Credit cards have a privacy problem

Yup, do-no-evil Google buys your credit card data for advertising purposes: <a href="https:&#x2F;&#x2F;www.bloomberg.com&#x2F;news&#x2F;articles&#x2F;2018-08-30&#x2F;google-and-mastercard-cut-a-secret-ad-deal-to-track-retail-sales" rel="nofollow">https:&#x2F;&#x2F;www.bloomberg.com&#x2F;news&#x2F;articles&#x2F;2018-08-30&#x2F;google-an...</a><p>Companies need to start thinking of this less in the lens of &quot;evil&quot; and more principle of least astonishment. Would users be surprised and angry to learn you do this? Then don&#x27;t.

Will leave these here, just one small step to help you regain your privacy:<p>* <a href="https:&#x2F;&#x2F;marketingreportoptout.visa.com&#x2F;OPTOUT&#x2F;request.do" rel="nofollow">https:&#x2F;&#x2F;marketingreportoptout.visa.com&#x2F;OPTOUT&#x2F;request.do</a><p>* <a href="https:&#x2F;&#x2F;www.mastercard.us&#x2F;en-us&#x2F;about-mastercard&#x2F;what-we-do&#x2F;privacy&#x2F;data-analytics-opt-out.html" rel="nofollow">https:&#x2F;&#x2F;www.mastercard.us&#x2F;en-us&#x2F;about-mastercard&#x2F;what-we-do&#x2F;...</a>

&gt;&quot;We don&#x27;t <i>sell</i> your data, we <i>share</i> it.&quot; -all the companies involved<p>Am I the only one thinking there might be some Clapper-level double-speak going on here? Why would these company share admittedly valuable data without being compensated?<p>A question for contract lawyers: can I sell something (say an API or quarterly report) that &quot;incidentally&quot; includes customer data and get away with saying I&#x27;m not &quot;selling customer data&quot;?

Plaid is the most terrifying company in SV. The fact so many people are comfortable sharing their online banking creds with a third party, and in turn authorizing Plaid to share years of transaction data, your balances, emails, phone numbers, addresses etc scraped from your bank account is insane.

While I do love me some privacy.com, unfortunately they only allow you to tie payments to bank accounts, not credit cards.<p>So, it&#x27;s a virtual debit card, not a virtual credit card.<p>Now, they do let you set transaction limits, and daily&#x2F;weekly&#x2F;monthly limits, as well as either locking the card to the first merchant to use it or to make it a &quot;burner&quot; one-time only card.<p>So, there&#x27;s lots of additional controls there.<p>They don&#x27;t give you a good way to export any of that financial information, so if you want to use a budgeting program to try to help you track what is going where, then privacy.com doesn&#x27;t help you there.<p>Overall, I like privacy.com very much. I do want to be able to tie in multiple back-end payment sources, including credit cards, and I&#x27;d be fine taking the 2% or whatever fee on my end. And I do want more transparency in terms of being able to easily export my data where I want to use it. But those are both relatively minor problems, compared to the ones they do help you solve.

I know, I know, the editorial staff is separate from the advertising&#x2F;sales staff etc, but still find it funny that when I try to access the article in incognito mode, as I habitually do (for privacy), I get<p>&gt; We noticed you’re browsing in private mode. Private browsing is permitted exclusively for our subscribers. Turn off private browsing to keep reading this story, or subscribe to use this feature, plus get unlimited digital access.

I&#x27;ve always wondered: is the data the reason why credit card companies are willing to give cash back as high as 5% even to customers who carefully operate them at a clear loss for them?

I&#x27;m sure this is a great article that highlights an real issue but without executing JS the page doesn&#x27;t show anything besides the logo and upon inspection of the HTML delivered by the server you can see that it&#x27;s almost exclusively tracking scripts (at least in the EU).

I wonder how this applies in Australia and New Zealand, our privacy laws prevent the use of credit card “Address Verification” for example.

