What information about me do stores get via my credit card? The 2019 Stack Overflow Developer...

How to read αἱμύλιος or when to aspirate

"is" operation returns false with ndarray.data attribute, even though two array objects have same id

Can each chord in a progression create its own key?

Are spiders unable to hurt humans, especially very small spiders?

Store Dynamic-accessible hidden metadata in a cell

Can the DM override racial traits?

Presidential Pardon

Python - Fishing Simulator

Keeping a retro style to sci-fi spaceships?

What force causes entropy to increase?

Why can't wing-mounted spoilers be used to steepen approaches?

Homework question about an engine pulling a train

Circular reasoning in L'Hopital's rule

Can withdrawing asylum be illegal?

Using dividends to reduce short term capital gains?

Am I ethically obligated to go into work on an off day if the reason is sudden?

Is there a way to generate uniformly distributed points on a sphere from a fixed amount of random real numbers per point?

Match Roman Numerals

Drawing vertical/oblique lines in Metrical tree (tikz-qtree, tipa)

Single author papers against my advisor's will?

What was the last x86 CPU that did not have the x87 floating-point unit built in?

Variable with quotation marks "$()"

Mortgage adviser recommends a longer term than necessary combined with overpayments

Why did Peik Lin say, "I'm not an animal"?



What information about me do stores get via my credit card?



The 2019 Stack Overflow Developer Survey Results Are In
Unicorn Meta Zoo #1: Why another podcast?
Announcing the arrival of Valued Associate #679: Cesar ManaraProxying a Credit Card Transaction?What prevents web shop owners from misusing credit card data?Credit Card Fraud Prevention - Why Aren't Simple Things Used?Storing credit card information for later manual processingUsing browser AJAX to initiate credit card transaction with processor?If my company receives credit card statements showing credit card number, does it have to be PCI compliant?Does my server need to fulfill PCI compliance if it only forwards the credit card number?Is it safe to use an auto pay feature on my smart watch that stores card info?Store credit card numbers in password manager?RFID-Safe Wallet destroys credit card?





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







69















Lets say I buy something at some (physical) store and pay using a credit card on one of these electronic terminals. What information do the owners of this store get about me (or my credit card) from this transaction?



Can they find out whether multiple purchases were paid using the same credit card?










share|improve this question







New contributor




flawr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.

    – donjuedo
    yesterday






  • 2





    @donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.

    – gowenfawr
    yesterday











  • @gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.

    – donjuedo
    yesterday








  • 2





    The answer to this is going to vary by country due to privacy laws. You should specify where.

    – user71659
    yesterday













  • If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.

    – mckenzm
    yesterday


















69















Lets say I buy something at some (physical) store and pay using a credit card on one of these electronic terminals. What information do the owners of this store get about me (or my credit card) from this transaction?



Can they find out whether multiple purchases were paid using the same credit card?










share|improve this question







New contributor




flawr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.

    – donjuedo
    yesterday






  • 2





    @donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.

    – gowenfawr
    yesterday











  • @gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.

    – donjuedo
    yesterday








  • 2





    The answer to this is going to vary by country due to privacy laws. You should specify where.

    – user71659
    yesterday













  • If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.

    – mckenzm
    yesterday














69












69








69


11






Lets say I buy something at some (physical) store and pay using a credit card on one of these electronic terminals. What information do the owners of this store get about me (or my credit card) from this transaction?



Can they find out whether multiple purchases were paid using the same credit card?










share|improve this question







New contributor




flawr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












Lets say I buy something at some (physical) store and pay using a credit card on one of these electronic terminals. What information do the owners of this store get about me (or my credit card) from this transaction?



Can they find out whether multiple purchases were paid using the same credit card?







credit-card user-tracking






share|improve this question







New contributor




flawr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




flawr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




flawr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









flawrflawr

44925




44925




New contributor




flawr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





flawr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






flawr is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.













  • I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.

    – donjuedo
    yesterday






  • 2





    @donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.

    – gowenfawr
    yesterday











  • @gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.

    – donjuedo
    yesterday








  • 2





    The answer to this is going to vary by country due to privacy laws. You should specify where.

    – user71659
    yesterday













  • If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.

    – mckenzm
    yesterday



















  • I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.

