back to article Credit card companies plan to sell your purchase data to advertisers

Visa Inc and Mastercard Inc are working on a system for delivering online behavioural adverts to consumers based on what they buy in shops, according to media reports. The US-based credit card networks have developed "preliminary" plans to place shoppers into groups based on their in-store purchasing history and sell the …


This topic is closed for new posts.
  1. Usually Right or Wrong


    All your data is ours - you mean you didnt read the T's and C's on page 12,378, paragraph 74, line 1054 (no 1 point is not too small, that's why it is called small print, dummy!)

    All my data leaking mut be my fault then.

    1. Grease Monkey Silver badge

      Hardly. EU and UK law requires a very specific opt in when it comes to passing your data to third parties. IOW the companies could not hide this deep within the Terms and Conditions. If you have not checked the box that says they can pass your data to third parties then they cannot sell or otherwise pass on your data without breaking the law.

  2. JakeyC

    Oh well

    Looks like it's time to start carrying nothing but cash in my tinfoil RFID-shielded wallet now then!

  3. jake Silver badge

    Now ask me ...

    ... why I've been cash-on-the-barrel-head these last 25 years.

    If I need to use credit to purchase something, I get a cash loan. The banker never gets a chance to observe what I do with the funds. Nor should he.

    1. Grease Monkey Silver badge

      Of course that means you won't be able to order your tinfoil hat online.

      1. jake Silver badge

        @Grease Monkey

        I have never purchased a single item online. Nor am I ever likely to. Why would I? I can get anything I will ever need in life within a two hour's round-trip from where I sit as I type ... with the added benefit of being able to look the seller in the eye whilst sealing the deal with a handshake.

        I don't wear hats. Of any kind.

        1. Fibbles

          I'm guessing you won't buy from anybody who doesn't have a firm grip and steady gaze during a handshake either? It's the only way to tell you're not being ripped off!

          Also, cash loan? I've seen pre-aproved junk mail credit cards that charge less interest...

        2. Anonymous Coward
          Anonymous Coward

          Chances are you'll also need that loan as you'll be paying more for everything you buy.

        3. Graham Marsden
          Thumb Down


          "I can get anything I will ever need in life within a two hour's round-trip from where I sit as I type"

          Do you have nothing better to do than spend a couple of hours driving to buy something when, instead, you could get it with a few clicks of a mouse?

          And how much petrol (or diesel) do you burn whilst doing that? And how much does that item cost? Are you really willing to spend extra time and money buying something from someone with a steady gaze and a firm handshake (something which any con-man worth his salt naturally practices carefully) when you can get it cheaper and more easily and delivered to your door just so you can avoid using cards?

          1. jake Silver badge

            @Graham Marsden

            Me & mine travel all over Northern California & most of the this side of the Rockies. It's a hazard of breeding & showing dogs & horses. Fortunately, we know how to multi-task. Dawg show, horse show, eyeballing a used water truck, or a cylinder head for the Perkins in my Monterey Clipper ... the trick is to make the minutes work in your favo(u)r.

            Con-artists, at least in this scenario, are laughable. Purchasing stuff on TehIntraWebTubes[tm]? Maybe not so much.

          2. jake Silver badge

            @Graham Marsden

            "Do you have nothing better to do than spend a couple of hours driving to buy something when, instead, you could get it with a few clicks of a mouse?"

            I'm going that way anyway. Mouse-clicks aren't even close to kicking the tires.

    2. Clyde

      Ref : Now ask me ...

      "If I need to use credit to purchase something, I get a cash loan. The banker never gets a chance to observe what I do with the funds. Nor should he."

      Who in god's own name DOWNVOTED this post ?

      They should be handed over, plastic cards held high, all personal pecadillos exposed, no shame whatever in their brainless faces, to the grasping gormless godforsaken minions of the Great Lord High Finance and His Prophetness on Earth - the Most Exalted Anonymity of the Financial Services Industry, on whose blessed being we pour all our wealth and trust.


      1. IT veteran

        I think they are down-voting it because cash loans are notoriously expensive: they are not called legal loan sharks for nothing...

  4. Anonymous Coward
    Anonymous Coward


    How do they plan to link my card number to my browser unless I log onto something first using the same email address I associated with my card? Cookies aren't much good - I could buy something online from a shared computer (yes, not wise for other reasons, but it could happen) - would the "targeted ads" then be shown to all users of that pc?