I&#x27;ve discovered this problem by finding out that you can sign up for additional cash back on apps like Yelp and Dosh. When you make a purchase these companies will automatically determine whether this purchase is eligible for cash back. I&#x27;m guessing they must be buying the data for all my transactions for the purpose of figuring out whether they would give me cash back. It immediately made me suspicious since I&#x27;m getting cash back from a third party instead of from a bank.

I wish Mondex would try again. Mondex was a MasterCard idea tried in the UK that was basically &#x27;digitized cash in a wallet which has the form of a smart card&#x27;.<p>Approach ATM, insert Mondex card. Feed ATM bills and coins, Mondex card gets loaded. Spend card, swipe as normal. Works offline, no connection to a bank account necessary, the money is deducted from your local card&#x27;s &#x27;account&#x27; to the &#x27;account&#x27; on the POS&#x2F;business. Your card records a transaction date&#x2F;time&#x2F;merchant for debits, theirs records the same for a credits.<p>You can transfer funds from one card to another, cash out the card offline at supporting ATMs, be used for building access&#x2F;RFID cards, hold up to 5 digital wallets on one card, and more.<p>It was tried in the UK back in the 90s and NYC right in 2000 and worked about as well as you&#x27;d imagine in that world. But today, it would probably work much better. HK has the Octopus card which is conceptually similar and works well.<p>I&#x27;d certainly give either a shot so I don&#x27;t have to carry physical cash but also aren&#x27;t worried about having my money in someone else&#x27;s hands who can lose it all due to bank fraud or have IT issues preventing payment processing.<p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Mondex" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Mondex</a><p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Octopus_card" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Octopus_card</a>

Purchase data has been around for years. Marketers want to know if their ad dollars worked. “How did you hear about us?” provides scant and mostly unusable data. By matching purchase data with ad campaign data there can be more quantitative evaluation of an ad campaign’s performance.<p>Additionally I imagine this data is available for marketers to target buyers of Product X with Accessory Y.<p>Finally, marketers may use purchase data to build suppression lists; ie. Stop retargeting people that already purchased Product X. I don’t know if this happens very often in practice. It’s very hard to do well in general, and generally cheaper to spam people than buy data to shrink your list.<p>None of this is well-disclosed to consumers, not one bit of it is right. It just is, and it has been for going on for 8+ years.

Summary? Wapo appears pay walled.

How do privacy-forward payment methods like ApplePay change the math?

Headline not proven. He claimed to do an experiment and didn&#x27;t find any security hole or any real results, but then blathered on about what might have happened. I can read privacy policies and make up scenarios and so can you, but so what?<p>And more generally, credit cards have been around a long time. Shouldn&#x27;t there be more evidence by now if anyone is being harmed by sharing data about consumer purchases?

Says the pot to the kettle.

Good morning

This article is severely deficient and written to draw clicks.<p>It doesn&#x27;t go far enough (or at all, really) to explain that the credit card issuer doesn&#x27;t see the data. They see a transaction amount. There&#x27;s no banana.<p>The current top comment about Google linking online to B&amp;M purchases isn&#x27;t a leak of privacy: it&#x27;s strictly private both to Google and the merchant. You are being tracked, but not in a privacy-revealing way, just in an uber-annoying I&#x27;m-still-being-targetted so-it&#x27;s-creepy-and-annoying way.<p>That retail merchants are tracking you is a huge, huge problem. The CC facilitates this by linking all your purchases into a single history, but it isn&#x27;t the CC per se that is the problem. eg the store&#x27;s own rewards card specifically does this. They don&#x27;t even care if you give your actual PII up to signup for the rewards card, all they care about is that they can [even anonymously] identify the purchase stream tied to an individual.<p>They should go to length to better distinguish this problem because then they can get to the fact that every Apple Pay transaction is tokenized and not linkable to prior or future Apple Pay transactions.