• Prohibition of Double Swiping

    • OM-5.2.4

      Double swiping of cards by merchants is not allowed, and all card acquirer licensees must ensure that the merchants concerned must comply with this requirement.

      Added: January 2020

    • OM-5.2.5

      For the purpose of Paragraph OM-5.2.4, card acquirer licensee means a CBB licensee that enters into a contractual relationship with a merchant and the payment card issuer, under a card payment scheme, for accepting and processing payment card transactions. Card acquirers include three-party payment card network operators, who have outsourced their acquiring services to third party service providers.

      Added: January 2020

    • OM-5.2.6

      For the purpose of Paragraph OM-5.2.4, double swiping means swiping of a payment card by a merchant at the POS terminal/ECR for the second time, resulting in capturing and storing of payment cardholder data and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response.

      Added: January 2020

    • OM-5.2.7

      All card acquirer licensees must include the following clause into the merchant agreements entered into with all their merchants: "Pursuant to the CBB directions and instructions, the merchant shall stop double swiping of a payment card at a merchant's point-of-sale (POS) terminal/electronic cash register (ECR) to capture or store cardholder and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response. The merchant asserts its full compliance with the obligation contained in this clause and understands that any breach of this clause will expose the merchant to mandatory contractual and/or legal disciplinary actions by the relevant regulator and/or concerned Ministry."

      Added: January 2020

    • OM-5.2.8

      All card acquirer licensees must:

      (i) Educate the concerned merchants on the regulatory requirement and monitor the implementation of this requirement; and
      (ii) Educate and facilitate, where necessary, any merchant that has a valid business need to have cardholder data or non-sensitive information, to transmit such data/information through an integration option.
      Added: January 2020