RETAILER FAQ

The industry-wide move to require PIN at Malaysian point of sale (POS) as a form of customer verification for Malaysian credit, debit, charge and prepaid cards will start from mid-2015 as signature cards will be replaced with PIN cards. From 1 July 2017, signature will no longer be accepted on Malaysian payment cards for domestic transactions.

What is PIN?

A PIN, or Personal Identification Number, is a secret code that is either assigned to, or selected by customers to prove that they are the rightful owner of the payment card. PINs for Malaysian cards have six digits.

Why is PIN safer than signing?

PIN usage can help protect against fraud due to lost or stolen cards, because the card and the PIN are required to make a payment. This is why customers must always keep their PIN secret.

Do I need to change my POS terminal?

Yes. Your point of sale terminal software needs to be updated to enable prompting for PIN. This terminal software update will need to be completed before 1 January 2017.

Will customers receive new cards?

Yes, all customers will need to be issued with new cards because current cards do not support PIN for payment. Customers who have yet to receive new PIN cards will continue to pay using signature. All credit, debit, charge and prepaid cards in Malaysia will need to be replaced by 1 January 2017.

What happens if my terminal has not been updated yet and customers come with a PIN card?

It will process new PIN cards without prompting for PIN just like it does for existing signature cards, and the customer’s signature will need to be verified.

Can customers ask me to enter their PIN for them?

No. For security reasons, the customer’s PIN must never be shared with anyone, not even the employees of the card issuer.

What happens if customers enter the wrong PIN?

Before 1 July 2017, signature will be allowed if customers cannot remember their PIN. This is called PIN bypass.

PIN bypass is activated by pressing OK or Enter, depending on the terminal, instead of typing the PIN. Assist customers to use PIN bypass but only if they have forgotten their PIN. PIN bypass is not supported for contactless transactions. To bypass PIN if customers forget their PIN, perform a new transaction by inserting the card.

After 1 July 2017, PIN bypass will no longer be allowed for Malaysian cards and they will be automatically declined if PIN is prompted but not entered.

What if customers have not received new cards with PIN?

Before 1 July 2017, a terminal that has been upgraded for PIN will continue to accept signature cards and will not prompt for PIN but the customer’s signature will still need to be verified. After 1 July 2017, signature-only cards will no longer be permitted to be used in Malaysia.

What happens if overseas customers do not have PIN cards?

Signature will still be a valid form of authorization for many visitors from overseas.

Do all transactions at my POS terminal need PIN?

No, not all transactions at point of sale will need PIN:

  • Low-value contactless transactions for amounts below a certain limit do not require PIN.
  • International transactions (with cards issued by banks outside Malaysia) may be approved with signature and not require a PIN.
Can customers still use the contactless option?

Yes. If the contactless card has a PIN, the terminal will prompt for PIN after the card is tapped on the contactless reader for transaction amounts above a certain limit. However, low-value contactless transactions do not require PIN or signature.

How will I know when PIN is required?

All you need to do is follow the prompts on the terminal. The payment terminal that is reading the card will determine if a PIN is required and if so, it will prompt for a PIN.

What if customers are not prompted to enter a PIN?

They will be asked to sign to authorise their transaction. Note that low-value contactless transactions for amounts below a certain limit will not require a PIN or a signature.

If I run a café, bar or restaurant business, what does this mean for me?

PIN transactions require customers to complete their payment where the terminal is physically located. For convenience, you may want to upgrade from a fixed-line terminal to a portable terminal.

Will PIN be used to make card transactions through the Internet or over the telephone?

No. The PIN that customers use at point of sale terminals or ATMs must never be entered into the Internet or provided over the telephone.

How can customers add a tip/gratuity in a restaurant?

Most terminals at restaurants should display the amount that customers are paying and ask if they wish to add a tip/gratuity, before prompting for PIN. Customers should simply follow the display prompts.

Current process for card payment at F&B outlets still favours signature verification:
  1. Payment card is inserted in the terminal
  2. Terminal prompts for PIN
  3. Operator presses OK to bypass PIN, without first allowing the customer to enter PIN
  4. Customer must sign the transaction receipt
F&B merchants need to take action to enforce PIN…
IF THE TERMINAL PROMPTS FOR PIN, THE PAYMENT CARD REQUIRES PIN TO VERIFY THE CARDHOLDER
ASK THE CUSTOMER TO GO TO THE COUNTER, OR BRING THE TERMINAL TO THE TABLE, TO ENTER THEIR PIN
IF THE CUSTOMER DOES NOT KNOW THEIR PIN, ADVISE THE CUSTOMER TO CONTACT THEIR BANK TO GET A PIN

Reasons for discouraging PIN bypass
  • PIN protects against fraudulent use of a lost card or stolen card
  • Malaysian banks will decline transactions with signature from 1 July 2017
Allow customers to enter PIN now, to facilitate PIN use and minimise disruptions on 1 July. Request for wireless portable terminals from your acquirer, for pay-at- table operations. Without wireless you must ask the customer to go to the terminal to enter their PIN
Current process for card pre-authorisation at hotels does not encourage use of PIN:
  1. Payment card is inserted in the terminal
  2. Terminal prompts for PIN
  3. Operator presses OK to bypass PIN, without first allowing the guest to enter their PIN
  4. Signature on the pre-authorisation receipt may or may not be requested, keeping to established practices
Hotels need to take action to enforce PIN…
IF THE TERMINAL PROMPTS FOR PIN, THE PAYMENT CARD REQUIRES PIN TO VERIFY THE CARDHOLDER
ASK THE GUEST: "PLEASE ENTER YOUR PIN"
IF THE CUSTOMER DOES NOT KNOW THEIR PIN, ADVISE THE GUEST TO CONTACT THEIR BANK TO GET A PIN

Hotels must update procedures for pre-authorisation at check-In
  1. PIN protects against fraudulent use of a lost card or stolen card for all payment card transactions, including PRE-AUTHORISATION
  2. The entry of a PIN for pre-authorisation when a customer checks-in does not change the purpose of a pre-authorisation, and there is no change to the check-out process
  3. Malaysian banks will decline transactions without PIN from 1 July 2017
Allow guests to enter PIN now, to facilitate PIN use and minimise disruptions on 1 July