Pursuant to instructions by the Central Bank of Kuwait, double swiping of all credit, debit and prepaid cards through the store’s system is banned. NBK advises customers to follow this directive to protect their data from theft and ensure compliance with international standards.
Customers can also call NBK’s dedicated hotline on 2259 5958 to file complaints against merchants that double swipe cards.
Who does this affect?
The announcement is applicable for all NBK Customers and non-customers who use banking payment cards.
What should I know?
When a card is first inserted into the point–of-sale (POS) machine at a sales counter, the card transaction is completed after the necessary approval or denial. You may immediately receive a transaction advice via SMS message, subject to issuing bank rules.
“Double swiping” is when a cashier or shopkeeper swipes a card for the second time at their own store system, immediately after the card transaction is approved.
By double swiping, a shopkeeper can access and store all your payment card data, including sensitive information encoded on the magnetic stripe, in their computer system. If the store’s system can be accessed or compromised, your card information is at risk for theft, and counterfeit payment cards can be created and/or fraudulent transactions can be carried out.
Therefore, bank cards should only be inserted or swiped once in the POS machines.
1. Why are payment cards double-swiped?
Cashiers or shopkeepers double swipe to get your card payment details and personal data stored on the magnetic stripe of credit, debit or prepaid cards, to use for internal accounting, reconciliation purposes and/or marketing.
2. What information can be accessed by double swiping?
By swiping the card at the shopkeeper’s own system, it is possible to get access and store all payment-related sensitive authentication data encoded on the magnetic stripe of your card. Cardholder data is any personal identifiable data of the Cardholder. This includes the primary account number (PAN), cardholder name, and expiration date and service code.
Sensitive authentication data means full track data of the magnetic strip equivalent data on a chip, card verification codes and values (CAV2/CVC2/CVV2/CID) PINs, PIN blocks storing of sensitive authentication data by shopkeepers after the authorization of the card transaction is prohibited.
3. Why do EMV chip cards used in Kuwait have magnetic stripes?
Card transactions in Kuwait are processed using information in chips and PIN numbers. All payment cards issued in Kuwait under international brands can be used abroad. Therefore, all cards have magnetic stripes, so you can use them when you travel to countries where the chip technology has not yet been adopted.
4. What are the alternative means available for merchants, who have a valid business need to get the required card holders’ data or non-sensitive information?
Merchants who have a valid business requirement to get cardholder data or non-sensitive information can consult their acquiring bank of the store system to get an integrated point of sale machine - IPOS option, complying with Payment Card Industry Data Security Standard (PCI DSS).
All stores in Kuwait should stop double swiping credit, debit or prepaid cards at their own store’s system.
How can I be compliant?
By avoiding having your bank cards double swiped through the store’s system, you will be complying with Central Bank of Kuwait’s regulations, and further protecting your bank card data.