    Perhaps (probably!) I missed something, but it doesn't stand up as an efficient working model to me. Perhaps it is just a marketing wet dream that accidentally escaped the asylum.

    And it would be really annoying to think it was being done anyway of course...

    1. Anonymous Coward
      Anonymous Coward

      Ever use Internet banking?

      "How do they plan to link my card number to my browser unless I log onto something first using the same email address I associated with my card?"

      1. Anonymous Coward
        Anonymous Coward

        Of course

        But not necessarily from my own PC. How do they know it is me when I am on another device and I have not made any transaction using a card?

    2. John G Imrie

      They don't have to link your email to the card

      They just have to tweak the last part of your online perches experience. You Know the bit where they ask for the fist, third and one thousand seven hundred and sixth letter from your password.

      1. chr0m4t1c

        But that only works once you've made a purchase, which reduces the usefulness of the advertising.

        Not that marketeers show much sense in this respect, I've taken several surveys that go along these lines:

        When did you last purchase a TV set? Three weeks ago.

        Are you planning on purchasing a new TV set in the next month? No.

        Why not? Er....

    3. PatientOne

      @AC 09:46

      I was wondering the same.

      They'd have to use a persistent cookie in case you purge cookies when closing the browser, at which point why not simply put a list of group ID's in the cookie so they aren't selling your data, they're just selling the definition of their own groups.

      How would they get the cookie on your PC? Well, I suspect the only time people have direct contact with Visa or Master is when we're making an online purchase and we use their secure payment system. At that point, yes, they could put a cookie on your PC.

      But at that point why not simply put a list of groups they've put you in into the cookie? Then they sell the group definitions to other companies, or they sell a plug in for advertisers that reads the cookie for them and simply tells them what market group you fit in (according to the credit card's interpretation of your purchases, that is). That way they never send any information you have given the card company directly: They only sell their classification of you based on their assessment of your purchases. May be how they intend to get around data protection laws...

    4. Steven Roper

      They don't need to

      link the card number to your browser. Every time you buy something with your Mastercard or Visa, the transaction is recorded by them regardless of where you use the card. You know, the data presented to you on your credit card statement each month?

      This is the data - your card's purchase history - that these fuckers are planning to sell.

      I've already sent an email to Mastercard advising them that my purchase history is my personal data and therefore my intellectual property. I've explained that I am willing to sell them this data for use in their advertising campaigns in exchange for a permanent waiver of any and all interest and credit card fees. Unauthorised use of my data will result in an infringement case being brought against Mastercard in my local court. I have yet to receive a reply, but rest assured, I will not sit still for this.

      1. Silver

        Re: They don't need to

        Good for you. You tell 'em.

        Out of interest, you do know that Mastercard doesn't actually set your interest or credit card fees though right?

        That would be the bank that issued the card.

  5. metaspective

    Expected this...

    ...and what about the data already collected from previous transactions?

  6. Tomato42


    Just another day that I'm glad that I live in the EU and not US.

    1. g e

      Chances are that doesn't matter

      The data will still flow to a US server which the EU has been assured by all and mendacious US sundry that DP laws will be observed while EU purchasing habits are sold to US companies which have operating bases in the EU.

      Fucked all the same.

      1. Tomato42

        @g e

        It would still be illegal under EU DP laws

  7. Dan 55 Silver badge

    And how are they going to connect people's offline and online ID?

    The only thing I can think of is that they wait for the first online purchase with VbV and whatever the MasterCard equivalent is then set cookies for every advertising network under the sun, or every advertising network under the sun makes use of a 3rd party cookie hosted by Visa/MC.

    Pretty easy to defeat with something like NoScript or RequestPolicy.

    1. Gav

      This is how

      One answer to your question; Facebook (or Google+ come to that).

      Simply get your mindless sucker, I mean, customer, to "like" your card/bank/insurance/discounts scheme/any-other-subsidiary-you-care-to-mention and you've got them. Bang. Online identity synced with Financial identity. Sit back and await the social networking revolution to do its work.

      Why do you think companies of all sorts are falling over themselves inventing spurious reasons for you to visit them on Facebook?

      1. Chris007
        Big Brother

        "Why do you think companies of all sorts are falling over themselves inventing spurious reasons for you to visit them on Facebook?"

