What information about me do stores get via my credit card? The 2019 Stack Overflow Developer...
How to read αἱμύλιος or when to aspirate
"is" operation returns false with ndarray.data attribute, even though two array objects have same id
Can each chord in a progression create its own key?
Are spiders unable to hurt humans, especially very small spiders?
Store Dynamic-accessible hidden metadata in a cell
Can the DM override racial traits?
Presidential Pardon
Python - Fishing Simulator
Keeping a retro style to sci-fi spaceships?
What force causes entropy to increase?
Why can't wing-mounted spoilers be used to steepen approaches?
Homework question about an engine pulling a train
Circular reasoning in L'Hopital's rule
Can withdrawing asylum be illegal?
Using dividends to reduce short term capital gains?
Am I ethically obligated to go into work on an off day if the reason is sudden?
Is there a way to generate uniformly distributed points on a sphere from a fixed amount of random real numbers per point?
Match Roman Numerals
Drawing vertical/oblique lines in Metrical tree (tikz-qtree, tipa)
Single author papers against my advisor's will?
What was the last x86 CPU that did not have the x87 floating-point unit built in?
Variable with quotation marks "$()"
Mortgage adviser recommends a longer term than necessary combined with overpayments
Why did Peik Lin say, "I'm not an animal"?
What information about me do stores get via my credit card?
The 2019 Stack Overflow Developer Survey Results Are In
Unicorn Meta Zoo #1: Why another podcast?
Announcing the arrival of Valued Associate #679: Cesar ManaraProxying a Credit Card Transaction?What prevents web shop owners from misusing credit card data?Credit Card Fraud Prevention - Why Aren't Simple Things Used?Storing credit card information for later manual processingUsing browser AJAX to initiate credit card transaction with processor?If my company receives credit card statements showing credit card number, does it have to be PCI compliant?Does my server need to fulfill PCI compliance if it only forwards the credit card number?Is it safe to use an auto pay feature on my smart watch that stores card info?Store credit card numbers in password manager?RFID-Safe Wallet destroys credit card?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
Lets say I buy something at some (physical) store and pay using a credit card on one of these electronic terminals. What information do the owners of this store get about me (or my credit card) from this transaction?
Can they find out whether multiple purchases were paid using the same credit card?
credit-card user-tracking
New contributor
|
show 3 more comments
Lets say I buy something at some (physical) store and pay using a credit card on one of these electronic terminals. What information do the owners of this store get about me (or my credit card) from this transaction?
Can they find out whether multiple purchases were paid using the same credit card?
credit-card user-tracking
New contributor
I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.
– donjuedo
yesterday
2
@donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.
– gowenfawr
yesterday
@gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.
– donjuedo
yesterday
2
The answer to this is going to vary by country due to privacy laws. You should specify where.
– user71659
yesterday
If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.
– mckenzm
yesterday
|
show 3 more comments
Lets say I buy something at some (physical) store and pay using a credit card on one of these electronic terminals. What information do the owners of this store get about me (or my credit card) from this transaction?
Can they find out whether multiple purchases were paid using the same credit card?
credit-card user-tracking
New contributor
Lets say I buy something at some (physical) store and pay using a credit card on one of these electronic terminals. What information do the owners of this store get about me (or my credit card) from this transaction?
Can they find out whether multiple purchases were paid using the same credit card?
credit-card user-tracking
credit-card user-tracking
New contributor
New contributor
New contributor
asked yesterday
flawrflawr
44925
44925
New contributor
New contributor
I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.
– donjuedo
yesterday
2
@donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.
– gowenfawr
yesterday
@gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.
– donjuedo
yesterday
2
The answer to this is going to vary by country due to privacy laws. You should specify where.
– user71659
yesterday
If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.
– mckenzm
yesterday
|
show 3 more comments
I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.
– donjuedo
yesterday
2
@donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.
– gowenfawr
yesterday
@gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.
– donjuedo
yesterday
2
The answer to this is going to vary by country due to privacy laws. You should specify where.
– user71659
yesterday
If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.
– mckenzm
yesterday
I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.
– donjuedo
yesterday
I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.
– donjuedo
yesterday
2
2
@donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.
– gowenfawr
yesterday
@donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.
– gowenfawr
yesterday
@gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.
– donjuedo
yesterday
@gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.
– donjuedo
yesterday
2
2
The answer to this is going to vary by country due to privacy laws. You should specify where.
