Monday, September 11, 2017
Prohibition on Debit- and Credit-Card Double Swiping
Deborah Wijaya, M. Agus Yozami
The Communication and Information System Security Research Center (CISSRec) has reminded debit- and credit-card owners of the dangers of swiping cards on devices other than Electronic Data Capture (EDC) machines. In order to tackle this issue, Bank Indonesia (BI) has issued Bank Indonesia Regulation No. 18/40/PBI/2016 on the Implementation of Processing for Payment Transactions.
CISSRec chairman, Pratama Persadha, stated recently that Bank Indonesia was concerned that so-called “double swiping”, i.e. swiping cards through cash registers, as well as through official EDC machines, could lead to customer data being recorded on cash register computers, which could in turn ultimately lead to misuses of data. Mr. Persadha added that the security of debit and credit cards in Indonesia was far from watertight and thus the duplication of data was a relatively simple matter. “The moment that a card is swiped through a card reader attached to a cashier’s computer, then the card data is read and copied,” Mr. Persadha asserted.
Mr. Persadha added that it was important for card holders to keep their Private Identification Numbers (PIN) a secret, as when data is duplicated, it can subsequently be used for anything. In Indonesia, credit-card data can be used immediately, whereas the more commonly used debit cards require PINs.
Mr. Persadha asserted that BI should be constantly reminding customers of the importance of securing their debit- and credit-card data. In addition, it is also seen as necessary to standardize the security of personal data in line with State Cyber and Cryptography Agency (Badan Siber dan Sandi Negara – BSSN) guidelines. The BSSN is an institution which formulates personal-data security standards for implementation by banking and other institutions of national importance.
Mr. Persadha asserts that it is imperative that personal data is fully protected but that until now, the various regulations which address this issue have overlapped with each other, resulting in only partial security. Therefore, Mr. Persadha believes that in this digital era, a comprehensive, all-encompassing personal-data security law should be introduced as a regulatory framework which applies to all types of user data.
Mr. Persadha also added that the affirmation of electronic security must be followed up by the implementation of a rigorous information-security management process. Mr. Persadha thus believes that personal-data security standards must address adequate rights and obligations, both for consumers and electronic-service providers.
Bank Indonesia Governor, Agus D.W Martowardojo, has also stated in the past that a regulation specifically prohibiting double swiping should be introduced, as this practice can lead to two types of reporting. Firstly, reporting to the acquiring bank, as incorporated by the related merchant and secondly, direct reporting to BI, as deemed necessary.
Taking an opposing view is Roy Mandey, Chairman of the Indonesian Retail Business Association (Asosiasi Pengusaha Ritel Indonesia – Aprindo), who states that the swiping of both credit and debit cards through cash registers is performed in order to accelerate payment services. “We aim to offer decent services through quick transactions,” explained Mr. Mandey.
Mr. Mandey claims that the swiping process is used in order to validate purchase data. Through this validation process, it is possible to accelerate payment services and avoid the manual process of recording debit- and credit-card numbers, which takes more time and which can lead to longer queues, inconveniencing customers in the process.
Mr. Mandey also affirmed that swiping does not involve any theft of customer data, as the related retail companies do not have access to such data in any detail, and that addresses and telephone numbers can therefore not be taken. Furthermore, Mr. Mandey has claimed that this validation is vital due to the fact that the incorrect entering of transaction values or similar data still occurs from time to time.
However, Mr. Mandey believes that in order to provide decent service to the general public, retail companies should demonstrate their willingness to implement BI regulations by not swiping credit and debit cards through cash registers. “In principle, we want to prioritize public service and we have already disseminated this goal among our members. As a result of this recommendation, our members have already started to reduce their double swiping and to return to the old manual system,” Mr. Mandey concluded.