    – donjuedo
    yesterday






  • 2





    @donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.

    – gowenfawr
    yesterday











  • @gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.

    – donjuedo
    yesterday








  • 2





    The answer to this is going to vary by country due to privacy laws. You should specify where.

    – user71659
    yesterday













  • If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.

    – mckenzm
    yesterday

















I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.

– donjuedo
yesterday





I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.

– donjuedo
yesterday




2




2





@donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.

– gowenfawr
yesterday





@donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.

– gowenfawr
yesterday













@gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.

– donjuedo
yesterday







@gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.

– donjuedo
yesterday






2




2





The answer to this is going to vary by country due to privacy laws. You should specify where.

– user71659
yesterday







The answer to this is going to vary by country due to privacy laws. You should specify where.

– user71659
yesterday















If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.

– mckenzm
yesterday





If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.

– mckenzm
yesterday










3 Answers
3






active

oldest

votes


















52














From the card itself, the Merchant gets the track data, which includes card number, expiration date, and cardholder name.



If the Merchant requires zip code verification, they'll get your zip code, obviously.



(Card-Not-Present Merchants often get address data for billing/shipping purposes, but you asked about physical stores... and they get that from the Customer, not the card itself.)



The Merchant can track purchases made with that card within their store(s), but not those made at other, unconnected stores. Be aware that sometimes multiple stores (e.g. HomeGoods, TJ Maxx) are actually the same "Merchant" (TJX Companies).



The Processor, on the other hand, can correlate a single card's activity across multiple Merchants. They don't generally have transaction details ("what you bought") but they do have amounts, categories, Merchants, times, all of which may be provided to the Card Brands (Visa, Mastercard, ...) upon request, or law enforcement upon a subpoena.



Each processor will have a different view. If Processor A handles Merchants A, B, and C, and Processor B handles merchants D, E, and F, then the Processors will have completely disjoint sets of data to work with. In general most Merchants use a single Processor; some load-balance across multiple Processors for redundancy and availability, but most transactions will only be seen by one Processor.



Processors do a lot of data analysis to provide value-add, but not to the extent of providing individual cardholder details across Merchants. Most such data analysis is done on large, anonymous buckets, but others, like householding, require identifying factors be used in the analysis.



Processors, Card Brands, and Banks can also make loose inferences about what you're buying based on the Merchant Category Code (MCC). These aren't very exact - those salted peanuts from the Exxon station might get classified as "Gas" - but they provide some guidance. These are the codes that Corporate-issued credit cards will use to block non-work transactions.



Finally, cards themselves are informative. Merchants can tell the difference between a prepaid card and a Black Card, and they can treat the cardholder differently in accordance with their status, for example extending discounts to higher-value-card holders. This is true not only in a physical store, where the Merchant sees your card; Processors can provide this sort of metadata to Card-Not-Present Merchants as well.



(The ability to determine the type of card is not unique to Processors; it's based on the BIN (the first 6 digits of the card) and you can look it up with freely available tools like binlist.net. However, since the list changes over time, and since it's only a portion of guidance, this is a service most usefully provided by a Processor. For example, anyone can tell if a card is a Black Card - but as a Merchant you might treat a Black Card with a high chargeback rate differently than the rest. Only the Processor can integrate that guidance.)






share|improve this answer


























  • Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?

    – flawr
    yesterday






  • 1





    @flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"

    – gowenfawr
    yesterday











  • Thank you very much!

    – flawr
    yesterday






  • 3





    @PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!

    – gowenfawr
    yesterday








  • 1





    @BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.

    – gowenfawr
    18 hours ago



















14














At the very least, they can get the card number. Most receipts will even have the last few digits of the card number printed on them, but the system will have had the full number at some point, and may well hold a tokenised version of the card number which is allowed under PCI (think of it being a random value which can be linked back to the card number by the tokenising service). Since the same card probably gives the same token each time (technically this is optional, but since it gives more information than the alternative, it's the more common in practice), they can go "this card also bought X, Y and Z on these dates".



They can't usually cross reference that data with other stores though - the token associated with a given card from store A is completely unrelated to that associated with a given card from store B, in a sensibly designed system. I don't know whether any tokenisation providers pool data from multiple clients, but that could be a potential nightmare under GDPR, so I'd assume not, at least in Europe.