        That and the NSA / MI5 / MI6 / CIA etc have been dreaming of having this kind of "database" for years and now people are willingly putting any and all info about themselves online for them to search/profile etc.

      2. Dan 55 Silver badge

        @This is how

        Even if someone follows Visa/MC on Facebook, Visa/MC wouldn't be able to work out that this is Mr(s) XYZ with card number 1234 5678, their offline purchases are made in these shops, therefore they can be shown targeted advertising for these things on the web via several advertising networks. Or I don't think they will be able to.

        I still believe it will either require a degree of opting in which crosses the creepy line (logging in to VbV/MC Securecode and giving them your e-mail address, Facebook ID, G+ ID, etc...) or setting up cookies after the first purchase by VbV/MC SC.

        Either way people can opt out in the first case by not giving this info as there's no law which says that people have to have an e-mail address or Facebook profile or in the second case telling the browser to delete cookies on closing.

        1. Mark 65

          @Dan 55

          I suspect all it takes is one special offer that is accessed using card and Facebook.

          1. Dan 55 Silver badge

            Thank you sir, that makes sense

            Purchase something via G+ or Facebook and bob's your uncle.

            I can imagine using an Android phone to buy stuff through NFC will do the trick too.

            And people will do it as well.

    2. Anonymous Coward
      Anonymous Coward

      They don't need a cookie to identify you, whenever you make a purchase with your card, your card goes through their authorisaton platform which gets to see how much you are spending and where you are spending it. they also get the chance to store this information for mining later.

      That information alone is gold dust to marketeers

      1. Dan 55 Silver badge


        Indeed, that is your offline (cardholder) ID. They do need cookies to target advertising through ad networks at you while you browse though and they need to tie those cookies in your online session to your offline (cardholder) ID, otherwise all that information is useless.

  8. James 139


    do I get the horrible feeling this will involve an updated set of terms that will mean you must accept them, and have your details sold off, or have your card cancelled?

    1. Number6

      Go for it

      I have in the past cut up a card and returned it because I didn't like a change of conditions (the one imposing a fee, most often). Whether you'd get enough people prepared to do the same for privacy is another matter.

      I like to think that they'd lose far more by me closing the account than they'd gain from selling the data.

    2. Mark 65


      Can't happen. That, by definition, is not opt-in.

  9. Robert E A Harvey

    Not sure what to think about this. I am, of course, against it on first principles.

    But my buying history would almost certainly blow several fuses in the algorithm, so I would get my vengance that way.

  10. smudge
    Black Helicopters

    How could they find me?

    I don't manage my cards online and I'm pretty sure I've never given them an email address.

    So how would they know when and where I was online?

    Even if they knew my IP address, how could they know that it was me in front of the screen, and not the wife or kids?

  11. You Are Not Free

    I do not wish to be commoditized in this fashion.

    However, using a credit card means you are using someone else's wealth, not your own and if the people that own that wealth want to increase the price you pay for using it, then that's up to them.

    I hope this does not creep to debit cards.

    1. metaspective


      ... but with the advent of the much-vaunted cashless economy, all transactions will be up for analysis. Then it doesn't matter what kind of card is used.

  12. Alistair MacRae

    Really? :(

    In a world where firms are frequently losing people’s personal data, do we really need to spread it around even more?

  13. Da Weezil

    No Way!!!!

    2 words for the abusive duopoly ... the second word is "off".

    May habits... my personal data... not for sale - especially not to ass-hats that I have no relation ship with.

    This has to be a huge invasion of privacy!..I'll go back to cash shopping then, and save on all the interest too.

    I guess the ICO will sleep though all this too... the system is corrupt... which makes me wonder about the corruptibility of those controlling it.

  14. Eponymous Cowherd

    How would this work?

    Assume that I use my visa card to go on a mammoth shopping spree.

    Assume that Visa are allowed to, and do, track the purchases I make with that card.

    I now go online and start browsing t'intewrwebs.

    How do visa intend to tie my card purchase history to my web browsing? The only way they can do this is if they tie something that identifies me online (IP address, cookie, etc) to my card account, which means that they can only do this when / if I enter my card details online, which requires the collusion of web retailers.

