This might be a little off topic but I often read articles like this, and elsewhere, speculate on the "future" where so 'n so is able to see exactly what you purchased on your cards for some nefarious reason.
So here is my question: Do stores REALLY pass on an itemised list to the credit card processor? Because it was always my understanding that all they passed upstream was the amount and the name of the establishment.
This article claims: "Imagine getting a call from your doctor if you [...] make a habit of buying candy bars at the checkout counter"
I don't think that data exists outside of the specific convenience store where you purchased the candy. The CC company would know that you spend an extra $1 at that place, but how do you tie that into bad eating habits? Maybe they purchased an apple or a cup of coffee.
I'd really love some insight on this topic, and I will happily admit that maybe my information is either out of date or just flat out wrong.
That's one reason stores like issuing their own credit cards - they have the detailed in-store data and summary external data (assuming you use the card elsewhere):
The exploration into cardholders’ minds hit a breakthrough in 2002, when J. P.
Martin, a math-loving executive at Canadian Tire, decided to analyze almost
every piece of information his company had collected from credit-card
transactions the previous year. Canadian Tire’s stores sold electronics,
sporting equipment, kitchen supplies and automotive goods and issued a credit
card that could be used almost anywhere. Martin could often see precisely what
cardholders were purchasing, and he discovered that the brands we buy are the
windows into our souls — or at least into our willingness to make good on our
debts. His data indicated, for instance, that people who bought cheap, generic
automotive oil were much more likely to miss a credit-card payment than someone
who got the expensive, name-brand stuff. People who bought carbon-monoxide
monitors for their homes or those little felt pads that stop chair legs from
scratching the floor almost never missed payments. Anyone who purchased a
chrome-skull car accessory or a “Mega Thruster Exhaust System” was pretty likely
to miss paying his bill eventually.
Martin’s measurements were so precise that he could tell you the “riskiest”
drinking establishment in Canada — Sharx Pool Bar in Montreal, where 47 percent
of the patrons who used their Canadian Tire card missed four payments over 12
months. He could also tell you the “safest” products — premium birdseed and a
device called a “snow roof rake” that homeowners use to remove high-up
snowdrifts so they don’t fall on pedestrians.
Seriously, can you get more vicious thinking inside the company, when the policy is to spend money on r&d on how to mine users data better, but at the same time not to worry enough about their cc security?
I'd pay for an itemized list of all the stuff I've bought at the grocery store(s) over the last 6 months. I'd love that level of insight into budgeting what is my family's third biggest expense.
FWIW, none of the stores I go to have loyalty cards, though I'm pretty sure that they could do matching based on hashed card values or the name they get back from the card. (That's could, not that they do. I'm not sure if PCI would look at them sideways for hashing card values and using that as a key for a data store)
There are a number of receipt scanning services which can provide what you're looking for (they are mostly B2B, but do what you basically suggest)
https://www.shoeboxed.com/http://www.neat.com/
etc...
A grocery store I visit has recently ended their loyalty card program. My assumption is that they're doing what you describe, and don't care much about the few people who pay cash. Tracking itemized purchases is probably critical business information at this point for any large chain.
I'm surprised there has been no leak of purchases from major restaurants or retailers, just credit card datasets.
Does the California law only require disclosure of leaks of financial information, or do businesses finally start taking proper security measures (and/or airgapping) when there is business intelligence at hand?
Its the former. Laws cover payment info. Also, payment info is more valuable to steal, and more compact to transmit and easier to decode from the raw storage data.
Once you have any security in place, it's probably more complicated to NOT include your payment database in it. PCI auditer will actively inspect your payment database attack surface.
Just curious, but what country/part of the country do you live in? Virtually every store I walk into either has a loyalty points system, a credit card, or both.
I've suspected loyalty points programs are just an accounting trick. You're creating your own currency which doesn't always get used up, and you can devalue whenever you need to make your quarterly numbers.
And if your program really catches on, you can get other retailers to sign on, creating a side business, or spin it off as a separate business if someone is willing to pay you for it (it's easy to segment off from your core business).
