
This might be a little off topic but I often read articles like this, and elsewhere, speculate on the "future" where so 'n so is able to see exactly what you purchased on your cards for some nefarious reason.

So here is my question: Do stores REALLY pass on an itemised list to the credit card processor? Because it was always my understanding that all they passed upstream was the amount and the name of the establishment.

This article claims: "Imagine getting a call from your doctor if you [...] make a habit of buying candy bars at the checkout counter"

I don't think that data exists outside of the specific convenience store where you purchased the candy. The CC company would know that you spend an extra $1 at that place, but how do you tie that into bad eating habits? Maybe they purchased an apple or a cup of coffee.

I'd really love some insight on this topic, and I will happily admit that maybe my information is either out of date or just flat out wrong.



That's one reason stores like issuing their own credit cards - they have the detailed in-store data and summary external data (assuming you use the card elsewhere):

  The exploration into cardholders’ minds hit a breakthrough in 2002, when J. P.
  Martin, a math-loving executive at Canadian Tire, decided to analyze almost
  every piece of information his company had collected from credit-card
  transactions the previous year. Canadian Tire’s stores sold electronics,
  sporting equipment, kitchen supplies and automotive goods and issued a credit
  card that could be used almost anywhere. Martin could often see precisely what
  cardholders were purchasing, and he discovered that the brands we buy are the
  windows into our souls — or at least into our willingness to make good on our
  debts. His data indicated, for instance, that people who bought cheap, generic
  automotive oil were much more likely to miss a credit-card payment than someone
  who got the expensive, name-brand stuff. People who bought carbon-monoxide
  monitors for their homes or those little felt pads that stop chair legs from
  scratching the floor almost never missed payments. Anyone who purchased a
  chrome-skull car accessory or a “Mega Thruster Exhaust System” was pretty likely
  to miss paying his bill eventually.
  
  Martin’s measurements were so precise that he could tell you the “riskiest”
  drinking establishment in Canada — Sharx Pool Bar in Montreal, where 47 percent
  of the patrons who used their Canadian Tire card missed four payments over 12
  months. He could also tell you the “safest” products — premium birdseed and a
  device called a “snow roof rake” that homeowners use to remove high-up
  snowdrifts so they don’t fall on pedestrians.
http://www.nytimes.com/2009/05/17/magazine/17credit-t.html?p...


Not directly related, but I think this is an interesting story of when Target tried data mining. http://www.forbes.com/sites/kashmirhill/2012/02/16/how-targe...


Target in all likelihood had been "trying" datamining previously, and since.

Though they might try hanging on to their customers' credit-card details a bit more successfully.


Seriously, can you get more vicious thinking inside the company, when the policy is to spend money on r&d on how to mine users' data better, but at the same time not to worry enough about their cc security?

Don't be evil, anyone?


Misaligned incentives, risk models, and much else. I'm fuzzy on details but understand Target was warned of security deficiencies.


I'd pay for an itemized list of all the stuff I've bought at the grocery store(s) over the last 6 months. I'd love that level of insight into budgeting what is my family's third biggest expense.

FWIW, none of the stores I go to have loyalty cards, though I'm pretty sure that they could do matching based on hashed card values or the name they get back from the card. (That's could, not that they do. I'm not sure if PCI would look at them sideways for hashing card values and using that as a key for a data store)
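
An added illustration of the hashed-card-value matching described in the comment above (not part of the original comment and not any store's actual code): card numbers are short, Luhn-constrained digit strings, so an unkeyed digest can be reversed by enumeration, and the example therefore uses a keyed HMAC as the join key. `DEMO_KEY`, the function names and the sample baskets are assumptions constructed for this example.

```python
import hashlib
import hmac
from collections import defaultdict

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: a real key lives in a KMS/HSM

def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def normalize_pan(raw: str) -> str:
    """Strip separators and reject anything that is not a plausible card number."""
    pan = raw.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a valid card number")
    return pan

def bare_digest(raw: str) -> str:
    """Unkeyed SHA-256: the same value for anyone who hashes the same card."""
    return hashlib.sha256(normalize_pan(raw).encode()).hexdigest()

def card_token(raw: str, key: bytes = DEMO_KEY) -> str:
    """Keyed HMAC-SHA256: a stable join key that cannot be recomputed without the secret."""
    return hmac.new(key, normalize_pan(raw).encode(), hashlib.sha256).hexdigest()

def remaining_guesses(pan_len: int = 16, known_prefix: int = 6, known_suffix: int = 4) -> int:
    """Card numbers consistent with a known issuer prefix and known last digits."""
    unknown = pan_len - known_prefix - known_suffix
    return 10 ** (unknown - 1) if unknown > 0 else 1  # Luhn keeps exactly 1 in 10

def build_history(transactions, key: bytes = DEMO_KEY) -> dict:
    """Group itemized baskets by card token; the card number itself is never stored."""
    history = defaultdict(list)
    for raw_pan, items in transactions:
        history[card_token(raw_pan, key)].extend(items)
    return dict(history)

# Constructed sample data using publicly documented test card numbers.
SAMPLE = [
    ("4111 1111 1111 1111", ["milk", "candy bar"]),
    ("5555-5555-5555-4444", ["birdseed"]),
    ("4111111111111111", ["coffee"]),
]
```

With the issuer prefix and the last four digits known, `remaining_guesses()` shows how few candidates an unkeyed digest leaves, which is why the keyed form is the one to store.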


There are a number of receipt scanning services which can provide what you're looking for (they are mostly B2B, but do what you basically suggest) https://www.shoeboxed.com/ http://www.neat.com/ etc...


Neither shoeboxed/neat provide itemized data.


A grocery store I visit has recently ended their loyalty card program. My assumption is that they're doing what you describe, and don't care much about the few people who pay cash. Tracking itemized purchases is probably critical business information at this point for any large chain.


I'm surprised there has been no leak of purchases from major restaurants or retailers, just credit card datasets.

Does the California law only require disclosure of leaks of financial information, or do businesses finally start taking proper security measures (and/or airgapping) when there is business intelligence at hand?


It's the former. Laws cover payment info. Also, payment info is more valuable to steal, and more compact to transmit and easier to decode from the raw storage data.

Once you have any security in place, it's probably more complicated to NOT include your payment database in it. PCI auditor will actively inspect your payment database attack surface.


Just curious, but what country/part of the country do you live in? Virtually every store I walk into either has a loyalty points system, a credit card, or both.


I've suspected loyalty points programs are just an accounting trick. You're creating your own currency which doesn't always get used up, and you can devalue whenever you need to make your quarterly numbers.

And if your program really catches on, you can get other retailers to sign on, creating a side business, or spin it off as a separate business if someone is willing to pay you for it (it's easy to segment off from your core business).


In general, store points and so forth are something that stores hope you'll perceive as being of greater value (and hence encourage loyalty) than they'll ever have to actually deliver on.

The norm with grocery stores though seems to be more in the vein of giving instant savings to card holders. Some chains (Safeway out West is one of them I think) have so many and such deep special prices that I have a card even though I only shop there on vacation sometimes.

(Interestingly, Shaws--which is an Eastern US chain now owned by a European company I believe--discontinued their card in this vein a few years back.)


An island outside Seattle. We don't have any large chain stores on the island. There are 4 grocery stores, all independent, serving a community of about 15k people. There's also only one fast food chain, a Dairy Queen.

The only loyalty card I actually use is the coop feed store, I think the hardware store might have one too, but I've never bothered with that.


My understanding is that there are three levels of credit card processing (1, 2, and 3 - corresponding to different amounts of information transmitted about the transaction). I've heard from individuals supposedly familiar with payments systems in stores and payment processing that many big chains have a level 3 credit card processing system in place for consumer purchases.

One part of level 3 processing is a line item list of what was purchased. So if it is true that there are stores using a payment system that routinely transmits level 3 information for consumer purchases then it would follow that the credit card processor does currently have the information on exactly what you are buying from those particular stores (not just the merchant and the total amount).

I just did a quick minute or two of web searching and didn't see a trustworthy looking link describing the practice of level 3 card processing for consumer purchases. Maybe someone with experience in the card processing industry could comment on this?


It exists but apparently is not used for consumer purchases: http://en.wikipedia.org/wiki/Merchant_account#Level_2_or_Lev...


Yeah, I saw that section on Wikipedia also. But I believe I've found a link indicating that level 3 is being used for consumer purchases in at least some individual stores.

If you look through Visa's supplier locator at https://www.visa.com/supplierlocator/ you can search for a business (or category of business) at a particular address or zip code. It will tell you the MCC (category) and appears to also show the data level reported to Visa.

I looked up Safeway grocery stores near Seattle. If you take a look at the one at 14444 124th Ave NE, Kirkland WA 98034 the data level is 'Fleet, Level III Line Item, Level III Summary'. I take this to mean that anyone using a Visa card at that particular Safeway will have their line item receipt sent to Visa. I would be surprised if the other credit card processors don't have setups like this as well.


Oh dear! Someone awesome should create a directory of such locations/merchants so we can all avoid them.


No, generally the credit card company receives a message with the following data - card info (duh), amount, merchant ID, merchant category. So they don't have to guess if 'McGuffin ltd' is a pharmacy or a restaurant, and they may know that you shop at mcdonalds often, or have never bought anything from a pharmacy, but no more than that.

I don't recall if a single merchant may/must offer different codes depending on the type of goods sold (i.e., a gym selling a membership vs selling a soda). I believe not, but it might be an option.

The only place that would get such itemised info is the multi-store loyalty cards; those do link a person to itemised purchases.


I think there are certain stores that routinely report itemised info. I just posted this link in another comment thread but check out the https://www.visa.com/supplierlocator/ search results for the column 'Enhanced Data Level'.

If you search for the Safeway grocery store at 14444 124th Ave NE Kirkland WA 98034 - the data level cell contains 'Level III Line Item'. I believe this means that at least for Visa, that store is using level 3 credit card processing and line item receipts are reported to Visa.


If you go to Walmart, you will notice when checking out that each item scrolls across the Ingenico POS. I believe they use FirstData (formerly part of AmEx, now privately held by KKR) for their merchant acquirer which is receiving this SKU data. FD used to offer services to the CPG industry using this data.


Yep, Credit Card companies do not have SKU level data. Loyalty cards AND (email or paper) Receipts have such data.


They aren't just mining your credit cards. TFA specifically also mentions store loyalty programs, which do track itemized purchases.


I bet you could detect a lot of candy buyers through their patterns of convenience store purchases. There's also candy stores, fast food, and restaurants that are known for rich food. Machine learning could probably figure out a lot if trained on the confirmed habits of other people whose purchase records are available. You could do customer surveys to get the data, or put what you want to know into the intake form.

What I don't buy is that people's habits will generally predict their health situation. I think this is a report on a press release of what some medical business association imagines that the person that they're hoping to recruit from somewhere will be able to do. I think the benefits will end up far lower than the costs.


You don't even need a loyalty card. Match up the amount and time of the charge to the in-store inventory system, and you can be about 99% sure that you are correctly matching the person's card to their purchase. If the store scans a UPC, then that UPC is in their system. Sure, the receipt may just print 'candy bar' but the UPC says 'Butterfinger 2oz classic bar'.


The receipt already contains the payment number and the purchase content UPCs. No need for uncertainty at all.


The UPC is a simple linear barcode storing only digits which refers to the product in the inventory system.


It depends on the merchant and the processor. Some, like PayPal Pro [1], support sending a list of items; Stripe and Braintree appear not to. It is always optional.

[1]: https://developer.paypal.com/webapps/developer/docs/api/#ite...


Potentially could make assumptions about establishment and value... $2 at gas station probably isn't gas, etc. Hard to do though.