    Now, I'd imagine the last thing that an online retailer like Scan, Dabs, etc want is for me to be bombarded by competitor's ads because they pimped me to Visa.

    Shocking proposal, in any case. Do these people not learn? Did they not see the shitstorm of bad publicity that arose from the BT/Phorm debacle?

  15. Disgruntled of TW

    Rock and a hard place ...

    So, VISA and Mastercard issue new T's & C's and say "let us sell your data or cut your card up". Not really a choice in today's society.

    1. Grease Monkey Silver badge

      One more time: "They can't do that under EU law."

  16. Anonymous Coward
    Anonymous Coward


    I had the misfortune to work with a "data aggregation" company back in dot com days and was astonished at the level of information these fuckers could provide and that was in 1997/1998 FFS! I shiver to think about how they have evolved since.

    This is something that needs to be regulated very strictly, but I imagine it will carry on in the same half arsed fashion in its current form on both sides of the Atlantic.

  17. Jonathan White
    Big Brother

    I can't imagine they'd go as far as 'agree to this or we close your account' - remember with a credit card, you owe them money, not vice versa. They have thw authority but at the end of the day you have the money as a bargaining chip. If they say "right, we're going to close your account because you didn't agree, give us the money' and you say 'haven't got it, sue me', are they really going to do that? For thousands of people? With all the publicity that entails, telling everyone exactly why they are changing the T&C?

    They will want to sneak this through on the quiet. They'll go with opt-in for existing customers (with incentives to do so) and make it a standard clause in new contracts. That way they get the same effect in a few years with no noise and much less publicity.

  18. matthew1471

    This makes me wonder about how much data supermarkets know about our shopping habits, even if you've never signed up to a loyalty scheme.

    I've never signed up to [for example] Tesco Clubcard, but that doesn't mean they can't track my shopping habits through my debit card number. It must be very valuable data to them.

    1. regorama

      That would be illegal

      It's illegal to track people unless they have given their express consent. In Europe at least.

    2. Anonymous Coward
      Anonymous Coward

      That's probably a PCI-DSS fail.

  19. Anonymous Coward
    Anonymous Coward

    my thoughts on how it will work

    you are making the assumption that this will be targeted ads at you _directly_, which is where I believe you are making a mistake.

    The way I read the article, Visa and Mastercard will look and see what did people in 'Block A' buy from brick and motor stores (and even online). Then it will sale that information as: Block A is interested in beer.... give them adverts for pubs and liquor stores.

    So expect targeted ads in you mail box based on what the people in your street have bought!

    1. Dan 55 Silver badge

      Geo-IP isn't that good (yet)

      ISPs don't allocate IPs based on the street or town.

      1. Anonymous Coward
        Anonymous Coward

        Re: Geo-IP isn't that good (yet)

        what you write implies that you still think that this will have to do with online advertisement or online tracking. The point I am trying to make is: this whole thing will be _offline_.

        They will see what type of stuff is being bought by the people in your area, then sale that info to advertisers. Advertisers will then deliver physical adverts to your mail box.

        note, the online online tracking they will do is, they will see where the physical product get delivered to, and sale that. Although, now that I think about it.... advertisers will have a better chance with ebay and Amazon (and other such places), just let they know what type of product each household is interested in and they will be delivering very very VERY targeted adverts! (this is worrying).

        1. Dan 55 Silver badge

          Re: Geo-IP isn't that good (yet)

          The article starts with "delivering online behavioural adverts to consumers based on what they buy in shops". I think Mark 65 hit the nail on the head above.

          However I wouldn't mention your idea too loudly, we don't want to give them any more ideas.

  20. Anonymous Coward
    Anonymous Coward

    Smart plan, at least they're not as stupid as The Register who just give our details away for free

  21. DaeDaLuS_015

    opt in/opt out

    This is one thing that drives me mental on forms. There should be a law created outlawing the use of "opt out" boxes because they are a trick in essence. People are far, far too busy doing other things, if you don't tick something it should not under any circumstances include you in something. Seems obvious really.. So incredibly tedious. The local council got one of my relatives with this, all of a sudden you can find her address, phone number, how many people live in her house, etc quite easily on the internet because apparently even the local f*****g council is selling details on... and for paying a damned tax of all things. It's disgusting.