The issuing bank can also see purchases being made, obviously, but usually in a per transaction basis, rather than individual items. That doesn't mean they can't make educated guesses about the purchases (e.g. if you make a payment to a business called "99p Donuts" for 99p, it's a pretty safe guess that you bought a donut...),






share|improve this answer
























  • Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?

    – gsnedders
    yesterday











  • Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.

    – Matthew
    yesterday











  • So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.

    – JPhi1618
    yesterday











  • @JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.

    – gowenfawr
    yesterday






  • 1





    You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.

    – Matthew
    yesterday



















4














Just to add to the previous answers: Apart from the obvious data that is entered during checkout, you can also get the issuing bank name from the first 6 numbers of the credit card number. With the bank name you can sometimes guess the country where the card was issued when you get a result like "Bank of China", "ANZ" or "Národná banka Slovenska".



I used this method (along with others) in an online store when calculating a risk factor before an order was shipped, to eliminate or flag orders that are placed with stolen credit card numbers.
If user IP, delivery address and bank card are all from different countries then your order would go on hold and flagged for manual review.






share|improve this answer
























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "162"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    flawr is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207241%2fwhat-information-about-me-do-stores-get-via-my-credit-card%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    52














    From the card itself, the Merchant gets the track data, which includes card number, expiration date, and cardholder name.



    If the Merchant requires zip code verification, they'll get your zip code, obviously.



    (Card-Not-Present Merchants often get address data for billing/shipping purposes, but you asked about physical stores... and they get that from the Customer, not the card itself.)



    The Merchant can track purchases made with that card within their store(s), but not those made at other, unconnected stores. Be aware that sometimes multiple stores (e.g. HomeGoods, TJ Maxx) are actually the same "Merchant" (TJX Companies).



    The Processor, on the other hand, can correlate a single card's activity across multiple Merchants. They don't generally have transaction details ("what you bought") but they do have amounts, categories, Merchants, times, all of which may be provided to the Card Brands (Visa, Mastercard, ...) upon request, or law enforcement upon a subpoena.



    Each processor will have a different view. If Processor A handles Merchants A, B, and C, and Processor B handles merchants D, E, and F, then the Processors will have completely disjoint sets of data to work with. In general most Merchants use a single Processor; some load-balance across multiple Processors for redundancy and availability, but most transactions will only be seen by one Processor.



    Processors do a lot of data analysis to provide value-add, but not to the extent of providing individual cardholder details across Merchants. Most such data analysis is done on large, anonymous buckets, but others, like householding, require identifying factors be used in the analysis.



    Processors, Card Brands, and Banks can also make loose inferences about what you're buying based on the Merchant Category Code (MCC). These aren't very exact - those salted peanuts from the Exxon station might get classified as "Gas" - but they provide some guidance. These are the codes that Corporate-issued credit cards will use to block non-work transactions.



    Finally, cards themselves are informative. Merchants can tell the difference between a prepaid card and a Black Card, and they can treat the cardholder differently in accordance with their status, for example extending discounts to higher-value-card holders. This is true not only in a physical store, where the Merchant sees your card; Processors can provide this sort of metadata to Card-Not-Present Merchants as well.



    (The ability to determine the type of card is not unique to Processors; it's based on the BIN (the first 6 digits of the card) and you can look it up with freely available tools like binlist.net. However, since the list changes over time, and since it's only a portion of guidance, this is a service most usefully provided by a Processor. For example, anyone can tell if a card is a Black Card - but as a Merchant you might treat a Black Card with a high chargeback rate differently than the rest. Only the Processor can integrate that guidance.)






    share|improve this answer


























    • Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?

      – flawr
      yesterday






    • 1





      @flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"

      – gowenfawr
      yesterday











    • Thank you very much!

      – flawr
      yesterday






    • 3





      @PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!

      – gowenfawr
      yesterday








    • 1





      @BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.

      – gowenfawr
      18 hours ago
















    52














    From the card itself, the Merchant gets the track data, which includes card number, expiration date, and cardholder name.



    If the Merchant requires zip code verification, they'll get your zip code, obviously.



    (Card-Not-Present Merchants often get address data for billing/shipping purposes, but you asked about physical stores... and they get that from the Customer, not the card itself.)