– user71659
yesterday
The answer to this is going to vary by country due to privacy laws. You should specify where.
– user71659
yesterday
If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.
– mckenzm
yesterday
If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.
– mckenzm
yesterday
|
show 3 more comments
3 Answers
3
active
oldest
votes
From the card itself, the Merchant gets the track data, which includes card number, expiration date, and cardholder name.
If the Merchant requires zip code verification, they'll get your zip code, obviously.
(Card-Not-Present Merchants often get address data for billing/shipping purposes, but you asked about physical stores... and they get that from the Customer, not the card itself.)
The Merchant can track purchases made with that card within their store(s), but not those made at other, unconnected stores. Be aware that sometimes multiple stores (e.g. HomeGoods, TJ Maxx) are actually the same "Merchant" (TJX Companies).
The Processor, on the other hand, can correlate a single card's activity across multiple Merchants. They don't generally have transaction details ("what you bought") but they do have amounts, categories, Merchants, times, all of which may be provided to the Card Brands (Visa, Mastercard, ...) upon request, or law enforcement upon a subpoena.
Each processor will have a different view. If Processor A handles Merchants A, B, and C, and Processor B handles merchants D, E, and F, then the Processors will have completely disjoint sets of data to work with. In general most Merchants use a single Processor; some load-balance across multiple Processors for redundancy and availability, but most transactions will only be seen by one Processor.
Processors do a lot of data analysis to provide value-add, but not to the extent of providing individual cardholder details across Merchants. Most such data analysis is done on large, anonymous buckets, but others, like householding, require identifying factors be used in the analysis.
Processors, Card Brands, and Banks can also make loose inferences about what you're buying based on the Merchant Category Code (MCC). These aren't very exact - those salted peanuts from the Exxon station might get classified as "Gas" - but they provide some guidance. These are the codes that Corporate-issued credit cards will use to block non-work transactions.
Finally, cards themselves are informative. Merchants can tell the difference between a prepaid card and a Black Card, and they can treat the cardholder differently in accordance with their status, for example extending discounts to higher-value-card holders. This is true not only in a physical store, where the Merchant sees your card; Processors can provide this sort of metadata to Card-Not-Present Merchants as well.
(The ability to determine the type of card is not unique to Processors; it's based on the BIN (the first 6 digits of the card) and you can look it up with freely available tools like binlist.net. However, since the list changes over time, and since it's only a portion of guidance, this is a service most usefully provided by a Processor. For example, anyone can tell if a card is a Black Card - but as a Merchant you might treat a Black Card with a high chargeback rate differently than the rest. Only the Processor can integrate that guidance.)
Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?
– flawr
yesterday
1
@flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"
– gowenfawr
yesterday
Thank you very much!
– flawr
yesterday
3
@PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!
– gowenfawr
yesterday
1
@BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.
– gowenfawr
18 hours ago
|
show 3 more comments
At the very least, they can get the card number. Most receipts will even have the last few digits of the card number printed on them, but the system will have had the full number at some point, and may well hold a tokenised version of the card number which is allowed under PCI (think of it being a random value which can be linked back to the card number by the tokenising service). Since the same card probably gives the same token each time (technically this is optional, but since it gives more information than the alternative, it's the more common in practice), they can go "this card also bought X, Y and Z on these dates".
They can't usually cross reference that data with other stores though - the token associated with a given card from store A is completely unrelated to that associated with a given card from store B, in a sensibly designed system. I don't know whether any tokenisation providers pool data from multiple clients, but that could be a potential nightmare under GDPR, so I'd assume not, at least in Europe.
The issuing bank can also see purchases being made, obviously, but usually in a per transaction basis, rather than individual items. That doesn't mean they can't make educated guesses about the purchases (e.g. if you make a payment to a business called "99p Donuts" for 99p, it's a pretty safe guess that you bought a donut...),
Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?
– gsnedders
yesterday
Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.
– Matthew
yesterday
So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.
– JPhi1618
yesterday
@JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.
– gowenfawr
yesterday
1
You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.
– Matthew
yesterday
|
show 1 more comment
Just to add to the previous answers: Apart from the obvious data that is entered during checkout, you can also get the issuing bank name from the first 6 numbers of the credit card number. With the bank name you can sometimes guess the country where the card was issued when you get a result like "Bank of China", "ANZ" or "Národná banka Slovenska".
