Surveillance society? Credit card data pose no threat to personal privacy

When Mr & Mrs Smith complete their weekly shop with their favourite retailer, they increasingly pay by credit card, as confirmed recently in a previous editionof the SBA insight magazine. According to the latest survey by the comparison portal Moneyland.ch, 71% of respondents consider credit cards essential. Making a credit card purchase triggers a complex payment process.¹

Who is involved in a transaction, and how?

There are usually four parties involved in a credit card transaction: the customer, the merchant, the issuer and the acquirer (the merchant’s payments provider). Issuers are usually external service providers, but they can also be banks. There is a popular misconception that when a credit card transaction is processed, payment goes straight from the buyer to the seller of the goods or services. As the word “credit” implies, however, the buyer only makes a payment promise to the merchant, while giving it the express right to recover the outstanding amount directly from the issuer. The merchant needs someone to perform this task and to collect the money from the issuer. This is where the acquirer comes in. They set in motion everything needed for settling the payment: on the one hand they make an advance payment to the merchant by crediting the outstanding amount to their account, and on the other hand they collect the purchase amount from the issuer. The issuer then advances the amount for the customer and subsequently bills them for it.

What data are needed for the transaction?

However, a complex data flow is triggered before any money is transferred. For a transaction to take place while guaranteeing maximum security, the parties must first exchange various details. A distinction is made here between authorisation data and transaction data. The authorisation data allow the parties involved to check whether the payment is even allowed to proceed: if the card is blocked, reported lost or stolen, or the spending limit reached, payment will be declined immediately. This entire process occurs within a few milliseconds at the point of sale (PoS). The transaction is then initiated after successful authorisation. For the money to flow seamlessly, all parties must receive certain transaction data such as the transaction number and description, purchase amount, cardholder’s name, time and date, currency and merchant’s details.

So who sees what, and when?

No party has unrestricted access to all this information, as the data are encrypted for transmission in the credit card network. Only the party requiring a specific data point for settling the payment has the relevant key. For example: the acquirer initiating the entire process only receives the data required for settling the payment: the transaction amount, credit card number and relevant information for the merchant, such as the location, company and branch. However, this information does not allow any conclusions to be drawn about the buyer’s payment behaviour – in other words, the items bought, the status of their credit card or their spending patterns. The issuer, on the other hand, sees all the data required for billing the payment and monitoring the transaction, identifying the cardholder, preventing card misuse, combating money-laundering, and making contactless payments. These details include the name of the cardholder, the purchase amount, the time and date of the transaction and information about the type of credit card use. Even so, the card issuer is unable to view the items purchased and is therefore unable to draw any conclusions about an individual’s actual spending habits and thus create an end-customer profile with a purchase history. The credit card network (such as Mastercard or Visa) also sees the purchase amount and the merchant’s name, but never the shopping basket. The system is designed so that no individual personal or transaction data can be recorded. Such data can only be collated in an aggregated and anonymised form. As a result, the spending habits of the entire population can be analysed in an aggregated and anonymised format, but the spending behaviours of private individuals is never disclosed.

What does the merchant do?

The merchant uses a card reader to input the data required for the transaction. These include the card number and type, expiry date, purchase amount, time and date, and other information printed on the receipt. The merchant is the only participant in the network able to see details of the items purchased. Anyone worried at this point that their spending habits might be analysed can relax: under Switzerland’s Data Protection Act (DSG), the payment process cannot be linked to the shopping basket, as data may only be processed for their intended purpose. Further processing of the transaction data to compile purchase histories would not serve the original purpose of the payment and is therefore not allowed. If customers have a loyalty card, however, they are expressly allowing the merchant to link the purchase data with their customer profile. Only when loyalty cards are used are merchants able to collect data, analyse spending patterns and offer personalised advertising. In 2017 estimates showed that out of a total of 3.7 million Swiss households, 2.8 million (over 75%) had signed up to one of the large retailer loyalty programmes.

What does all this mean for the protection of personal privacy?

The Data Protection Act provides a high level of protection for personal data. In Switzerland, the financial industry goes even further in shielding its customers: as well as the basic security provided by the Act, the processing of personal data by banks is subject to bank-client confidentiality. On top of that, the Payment Card Industry Data Security Standard (PCI-DSS), a self-regulating council of the credit card networks, sets out supplementary rules. Given the global character of these systems, rigorous licensing standards for participants go hand-in-hand with exceptionally strict rules on handling data.

Following numerous negative news stories about data privacy, consumers are concerned. The novel nature of this topic and the frequently opaque way in which data are collected, used and shared certainly play a part here. Members of credit card networks would do well to take these concerns seriously and be more proactive in communicating what is technically possible and legal in their handling of data – and what is not. All in all, credit card networks are exceptionally secure communication systems and in no way inferior to other payment methods. Paying by credit card does not threaten an invasion of personal privacy – but the voluntary use of loyalty cards certainly does.

¹ For the sake of simplicity, this article does not cover mobile payments and e-commerce payments.