    The Merchant can track purchases made with that card within their store(s), but not those made at other, unconnected stores. Be aware that sometimes multiple stores (e.g. HomeGoods, TJ Maxx) are actually the same "Merchant" (TJX Companies).



    The Processor, on the other hand, can correlate a single card's activity across multiple Merchants. They don't generally have transaction details ("what you bought") but they do have amounts, categories, Merchants, times, all of which may be provided to the Card Brands (Visa, Mastercard, ...) upon request, or law enforcement upon a subpoena.



    Each processor will have a different view. If Processor A handles Merchants A, B, and C, and Processor B handles merchants D, E, and F, then the Processors will have completely disjoint sets of data to work with. In general most Merchants use a single Processor; some load-balance across multiple Processors for redundancy and availability, but most transactions will only be seen by one Processor.



    Processors do a lot of data analysis to provide value-add, but not to the extent of providing individual cardholder details across Merchants. Most such data analysis is done on large, anonymous buckets, but others, like householding, require identifying factors be used in the analysis.



    Processors, Card Brands, and Banks can also make loose inferences about what you're buying based on the Merchant Category Code (MCC). These aren't very exact - those salted peanuts from the Exxon station might get classified as "Gas" - but they provide some guidance. These are the codes that Corporate-issued credit cards will use to block non-work transactions.



    Finally, cards themselves are informative. Merchants can tell the difference between a prepaid card and a Black Card, and they can treat the cardholder differently in accordance with their status, for example extending discounts to higher-value-card holders. This is true not only in a physical store, where the Merchant sees your card; Processors can provide this sort of metadata to Card-Not-Present Merchants as well.



    (The ability to determine the type of card is not unique to Processors; it's based on the BIN (the first 6 digits of the card) and you can look it up with freely available tools like binlist.net. However, since the list changes over time, and since it's only a portion of guidance, this is a service most usefully provided by a Processor. For example, anyone can tell if a card is a Black Card - but as a Merchant you might treat a Black Card with a high chargeback rate differently than the rest. Only the Processor can integrate that guidance.)






    share|improve this answer


























    • Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?

      – flawr
      yesterday






    • 1





      @flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"

      – gowenfawr
      yesterday











    • Thank you very much!

      – flawr
      yesterday






    • 3





      @PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!

      – gowenfawr
      yesterday








    • 1





      @BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.

      – gowenfawr
      18 hours ago














    52












    52








    52







    From the card itself, the Merchant gets the track data, which includes card number, expiration date, and cardholder name.



    If the Merchant requires zip code verification, they'll get your zip code, obviously.



    (Card-Not-Present Merchants often get address data for billing/shipping purposes, but you asked about physical stores... and they get that from the Customer, not the card itself.)



    The Merchant can track purchases made with that card within their store(s), but not those made at other, unconnected stores. Be aware that sometimes multiple stores (e.g. HomeGoods, TJ Maxx) are actually the same "Merchant" (TJX Companies).



    The Processor, on the other hand, can correlate a single card's activity across multiple Merchants. They don't generally have transaction details ("what you bought") but they do have amounts, categories, Merchants, times, all of which may be provided to the Card Brands (Visa, Mastercard, ...) upon request, or law enforcement upon a subpoena.



    Each processor will have a different view. If Processor A handles Merchants A, B, and C, and Processor B handles merchants D, E, and F, then the Processors will have completely disjoint sets of data to work with. In general most Merchants use a single Processor; some load-balance across multiple Processors for redundancy and availability, but most transactions will only be seen by one Processor.



    Processors do a lot of data analysis to provide value-add, but not to the extent of providing individual cardholder details across Merchants. Most such data analysis is done on large, anonymous buckets, but others, like householding, require identifying factors be used in the analysis.



    Processors, Card Brands, and Banks can also make loose inferences about what you're buying based on the Merchant Category Code (MCC). These aren't very exact - those salted peanuts from the Exxon station might get classified as "Gas" - but they provide some guidance. These are the codes that Corporate-issued credit cards will use to block non-work transactions.



    Finally, cards themselves are informative. Merchants can tell the difference between a prepaid card and a Black Card, and they can treat the cardholder differently in accordance with their status, for example extending discounts to higher-value-card holders. This is true not only in a physical store, where the Merchant sees your card; Processors can provide this sort of metadata to Card-Not-Present Merchants as well.