I used this method (along with others) in an online store when calculating a risk factor before an order was shipped, to eliminate or flag orders that are placed with stolen credit card numbers.
If user IP, delivery address and bank card are all from different countries then your order would go on hold and flagged for manual review.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
flawr is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207241%2fwhat-information-about-me-do-stores-get-via-my-credit-card%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
From the card itself, the Merchant gets the track data, which includes card number, expiration date, and cardholder name.
If the Merchant requires zip code verification, they'll get your zip code, obviously.
(Card-Not-Present Merchants often get address data for billing/shipping purposes, but you asked about physical stores... and they get that from the Customer, not the card itself.)
The Merchant can track purchases made with that card within their store(s), but not those made at other, unconnected stores. Be aware that sometimes multiple stores (e.g. HomeGoods, TJ Maxx) are actually the same "Merchant" (TJX Companies).
The Processor, on the other hand, can correlate a single card's activity across multiple Merchants. They don't generally have transaction details ("what you bought") but they do have amounts, categories, Merchants, times, all of which may be provided to the Card Brands (Visa, Mastercard, ...) upon request, or law enforcement upon a subpoena.
Each processor will have a different view. If Processor A handles Merchants A, B, and C, and Processor B handles merchants D, E, and F, then the Processors will have completely disjoint sets of data to work with. In general most Merchants use a single Processor; some load-balance across multiple Processors for redundancy and availability, but most transactions will only be seen by one Processor.
Processors do a lot of data analysis to provide value-add, but not to the extent of providing individual cardholder details across Merchants. Most such data analysis is done on large, anonymous buckets, but others, like householding, require identifying factors be used in the analysis.
Processors, Card Brands, and Banks can also make loose inferences about what you're buying based on the Merchant Category Code (MCC). These aren't very exact - those salted peanuts from the Exxon station might get classified as "Gas" - but they provide some guidance. These are the codes that Corporate-issued credit cards will use to block non-work transactions.
Finally, cards themselves are informative. Merchants can tell the difference between a prepaid card and a Black Card, and they can treat the cardholder differently in accordance with their status, for example extending discounts to higher-value-card holders. This is true not only in a physical store, where the Merchant sees your card; Processors can provide this sort of metadata to Card-Not-Present Merchants as well.
(The ability to determine the type of card is not unique to Processors; it's based on the BIN (the first 6 digits of the card) and you can look it up with freely available tools like binlist.net. However, since the list changes over time, and since it's only a portion of guidance, this is a service most usefully provided by a Processor. For example, anyone can tell if a card is a Black Card - but as a Merchant you might treat a Black Card with a high chargeback rate differently than the rest. Only the Processor can integrate that guidance.)
Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?
– flawr
yesterday
1
@flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"
– gowenfawr
yesterday
Thank you very much!
– flawr
yesterday
3
@PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!
– gowenfawr
yesterday
1
@BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.
– gowenfawr
18 hours ago
|
show 3 more comments
From the card itself, the Merchant gets the track data, which includes card number, expiration date, and cardholder name.
If the Merchant requires zip code verification, they'll get your zip code, obviously.
(Card-Not-Present Merchants often get address data for billing/shipping purposes, but you asked about physical stores... and they get that from the Customer, not the card itself.)
The Merchant can track purchases made with that card within their store(s), but not those made at other, unconnected stores. Be aware that sometimes multiple stores (e.g. HomeGoods, TJ Maxx) are actually the same "Merchant" (TJX Companies).
The Processor, on the other hand, can correlate a single card's activity across multiple Merchants. They don't generally have transaction details ("what you bought") but they do have amounts, categories, Merchants, times, all of which may be provided to the Card Brands (Visa, Mastercard, ...) upon request, or law enforcement upon a subpoena.
Each processor will have a different view. If Processor A handles Merchants A, B, and C, and Processor B handles merchants D, E, and F, then the Processors will have completely disjoint sets of data to work with. In general most Merchants use a single Processor; some load-balance across multiple Processors for redundancy and availability, but most transactions will only be seen by one Processor.
Processors do a lot of data analysis to provide value-add, but not to the extent of providing individual cardholder details across Merchants. Most such data analysis is done on large, anonymous buckets, but others, like householding, require identifying factors be used in the analysis.