    1. peter_dtm

      yes - the Electoral role

      and the phrasing they use on the opt out sort of reads backwards as well; so I suspect lots of people tick the wrong box - probably what happened with your relative

  22. Derichleau
    Thumb Down

    Section 11 every time

    Financial organisations couldn't give a toss about their customers; they see us simply as a commodity to be exploited. If they're not charging us high interest rates they're selling our details to other organisations. But one thing's for sure... they hate the ICO! Pop a question to any financial organisation and they're likely to quote their code of practice rather than data protection law in response. I've made the FSA aware of this on a number of occasions because in the majority of cases, their code of practice is not legally binding whereas the DPA98 is. The FSA are just not interested.

    Your best bet is to section 11 all financial services organisations that you do business with. Section 11 of the DPA98 requires an organisation to cease processing your personal data for direct marketing purposes - by whatever means. Failure to comply with a section 11 request can result in criminal prosecution, non-criminal enforcement or audit against the offending organisation. All my banks have to remove the advertising from the envelopes that contain my bank statements - I love it!

    1. <shakes head>

      can i section 11 google?

    2. peter_dtm

      I wonder ...

      add this to your email signature :

      tick box and return email to indicate this email is not de facto accepted as a written instruction to apply section 11 of the DPA98 act; failure to do this will mean your organisation accepts this as a written request to apply section 11 of the DPA98 with immediate effect

      a sort of consumers revenge for all those sodding opt out boxes ....

  23. RobE

    Something in return!?

    This is a huge "data slurp" that credit card companies expect to get for free?! they should really think this through carefully.

  24. Anonymous Coward
    Anonymous Coward

    Look to how VISA and MC treated Assange

    Obey or else we cut you off.

  25. This post has been deleted by its author

  26. Anonymous Coward
    Anonymous Coward

    Purchases: Shovel, binbags, vat of strong acid

    Adverts: Criminal defence lawyers, flights to Brazil

  27. Velv

    More Complicated than it appears

    Visa and Mastercard do not issue cards. Repeat - DO NOT ISSUE CARDS

    Banks issue cards under license from the Handler (Visa, Mastercard), however it is the BANKS who set your terms and conditions. Don't like the T&Cs, CHANGE BANKS. Complain to the banks if you think your data is being sold.

    (that aside, the cynic in me thinks *anyone* using my purchasing history to target advertising or other services is a bad idea)

  28. Anonymous Coward
    Anonymous Coward

    Cash Rules!

    I love the faces on the droids at Tesco's when I ...

    - Don't swipe the clubcard they refused to give me despite a perfect credit history

    - Pay with good old CASH.

    anon, coz BB is everywhere.

  29. Cthulhu

    I assumed

    that this sort of thing already happened..?

  30. Anonymous Coward
    Anonymous Coward

    To people who believe this is about web browsing

    It is not about about web browsing.

    Visa or Mastercard don't care about about what you look at on the web.

    They exactly know who you are, what you buy, from which seller, where you live, where you are buying from, and using what kind of method (online, in the shop).

    So yes, they are sitting on a pile of data that just begs to be analyzed.

    Also, it might not have escaped you that Visa just made a deal with Google?

  31. Anonymous Coward
    Anonymous Coward

    Even cash might be traceable...

    Often get cash from a machine located near the nightclubs in town? See adverts for alcoholic beverages.

    Often get cash from a machine outside the supermarket? See adverts for rival supermarkets.

    PS: Card companies- this idea is (c) 2011 Anonymous Coward, please do not steal.

  32. Anonymous Coward
    Anonymous Coward

    This is just one of the (many) reasons I only ever make day to day purchases in cash.

    I cut all my credit/debit cards up 5 years ago, never looked back.

    Debit & Credit cards only really benefit the banks & government. They've conned people into giving up freedom and anonymity in the name of convenience.

    Plus, a lot of small businesses will give you a nice discount for cash.

  33. Titus Aduxass

    I may be showing my ignorance here.

    How would the Credit Card companies know what I've bought? Surely they only know who I've bought from and how much I've paid. that's hardly going to lead to advertising that's very "targetted".

    1. Anonymous Coward
      Anonymous Coward

      Through the MCC code, see here:

      that should suffice (broadly)

    2. Anonymous Coward
      Anonymous Coward

      You're right: they don't know what you bought

      They don't even know who you are.