    (The ability to determine the type of card is not unique to Processors; it's based on the BIN (the first 6 digits of the card) and you can look it up with freely available tools like binlist.net. However, since the list changes over time, and since it's only a portion of guidance, this is a service most usefully provided by a Processor. For example, anyone can tell if a card is a Black Card - but as a Merchant you might treat a Black Card with a high chargeback rate differently than the rest. Only the Processor can integrate that guidance.)






    share|improve this answer















    From the card itself, the Merchant gets the track data, which includes card number, expiration date, and cardholder name.



    If the Merchant requires zip code verification, they'll get your zip code, obviously.



    (Card-Not-Present Merchants often get address data for billing/shipping purposes, but you asked about physical stores... and they get that from the Customer, not the card itself.)



    The Merchant can track purchases made with that card within their store(s), but not those made at other, unconnected stores. Be aware that sometimes multiple stores (e.g. HomeGoods, TJ Maxx) are actually the same "Merchant" (TJX Companies).



    The Processor, on the other hand, can correlate a single card's activity across multiple Merchants. They don't generally have transaction details ("what you bought") but they do have amounts, categories, Merchants, times, all of which may be provided to the Card Brands (Visa, Mastercard, ...) upon request, or law enforcement upon a subpoena.



    Each processor will have a different view. If Processor A handles Merchants A, B, and C, and Processor B handles merchants D, E, and F, then the Processors will have completely disjoint sets of data to work with. In general most Merchants use a single Processor; some load-balance across multiple Processors for redundancy and availability, but most transactions will only be seen by one Processor.



    Processors do a lot of data analysis to provide value-add, but not to the extent of providing individual cardholder details across Merchants. Most such data analysis is done on large, anonymous buckets, but others, like householding, require identifying factors be used in the analysis.



    Processors, Card Brands, and Banks can also make loose inferences about what you're buying based on the Merchant Category Code (MCC). These aren't very exact - those salted peanuts from the Exxon station might get classified as "Gas" - but they provide some guidance. These are the codes that Corporate-issued credit cards will use to block non-work transactions.



    Finally, cards themselves are informative. Merchants can tell the difference between a prepaid card and a Black Card, and they can treat the cardholder differently in accordance with their status, for example extending discounts to higher-value-card holders. This is true not only in a physical store, where the Merchant sees your card; Processors can provide this sort of metadata to Card-Not-Present Merchants as well.



    (The ability to determine the type of card is not unique to Processors; it's based on the BIN (the first 6 digits of the card) and you can look it up with freely available tools like binlist.net. However, since the list changes over time, and since it's only a portion of guidance, this is a service most usefully provided by a Processor. For example, anyone can tell if a card is a Black Card - but as a Merchant you might treat a Black Card with a high chargeback rate differently than the rest. Only the Processor can integrate that guidance.)







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited yesterday

























    answered yesterday









    gowenfawrgowenfawr

    54.5k11115161




    54.5k11115161













    • Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?

      – flawr
      yesterday






    • 1





      @flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"

      – gowenfawr
      yesterday











    • Thank you very much!

      – flawr
      yesterday






    • 3





      @PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!

      – gowenfawr
      yesterday








    • 1





      @BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.

      – gowenfawr
      18 hours ago



















    • Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?

      – flawr
      yesterday






    • 1





      @flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"

      – gowenfawr
      yesterday











    • Thank you very much!

      – flawr
      yesterday






    • 3





      @PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!

      – gowenfawr
      yesterday








    • 1





      @BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.

      – gowenfawr
      18 hours ago

















    Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?

    – flawr
    yesterday





    Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?

    – flawr
    yesterday




    1




    1





    @flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"

    – gowenfawr
    yesterday





    @flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"

    – gowenfawr
    yesterday













    Thank you very much!

    – flawr
    yesterday





    Thank you very much!

    – flawr
    yesterday




    3




    3





    @PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!

    – gowenfawr
    yesterday







    @PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!

    – gowenfawr
    yesterday






    1




    1





    @BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.

    – gowenfawr
    18 hours ago





    @BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.