Processors, Card Brands, and Banks can also make loose inferences about what you're buying based on the Merchant Category Code (MCC). These aren't very exact - those salted peanuts from the Exxon station might get classified as "Gas" - but they provide some guidance. These are the codes that Corporate-issued credit cards will use to block non-work transactions.
Finally, cards themselves are informative. Merchants can tell the difference between a prepaid card and a Black Card, and they can treat the cardholder differently in accordance with their status, for example extending discounts to higher-value-card holders. This is true not only in a physical store, where the Merchant sees your card; Processors can provide this sort of metadata to Card-Not-Present Merchants as well.
(The ability to determine the type of card is not unique to Processors; it's based on the BIN (the first 6 digits of the card) and you can look it up with freely available tools like binlist.net. However, since the list changes over time, and since it's only a portion of guidance, this is a service most usefully provided by a Processor. For example, anyone can tell if a card is a Black Card - but as a Merchant you might treat a Black Card with a high chargeback rate differently than the rest. Only the Processor can integrate that guidance.)
Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?
– flawr
yesterday
1
@flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"
– gowenfawr
yesterday
Thank you very much!
– flawr
yesterday
3
@PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!
– gowenfawr
yesterday
1
@BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.
– gowenfawr
18 hours ago
|
show 3 more comments
From the card itself, the Merchant gets the track data, which includes card number, expiration date, and cardholder name.
If the Merchant requires zip code verification, they'll get your zip code, obviously.
(Card-Not-Present Merchants often get address data for billing/shipping purposes, but you asked about physical stores... and they get that from the Customer, not the card itself.)
The Merchant can track purchases made with that card within their store(s), but not those made at other, unconnected stores. Be aware that sometimes multiple stores (e.g. HomeGoods, TJ Maxx) are actually the same "Merchant" (TJX Companies).
The Processor, on the other hand, can correlate a single card's activity across multiple Merchants. They don't generally have transaction details ("what you bought") but they do have amounts, categories, Merchants, times, all of which may be provided to the Card Brands (Visa, Mastercard, ...) upon request, or law enforcement upon a subpoena.
Each processor will have a different view. If Processor A handles Merchants A, B, and C, and Processor B handles merchants D, E, and F, then the Processors will have completely disjoint sets of data to work with. In general most Merchants use a single Processor; some load-balance across multiple Processors for redundancy and availability, but most transactions will only be seen by one Processor.
Processors do a lot of data analysis to provide value-add, but not to the extent of providing individual cardholder details across Merchants. Most such data analysis is done on large, anonymous buckets, but others, like householding, require identifying factors be used in the analysis.
Processors, Card Brands, and Banks can also make loose inferences about what you're buying based on the Merchant Category Code (MCC). These aren't very exact - those salted peanuts from the Exxon station might get classified as "Gas" - but they provide some guidance. These are the codes that Corporate-issued credit cards will use to block non-work transactions.
Finally, cards themselves are informative. Merchants can tell the difference between a prepaid card and a Black Card, and they can treat the cardholder differently in accordance with their status, for example extending discounts to higher-value-card holders. This is true not only in a physical store, where the Merchant sees your card; Processors can provide this sort of metadata to Card-Not-Present Merchants as well.
(The ability to determine the type of card is not unique to Processors; it's based on the BIN (the first 6 digits of the card) and you can look it up with freely available tools like binlist.net. However, since the list changes over time, and since it's only a portion of guidance, this is a service most usefully provided by a Processor. For example, anyone can tell if a card is a Black Card - but as a Merchant you might treat a Black Card with a high chargeback rate differently than the rest. Only the Processor can integrate that guidance.)
From the card itself, the Merchant gets the track data, which includes card number, expiration date, and cardholder name.
If the Merchant requires zip code verification, they'll get your zip code, obviously.
(Card-Not-Present Merchants often get address data for billing/shipping purposes, but you asked about physical stores... and they get that from the Customer, not the card itself.)
The Merchant can track purchases made with that card within their store(s), but not those made at other, unconnected stores. Be aware that sometimes multiple stores (e.g. HomeGoods, TJ Maxx) are actually the same "Merchant" (TJX Companies).
The Processor, on the other hand, can correlate a single card's activity across multiple Merchants. They don't generally have transaction details ("what you bought") but they do have amounts, categories, Merchants, times, all of which may be provided to the Card Brands (Visa, Mastercard, ...) upon request, or law enforcement upon a subpoena.