      The absolute maximum they (Visa & Mastercard) know is that a specific card issued by a member bank was used to make a purchase from a particular merchant. They know the date, time, amount and risk score of that purchase but nothing else. They don't even know your name - that field isn't sent from the acquirer (the shop's bank) through Visa/Mastercard to the issuer (the bank you got your card from).

      They do have the history of the card's usage though and that data is what is likely to be analysed on behalf of issuing banks. That data can only be made available to the bank that issued the card and it's the bank that would/could use it for marketing purposes - not Visa/Mastercard.

      Some pretty shoddy reporting by the WSJ here.

  34. Alain Moran

    They *will* ask for your fully informed consent

    However that informed consent will boil down to a choice between a 2% interest rate and a 29% interest rate.

    1. Grease Monkey Silver badge

      You might think so, but they're not allowed to do that. They can't make any services or costs conditional upon your opt in or out.

  35. Anonymous Coward
    Paris Hilton

    What title

    Well why not stop using the cards and pay them off, that way there will be no more new data for them to analyse. If it came to a choice between 2% and 29% I would go for the 2% and stop using the card.

    Paris, 'cos she's interested.

  36. Anonymous Coward
    Anonymous Coward

    "Fully informed" consent isn't hard to come by

    It'll just mean the signup will have and link and a checkbox at the end. The checkbox will be to agree to the Ts&Cs, the link will be to a separate "PDF for your convenience" set of Ts&Cs you can optionally download with bolded text at the top that states your data will be sold.

    Then all they have to do is rely on the fact that most people are too lazy to even download the Ts&Cs.

  37. Dan Crichton

    Without a major overhaul of the payment network protocols this isn't going to be feasible. I've implemented 3 different payment systems over the past few years, and while one had the option to include a description of what was being purchased I've never seen a reason to include it. All that Visa/Mastercard would see would be a merchant reference, the card details, and an amount - how are they ever going to figure out what has been purchased? Amazon (or Tesco, or any other retailer selling a wide variety of items),will likely have 1 merchant services account for all transactions, so if you spend £10 with them there's no way to identify what that £10 was spent on - it could be books, DVDs, shampoo, food, toys, paint, anything!

    So, we're back to the first line - a major overhaul of the payment network and forcing all retailers to specify merchandise category codes in transactions. Considering that the payment network doesn't even handle addresses (only address numerics are passed around as the system doesn't support non-numeric values) there's little chance of adding a system to handle these codes in the forseeable future, and even then a significantly smaller chance of retailers implementing these codes as that would require major changes to all commerce platforms.

    Is it April already?

  38. Dan Crichton

    Ah, now I've read a few more articles I see what Visa are planning - aggregating offline purchases in an "area" with the types of purchases made (which would still have to assume that a purchase at Tesco would be for groceries rather than a new TV, for instance) and then the advertisers would use geo-location (most likely by IP address as they'll be little else to go on without any personal data) to figure out which area you're in and show ads ... so if you live in an area with a large number of people buying things at Pet City then you'll end up with pet related ads. Short term looks like it'll be a utter waste of time for advertisers; geo-location is often a mess, my home IP comes up as being around 200 miles from where I live, and my work one about the same distance from where I work ... and ads based on aggregated data will be irrelevant for most browsers as the ads will be based on offline sales, not online, which likely has a wildly different purchasing demographic (I buy food in Tesco but never online, for instance, so online ads for food wouldn't give me a sudden impulse to buy food online).

    Maybe it's not April, but Visa/Mastercard will be having the last laugh with this.

  39. Anonymous Coward
    Anonymous Coward

    I had assumed that...

    ...the ratfuck weasel bastards were selling the data already. Presumably this latest idea is to tag use of a card for online shopping then associate that transaction with whatever other details can be raped from the shopper.

    My card is just used to pillage the local cashpoint. The card companies are cordially invited to put that in an appropriate segment.

  40. You Are Not Free

    "May habits... my personal data... "

    Someone else's wealth.

  41. Anonymous Coward
    Anonymous Coward

    I can imagine me getting some pretty bleak adverts.

    I seem to recall an anecdote/urban myth about someone getting their card automatically blocked for suspicious activity. When he queried it he was told it was because there were two transactions of over £50 in one day, and neither was in an off-licence or pub.

This topic is closed for new posts.

Other stories you might like