In general, store points and so forth are something that stores hope you'll perceive as being of greater value (and hence encourage loyalty) than they'll every have to actually deliver on.
The norm with grocery stores though seems to be more in the vein of giving instant savings to card holders. Some chains (Safeway out West is one of them I think) have so many and such deep special prices that I have a card even though I only shop there on vacation sometimes.
(Interestingly, Shaws--which is an Eastern US chain now owned by European company I believe--discontinued their card in this vein a few years back.)
An island outside Seattle. We don't have any large chain stores on the island. There are 4 grocery stores, all independent, serving a community of about 15k people. There's also only one fast food chain, a Dairy Queen.
The only loyalty card I actually use is the coop feed store, I think the hardware store might have one too, but I've never bothered with that.
My understanding is that there are three levels of credit card processing (1, 2, and 3 - corresponding to different amounts of information transmitted about the transaction). I've heard from individuals supposedly familiar with payments systems in stores and payment processing that many big chains have a level 3 credit card processing system in place for consumer purchases.
One part of level 3 processing is a line item list of what was purchased. So if it is true that there are stores using a payment system that routinely transmits level 3 information for consumer purchases then it would follow that the credit card processor does currently have the information on exactly what you are buying from those particular stores (not just the merchant and the total amount).
I just did a quick minute or two of web searching and didn't see a trustworthy looking link describing the practice of level 3 card processing for consumer purchases. Maybe someone with experience in the card processing industry could comment on this?
Yeah, I saw that section on Wikipedia also. But I believe I've found a link indicating that level 3 is being used for consumer purchases in at least some individual stores.
If you look through Visa's supplier locator at https://www.visa.com/supplierlocator/ you can search for a business (or category of business) at a particular address or zip code. It will tell you the MCC (category) and appears to also show the data level reported to Visa.
I looked up Safeway grocery stores near Seattle. If you take a look at the one at 14444 124th Ave NE, Kirkland WA 98034 the data level is 'Fleet, Level III Line Item, Level III Summary'. I take this to mean that anyone using a Visa card at that particular Safeway will have their line item receipt sent to Visa. I would be surprised if the other credit card processors don't have setups like this as well.
No, generally the credit card company receives a message with the following data - card info (duh), amount, merchant ID, merchant category. So they don't have to guess if 'McGuffin ltd' is a pharmacy or a restaurant, and they may know that you shop at mcdonalds often, or have never bought anything from a pharmacy, but no more than that.
I don't recall if a single merchant may/must offer different codes depending on the type of goods sold (i.e., a gym selling a membership vs selling a soda). I believe not, but it might be an option.
The only place that would get such itemised info is the multi-store loyalty cards; those do link a person to itemised purchases.
I think there are certain stores that routinely report itemised info. I just posted this link in another comment thread but check out the https://www.visa.com/supplierlocator/ search results for the column 'Enhanced Data Level'.
If you search for the Safeway grocery store at 14444 124th Ave NE Kirkland WA 98034 - the data level cell contains 'Level III Line Item'. I believe this means that at least for Visa, that store is using level 3 credit card processing and line item receipts are reported to Visa.
If you go to Walmart, you will notice when checking out that each item scrolls across the Ingenico POS. I believe they use FirstData (formerly part of AmEx, now privately held by KKR) for their merchant acquirer which is receiving this SKU data. FD used to offer services to the CPG industry using this data.
I bet you could detect a lot of candy buyers through their patterns of convenience store purchases. There's also candy stores, fast food, and restaurants that are known for rich food. Machine learning could probably figure out a lot if trained on the confirmed habits of other people whose purchase records are available. You could do customer surveys to get the data, or put what you want to know into the intake form.
What I don't buy is that people's habits will generally predict their health situation. I think this is a report on a press release of what some medical business association imagines that the person that they're hoping to recruit from somewhere will be able to do. I think the benefits will end up far lower than the costs.