Each processor will have a different view. If Processor A handles Merchants A, B, and C, and Processor B handles merchants D, E, and F, then the Processors will have completely disjoint sets of data to work with. In general most Merchants use a single Processor; some load-balance across multiple Processors for redundancy and availability, but most transactions will only be seen by one Processor.
Processors do a lot of data analysis to provide value-add, but not to the extent of providing individual cardholder details across Merchants. Most such data analysis is done on large, anonymous buckets, but others, like householding, require identifying factors be used in the analysis.
Processors, Card Brands, and Banks can also make loose inferences about what you're buying based on the Merchant Category Code (MCC). These aren't very exact - those salted peanuts from the Exxon station might get classified as "Gas" - but they provide some guidance. These are the codes that Corporate-issued credit cards will use to block non-work transactions.
Finally, cards themselves are informative. Merchants can tell the difference between a prepaid card and a Black Card, and they can treat the cardholder differently in accordance with their status, for example extending discounts to higher-value-card holders. This is true not only in a physical store, where the Merchant sees your card; Processors can provide this sort of metadata to Card-Not-Present Merchants as well.
(The ability to determine the type of card is not unique to Processors; it's based on the BIN (the first 6 digits of the card) and you can look it up with freely available tools like binlist.net. However, since the list changes over time, and since it's only a portion of guidance, this is a service most usefully provided by a Processor. For example, anyone can tell if a card is a Black Card - but as a Merchant you might treat a Black Card with a high chargeback rate differently than the rest. Only the Processor can integrate that guidance.)
edited yesterday
answered yesterday
gowenfawrgowenfawr
54.5k11115161
54.5k11115161
Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?
– flawr
yesterday
1
@flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"
– gowenfawr
yesterday
Thank you very much!
– flawr
yesterday
3
@PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!
– gowenfawr
yesterday
1
@BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.
– gowenfawr
18 hours ago
|
show 3 more comments
Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?
– flawr
yesterday
1
@flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"
– gowenfawr
yesterday
Thank you very much!
– flawr
yesterday
3
@PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!
– gowenfawr
yesterday
1
@BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.
– gowenfawr
18 hours ago
Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?
– flawr
yesterday
Thanks for your extensive answer. Regarding your last point: Can they infer the type of card (prepaid etc) directly from the card itself or do they need to get this information from the processors?
– flawr
yesterday
1
1
@flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"
– gowenfawr
yesterday
@flawr appended update to answer to address this question; answer is "yes they can, but they're better off getting it from the processor"
– gowenfawr
yesterday
Thank you very much!
– flawr
yesterday
Thank you very much!
– flawr
yesterday
3
3
@PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!
– gowenfawr
yesterday
@PhilMiller yes, PAN is on the EMV and readable. EMV is designed to reduce fraud and cloning, not protect against disclosure - I mean, the number is still printed on the card!
– gowenfawr
yesterday
1
1
@BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.
– gowenfawr
18 hours ago
@BenVoigt Citation is personal experience (I work for a large-ish Processor) and human nature. Who wants to upload their details into a platform that doesn't allow data mining or even basic, much less sophisticated, analysis? Level 3 data is, as your link states, for Corporate, B2B, and B2G, which are minority where there's a driving reason to include that data.
– gowenfawr
18 hours ago
|
show 3 more comments
At the very least, they can get the card number. Most receipts will even have the last few digits of the card number printed on them, but the system will have had the full number at some point, and may well hold a tokenised version of the card number which is allowed under PCI (think of it being a random value which can be linked back to the card number by the tokenising service). Since the same card probably gives the same token each time (technically this is optional, but since it gives more information than the alternative, it's the more common in practice), they can go "this card also bought X, Y and Z on these dates".
They can't usually cross reference that data with other stores though - the token associated with a given card from store A is completely unrelated to that associated with a given card from store B, in a sensibly designed system. I don't know whether any tokenisation providers pool data from multiple clients, but that could be a potential nightmare under GDPR, so I'd assume not, at least in Europe.
The issuing bank can also see purchases being made, obviously, but usually in a per transaction basis, rather than individual items. That doesn't mean they can't make educated guesses about the purchases (e.g. if you make a payment to a business called "99p Donuts" for 99p, it's a pretty safe guess that you bought a donut...),
Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?
– gsnedders
yesterday
Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.
– Matthew
yesterday
So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.
– JPhi1618
yesterday
@JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.
