collect vital card payment details and cardholders' personal data for their internal accounting or marketing purposes. Others simply do it because they have been told to do so by the POS vendor.
What vital information can be accessed by double swiping?
By swiping the card at the shopkeeper's own POS or cash register, it is possible to access and store all cardholder data and sensitive authentication data encoded on the magnetic stripe of a customer's payment card. Cardholder data means any personally identifiable data of a cardholder, such as the primary account number (PAN), cardholder name and expiration date. Sensitive authentication data means full track data of the magnetic stripe or equivalent data on a chip, card verification codes and values (CAV2/CVC2/CVV2/CID), and PINs and PIN blocks.
Storing of sensitive authentication data by merchants or shopkeepers after the authorisation of a card transaction is prohibited.
Why is it risky to double swipe?
By double swiping, a shopkeeper can access and store in his or her computer system all data relating to the customer's payment card, including sensitive information encoded on the magnetic stripe. If the shopkeeper's POS, cash register or computer system can be accessed by criminals or fraudsters, card information can be stolen, counterfeit payment cards can be created and/or fraudulent transactions can be carried out.
What alternatives are available for merchants or shopkeepers who have a valid business need to get the required cardholder data or non-sensitive information?
Merchants or shopkeepers who have a valid business requirement to get cardholder data or non-sensitive information can consult their acquirers and the vendors of their point-of-sale machines or cash registers to get an integration option that complies with the Payment Card Industry Data Security Standard (PCI DSS).
Here to help
If you have any questions regarding double swiping, please contact your Elavon Customer Security Consultancy Team, who are available to help: PCIEurope@elavon.com