From tapping a card at the checkout to typing in details online, making a payment is now a fast and convenient process across every medium. But the ease with which we can make payments is also making it easier to take fundamental things – like privacy and data – for granted.
With debit card transactions, for example, it is not just the receipt that reveals a record of your payments and items that you buy. This data is often stored in POS (point of sale) systems and elsewhere, such as in reward programs you’re a member of, with more and more companies harnessing this kind of metadata for marketing and other purposes.
While the value of metadata from a corporate perspective is clear, people are only just starting to realise how much insight these records can provide about individual consumers. As our payment methods make it easier for this data to be recorded, stored and analysed, it’s also becoming more important to understand how third parties can use details of our transactions (both legitimately and questionably).
So just how much can someone figure out from your transactions? This guide explores how much transaction data reveals about us, what data is used for, and the potential implications for our purchasing habits, privacy and security.
On This Page
- What data is stored from transactions?
- How merchants and third parties use purchase data
- Purchase data anonymity
- Data security
- Protecting your identity during the purchase process
What data is stored from transactions?
At a basic level, the data stored from transactions includes the time and date, location, total transaction cost and payment method. It could also include details of individual items and prices. By law these details are “anonymised”, meaning that details like your name (as it is on your debit card) and card numbers, are excluded from the recorded data.
These details are just the tip of the iceberg now, however, as merchants encourage us to provide more information through reward programs and online accounts. If you sign up to the Coles flybuys or Woolworths Everyday Rewards program, for example, the actual items that you purchase are stored against your account for later reference.
How merchants and third parties use purchase data
Anonymous purchase data is used by businesses to keep track of things like store sales, budgets, total number of customers and transactions and so forth. It is also essential for general sales operations, such as processing a return.
This anonymised data helps businesses refine their strategies and service offerings for customers, helping them figure out things like the busiest times of the day and week (so they can roster on more staff), the most popular ways to pay and even the kinds of cards that are used. For example, a store that is signed up to process American Express cards (which cost merchants the most to process), but only processes 1-2 AMEX transactions a month for a whole year, could use that anonymous data to choose whether or not it’s worth keeping the AMEX option.
But personalised data is even more valuable to businesses, providing them with insights into what each customer wants and how they can provide the best value and service through promotions and marketing strategies.
As the Queensland government’s Business and industry portal puts it: “Collecting and storing information about customers is essential to tailoring your customer service program and growing your business.”
The two major supermarkets, for example, use their reward programs to track what customers purchase, how many purchases they make a week, and the total spending per transaction. This information can be used for things like emails with tailored specials, or customised reward offers.
Similarly, airlines Qantas and Virgin Australia collect customer data to inform their latest sales and other promotions. So if you frequently fly between Melbourne and Sydney, for example, you could get an email with offers focused on these two cities.
A huge variety of other companies are also starting to use this data to inform their interaction with customers, particularly online. Targeted search results, email catalogues, special offers and suggested products are all formulated based on the data a business has stored for you.
Purchase data anonymity
While personal details are removed from a lot of the data recorded when you pay by card in order to keep it anonymous, a recent study has revealed just how easy it is to use this data to identify individuals.
Researchers at the Massachusetts Institute of Technology (MIT) used data recorded from three months of credit card transactions by 1.1 million users to prove that they could easily identify people based on the anonymised information provided. As MIT explains in a news release:
“The data set the researchers analyzed included the names and locations of the shops at which purchases took place, the days on which they took place, and the purchase amounts. Purchases made with the same credit card were all tagged with the same random identification number.
“For each identification number — each customer in the data set — the researchers selected purchases at random, then determined how many other customers’ purchase histories contained the same data points. In separate analyses, the researchers varied the number of data points per customer from two to five. Without price information, two data points were still sufficient to identify more than 40 percent of the people in the data set. At the other extreme, five points with price information was enough to identify almost everyone.”
Their findings – published in the industry journal Science in January 2015 – revealed that just four fairly vague pieces of information (the dates and locations of four purchases) are enough to identify 90% of cardholders.
“Our work shows that human behavior puts fundamental natural constraints to the privacy of individuals and these constraints hold even when the resolution of the dataset is low; even coarse datasets provide little anonymity,” researcher Yves-Alexandre de Montjoye says of the project on his website.
He says that there are many potential benefits from using this data, but that this research highlights fundamental privacy flaws in the current system and makes it even more important for people to be aware of possible limitations and risks.
“…I do really believe that this data has great potential and should be used,” de Montjoye says.
“We, however, need to be aware and account for the risks of re-identification.”
Basically, the study shows that we can’t take our privacy for granted, even when paying with plastic (whether it’s a credit card or a debit card).
The implications found from the MIT study extend to privacy and data security concerns for individuals. In the past few years, there have been huge data leaks for major retailers – particularly in the US.
Information about hacking in Australia is less forthcoming, but regardless of that, the online marketplace makes it easy to shop with merchants anywhere in the world, exposing us to more data breaches than ever before. And when you think about how easy it was for de Montjoye and his colleagues to identify people, the implications of hacking also become a bigger concern.
Theoretically, hackers could target the most basic data sets, and still figure out exactly who has purchased what, and even build up a profile for each individual (without even having access to their names or credit card details). That would make it easier for them to track the people they have identified and get even more personal information, which could then be used for credit card fraud or identity theft.
But a worse scenario is hackers getting access to the data stored under your name. If they infiltrated a rewards program, for example, they would know personal details including your name, address, basic spending habits and purchase activity. What’s more is that if they hacked into an online store profile you have set up, they could even have access to your credit card, debit card and bank account information.
Smart fraudsters could even use this data to make debit card fraud seem less suspicious. While anti-fraud monitoring services often pick up unauthorised transactions based on the merchant locations, if a criminal knows how and where you typically use your card, they could target the same or similar places as a way of staying under the radar. So instead of your card being used for purchases at a Walmart in Colorado, for example, it could be used at a store in your own neighbourhood, or with an online retailer you’ve shopped from before.
Put simply, the more a criminal knows about you, the more likely they are to get away with debit card fraud for a longer amount of time. And transaction data stored by retailers and other merchants you use could play a part in card criminals’ master plans.
Protecting your identity during the purchase process
So how can you make purchases with your cards and not worry about your privacy and security? There isn’t really one solution to the problem at this stage, but there are a few things you can do to reduce the risks – starting with taking more interest in how your data is stored.
By reading privacy policies and asking merchants what data is stored, and how it is stored, you will get a better sense of which companies are looking after this data as best they can. You’ll also be able to make more informed decisions about how to pay at different merchants, and how many online accounts you want to maintain. Other things you can do to protect your identity and details during the transaction process include:
- Choosing not to provide voluntary information (not all transactions require a phone number, for example),
- Using one main account for your online purchases (such as PayPal),
- Sticking to just one card for most transactions,
- Regularly updating antivirus software on your computer and mobile devices,
- Keeping track of how, when and where you use your card; and
- Regularly checking your transaction history for suspicious activity.
While customer and transaction data is an essential element for most businesses these days, that doesn’t mean it has to infringe on your privacy or card security. By being aware of what data is stored, how it is used and the protection surrounding it, you have a better chance of keeping your details safe and reminding companies of the importance of up-to-date security.
The simplicity of paying with plastic makes it easy to get what you want and then forget about the transaction completely. But as the information here shows, that transaction data stays on records for years and can be used in a range of different ways.
Being aware of the value of your data – from both a commercial and personal perspective – gives you a chance to make more informed decisions and so that you have more control over who has access to your information (and how much they actually know).