Double Swiping Frequently Asked Questions
The Central Bank of Bahrain (CBB) has announced that all merchants and shopkeepers in Bahrain are required to stop their present practice of "double swiping" of payment cards such as credit, debit, charge or prepaid cards, at their own point of sale (POS) and cash registers, from 15th June, 2017.
1. What is "Double Swiping" ?
When a card is first inserted into the point-of-sale (POS) at a sales counter, the card transaction is completed after the necessary approval or denial. The customer immediately receives a transaction advice via SMS.
"Double swiping" means a merchant or shopkeeper swiping a card for the second time at his or her own point of sale (POS) or cash register, immediately after the card transaction is approved in response to the first insert or swipe at a POS belonging to the card acquirer. "Double swiping" is not a part of a card transaction.
First Card Insert
First Card Swipe
Second Card Swipe
2. Why are payment cards double-swiped?
Merchants or shopkeepers "double swipe" to collect vital card payment details and cardholders' personal data on magnetic stripes of customers' credit, debit, charge or prepaid cards, for their internal accounting purposes and or marketing purposes.
3. What vital information can be accessed by double swiping?
By swiping the card at shopkeeper's own POS or a cash register, it is possible to get access and store all payment cardholder and sensitive authentication data encoded on the magnetic stripe of a customer's payment card. Cardholder data means any personally identifiable data of a cardholder or the customer. This includes the primary account number (PAN), cardholder name, expiration date and service code. Sensitive authentication data means full track data of the magnetic stripe or equivalent data on a chip, card verification codes and values (CAV2/CVC2/CVV2/CID) PINs, PIN blocks. Storing of sensitive authentication data by merchants or shopkeepers after the authorisation of a card transaction, is prohibited.
4. Why it is risky to double swipe?
By double swiping, a shopkeeper can access and store in his or her computer system, customer's all payment card data, including sensitive information encoded on the magnetic stripe. If the shopkeeper's POS, cash register or computer system can be accessed by criminals or fraudsters, card information can be stolen and counterfeit payment cards can be created and/or fraudulent transactions can be carried out.
5. Why do EMV chip embedded payment cards issued in Bahrain have magnetic stripes?
Card transactions in Bahrain are processed using information in chips and PIN numbers. All payment cards issued in Bahrain under the international brands can be used abroad. Therefore, all cards have magnetic stripes, for the cardholders to use them when they travel to countries where the chip technology has not yet been adopted.
6. What are the alternative means available for merchants or shopkeepers, who have a valid business need to get the required cardholder data or non-sensitive information?
Merchants or shopkeepers, who have a valid business requirement to get the cardholder data or non-sensitive information can consult their acquirers and the vendors of POS machines/ cash registers, to get an integration option, complying with the Payment Card Industry Data Security Standard (PCI DSS).