Credit card swiped a second time? It's against privacy law

Public can now file report against retailers for collecting personal data

The Personal Data Protection Act, fully implemented on July 2, safeguards consumers against wrongful collection and use of personal data.
The Personal Data Protection Act, fully implemented on July 2, safeguards consumers against wrongful collection and use of personal data. ST FILE PHOTO

It is done so quickly that you might not even notice it. But that extra swipe of your credit card by some merchants compromises your personal data and breaches data protection laws.

Known in the industry as "double swiping", the second quick swipe of consumers' credit cards is typically done after credit-card transactions have been approved.

Merchants do this to record the mode of payment for accounting purposes and to collect cardholders' personal data for marketing purposes such as loyalty programmes.

Even though banks have been telling retailers to stop doing this in the past two years as the practice exposes consumers' personal data to security risks, many retailers have not stopped.

But today, new data protection legislation allows consumers to file a report against rogue merchants.

"If the merchant wants to collect personal data beyond what is needed for the payment, the merchant should get the consent of the customer," a spokesman for the Personal Data Protection Commission told The Straits Times.

The Personal Data Protection Act was fully implemented on July 2 to safeguard consumers against the wrongful collection, use and disclosure of personal data for marketing.

Last week, The Straits Times spotted several merchants, including eateries and toy shops, double-swiping cards.

The Association of Banks in Singapore (ABS) said banks have asked merchants to consider alternative ways of collecting consumers' data. The Straits Times understands that some are dragging their feet as this involves changing the way they work and investing in new systems.

"Some merchants and retailers would need extra time to reconfigure their more complex systems," said Mrs Ong-Ang Ai Boon, ABS director.

Double-swiping undermines the latest advancements in card technologies. Credit card data now resides more securely in embedded computer chips instead of on magnetic stripes that can be skimmed by fraudsters.

Depending on how merchants design their cash registers, any information - from the cardholders' names to credit card numbers and card expiration dates - can be collected.

The double-swiping practice has left some consumers concerned about their privacy.

Engineer Ngiam Shih Tung, 47, said: "A credit card number and expiration date are all you need for a fraudulent transaction on some websites."

The Personal Data Protection Commission said it has not received any complaint about double-swiping so far.

Organisations found in breach of the Act could face a fine of up to $1 million.

Join ST's Telegram channel and get the latest breaking news delivered to you.