Online retail is one of the most foreign-investor-friendly segments in Malaysia. 100% foreign equity is permitted in pure online models, KPDN distributive-trade approval is not required, and the regulatory load is light compared to physical retail. That does not mean zero compliance — consumer protection, payments, PDPA, and tax obligations all apply. This guide walks through the end-to-end setup for a Malaysian e-commerce business.
The MSIC codes
The primary code for most online stores is:
- 47911 — Retail sale via internet — direct-to-consumer online retailers selling their own goods.
- 47919 — Retail sale via mail order or internet (other) — used for hybrid mail-order/online operations.
Platform / marketplace operators (Shopee-style intermediaries) more accurately sit in MSIC 63120 (Web portals) with a commission/agency code as secondary. Fulfilment-only operators are in division 52 (warehousing & logistics support) or 53200 (other postal and courier). Use the MSIC code finder to confirm.
The KPDN exemption — what it does and doesn't cover
Pure online retail is treated as outside the scope of the Distributive Trade Guidelines. You can set up a 100% foreign-owned Sdn Bhd, register MSIC 47911, and operate without KPDN approval. The boundary cases:
- Online + warehouse with walk-in pickup: if customers can walk in and buy, the physical retail leg pulls you into the KPDN regime.
- Online + pop-up shops or experience centres: any permanent physical retail presence triggers KPDN approval.
- Marketplace operator: regulated under MCMC's ASP framework rather than KPDN, but with different obligations.
The legal vehicle
For most founders the right structure is a Sdn Bhd. Foreign founders should review the foreign Sdn Bhd setup guide; locals can compare via the Sdn Bhd vs LLP vs Sole Prop guide. Sole proprietorships are a viable option for small Malaysian operators below the SST threshold.
Consumer protection — the e-Trade Regulations
The Consumer Protection (Electronic Trade Transactions) Regulations 2012 require every Malaysian online seller to publish the following on the storefront:
- Business name and registration number (SSM).
- Registered office address and contact email/phone.
- Full description of goods and prices including taxes.
- Estimated delivery time.
- Cooling-off / refund / cancellation terms.
- Complaints handling procedure.
Marketplaces additionally have to retain seller verification records and act on complaints under the regulations.
Personal Data Protection Act 2010
Any business that processes personal data of customers (and e-commerce by definition does) must comply with PDPA:
- Notice and Consent: explicit consent to collect and process personal data, with a privacy notice in Bahasa Malaysia and English.
- Registration: data users in regulated classes — which includes "communications" and various retail categories — must register with the JPDP (Department of Personal Data Protection). Fees are tiered.
- Security and retention: reasonable safeguards; delete personal data when no longer needed.
- 2024 amendments: introduced data-breach notification, data-portability rights, and the role of Data Protection Officer for higher-risk processing.
Payment gateways
Malaysian online businesses typically integrate with one or more of the licensed Payment System Operators regulated by Bank Negara Malaysia under the Financial Services Act 2013:
- Domestic gateways: iPay88, eGHL, Razer (formerly MOL Pay), Senangpay, Billplz, Curlec, Stripe Malaysia.
- e-Wallets: Touch 'n Go eWallet, GrabPay, Boost, MAE (Maybank).
- QR-code unified standard: DuitNow QR (PayNet) is the interoperable QR network — single QR accepts all wallets and banks.
- International gateways: Stripe, PayPal, Adyen for cross-border. Many require local merchant entity (Sdn Bhd) to settle in MYR.
Onboarding usually requires SSM documents, bank account, sample product/website link, and confirmation of business type. High-risk categories (supplements, alcohol via licensed sellers, adult goods) face higher rates and stricter onboarding.
SST — when do you register?
Online retailers register for SST once annual taxable turnover crosses RM 500,000. Goods sold may carry sales tax at 5% or 10% depending on HS code. Services sold (subscriptions, hosting, bundled software) carry 8% service tax. Imported low-value goods (≤ RM 500 consignment) attract the 10% Low Value Goods tax for foreign sellers. See our SST guide.
e-Invoice
E-commerce sellers above the LHDN turnover bands must onboard to MyInvois. For B2C orders, sellers typically issue a consolidated monthly e-Invoice rather than per order. Marketplace operators are responsible for self-billed e-Invoices on payouts to sellers. See the e-Invoice phase planner to confirm which phase applies.
Shipping and last-mile
- Express courier in Malaysia is regulated by MCMC. Most e-commerce sellers use licensed third parties (Pos Laju, J&T, Ninja Van, DHL eCommerce, FlashExpress).
- For cross-border imports, customs declarations are made under the Customs Act 1967. Customs has a fast-track lane for licensed courier consolidators.
- High-volume sellers should consider Approved Trader Scheme (ATS) / LMW for cash-flow on sales tax on imports.
The marketplace question
Most early-stage online retailers in Malaysia run multi-channel: own-store (Shopify/WooCommerce/Magento) + Shopee + Lazada + TikTok Shop. Each channel has its own seller agreement and commission structure. From a regulatory standpoint, sales on Malaysian marketplaces still require:
- SSM registration of the selling entity.
- SST collection if you cross the threshold.
- e-Invoice via the marketplace's self-billed payout flow.
- Compliance with marketplace product policies and consumer protection.
Indicative setup costs
| Cost item | Indicative range |
|---|---|
| Sdn Bhd incorporation + secretary year 1 | RM 2,000 – 4,000 |
| Storefront (Shopify, WooCommerce, custom) | RM 0 – 30,000 |
| Payment gateway setup + monthly fees | RM 200 – 1,000 / month |
| PDPA registration (data user) | RM 200 – 700 |
| Warehouse / fulfilment (3PL) | RM 5 – 15 / order |
| Initial inventory | RM 20,000 – 200,000 |
| Marketing (paid ads) — month 1 | RM 5,000 – 50,000 |
Operational compliance to maintain
- Annual SSM filings + audited financials.
- SST returns bi-monthly once registered.
- e-Invoice flow once your phase goes live.
- PDPA: renew registration; update privacy notice; data breach response plan.
- Consumer Protection (Electronic Trade) compliance — keep terms current.
- Trademark / IP filings (MyIPO) for brand protection.
Common pitfalls
- Operating as a sole proprietor while taking foreign equity — structurally invalid. Sole prop is closed to non-residents.
- Adding a single physical pickup point without checking KPDN implications.
- Skipping PDPA registration. JPDP audits are increasingly common for e-commerce platforms.
- Selling alcohol or pharmaceuticals online without the underlying sectoral licences — both attract heavy enforcement.
- Forgetting that service components (e.g. a paid subscription on top of product sales) carry their own SST and e-Invoice classification.
Sources: KPDN; Department of Personal Data Protection; Bank Negara Malaysia — Payment Systems; MCMC; Consumer Protection (Electronic Trade Transactions) Regulations 2012; Personal Data Protection Act 2010 (as amended 2024).
Get help with e-commerce setup in Malaysia
Talk to our Malaysia setup specialists. One-business-day response, no obligation.