– gowenfawr
yesterday
1
You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.
– Matthew
yesterday
|
show 1 more comment
At the very least, they can get the card number. Most receipts will even have the last few digits of the card number printed on them, but the system will have had the full number at some point, and may well hold a tokenised version of the card number which is allowed under PCI (think of it being a random value which can be linked back to the card number by the tokenising service). Since the same card probably gives the same token each time (technically this is optional, but since it gives more information than the alternative, it's the more common in practice), they can go "this card also bought X, Y and Z on these dates".
They can't usually cross reference that data with other stores though - the token associated with a given card from store A is completely unrelated to that associated with a given card from store B, in a sensibly designed system. I don't know whether any tokenisation providers pool data from multiple clients, but that could be a potential nightmare under GDPR, so I'd assume not, at least in Europe.
The issuing bank can also see purchases being made, obviously, but usually in a per transaction basis, rather than individual items. That doesn't mean they can't make educated guesses about the purchases (e.g. if you make a payment to a business called "99p Donuts" for 99p, it's a pretty safe guess that you bought a donut...),
Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?
– gsnedders
yesterday
Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.
– Matthew
yesterday
So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.
– JPhi1618
yesterday
@JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.
– gowenfawr
yesterday
1
You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.
– Matthew
yesterday
|
show 1 more comment
At the very least, they can get the card number. Most receipts will even have the last few digits of the card number printed on them, but the system will have had the full number at some point, and may well hold a tokenised version of the card number which is allowed under PCI (think of it being a random value which can be linked back to the card number by the tokenising service). Since the same card probably gives the same token each time (technically this is optional, but since it gives more information than the alternative, it's the more common in practice), they can go "this card also bought X, Y and Z on these dates".
They can't usually cross reference that data with other stores though - the token associated with a given card from store A is completely unrelated to that associated with a given card from store B, in a sensibly designed system. I don't know whether any tokenisation providers pool data from multiple clients, but that could be a potential nightmare under GDPR, so I'd assume not, at least in Europe.
The issuing bank can also see purchases being made, obviously, but usually in a per transaction basis, rather than individual items. That doesn't mean they can't make educated guesses about the purchases (e.g. if you make a payment to a business called "99p Donuts" for 99p, it's a pretty safe guess that you bought a donut...),
At the very least, they can get the card number. Most receipts will even have the last few digits of the card number printed on them, but the system will have had the full number at some point, and may well hold a tokenised version of the card number which is allowed under PCI (think of it being a random value which can be linked back to the card number by the tokenising service). Since the same card probably gives the same token each time (technically this is optional, but since it gives more information than the alternative, it's the more common in practice), they can go "this card also bought X, Y and Z on these dates".
They can't usually cross reference that data with other stores though - the token associated with a given card from store A is completely unrelated to that associated with a given card from store B, in a sensibly designed system. I don't know whether any tokenisation providers pool data from multiple clients, but that could be a potential nightmare under GDPR, so I'd assume not, at least in Europe.
The issuing bank can also see purchases being made, obviously, but usually in a per transaction basis, rather than individual items. That doesn't mean they can't make educated guesses about the purchases (e.g. if you make a payment to a business called "99p Donuts" for 99p, it's a pretty safe guess that you bought a donut...),
answered yesterday
MatthewMatthew
25.2k78092
25.2k78092
Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?
– gsnedders
yesterday
Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.
– Matthew
yesterday
So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.
– JPhi1618
yesterday
@JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.
– gowenfawr
yesterday
1
You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.
– Matthew
yesterday
|
show 1 more comment
Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?
– gsnedders
yesterday
Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.
– Matthew
yesterday
So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.
– JPhi1618
yesterday
@JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.
– gowenfawr
yesterday
1
You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.
– Matthew
yesterday
Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?
– gsnedders
yesterday
Are there differences in the data available between magstripe transactions and EMV transactions (or, heck, carbon copy!)? I would (naïvely, unknowingly) assume so?
– gsnedders
yesterday
Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.
– Matthew
yesterday
Kind of. The card number is present in all three, along with the expiration date, and name (see @gowenfawr answer). The main differences are in verification of the card - with carbon copy, that is someone checking the signature. With magstripe, can be a mix of person check and online verification that the card isn't marked as stolen. With chip, ideally it's checking that the person presenting the card knows the PIN (potentially combined with online verification). The differences don't affect the ability to track purchases though.
