Tuesday 9 September 2014

Credit card swiped a second time? It's against privacy law

Public can now file report against retailers for collecting personal data
By Irene Tham, The Straits Times, 8 Sep 2014

IT IS done so quickly that you might not even notice it. But that extra swipe of your credit card by some merchants compromises your personal data and breaches data protection laws.

Known in the industry as "double swiping", the second quick swipe of consumers' credit cards is typically done after credit-card transactions have been approved.

Merchants do this to record the mode of payment for accounting purposes and to collect cardholders' personal data for marketing purposes such as loyalty programmes.

Even though banks have been telling retailers to stop doing this in the past two years as the practice exposes consumers' personal data to security risks, many retailers have not stopped.

But today, new data protection legislation allows consumers to file a report against rogue merchants.


The Personal Data Protection Act was fully implemented on July 2 to safeguard consumers against the wrongful collection, use and disclosure of personal data for marketing.

Last week, The Straits Times spotted several merchants, including eateries and toy shops, double-swiping cards.

The Association of Banks in Singapore (ABS) said banks have asked merchants to consider alternative ways of collecting consumers' data. The Straits Times understands that some are dragging their feet as this involves changing the way they work and investing in new systems.

"Some merchants and retailers would need extra time to reconfigure their more complex systems," said Mrs Ong-Ang Ai Boon, ABS director.

Double-swiping undermines the latest advancements in card technologies. Credit card data now resides more securely in embedded computer chips instead of on magnetic stripes that can be skimmed by fraudsters.

Depending on how merchants design their cash registers, any information - from the cardholders' names to credit card numbers and card expiration dates - can be collected.

The double-swiping practice has left some consumers concerned about their privacy.

Engineer Ngiam Shih Tung, 47, said: "A credit card number and expiration date are all you need for a fraudulent transaction on some websites."

The Personal Data Protection Commission said it has not received any complaint about double-swiping so far.

Organisations found in breach of the Act could face a fine of up to $1 million.





Get consent before collecting customer info

MERCHANTS and retailers who wish to gather personal data from their customers for purposes other than payment, when they collect credit cards, should obtain customer consent ("Three ways to reduce 'double swiping' of credit cards" by Mr Bruno Poh Teck Boon; Sept 15).

The Personal Data Protection Commission (PDPC) has been working with the Singapore Retailers Association to educate its members on the Personal Data Protection Act, including clarifying the practice of "double swiping" for purposes other than for the intended purchases, which is against the Act if consent has not been sought from the customer.

The PDPC will continue to work with organisations and associations through its education and training programmes, to ensure they are aware of and comply with the Act.

Other than the PDPC website, individuals and organisations that want to get in touch with the PDPC can call our telephone hotline on 6377-3131 or e-mail info@pdpc.gov.sg.

Evelyn Goh (Ms)
Director,
Communications, Planning & Policy
Personal Data Protection Commission
ST Forum, 3 Oct 2014

