Mastercard Should Stop Selling Our Data (eff.org)
636 points by gslin 11 months ago | 246 comments



Imagine you go to a market notorious for haggling and the company that sold you your wallet monitors all your transactions and reports them to whomever of the market sellers pays most.

You are now the fat chicken, ready to be plucked: You just bought a hammer, now you need nails. From your social media trail sellers can also infer you are somewhat of a dimwit. Hurry, nails are in high demand in your area. But no worries, here is a great offer for you, valid for the next 0.3 hours.

I just can't understand how people have come to accept such erosion of their privacy, ultimately their very own economic interests and agency under the hands of manipulative operators and captured regulators.

What kind of collective inanity allows such social degeneration. Was it always like that? Is there any hope?


Better yet, they now have those e-ink price labels. They could literally update as you walk towards them to show the price they will sell to you.

If you walk off and don't pick something up, they could then change the offer a little. It's no longer '2 for 1', it's now '3 for 2 with a free X'.

Disgusting.

> I just can't understand how people have come to accept such erosion of their privacy, ultimately their very own economic interests and agency under the hands of manipulative operators and captured regulators.

The frog born in boiling water doesn't realise it is hot, it's all he ever knew. The age bracket with the largest disposable income now doesn't know any different, it's how it always was.

> What kind of collective inanity allows such social degeneration. Was it always like that? Is there any hope?

No, technology made it far easier. It's now targeted and automated, it's as bad as it has ever been and continues to get worse. There is not a politician in any land willing to do anything about it - more product sold at higher prices means larger taxes. (And that's if the company doesn't lobby on top.)


Even better - criminals will get the data one way or another and find out your purchasing power, when and where you go leaving your house unattended and what they can tell you or your relatives to effortlessly manipulate into just giving them something valuable.


Who has these labels? And if they did, how would they enforce it? How would a checkout counter know what price you were offered by some random computer sitting on a shelf?


It's been being tested in retail already (see for example: https://link.springer.com/article/10.1057/s41272-019-00224-3) and the main thing holding stores back from implementing it is that most people think discriminatory pricing is wrong. Companies are working very hard to convince us to let them do it though. Their foot in the door is offering "deals" to only certain people. You see this in things like store loyalty cards or Xbox's "just for you" prices (https://www.windowscentral.com/xbox-microsoft-store-just-for...). It's all just trying to condition us to accept that some people deserve different prices/treatment than other people.

If I were building this type of system I'd do away with electronic labels and just force people to scan a QR code with their cell phones, then use that data collected from their device to find out their income level, past purchase history, etc. then use that data to display their "price" (subject to change at any moment) right on their device along with ingredients, nutritional data, product information, ads, etc. Then I'd either generate a QR code on their device for them to scan at self-checkout, use Bluetooth to detect the device when they stood at the checkout counter, or use facial recognition. Either way, knowing what price the computer offered would be dead simple and the price of whatever is being purchased could (and probably would) change from the time you picked it off of the shelf and when it got scanned at the register. It'd be your responsibility to accept the prices or not when you pay.


> You just bought a hammer, now you need nails.

The standard response from someone working in ad-tech: "But isn't it great that an advertisement informs you that you need nails too? Nothing would ever be built without the help from ad-tech!"


As someone said in another thread: the problem with ad-tech is that they think that you need another hammer.


Yes, adding insult to injury.


I think the answer is very simple: people don't understand and even if they do then they don't understand that what might seem minor "well whatever, it's just some nails this one time," and it doesn't cross over to the huge power this data yields in aggregate.


Also, people like the discounts they get from their loyalty cards, and also the free stuff on the internet.

What they don't know is that they pay twice, once with their data and once with money. And the prices they pay now include the cost of the adtech too.


"always was" is such terrible rhetoric. hand-wavey and without substance. A thought terminating cliche.

It honestly makes crypto look desirable, and buildings designed with sensor blocking materials. You can't passively surveil a data-center. Why should my home, office or shopping mall be any different?

The powers-that-be never gave us a choice to opt-out. It's been a slow gradual decline.

We have to incentivize haggling over our own data. My unseen/unknown data is my asset and I will protect its financial value.

We can't trust random joes to not sell out crypto exchanges and the like, so you have to build technology that functions as a manual crypto exchange - without a developer on its back to pull the ripcord and destroy the technology whenever money shows up.

Manual software is key, as soon as it becomes "automated", some developer has to be roped into hand-holding it through tech changes. Crypto software that only exists because a man put it together and went hands-off, is Key.

Then you can build the normal philosophical/structural/relationship management ideas on top of that.


The average person simply has no hope of understanding the flows of modern global capital, data, weapons, etc.

Back in the day, if the local leather tanner was polluting the town water supply... you'd just go tell him to stop, and if he didn't...

Nowadays the only people who have any idea what's actually going on are the ones who are profiting the most from it and have no incentive to shut it down.


If they can get you asking the wrong questions, they don't have to worry about answers.

-Pynchon, Gravity's Rainbow


> The average person simply has no hope of understanding

If Mastercard used a private detective to follow you when shopping, and he wrote everything you bought and where you bought it into a notebook, which he later delivers to Mastercard, the average person would understand very quickly.


Yes, it always was like this, all the way back to snake oil salesmen and probably even further back. Now we have 'legit' companies that know the exact snake oil you'd want.

There will always be a battle between the wants and want nots.


Now however, the consequences are on a truly global scale, so it becomes more important than ever before, while at the same time becoming less understandable than ever before for normal people. So instead of downtalking the issue, we should highlight it more than ever before and we should inform and educate people more than ever before.

'cept that education sector is struggling to even get financed in places. We even have people seriously thinking schools should finance themselves, because they are too short-sighted, to see the net benefit for a society, that a good education system brings with it. This in the face of ever more things to learn about the digital world. And I live in a country, where there isn't even an official school subject about interacting with this digital world.


I was always under the impression that despite ups and downs there was (on average) progress, improvement, in some broadly defined way.

I am no longer sure. One could always think that we hit a local minimum. But the comatose, practically non-existent debate suggests there are no reacting forces, the malaise runs deep.

It's puzzling and confusing because none of that phenomena seem pre-ordained. It's all self-inflicted through abysmally bad governance. Literally made up through behavior and choices.


1. People did not accept this "erosion of privacy". They just don't understand. Mastercard is not going to every customer and telling them what exactly they do, what it means and so on. Sure, they ask for "explicit consent", they have contracts and agreements and tons of legal documents describing every step. But that does not help people understand what they do. That is the big misunderstanding of legal requirements like GDPR: It does not prevent erosion of privacy.

2. In general, this is not an erosion of privacy. Honestly? I really do not care what a company does with my transaction data. Why? Because I work in the field of data analytics, big data and I got a little idea of what happens: I'm just a small dot in a very huge picture. Sure, at some point in the very beginning of this process the company tracks my data. But this single data point is not of value. Only the aggregation of a massive amount of data points has a value. Saying "your data" is just framing the opinion into a direction "data collection hurts your privacy". Really no one cares about Mr A from B in C, born in 1900, having n kids and m wives.

3. You may reply that my data is in danger, if a company is collecting it. That is right. And that's probably the main goal of legal stuff like the GDPR. Data breach can only happen to existing data. No data, no breach. Too easy. But if this is the argument, then you may stop using the internet or any other service.

So, to sum it up: Let's blame the companies for 1 (misleading) and 3 (no security)... but 2? Yeah well. I think it's fine to collect data. I mean... it's a human thing! Information advantage is an evolutional advantage and information comes from data.


Actually all current card payment providers should be put out of business altogether. Two companies (master/visa) hold complete control over the entire customer spending in the whole world. They also prevented banks from catching up to the 21st century, technology-wise, and we still do not have instant online payments. There are so many things bad with banking and many causes can be traced back to these card payment providers. We need alternatives, as many as there are banks in the world. Every bank needs to be a card payment provider, an online payment gateway provider and so on.


Not the whole world, this is mostly in the United States. In Europe it's more like what you describe, banks are the card payment provider and we have (near) instant online transfers. Credit cards are relatively unimportant here.


What are you going on about? Pretty much all European banks issue Visa/Mastercard credit and debit cards (sometimes under their subbrands Maestro and VPay) by default to pretty much all customers.

Most in-store payment processing goes directly over those two companies still.


But the underlying payments network isn't necessarily Visa/Mastercard's. In the case of France, there's Cartes Bancaires https://www.cartes-bancaires.com/, which you can pay through regardless of your card type (Visa, Mastercard, Amex) as an alternative over paying through the Visa/Mastercard/Amex networks.

And of course with GDPR, there are actual restrictions on how Visa/Mastercard can monetise your transaction history, and with banking regulations, how much of a cut they can take.


Interchange fees are regulated in Europe. This prevents this weird inflation of card fees which are then returned via cashbacks.


Plus, if you want to buy anything online outside of your own country (in Europe), you will likely have to use a credit card or something like PayPal. Or some other third party, that is connected to your credit card.


Banks are already processing payments. When you put your credit card in your bank's ATM, the ATM is managed by the bank. It connects to your bank server and all the authorisation and processing is being done by the bank. Visa and mastercard provide connection to other banks. When you put your card in another bank's ATM or buy something in a business associated with another bank.

Getting rid of the Visa/Mastercard duopoly would mean that all banks must connect to all other banks, which they do not want to do, believe me. That would be an administrative hell for them. Which is why they've been putting up with those two for so long. These are the google of banks. They are convenient.

The alternative would be some sort of joint venture between all the banks. The result would be less fees for the banks but no benefits for the client as the bank would keep the margin and it would still be a privacy hell.

Another alternative is a public utility. But a lot of people will be as uncomfortable providing their payment data to the government.


> The alternative would be some sort of joint venture between all the banks. The result would be less fees for the banks but no benefits for the client as the bank would keep the margin and it would still be a privacy hell.

This is what happens in India. UPI (unified payment interface) was launched by NPCI which is kind of a joint venture between the regulator and banks. In an abstract sense, the bank processing the payment does connect with every other bank via NPCI.

The underlying rails are an older infrastructure of IMPS[1] which is the interbank money transfer system.

I do not agree with the privacy hell part. When bank transfers happen, they anyway have to do the required checks with the other banks. Frankly, people in my circle never even cared if it could be a privacy issue for us.

On another note, there was always incentive to launch NPCI in India because 1/ The infra is relatively newer so it was easier to do (Java I think) 2/ Almost all banks' software was built by Infosys/TCS etc. (in Java) and that meant the ones integrating would be the same parties who practically used the same architecture 3/ Visa/Mastercard did not have that kind of penetration in 2010 so settlements were a real issue faced by every bank.

In US or European case, the issue seems bigger because the problem is half solved by Visa/Mastercard, so there is a bit of inertia to solve the same problem again.

[1]: https://www.npci.org.in/PDF/npci/upi/Product-Booklet.pdf


> Getting rid of the Visa/Mastercard duopoly would mean that all banks must connect to all other banks, which they do not want to do, believe me. That would be an administrative hell for them.

What would be so strange about that?

https://en.wikipedia.org/wiki/Single_Euro_Payments_Area


Aren't most SEPA transfers not settled directly bank-to-bank but through STEP2? https://en.wikipedia.org/wiki/EBA_Clearing#STEP2

That said, in a system replacing VISA/MasterCard (which I personally believe is a goal worth working toward), it seems like the easiest way would be to connect all the existing national clearing systems (many of these already have instant payments on their own - Fedwire in the US, STEP2 in the Eurozone, Zengin in Japan, etc etc) in a two-tier system.


Oh, my point was not confirming the premise of the parent in that all banks would need to connect to all other banks, but that it would not be such a hard feat to get rid of VISA/Mastercard for this kind of processing.


> would mean that all banks must connect to all other banks

I think the EU's getting there with open banking directives like the PSD2:

"the provision of a standardised and reliable access interface to payment accounts (i.e. an application programming interface, API)" https://www.ecb.europa.eu/paym/intro/mip-online/2018/html/18...


A pseudo-public joint venture model is viable in internet telecoms (eg ICANN), so why not in payment clearing?


At least in Europe, we do have instant online transfers between banks. But yes, the duopoly situation sucks. And of course, the privacy situation with credit card companies is not nearly as bad in Europe as it's in the US.

I think we need more regulation and government oversight here - even in Europe, but especially in The Land of the Free.


> Two companies (master/visa) hold complete control over the entire customer spending in the whole world. They also prevented banks from catching up to the 21st century, technology-wise, and we still do not have instant online payments.

India has UPI, China has WeChat Pay and AliPay, Russia has MIR, and forced Visa/MC out of business for domestic payments like five years ago. Adding insult to injury, all these systems do have instant online payments.

Oh, and Japan has JCB, heard African and Latin American countries have their own systems too. The "world" you're talking about is a small one.


Do something about it then?


Isn't writing about it on internet, making people aware of the issue, discussing, doing something about something? Or you meant get his superman costumes and jumping on buildings catching visa/mastercard executives?


Nothing wrong with writing about it on the internet. I also agree with the comment, I guess.

It was a philosophical question. Why is it so hard to walk the talk.


Any alternative to current payment processors is immediately called a scam with no real world use cases.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"



> To opt-out from our anonymization of your personal information to perform data analyses, please provide your Mastercard or Maestro payment card number

Does this mean you're opting out of the anonymization, but not the collection of personal information?

The wording here could definitely be improved.


I suspect the wording is deliberately confusing.


I would say it's almost definitely written to be confusing. See their privacy FAQ also:

> Does Mastercard share transaction data?

> We do not share transaction data without consent or as otherwise legally permitted such as in the context of fraud prevention.

That's a yes or no question. Instead of answering it with a resounding YES they instead reply with some waffle about "legally permitted context".

They also miss out that they sell services that access that data. So an external party might not be able to see it directly but they can pay Mastercard to do the same customer monitoring for them.


I don’t know if it’s deliberately confusing, but it certainly was reviewed by several lawyers.


It is deliberately confusing, but ultimately the meaning behind seems to be "this particular data collection is not for personal advertisements, we got that covered in some other way".


There is also a bit of a 'yes but ' here

> We will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise these rights, except where the different price or level of quality of good or service is reasonably related to the value of the data that we receive from you. In some instances, we may not be able to provide you with the good or service that you request if you choose to exercise certain rights.


I ended up creating a “my data” account. I am curious what MC has been collecting across my 2 MC branded cards (one of them is an Apple Card which advertises protecting user privacy).

Once I get back that report I will be requesting deletion.


Since you didn't post the link, I've just done the same here (US link): https://www.mastercard.us/public/my-data/dgr-public/personal...


Apple will hate if this blows up with a headline of "Apple card users spending data being sold"


Neither the EFF nor PIRG mention Apple Card. I was under the impression that Apple had taken measures to prevent exactly this kind of information from being leaked from Apple Card use.

That is, beyond rotation of card numbers whenever Apple Pay is used.

Knowing Apple has put an emphasis on customer privacy, and that Apple Card is run on Mastercard, the zero mention of it in either article kind of stands out to me.

It would be great to get clarification on what the scope is of Apple Card customer exposure to Mastercard’s commercialization of payment data.


I'm not familiar with Apple Card, but aren't all privacy measures only point-of-sale facing? As in, you pay with a random card number and the shop can't track you, but Mastercard obviously still has a record on you. So unless Apple is a middleman able to issue Mastercards on their own behalf(?) for their customers, I don't see how much more privacy they can offer.


I requested the personal information they have about me related to a Maestro debit card I use as my main debit card, and the result was: "We did not find matching results for you!".

I am in EU.


That's bullshit - it should be through the issuer. I have a half dozen different mastercards, plus variants for online wallets, all with distinct card numbers. IIRC, my Apple card has at least 4-5 numbers associated with it. (iPhone, Apple Pay on the web, Watch, physical card and i think my macbook)


Does Visa do the same thing? Do they have an opt out too?



Unfortunately, it redirects to a new page with no direct opt out. You have to send an email and manually request an opt out.


Something went wrong


Hilarious. Is this even working for anybody?


Since Firefox auto-filled my credit card number, I had to delete and re-type the last digit for it to work. Presumably, they have some JS looking for key up/down events to do some validation.


Make sure there are no spaces or dashes, digits only.


Any idea if Mastercard is worse than Visa/Discover? It's not a healthy competitive market, but there are options, I'm curious if I should be making an effort to use one.


Bloomberg reporting, circa 2018:

“For the past year, select Google advertisers have had access to a potent new tool to track whether the ads they ran online led to a sale at a physical store in the U.S. That insight came thanks in part to a stockpile of Mastercard transactions that Google paid for...”

“But most of the two billion Mastercard holders aren’t aware of this behind-the-scenes tracking. That’s because the companies never told the public about the arrangement. .... But the deal, which has not been previously reported, could raise broader privacy concerns about how much consumer data technology companies like Google quietly absorb.”

https://www.bloomberg.com/news/articles/2018-08-30/google-an...

https://archive.vn/SLmFw


How does Mastercard know what you actually bought? If I go to Costco then the CC bill says the whole amount, not individual items.


The merchant may pass on the line item information as well, whether they do so depends on what agreements or other motivation they have.


Yep, this is "level 3 data". Merchants or payments services often get lower interchange rates for providing this extra data


I always wondered about this. It feels like the information gets compressed or summarized a bit. I know this because when I previously had fraud charges I had to dispute the credit card company could report with some amount of accuracy the items that made up the transaction as well as in other transactions that they took the time to vet for fraud as well since they had me on the phone. It wasn’t brand or sku number granularity it was more categorical, clothing, maybe a sweater or something coarse like that. Perhaps the credit card companies do have this information but anonymize it a bit for the customer service folks?


For most merchants/terminals, only amex cards tend to send level 3 data.


Your cc bill says that. The shop knows individual items you purchased and they know how you paid. Someone is buying that data.


I guess these advertisers own stores, eg clothing. The marketers also only need to compare between multiple campaigns, not get a fully accurate count of how many people were served an ad then made a purchase. Yeah, if you use a Visa card you won't show up, but that's just a fixed unknown factor.


If you’re in Europe would this be an issue?

I’ve opted out all the same, no mention was made that nothing would be done, or assurance that this might not be an issue for me.

[Edited for accidental Yoda grammar]


This is why Europe passed data privacy laws.


Not only GDPR, but also a payments directive (PSD2).


Does this mean that Visa, AMEX and Discover don't sell our data?

I agree. Just curious if I should be preferring a specific card company.


None of the big 4 networks in the US don’t sell data.

Best to opt-out of each that you use.


source?


A 5 second search on Google shows Reddit r/privacy has threads for each of {AMEX, Visa, Mastercard, Discover} opt-out of marketing links.

I would argue that data brokers are so prolific in the transactions processing space that we should assume the onus is flipped and assume all companies are doing it until they can prove they aren’t (which is a pretty difficult task).

I also realize that other countries/governments regulate this space differently, so I’m speaking specifically about the USA.


Would be surprised if there are or have been meetings at these companies where they ask themselves when they can start doing what MC is doing


Coincidentally, just earlier today I was looking for one-time-use prepaid cards. I thought I'd buy a few $100 worth cards and use them for pseudo-anonymous transactions. However, all I could find were prepaid "debit cards" (which could be easily tied back to me) or store-specific "gift" cards.

Curious to see if anyone has a good solution for that? (In the US.)


Visa vanilla is fairly practical for most threat models. I know some orgs are trying to do more ad targeting via security cameras across multiple stores, but afaik you'll have no problem paying cash for a visa vanilla gift card, activating it online (through a vpn or something if you're worried about that level of tracking), and then using it like a credit card at nearly any brick-and-mortar store and many online retailers.

Potential flaws:

(1) They used to have a bit of overhead (1-5%). Not sure nowadays.

(2) None of that is ironclad anonymity. Don't be an outspoken gay Ukrainian hacktivist journalist visiting Russia or anything.

(3) Some organizations will only do business with you if they're able to slurp up more data than the initial transaction would suggest to a reasonable person. You can't use prepaid phones to sign up to many online accounts (notably Facebook for a long time) because the site owner can't slurp up your address and other info without certain postpaid plans, and you can't use any pseudo-anonymous card [0] to make transactions at a place that wants to buy your address and purchasing habits from the card issuer.

[0] Solutions like privacy.com might qualify here perhaps, in that you can actually anonymize your name/address/... and still use most of the sites trying to capitalize on that data, but fundamentally that just turns them into a middleman with the same data, and I expect they'll sell out eventually. Plus they have raw access to your bank account and other things you might not want to give out.


>You can't use prepaid phones to sign up to many online accounts

Presumably this is meaning prepaid phone numbers? Also assuming this is likely a US thing? Or I'm misreading it somehow.

Because otherwise, I've always bought my phone cash and buy my airtime and data prepaid (no contract) in both EU and Africa and have never come across a service that restricted my phone number for being prepaid.


Yeah, prepaid phone numbers. I assume it's also likely a US thing as well. If you drop down to the store and buy a TracPhone or Cricket Wireless product or whatever and load it up with a few pre-paid minutes, that'll fail a lot of the identity verification steps happening behind the scenes when you try to create accounts with it. Generally post-paid plans (or "contracts" as they're often called, since we love overloading words) will work for that sort of thing day one.


My number in EU (LTU) is not prepaid, but likely on some bullshit outdated prefix blacklist, so US companies (microsoft and blizzard so far) do not allow to use it for authenticators and such for being a prepaid number. MS simply refused to send the SMS, blizzard explicitly mentioned the prepaid reason.


I think they are referring to VOIP numbers which are blocked from usage for the vast majority of sign ups requiring a phone number


I tried to buy something with a new vanilla visa prepaid card while on a VPN recently and found stripe failed the transaction with a vague something happened error. And then found the visa balance check website plays the same game. Googling around it sounds like they've blocked the card and I'll have to call them and wait on hold if I want any chance of getting the stolen funds back. The card doesn't work on my standard IP either now.


Privacy.com is very neat for this.


their privacy policies are not great iirc. ironically.


Have you tried cash?


People use separate “loyalty cards” which are a pure data for discounts play happily enough. The only reason such cards have become less popular over time is Mastercard, Visa, and Amex have rendered such products redundant.

At this point you can also 99% of the time pay cash and efforts to change this face significant political resistance as being discriminatory to the poor/unbanked. I think the argument “why don’t you just not use their products if you don’t like the deal” is a shockingly good argument… for now.

We can revisit this issue when society truly goes cashless, but for now, not the hill I’d die on. Mastercard will cry bloody MURDER before they let go of this gold mine. If anything I find the interchange fees and the virtual monopsony the credit card companies have to be more scandalous.


I visited the Air Force Academy football stadium this past weekend. Multiple audio announcements and various signs posted all over the stadium proclaimed the Falcon stadium as a "cashless venue."


> cardholders Mastercard thinks will be “high-value”—predictions used to target certain people and encourage them to spend more money.

Sorry, I don't understand, perhaps because I am in the UK not US. My bank issues my Mastercard, so I don't have a direct relationship with them. How would they target me?


You are using Mastercard's payment network whenever you pay for something. They see and record all your transactions. Mastercard is the entity informing your bank to pay the merchant's bank.


Yes, but how is Mastercard encouraging me to spend more? In my day to day, it matters little which payment network I use since that’s abstracted away by the bank’s interface. What opportunity does Mastercard have to target me?


They sell your transaction data to Google. When merchants provide Level 3 information (line items), Google can now know exactly what you're actually spending your money on.

Then, Google can show you super-relevant ads, that might encourage you to spend even more.


Presumably they could tell stores that you have your card on file with? (Only speculating; I have no idea if they or any other card network actually does that.)


Offering lower interests rates as a promo, higher limits, low interest loans, bonus points from certain brands/categories, offering new types of cards, etc etc


Read OP’s comment again. Mastercard is not a card issuer, they can offer none of the things you mentioned.

The answer to OP’s question, of course, is that Mastercard doesn’t make use of the information it has directly. It sells the information to interested parties like Google and other advertisers. This is the behavior EFF is objecting to.


My worry is that merchants offer higher prices based on their assessment of my private data.

We've had the situation before when booking holidays that my wife sees higher prices for the same hotel on her laptop while sitting right next to me. Once she cleared cookies the price went down to match what I've been offered on a clean computer.

That was a few years ago so I would imagine IDing potential customers is done via browser fingerprinting now rather than cookies and so harder to protect against.

Really, who wants their bank or payment network to collude in higher prices?


How does Apple Card compare (since it’s also a Mastercard)?


Do you think apple has some kind of data privacy deal?


What would make the Apple Card special?


so appropriate, literally just saw incoming email from "Shop" (a company I'm sure I was "obliged" to use because some other company that I actually wanted to use told me "we now process all of our transactions through 'Shop'!"). This email reads:

We wanted to let you know we’re updating our Terms of Service and Privacy Policy (“Terms”), which applies to the products or services you use, like Shop and Shop Pay. We periodically update our Terms as our services evolve, and to address new laws and regulations. We’ve also made them easier to read.

The changes will take effect on November 6, 2023. Here are some highlights:

Terms of Service

• Broadened the description of the services and features we offer to you and how these services work
• Addressed new compliance requirements around Shopify’s role as a platform

Privacy Policy

• Explained how we use your data for advertising, and provided information about your consumer rights
• Integrated the Privacy for Customers policy, improving transparency about how we process personal information when you interact with a merchant
• Updated language to better reflect how our products work, such as Shop
• Re-structured parts to add detail about the information Shopify collects and why, how we use it, and how we may share it.

---

Now I "need" to figure out how to delete that account/request erasure of all my personal data. Just did that with "23andme" yesterday and it was pretty straightforward, but still I have to kick my past self for being naive enough to sign up for this crap in the first place.


I believe Mastercard have already told customers in certain regions to stop using their data by last week.


Anyone who makes an account on a commercial website has consented to this indirectly. We've crossed the Rubicon long ago. Most people seem content with their info shared, sold, brokered, etc.


Content? I doubt it. But the choice is agreeing to the terms or not being able to use modern services. And the terms are increasingly abusive.

It used to be that buying something remotely was mailing or calling Sears-Roebuck. You give them money, they ship you a thing. Reasonably discreetly.


That's a very blunt measurement of 'content'.

Vito Corleone knew how to make an offer you can't refuse. Tech has done the same, in very finely measured increments.


I wonder how this impacts Apple Card (via GS) and knowing Apple's whole privacy focus


“but do not share or sell your transaction information to third parties for marketing or advertising.”

The wording only says they can’t share or sell transactions for those two reasons but I’d imagine analytics may be a valid reason?


Fraud analytics gets an exception from most regulator laws.


they should but they won't.


it's not just Mastercard, most banks like Charles Schwab do too


We should have a payment system that isn't held hostage by two providers anyway.

At least here in Europe MasterCard and visa are the only options. Amex and Discovery are really unusable here.

Besides selling our data this also means we get American morals pushed on us, eg they won't provide payments for some websites they don't like.

But how do you break up such a duopoly?


> At least here in Europe MasterCard and visa are the only options. Amex and Discovery are really unusable here

Growing up, my parents had a Discover card (among others) and everywhere we went, I remember them asking if they took Discover because so many places didn't. It wasn't until years later when I saw the joke about this on Futurama that I realized this wasn't a unique experience:

> Fry: Do you take Mastercard?
> Employee: Mastercard has been out of business for 100 years.
> Fry: Okay, do you take Visa?
> Employee: Visa has been out of business for 200 years.
> Fry: Hmm, do you take Discover?
> Employee: Sorry, no, we don't take Discover.


In the US today, it's been my experience that if a business accepts credit cards, Visa, MC, Amex and Discover are all accepted. Costco would be the exception that proves the rule. This has been the case since I started using credit cards, maybe 10 years ago.

Does anyone know when this changed? I don't think I've just been lucky this entire time.

Edit: When traveling overseas, I've always just used VISA though, but that's just because I have a card without foreign transaction fees with them.


Amex is frequently not taken by small businesses that don’t use one of the newer POS systems like Square or Clover.


IME, it’s less about POS systems and more about what the merchants are willing to give up in fees.

Amex charges significantly more than the others, to the point that multiple businesses I frequent offer a sliding scale - par for cash/check, +2-5% for Visa/Mastercard/Discover, +5%+ for Amex.

This is just one more input to an optimization problem for me, but for merchants makes a significant difference: my mechanic says he saves thousands of dollars a month by turning Amex customers into Mastercard customers, and Mastercard customers into cash customers.


Well, I’ve noticed businesses switch to accepting Amex when they got one of the newer POS systems. I wonder if Square/Clover/etc. have negotiated different rates for their customers.


I think Square has a flat fee no matter what card. They probably just average out the fees between the cards.


I stopped noticing several years ago, it seems every place has all 4 on the "We proudly accept" window decal. But I do remember checking 10-15 years ago to make sure places took my Amex, because not all of them did.


I have seen a few places not take Discover, or Amex, or only take Visa/MC here in the US.

Costco was unique because they used to only take Amex credit cards and then Citi/Visa won that business.


Huh. I hadn't even heard of Discover.


Visa, Mastercard, American Express, Discover, JCB are the five that started PCI-DSS

[1]: https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Sec...

[2]: https://www.pcisecuritystandards.org/


It's the company that now owns Diners Club (and is better known under that name in many countries other than the US), who in turn invented credit cards way back :)


They did not invent credit cards. Diners Club was a charge card. They did not invent that either. American Airlines had their own charge card a few decades before.

They did start the first payment card that wasn’t linked to a specific company (i.e. the American Airlines card).


The invention was having a card accepted across a wide range of merchants (all under different ownership).

Store accounts/cards have indeed been around significantly longer.

The distinction between a credit and a charge card is not that relevant in that context, in my view: For both, you spend an issuer’s money at unaffiliated merchants and pay the issuer back later.


You had yet to discover them.


You start an EU competing service with the top EU banks and money lenders. You build a bunch of credit card infrastructure. You tie your infrastructure to the merchant systems and get gateways to implement your protocol.

Not exactly easy but it’s not impossible. An app based system could probably do it and force ApplePay and GooglePay to use it in those areas. They will if it’s in place.


Well the whole credit/lending part isn't even needed. In Europe this is only a marginal thing and most people just have debit cards.


There are advantages to credit. For example, the money remains in your hands until you pay your credit card bill, so if there is a dispute, fraud, or overcharge, you don't have to fight and wait to get your money back.

Also, some businesses, such as car rental companies, won't provide services to debit card holders.

Also, it's a free [edit: zero-interest, not free] loan (if you pay credit card bills in full); you get some small marginal revenue from the money you keep for up to a month.


There are some benefits, but it does complicate the transaction significantly. It's no longer between two parties (a consumer and a merchant), there are now at least two more: a lender and a credit bureau.

And that's why we're in this mess to begin with. Credit card transactions are reported to credit bureaus (from a quick web search, it looks like debit card transactions aren't) and this normalizes the idea that your financial data should be shared freely amongst finance companies.

There's really no such thing as a free lunch, or a free loan. When someone offers you one, it's good to understand how you're going to be paying for it.


> It's no longer between two parties (a consumer and a merchant)

A cash transaction is between 2 parties. A debit card transaction is between 5: consumer, consumer's bank, merchant, merchant's bank, payment network/card provider.


Credit reporting makes getting loans easier because lenders are more willing to give loans when they can look up your credit rating instead of playing it safe and declining you because they have nothing to judge the risk with.

You also get fraud protection.

It’s not free, but you’re not necessarily paying for it. The main concern is that some people are definitely paying for it disproportionally more than others.


I would disagree, as things stand, getting a loan is easier if you have a good credit rating, but it is a deformation of the space.

If there was no credit reporting, the lender would still need to loan just as much. They would base their decisions on other factors (down payment, wages, employment stability, assets, ...) rather than the extremely invasive credit rating.


Good points, especially the last one.


> Also, some businesses, such as car rental companies, won't provide services to debit card holders.

In America, yes. Not really a thing in Europe, at least not in any places I’ve been to.


I've always wondered about this. You drive off with a EUR30k car. What do they do if you don't come back? Drain your bank account of 500 Euros? What then?

In the US, the rental agreements let them keep charging you the daily rental fee until the amount collected exceeds the value of the car.


Well, what do they do if you drive off with the car and they have your credit card?

Your issuer is only liable for the few hundreds of dollars that the rental car company has authorized; beyond that, it's still their (or their insurance's) loss.

The only practical difference is that you're not out that money on your checking account for a few days, which can indeed be inconvenient – but arguably that's not really the rental car agency's problem?


It probably has nothing to do with getting the car back.

It’s probably to avoid lending the car to higher risk demographics.

It’s a test.

The rental car company basically loses fewer cars overall and thus has lower insurance premiums, and thus can offer cars cheaper than other rental companies that do not require a credit card (if any even still exist?) that have higher premiums to pay.


That’s the most likely theory as far as I can tell: While a credit card doesn’t make it more likely to get the money back in case the customer does run away with the car, it’s probably less likely for high-risk customers to even have a credit card.

Which unfortunately creates all kinds of false-positives, like making it very hard for tourists from countries where credit cards are not commonly used to rent a car…


It does but I assume the loss of business from foreign customers still is less than the cost of losing cars.

That said, you’d think they’ve considered exceptions based on your passport?


Couldn't the rental car company keep charging the card and the issuer remains liable for further amounts?


Not if the issuer declines the authorization, and just closing the card (or even just temporarily locking it in the app for many cards!) would do that.


Exactly this.

The issuer can also sell that debt (daily rental up to car value) to a debt collector.


Call the police and report it stolen is my understanding. I’ve never rented a vehicle in another country, but the handful of times I’ve rented a van to move house, the place has asked for two forms of ID. So they definitely know where they (or the police, I suppose) can find me.


> Also, some businesses, such as car rental companies, won't provide services to debit card holders.

This almost ruined our vacation. I didn't have a drivers license and my SO didn't have a credit card. I've never had any issues renting cars here in Norway, both with credit and debit card, despite not being the driver.

But not in the US, no no! Credit card had to be on the same name as the drivers license.

And so we stood there, just having exited the plane, our two week vacation turning to dust in our minds as a car was most definitely needed.

After some desperate attempts by us at finding a solution, the manager came by, having noticed the commotion. After some thinking she asked where we stayed. We had rented a place through Airbnb, which turned out to be the solution. Using the zip code from that place, she could register the debit card, and we finally got a rental.


> Also, some businesses, such as car rental companies, won't provide services to debit card holders.

I think most debit cards, at least in the US, can also be authorized on the credit rails, and can therefore be used to rent cars. It's always worked for me.


When I opened my checking account at Bank of America I was issued an ordinary debit card. After a couple years they replaced it with one with a Visa logo. I argued with them on the phone long enough to get them to replace it with an ordinary debit card. After that one expired they did the same thing and I gave up. I haven't seen a debit card from any bank without visa or mc in a long time.


How does that work? Do you tell them it's a credit card?


Sometimes the terminal will ask Debit or Credit, sometimes it will just prompt for a PIN (meaning it wants to run it as debit) and you can just hit OK and it will run it as credit instead.


Annoyingly, Home Depot makes you press "Cancel" at the PIN prompt, and then it automatically runs it as credit.

Of course if you do that anywhere else, you have to restart the flow.


In the UK you also get access to better consumer protection using credit thanks to Section 75


You need capital to lend though or you need lender groups you can securitize. That’s the “credit” part of Visa/Mastercard. The concept can easily be done all digital. IANAE on payments but pretty sure if you build it (and connect it), it would work.


What you wrote is not responsive to the comment you are replying to. Whether it would work is irrelevant if it’s bad product market fit.




More importantly, both Visa Europe and Mastercard Europe used to be cooperatives owned by various European banks, largely independent from their parent organizations in the US.

The European banks just sold their stakes in the late 90s to the US parents, because they supposedly didn't see a future in that business model...


You forgot the Access Credit card:

https://en.wikipedia.org/wiki/Access_(credit_card)

They spent all that money on advertising, I still remember it, but for what?

This and Harding and Hobbs


Eurocard and Access got merged into MasterCard

So European cards worked but the owners ie banks wanted global ones.


Visa and Mastercard are umbrella organizations that at bottom work through banks; the card doesn't just say Visa or MC, it also has a bank on it, and the front part of the card number is a bank identifier. So, there's no reason that European banks can't also be part of the same network, and presumably they are.


European banks definitely issue Visa and Mastercard cards (and in many countries, there isn't even any local alternative for card payments).

But given the network effect, Visa and Mastercard have a lot of power over both issuing and acquiring banks. Issuers have at least a choice out of these two; acquirers just have to accept whatever their customer puts on the counter at payment time (or lose ~50% of their card-paying customers).

In other words, participation is (relatively) easy; getting some amount of control, let alone autonomy, is almost impossible – again due to the network effect.


That takes an enormous amount of frozen capital. For regulation reasons MasterCard (and other networks) need to keep huge cash on hand to cover stand-ins and other network blips.


We have alternative real time payment systems that make it very clear that we do not need a fill in replacement for credit cards.

The system we use in Switzerland (Twint) has everything you'd need for barely any fee and real privacy laws, for everything else and over border transactions there is SEPA. There is simply no need for anything else than that.

Nobody is looking to use Google pay or apple pay when we already have a perfectly fine system with way lower fees.


Here in Japan, the run-around the system has been QR code payments.

Those apps are easy to make and don't have to get any special system access to NFC hardware.

Small merchants can just use their existing phones or get iPads, although the payments are now also integrated into merchant systems and the standard card readers in shops now also have a camera to scan QR codes.


Could you not just use the same protocol?


This is anecdata, so take it with a grain of salt, but I hear this isn't motivated by morals at all. Instead, people who spend on things like OnlyFans tend to later claim that those charges were fraudulent, expecting to get their money back. If true, it makes sense that Visa/Mastercard might ban this sort of stuff just to avoid the headache.


Nope. If it were just a question of economics they can charge more to get around that. Chargeback rates are high for porn but not the highest category by any means, and the likes of OnlyFans tend to have a lower chargeback rate than the PornHub/Brazzers/etc. of the world.


May I suggest: With Free Software (https://taler.net/)?


> But how do you break up such a duopoly?

Start buying things with cash again.


I'd be willing if most of the things hit weren't purely software services. It's a bit sad that Cryptocurrency has been the most common alternate payment for that and it's not in a good position either


Ignoring the convenience aspect one problem with this is that you are now paying an ~2% "tax" as most stores include credit card fees in their prices. If you use a credit card you get ~2% back in "rewards" but if you don't you are still paying the same prices (in most businesses).

It's a pretty clever scheme by the card companies where they have raised the price for people not using their services.


This whole rewards thing we don't really have in Europe. At all.


Yep, because we're not getting scammed on transactions fees (capped by the ECB to 0.2% for debit and 0.3% for credit card transactions). I have an Amex card that has some cashback, but it's not a lot.


Yes! Let's ignore the fact that more and more companies do not take money at all. Problem solved.


More and more places are banning cashless companies. Delaware, NJ, Pittsburgh, NYC, San Francisco. Likely more to come.


In Switzerland there is not a single shop I could name that only takes credit cards. Neither offline nor online.

I can name you at least 50 shops that don't take credit card but at least 2 different payment methods.


Then you vote with your wallet and boycott those companies.


So when I need to buy software, should I send cash by post or drive 500 miles and pay in person?


I wonder if we could convince companies to put software on some sort of portable physical medium that could be sold in brick and mortar stores?


> At least here in Europe MasterCard and visa are the only options. Amex and Discovery are really unusable here.

Depends on the country!

Amex is accepted in many places in Germany these days (though you definitely still need to carry another card, so it can't be your only card).

And Discover and Diners Club are actually the same network, so in the European countries that have strong Diners Club acceptance, you can usually also get by with Discover. (No idea about how good the exchange rates are, though; those of Diners Club in the other direction are atrocious.)


The EU has something on the way called EPI for European Payment Initiative:

https://www.epicompany.eu/

https://www.ecb.europa.eu/paym/intro/news/html/ecb.mipnews23...


I forgot to update myself actually. Last month, they chose a brand name for the service: Wero.[0]

Here [1], it says:

> strong potential for "wero" to emerge as the leading wallet for the digital euro central bank digital currency (CBDC)

Great, but I am not sure about its potential to safeguard our privacy. One can hope maybe they won't sell our data to commercial entities.

[0]: https://www.epicompany.eu/european-payments-initiative-selec...

[1]: https://payments1connectingthedots.substack.com/p/new-kid-on...


FedNow instant payments in the US. Already live, just taking time to ramp (already plugged into 108 banks and financial services providers, including JPMC and the US Treasury). What it could look like is India’s UPI. UPI is so detrimental to Mastercard’s India business it complains about it publicly.

In Europe, more aggressive adoption of SEPA instant payments.

TLDR utility priced payment rails provided by a central bank or other neutral clearinghouse, instead of a for profit corporation trying to maximize its skim off of nation state or some fraction of global commerce volume.

https://news.ycombinator.com/item?id=36801491

https://techcrunch.com/2023/10/11/mastercard-india-upi-econo...

https://www.ecb.europa.eu/paym/intro/news/html/ecb.mipnews23...

https://www.ecb.europa.eu/pub/pdf/other/ecb.eurosystemretail...


FedNow is a great step but most of the people I've asked tell me it isn't going to do anything to stop people from being debanked for "morality" reasons like sex work.


The only thing that can stop people from being debanked for various bullshit reasons is a legal mandate, explicitly establishing a right to a basic bank account such as e.g. EU payment services legislation does. Even convicted fraudsters should have a right to participate in society by being able to receive and make electronic payments.


Your only solutions for that are physical cash, crypto, gift cards, etc. The legal framework and value transfer systems are tightly coupled. Your bank isn’t going to break the law for you (maybe HSBC).


The OP is not trying to do anything illegal, he is not sending money to ISIS.

We are discussing OnlyFans and WikiLeaks, the only reason you can't pay them is because credit card bosses said so.

HSBC is a premium service, can't afford it until you are a boss of a drug cartel


It would have to be the banks themselves banning their customers, right?


Don't FedNow payments come directly from your bank account, like a debit card? Credit charges have the advantage of protecting you from fraud - the money is still in your hands; you don't have to fight to get it back.


People keep claiming this.

I've run a SaaS in the past. About 10% of all US customers were cc fraud, by far the worst rate by country in my data.

I've lost about ~7 dollars on any transaction that went through and then got refunded. I never had any fraud issues with any other payment method.

For me accepting credit card was a pain and costly, but you are telling me for customers this is painless?


Yes FedNow (and RTP from the Clearinghouse) are captured from bank account, but are push unlike debit which is a pull like credit cards. I looked into it for bill payments and there's a FedNow feature to request payment but it's still in very early stages I don't know if it's even implemented for any of the banks that do support fed now already.


Interesting. Services like my property taxes and electric bill charge me an extra fee for credit card payment (which I prefer since it is push and also rewards) but they only offer direct bank transfer as the other electronic method which I hate since it is pull. I doubt I'll see them adopt fednow though.

My solution for property taxes has been to just set billpay every year to send them a check at the expected intervals.


> property taxes and electric bill charge me an extra fee for credit card payment (which I prefer since it is push and also rewards)

Precisely why credit cards are a hidden parasite on overall economic activity. They incentivize customers to use to get rewards and then take a ~4% cut of the payment from the merchant. So that's why merchants charge you extra fee they need to make up that 4% cost somewhere and it's either fees or raising prices even though you might not realize it.


If you want to pay the 3% credit card surcharge for that benefit, you still can (as merchants can both continue to offer credit card rails and surcharge those transactions). If you as a consumer want to avoid that extra cost, instant payments are available. Disputes is not a valid argument for an entire economy to pay a 3% tax to the credit card rails ecosystem imho.


But it is a valid argument for encouraging distance sales, including most online sales. When customers know they have fraud protection, that helps bring down the anxiety of a purchase a whole lot.

For your local purchases with trusted entities, you can still use cash.

It also goes the other way. Go and try to purchase something from any business on credit when you don't have the money right now. They will always say no, even if you've been shopping there for decades. Visa and MasterCard always say yes.

People love to rail against the CC companies, but if you actually clear your mind and think about it, their payment systems are incredible.


Credit card payment systems were incredible. They are no longer novel, nor compelling, with inexpensive competing systems available. You can extend credit instantly to someone with a deposit account like you would with a credit card (with the "overdraft" being the issued credit, lots of ways to skin the UX around this). You can also offer purchase insurance on a per purchase basis, while still enabling immediate settlement. Buy Now Pay Later (BNPL) is an example of extending credit immediately without needing value to ride CC rails. I am in no way saying that there is no use case for credit card rails whatsoever, but that the economy, businesses, and consumers need not rely on them exclusively. There are cheaper options available now, speaking from a speed perspective.

https://www.axios.com/2023/07/22/fednow-instant-payments-cre...

> Interchange fees — the swipe fees paid by merchants when customers pay by credit card — reached $100 billion in 2022, per Matt Schulz of Lending Tree. That's more than $800 per household.

> In a world where goods cost the same regardless of how they're paid for, it's entirely rational for consumers to pay with credit cards and then collect their kickbacks.

> There's no particular reason why this kind of financial intermediation should be a $100 billion industry, rife with inefficiencies.

> "The shift to instant payments is inevitable," writes TD Cowen analyst Jaret Seiberg in a research note, "though it will take time."

(work at a fintech payments-adjacent, thoughts and opinions are my own)


Great comment! However, I don't see any competing systems that offer built in fraud protection being widely used anywhere. Bank transfer are instant now, yes. For daily purchases they can easily replace CCs, like paying for your groceries.

You mention BNPL, but those systems AFAIK are much worse for the merchants, with very high fees. I'm not sure I understood the insurance per purchase part, but if the vendor is going to scam you, he for sure is going to scam you on the insurance as well. Who sells this insurance and how?

> There's no particular reason why this kind of financial intermediation should be a $100 billion industry, rife with inefficiencies.

What are the inefficiencies really? As a customer, paying by card deducts the money from my bank account instantly. As a merchant, card sales are paid into my bank account the next day.

> You can extend credit instantly to someone with a deposit account like you would with a credit card (with the "overdraft" being the issued credit, lots of ways to skin the UX around this).

I apologize, but I didn't understand this part. How will the merchant instantly open an account for a customer? How would this be as fast, secure and convenient as swiping a card?


> But how do you break up such a duopoly?

You create a publicly-funded option.


> A digital euro would be an electronic means of payment. It would be a digital version of cash, available to the general public and backed by the European Central Bank (ECB) the same way your physical banknotes and coins are. You could use it anywhere that you already use physical euro cash.

https://finance.ec.europa.eu/digital-finance/digital-euro_en


> American morals...they won't provide payments for some websites...

Never heard of that. What are some examples?


Major recent examples that spring to mind are the Wikileaks and OnlyFans bans.


To be clear, it is not finance companies that have morals (which seems silly to even have to say) but rather government, specifically conservative state governments, that go on moral crusades of varying degrees of earnestness to shut down sex stuff they don't like.


CapitalOne told me the reason I can’t use my debit card for the Virginia state lottery, or for any of the numerous betting sites, was because of MasterCard.


Hopefully a dent can be made with something like Offset

https://www.freedomlayer.org/offset/about-offset/


AMEX unusable in Europe? Hardly. I paid for my dentist Friday with it, both supermarket and lunch today, and all Amazon, etc. Some vendors don't take it, but in my European country most places


From the other side of the table, I've worked in companies avoiding Amex support as long as they could, and even after actively obfuscating the support to push the user to use another card.

For smaller entities it's a PITA to have to manage a separate additional contract, and it costs a lot more for the merchant, when virtually nobody only owns an Amex.

If you're in Europe there are probably other payment means that don't rely on Visa/Mastercard that will be much more welcome.

Funny thing to me was the store credit cards that are processed internally without hitting the network (e.g. Carrefour cards, AlbertHein as well I think ?)


Otoh, companies chasing the highest dollar value customers or differentiating via service may want to take it. Higher ticket prices, more revenue, despite the aggravations.

It’s almost as if a business needs to decide if it’s mass market or high end. I would only buy certain classes of goods with my AmEx due to how confident I am that Amex customer service has my back.

For example, the Amex platinum card will reimburse you for items the merchant won’t accept as a return. I recently bought an electric screwdriver that sucked, but wasn’t able to make a decision until I’d used it for longer than the merchant return window. I paid with amex and just got it refunded.

As a consumer that has real value.


Yes. This also happens on luxury goods: if you're selling hotel rooms on top of a casino, accepting Amex/Diner etc. is table stakes.

Cheaping out on processing fees or putting friction on the payment part will be a signal that you don't understand your customer and will potentially be nickel and diming the experience all the way down, which is clearly not the image you're trying to convey.


I have an Amex card because my work forces me to take one. But I don't find this a "luxury" experience at all. It's really hard to use the damn thing, for example try to get a taxi at the rank in Paris Charles de Gaulle. 90% of the drivers refuse it and the ones that do accept it often pretend the "machine is broken" later.

In other countries like Romania the taxi drivers just laugh in your face when you try to pay with an amex. I hate that thing but our stupid HR VP from the US forced it on all of us. Probably gets some nice kickbacks in return.


> As a consumer that has real value.

Of course, that value is entirely funded out of your own pocket.

Instead of paying with your Amex for overpriced goods, you could put a bit of money to the side for every normal purchase, and use that pot to 'refund' your electric screwdriver yourself.


I’m not clear what you mean, but I understand the concept of being your own warranty backer. This is different - I would have bought this screwdriver with a visa, if I didn’t have that Amex.

The Amex makes me confident I have recourse. Is your point that I would spend less if I didn’t have that confidence? I suppose so, but I’d actually rather prefer having that confident experience rather than feeling insecure or like I got ripped off.

That’s real value, and I don’t mind if it means I buy an extra tool here and there. Especially if I can get some extra refunds.


> For smaller entities it's a PITA to have to manage a separate additional contract, and it costs a lot more for the merchant, when virtually nobody only owns an Amex.

I completely agree on the cost part for AMEX, but how do you mean it's a PITA to accept those cards? It's usually as simple as enabling an option with your card payment service, not very complicated at all.


Visa/Mastercard is usually a contract that is bundled with your PSP, where Amex needs a separate contract merchant by merchant.


Use cash more.

I know you can't use it everywhere, and for everything, but -- for the sake of privacy, use cash when and where you can. The cashless economy is a surveillance economy, and if you care about privacy (for others, if not for yourself) then you should use cash whenever possible.


Unfortunately, using cash does not by itself create an alternative that can be used for remote/online payments too.


I'm aware. But it does reduce the value of data mining, simply by reducing the amount of data.


That is not relevant; it does not help produce an alternative payment system.


The problem is cash is sometimes slower. Self-checkout machines not uncommonly have a card-only option, or otherwise you're stuck waiting in line, which can be way slower.


So not there. Where you can, is the important part


This comment is meant to get an interesting conversation instead of "mastercard bad" or whatever.

Would the EFF feel any differently if the data were pseudo-anonymous and open to everyone?

You can go to SteamDB.info and learn a lot about millions of people based on what games they buy. It's a pseudo-anonymous per-user purchase history. Here's mine: https://steamdb.info/calculator/76561197975362423/?cc=us . You can look up basically anyone on Steam, and even do advanced math on all of it. It's been going on for at least a decade.

Have there been consequences or harms? I mean maybe in some isolated case I can imagine it. But there's also lots of value in the data being open.


Absolutely not. Pseudo-anonymous can still be traced back with the right correlations.

It should just be illegal to use customer data unless they explicitly agree.

It's not even about harm. It's about having a right to privacy.

And this is not some computer games we're talking about. It's our whole lives.


Ad Tech measurement companies can absolutely attribute purchase behavior back to a specific individual. Having worked in this space, banks sell data with an "anonymous" ID that's correlated back to an identity graph provided by a company like LiveRamp. Usually this is then used to determine whether a specific individual who viewed an advertisement (as determined by probabilistic (ip address, session id, or similar) or deterministic data (device id, account login) about an individual) has actually been "converted" to make a purchase. These data sets are not "deidentified" or "anonymized" as many of them claim, and "data clean rooms" advertised by many ad tech vendors are a good privacy aid, but are not nearly sufficient to protect vulnerable populations.
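
A release-side check for the re-identification risk raised in the comments above, as an added example that is not part of the thread: it measures the unicity of a pseudonymized transaction table, meaning the share of small sets of known purchases that single out exactly one ID. The table layout, the sample rows and the function names are assumptions made for this sketch.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import combinations

# Constructed sample rows: (pseudonymous_id, merchant, day). No real data.
TRANSACTIONS = [
    ("id_a", "grocer", 1), ("id_a", "pharmacy", 2), ("id_a", "cafe", 3),
    ("id_b", "grocer", 1), ("id_b", "cafe", 3), ("id_b", "bookshop", 4),
    ("id_c", "grocer", 1), ("id_c", "pharmacy", 2), ("id_c", "cinema", 5),
    ("id_d", "grocer", 2), ("id_d", "cafe", 3),
]


def points_by_id(transactions, coarsen=False):
    """Group each ID's purchase points; coarsen=True drops the day field."""
    grouped = defaultdict(set)
    for pid, merchant, day in transactions:
        grouped[pid].add((merchant,) if coarsen else (merchant, day))
    return grouped


def unicity(transactions, k, coarsen=False):
    """Share of k-point subsets of one ID's history that match no other ID.

    A high value means that knowing k purchases of a person is usually
    enough to pick their whole history out of the "anonymous" table.
    """
    grouped = points_by_id(transactions, coarsen)
    unique = total = 0
    for points in grouped.values():
        for known in combinations(sorted(points), k):
            total += 1
            # Count every ID whose history contains all k known points.
            matches = sum(1 for other in grouped.values() if set(known) <= other)
            unique += matches == 1
    return Fraction(unique, total) if total else Fraction(0)


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"k={k}: full={unicity(TRANSACTIONS, k)} "
              f"merchant-only={unicity(TRANSACTIONS, k, coarsen=True)}")
```

Run against a real export before release, the same measurement shows whether coarsening fields such as the date lowers unicity enough, or whether the table should not be shared at row level at all.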


Yes.

But perhaps go further?

> It should just be illegal to use customer data unless they explicitly agree.

Should you be able to use customers data for any purpose whatsoever except in the delivery of goods and services that define your business?

There are edge cases, of course. But it is not edge cases that matter.

Giving permission is problematic. How do you know if you have genuine permission?

Here in New Zealand I think (IANAL) that if the other side of a major contract (like a house purchase) does not get independent legal advice then it is very difficult to enforce the contract in any way other than buy/sell.

Other conditions, idiosyncratic ones, cannot be enforced.


Not every anonymization can be undone. It depends on how it's done.

And customers already explicitly agree. They just don't read the terms when they sign up or value having a credit card more than that level of privacy.


It's not like people have a choice. At least where I live a lot of places don't take cash anymore.


Then we all should vote for a new net neutrality because until internet is a utility, you agree to a terms of service that is hostile towards privacy.


All transactions on most crypto networks are pseudo anonymous and publicly accessible.


> You can go to SteamDB.info and learn a lot about millions of people based on what games they buy. It's a pseudo-anonymous per-user purchase history. Here's mine: https://steamdb.info/calculator/76561197975362423/?cc=us . You can look up basically anyone on Steam, and even do advanced math on all of it. It's been going on for at least a decade.

Can't you opt out by making your profile private?


Sure, but if you game this out, it still comes down to whether or not your opinion is that this data should be public. That Steam's methodology happens to be opt-out sharing - in other words their opinion is it should be shared, because people don't change defaults - doesn't change that there haven't been any known major harms and many major benefits, especially in the opinions of game developers.


Never seen what gamedevs think of it, you remember what they think of this data?


Note that you can set this data to private - I can't see my steam data on this site...


Yes you can. This is just steamdb processing data that is already public.


> Would the EFF feel any differently if the data were pseudo-anonymous and open to everyone?

I think having data visibly public and open to everyone is a lot better than having it seemingly private and quietly selling it.

> Have there been consequences or harms? I mean maybe in some isolated case I can imagine it.

There have definitely been people getting outed against their will because they didn't realise their play history was visible. I'd be amazed if there wasn't at least one case where someone has been attacked as a result.


Good point. The sticky point is privacy protection. Would you be ok with every single transaction you make being public? Even if so, many would not be.

Selling/sharing depersonalized data is hard to find fault with.


Is it objectively true in general that default sharing transaction-level credit card data - in other words, I can see a (pseudo) anonymous "user ID" column in a table of transactions - benefits all of us more than default privacy? In my estimation yes, but this is a complex question.

My point is that the EFF spends no time investigating this in a serious way at all. We live the reality I'm describing with Steam, which is millions of people, it's been going on for a long time, it's conceivable that even broader categories of transaction data may be prisoner-dilemma-style valuable to share. I just wish the EFF would engage with that 1 iota. Otherwise they are just another opinion in a sea of brand-and-celebrity posters.


No, they’re taking a clip of every sale and if I want to pay by card (which is increasingly becoming the only medium) I must choose them or VISA who I assume are just as bad.


Pseudo-anonymous can be de-anonymized. This would be terrible to be public.


Greatly appreciate this post! Have a Mastercard issued by my bank and have now requested them to investigate or else!


Your bank knows. If they're big enough, they will have known for a while as Google and/or MC will have told them during a sales pitch.

See the Bloomberg reporting from 2018: https://archive.vn/SLmFw


EFF doing something that pertains to their charter as it stood e.g. 10 years ago? I'm all for it.


What are you getting at?


One reason to like the Visa/Mastercard duopoly. They work everywhere. I go to the Netherlands a lot for work, and it is a real pain as they have their own payment system, IDEAL, one needs to live there, that is closed to foreigners. Many vendors, especially outside of main tourist areas will not take foreign cards. Guess they don't want to pay 0.1% fees. Yesterday, was left embarrassed in Albert Heijn where they only took Dutch cards and I did not have enough cash. (some AH do, most don't)


But as you just discovered, they don't work everywhere. Plenty of Dutch and German stores don't accept them. Visa and Mastercard interchange fees are nowadays capped to 0.3% by law, but they used to be 2%+ (and still are in the USA AFAICT), that's why historically Dutch and German retailers shunned them. Why pay 2% to accept a few more cards from foreigners and tourists when 99% of your customers already have a 0.3% fee card (Maestro or VPay)?

Also, the Dutch iDEAL system might form an important building block of a European home-grown payment solution, that hopefully will give the Visa/MC duopoly some actual competition: https://en.wikipedia.org/wiki/European_Payments_Initiative


I agree. But plenty of Dutch vendors only accept Dutch mastercards and not foreign. The fee is the same. WHY? And foreigners can't get IDEAL or Dutch mastercards. I have gotten used to carrying a lot of cash when there. Fortunately, Holland is safe. Someone looked at me very funny when I paid them EUR 500 in cash last week.

But we also know why a European home grown payments system is not happening. The incumbent banks hate it and have enough power to block such solutions.


Here are the transaction costs for a retailer at the largest Dutch bank:

- Maestro, V PAY, Debit Mastercard and VISA Debit issued in Europe: €0.047-€0.06 per transaction

- iDEAL: €0.35

- Mastercard and VISA creditcards issued in Europe: 1.70%

- Mastercard and VISA creditcards and debitcards issued outside of Europe: 2.50%

https://www.ing.nl/zakelijk/betalen/tarieven/betalingen-binn...

For a €100 payment, we're looking at €0.06 debitcard transaction vs €1.70-€2.50 creditcard. If I were a Dutch retailer outside of areas/sectors with a lot of foreign/tourist business I probably wouldn't bother with credit cards either, as probably 99%+ of the Dutch have Maestro, VPAY or cash.


I have European debit cards. They get rejected in many Albert Heijn when Dutch cards (debit and credit) are taken. Jumbo takes foreign cards. Jumbo gets my (and a lot of my colleagues who pass through) business, AH not. Many restaurants take Dutch credit cards and not non-Dutch European credit cards. I went to a restaurant that takes Bitcoin but not EU debit (and Bitcoin transaction costs are much higher)

So if the fees on non-Dutch European and Dutch cards are the same, what explains this? Xenophobia? That is what my colleagues in Holland say.


There is no such thing as a generic "European debit card". Dutch retailers accept specifically only Maestro, VPay, MasterCard Debit or VISA debit cards, but usually not VISA Electron, or various other country-specific European debit cards like Bancontact or giropay or EC. Albert Heijn (except in a few stores in Amsterdam and Schiphol) doesn't accept any credit cards and does not distinguish between domestic or foreign. It's a matter of costs, not xenophobia.

Retailers just choose from the options from their bank, which are the debit card I already listed (Maestro, VPay, MasterCard Debit or VISA debit), and optionally VISA and MasterCard credit cards (which are separate from their debit cards). Retailers do not have the option of accepting Dutch Maestro/VPay but excluding Maestro/VPay issued elsewhere in Europe. They do have the option to exclude credit cards altogether, and many do for the reason of € 0.06 transaction cost vs 1.7% and that around 100% of Dutch account holders have one of (Maestro, VPay, MasterCard Debit or VISA debit). Xenophobia has nothing to do with it, any more than retailers in your countries might not accept Bancontact, giropay or UnionPay cards.


The actual problem is that merchants are not allowed to charge payment fees to their customers.

If you had to pay the fees as a customer, free market forces would do their job.


Outside of main cities and Germany is the same for restaurants and cafes. Pita


As a tourist, though, a pro tip is that big banks in Germany charge for deposits, not withdrawals, so if you happen to have a debit Mastercard with no exchange fees (e.g. in Canada, EQ Bank or WealthSimple), you can use your Mastercard at a bank ATM completely fee free and at Mastercard exchange rates. Plus it doesn’t matter which bank you go to, just pick the nearest name brand big bank ATM and you’re good to go.