    – gowenfawr
    18 hours ago













    14














    At the very least, they can get the card number. Most receipts will even have the last few digits of the card number printed on them, but the system will have had the full number at some point, and may well hold a tokenised version of the card number which is allowed under PCI (think of it being a random value which can be linked back to the card number by the tokenising service). Since the same card probably gives the same token each time (technically this is optional, but since it gives more information than the alternative, it's the more common in practice), they can go "this card also bought X, Y and Z on these dates".



    They can't usually cross reference that data with other stores though - the token associated with a given card from store A is completely unrelated to that associated with a given card from store B, in a sensibly designed system. I don't know whether any tokenisation providers pool data from multiple clients, but that could be a potential nightmare under GDPR, so I'd assume not, at least in Europe.



    The issuing bank can also see purchases being made, obviously, but usually in a per transaction basis, rather than individual items. That doesn't mean they can't make educated guesses about the purchases (e.g. if you make a payment to a business called "99p Donuts" for 99p, it's a pretty safe guess that you bought a donut...),






    share|improve this answer
























    • Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?

      – gsnedders
      yesterday











    • Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.

      – Matthew
      yesterday











    • So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.

      – JPhi1618
      yesterday











    • @JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.

      – gowenfawr
      yesterday






    • 1





      You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.

      – Matthew
      yesterday
















    14














    At the very least, they can get the card number. Most receipts will even have the last few digits of the card number printed on them, but the system will have had the full number at some point, and may well hold a tokenised version of the card number which is allowed under PCI (think of it being a random value which can be linked back to the card number by the tokenising service). Since the same card probably gives the same token each time (technically this is optional, but since it gives more information than the alternative, it's the more common in practice), they can go "this card also bought X, Y and Z on these dates".



    They can't usually cross reference that data with other stores though - the token associated with a given card from store A is completely unrelated to that associated with a given card from store B, in a sensibly designed system. I don't know whether any tokenisation providers pool data from multiple clients, but that could be a potential nightmare under GDPR, so I'd assume not, at least in Europe.



    The issuing bank can also see purchases being made, obviously, but usually in a per transaction basis, rather than individual items. That doesn't mean they can't make educated guesses about the purchases (e.g. if you make a payment to a business called "99p Donuts" for 99p, it's a pretty safe guess that you bought a donut...),






    share|improve this answer
























    • Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?

      – gsnedders
      yesterday











    • Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.

      – Matthew
      yesterday











    • So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.

      – JPhi1618
      yesterday











    • @JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.

      – gowenfawr
      yesterday






    • 1





      You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.

      – Matthew
      yesterday














    14












    14








    14







    At the very least, they can get the card number. Most receipts will even have the last few digits of the card number printed on them, but the system will have had the full number at some point, and may well hold a tokenised version of the card number which is allowed under PCI (think of it being a random value which can be linked back to the card number by the tokenising service). Since the same card probably gives the same token each time (technically this is optional, but since it gives more information than the alternative, it's the more common in practice), they can go "this card also bought X, Y and Z on these dates".



    They can't usually cross reference that data with other stores though - the token associated with a given card from store A is completely unrelated to that associated with a given card from store B, in a sensibly designed system. I don't know whether any tokenisation providers pool data from multiple clients, but that could be a potential nightmare under GDPR, so I'd assume not, at least in Europe.



    The issuing bank can also see purchases being made, obviously, but usually in a per transaction basis, rather than individual items. That doesn't mean they can't make educated guesses about the purchases (e.g. if you make a payment to a business called "99p Donuts" for 99p, it's a pretty safe guess that you bought a donut...),






    share|improve this answer













    At the very least, they can get the card number. Most receipts will even have the last few digits of the card number printed on them, but the system will have had the full number at some point, and may well hold a tokenised version of the card number which is allowed under PCI (think of it being a random value which can be linked back to the card number by the tokenising service). Since the same card probably gives the same token each time (technically this is optional, but since it gives more information than the alternative, it's the more common in practice), they can go "this card also bought X, Y and Z on these dates".



    They can't usually cross reference that data with other stores though - the token associated with a given card from store A is completely unrelated to that associated with a given card from store B, in a sensibly designed system. I don't know whether any tokenisation providers pool data from multiple clients, but that could be a potential nightmare under GDPR, so I'd assume not, at least in Europe.