– Matthew
yesterday
So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.
– JPhi1618
yesterday
So the industry term is "token" and there are "tokenisation providers" ? Seems like a simple hashing algorithm would do the trick - not sure where a provider comes in.
– JPhi1618
yesterday
@JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.
– gowenfawr
yesterday
@JPhi1618 generally Merchants send card numbers to Processors (who Process them) but often the Processor will hand back a Token and the Merchant can forget the card number. This lowers their PCI scope and requirements. It's really not impactful for this question; the Processor always has both the token and the card and the Merchant can access information using the token instead of the card number.
– gowenfawr
yesterday
1
1
You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.
– Matthew
yesterday
You don't want to hash because you then run the risk of database leaks giving away actual card numbers - you know the input format (12-18 digits, fitting a Luhn check), so can reduce the search space substantially. If the database also stores the last 4 digits, and you know the valid values for the first 6 (the issuer code), you can cut it even more.
– Matthew
yesterday
|
show 1 more comment
Just to add to the previous answers: Apart from the obvious data that is entered during checkout, you can also get the issuing bank name from the first 6 numbers of the credit card number. With the bank name you can sometimes guess the country where the card was issued when you get a result like "Bank of China", "ANZ" or "Národná banka Slovenska".
I used this method (along with others) in an online store when calculating a risk factor before an order was shipped, to eliminate or flag orders that are placed with stolen credit card numbers.
If user IP, delivery address and bank card are all from different countries then your order would go on hold and flagged for manual review.
add a comment |
Just to add to the previous answers: Apart from the obvious data that is entered during checkout, you can also get the issuing bank name from the first 6 numbers of the credit card number. With the bank name you can sometimes guess the country where the card was issued when you get a result like "Bank of China", "ANZ" or "Národná banka Slovenska".
I used this method (along with others) in an online store when calculating a risk factor before an order was shipped, to eliminate or flag orders that are placed with stolen credit card numbers.
If user IP, delivery address and bank card are all from different countries then your order would go on hold and flagged for manual review.
add a comment |
Just to add to the previous answers: Apart from the obvious data that is entered during checkout, you can also get the issuing bank name from the first 6 numbers of the credit card number. With the bank name you can sometimes guess the country where the card was issued when you get a result like "Bank of China", "ANZ" or "Národná banka Slovenska".
I used this method (along with others) in an online store when calculating a risk factor before an order was shipped, to eliminate or flag orders that are placed with stolen credit card numbers.
If user IP, delivery address and bank card are all from different countries then your order would go on hold and flagged for manual review.
Just to add to the previous answers: Apart from the obvious data that is entered during checkout, you can also get the issuing bank name from the first 6 numbers of the credit card number. With the bank name you can sometimes guess the country where the card was issued when you get a result like "Bank of China", "ANZ" or "Národná banka Slovenska".
I used this method (along with others) in an online store when calculating a risk factor before an order was shipped, to eliminate or flag orders that are placed with stolen credit card numbers.
If user IP, delivery address and bank card are all from different countries then your order would go on hold and flagged for manual review.
answered 23 hours ago
iHaveacomputeriHaveacomputer
49326
49326
add a comment |
add a comment |
flawr is a new contributor. Be nice, and check out our Code of Conduct.
flawr is a new contributor. Be nice, and check out our Code of Conduct.
flawr is a new contributor. Be nice, and check out our Code of Conduct.
flawr is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207241%2fwhat-information-about-me-do-stores-get-via-my-credit-card%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
I have first-hand experience with information going the other way. Specifically, I made a purchase at WalMart with a credit card, and later, that card company asked me about the product. I had no idea they'd ever see that, only the total, date, etc.
– donjuedo
yesterday
2
@donjuedo Curious, was it a Walmart-branded card? My store-branded credit cards do have that info within store. Outside of that relationship, it's possible to pass that info up the chain, but not particularly common.
– gowenfawr
yesterday
@gowenfawr, It was not a WalMart-branded card. I usually use Chase, for the airline miles. There's a small chance it was one other card.
– donjuedo
yesterday
2
The answer to this is going to vary by country due to privacy laws. You should specify where.
– user71659
yesterday
If there is any sort of loyalty scheme involved, see the fine print. You may have agreed to your data being harvested/aggregated and used for research and/or marketing. Hilarity can sometimes ensue when they (or their analytics) get this wrong.
– mckenzm
yesterday