    The issuing bank can also see purchases being made, obviously, but usually in a per transaction basis, rather than individual items. That doesn't mean they can't make educated guesses about the purchases (e.g. if you make a payment to a business called "99p Donuts" for 99p, it's a pretty safe guess that you bought a donut...),







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered yesterday









    MatthewMatthew

    25.2k78092




    25.2k78092













    • Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?

      – gsnedders
      yesterday











    • Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.

      – Matthew
      yesterday











    • So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.

      – JPhi1618
      yesterday











    • @JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.

      – gowenfawr
      yesterday






    • 1





      You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.

      – Matthew
      yesterday



















    • Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?

      – gsnedders
      yesterday











    • Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.

      – Matthew
      yesterday











    • So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.

      – JPhi1618
      yesterday











    • @JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.

      – gowenfawr
      yesterday






    • 1





      You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.

      – Matthew
      yesterday

















    Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?

    – gsnedders
    yesterday





    Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?

    – gsnedders
    yesterday













    Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.

    – Matthew
    yesterday





    Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.

    – Matthew
    yesterday













    So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.

    – JPhi1618
    yesterday





    So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.

    – JPhi1618
    yesterday













    @JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.

    – gowenfawr
    yesterday





    @JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.

    – gowenfawr
    yesterday




    1




    1





    You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.

    – Matthew
    yesterday





    You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.

    – Matthew
    yesterday











    4














    Just to add to the previous answers: Apart from the obvious data that is entered during checkout, you can also get the issuing bank name from the first 6 numbers of the credit card number. With the bank name you can sometimes guess the country where the card was issued when you get a result like "Bank of China", "ANZ" or "Národná banka Slovenska".



    I used this method (along with others) in an online store when calculating a risk factor before an order was shipped, to eliminate or flag orders that are placed with stolen credit card numbers.
    If user IP, delivery address and bank card are all from different countries then your order would go on hold and flagged for manual review.






    share|improve this answer




























      4














      Just to add to the previous answers: Apart from the obvious data that is entered during checkout, you can also get the issuing bank name from the first 6 numbers of the credit card number. With the bank name you can sometimes guess the country where the card was issued when you get a result like "Bank of China", "ANZ" or "Národná banka Slovenska".



      I used this method (along with others) in an online store when calculating a risk factor before an order was shipped, to eliminate or flag orders that are placed with stolen credit card numbers.
      If user IP, delivery address and bank card are all from different countries then your order would go on hold and flagged for manual review.






      share|improve this answer


























        4












        4








        4







        Just to add to the previous answers: Apart from the obvious data that is entered during checkout, you can also get the issuing bank name from the first 6 numbers of the credit card number. With the bank name you can sometimes guess the country where the card was issued when you get a result like "Bank of China", "ANZ" or "Národná banka Slovenska".



        I used this method (along with others) in an online store when calculating a risk factor before an order was shipped, to eliminate or flag orders that are placed with stolen credit card numbers.
        If user IP, delivery address and bank card are all from different countries then your order would go on hold and flagged for manual review.






        share|improve this answer













        Just to add to the previous answers: Apart from the obvious data that is entered during checkout, you can also get the issuing bank name from the first 6 numbers of the credit card number. With the bank name you can sometimes guess the country where the card was issued when you get a result like "Bank of China", "ANZ" or "Národná banka Slovenska".



        I used this method (along with others) in an online store when calculating a risk factor before an order was shipped, to eliminate or flag orders that are placed with stolen credit card numbers.
        If user IP, delivery address and bank card are all from different countries then your order would go on hold and flagged for manual review.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 23 hours ago









        iHaveacomputeriHaveacomputer

        49326




        49326






















            flawr is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            flawr is a new contributor. Be nice, and check out our Code of Conduct.













            flawr is a new contributor. Be nice, and check out our Code of Conduct.












            flawr is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207241%2fwhat-information-about-me-do-stores-get-via-my-credit-card%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Couldn't open a raw socket. Error: Permission denied (13) (nmap)Is it possible to run networking commands...

            VNC viewer RFB protocol error: bad desktop size 0x0I Cannot Type the Key 'd' (lowercase) in VNC Viewer...

            Why not use the yoke to control yaw, as well as pitch and roll? Announcing the arrival of...