You don't even need a loyalty card. Match up the amount and time of the charge to the in-store inventory system, and you can be about 99% sure that you are correctly matching the person's card to their purchase. If the store scans a UPC, then that UPC is in their system. Sure, the receipt may just print 'candy bar' but the UPC says 'Butterfinger 2oz classic bar'.
It depends on the merchant and the processor. Some, like PayPal Pro [1], support sending a list of items; Stripe and Braintree appear not to. It is always optional.
The next step is "health insurance" (as we call it in the US, though it's in actuality no such thing) carriers mining your credit card and loyalty program data and hiking your rates if their model predicts you're going to need more or more expensive care.
The problem is that unhealthy lifestyles (drinking, smoking, fast food, &c) are disproportionately found among the lower socioeconomic strata, creating yet another penalty for being poor.
The funny thing is that the insurance industry is obsoleting itself.
If they perfectly assess risk, your annual premium will just be your annual cost plus all of the administrative costs of insurance, so just self-insure. We're getting closer and closer to that, further eliminating any value that anyone gets from insurance.
If they perfectly assess risk, your annual premium will just be your annual cost plus all of the administrative costs of insurance
Uhh, no. That's not how insurance works.
The idea of insurance is pooling risk. So if you're perfectly healthy you are in essence paying for other people's treatment.
However, if you happen to run into very expensive health issues it's you that profits from the premiums of other people.
If insurance works as you describe it it wouldn't make sense at all and everybody would individually be responsible for her entire medical cost. With partially ruinous consequences for the individual.
> If insurance works as you describe it it wouldn't make sense at all and everybody would individually be responsible for her entire medical cost. With partially ruinous consequences for the individual.
And better at real-time charging and paying for insurance in micro-increments. Predicting over the course of a year is hard, over the next microsecond, not so much.
Going to the gun range? Your insurance premium just went up by $6/hour. Speed in your car? Slam on your brakes suddenly? Driving quickly in heavy traffic? Drive at 3AM on Saturdays?
Insurance companies that can better predict customer risk outcompete those that don't. They can charge less for lower-risk customers and still make a profit, thus drawing them away from their competitors and leaving their competitors with higher risk people who pay too little.
Yet, the end game is that everyone can predict risk so thoroughly that insurance is pointless.
It's ultimately a weird, backwards Tragedy of the Commons, and various non-discrimination laws are sort of the regulatory response to it.
Yet, the end game is that everyone can predict risk so thoroughly that insurance is pointless.
Not true. Suppose you have a 0.01% chance of needing a $10M treatment in your lifetime. First of all you can't say, "Oh I'll just self insure" because few people have $10M. Second, you may decide that paying $10,000 over the course of your lifetime is preferable to risking a payment of $10M.
Removing uncertainty doesn't eliminate the need for insurance, it just reduces the opportunity for risky subscribers to socialize their risk, and for insurance companies to reap gross profit.
Um, in both of those cases, removing the uncertainty would eliminate the need for insurance:
In the first, the insurance company would know, with certainty, who falls into that 0.01% category, and charge them $10m for insurance in their lifetime.
In the second, the insurance company, with certainty, would know what year the treatment is needed, and charge a $10m premium for that year only.
Ok, I guess what I mean is eliminating uncertainty in risk profiles. IMO we are headed towards a world with good risk profiling- but I doubt we are anywhere close to predicting the future with certainty.
Insurance companies are identifying things like "Driving at night increases risk of accident". They are nowhere close to, "A blue corvette driven by a 43 year old male will rear-end a ford pinto today"
As of January 2014, the ACA made it illegal to base premiums on current or past health status. So at least in the US pricing like this no longer occurs.
Which means that if your current and past health status are poor, you're probably aware of this, and should sign up for the best insurance you can, since you're far more likely to reap the benefits. You should overinsure yourself, and buy some investments in the hospitals that you're going to be visiting.
Those with above average current and past health status should enrol into the very least amount of insurance they can get away with.
This is, of course, why the law against changing premiums based on a person's health status was combined with a law requiring everybody to buy fairly comprehensive insurance whether or not they want it.
A 0.01% chance means uncertainty. Eliminating uncertainty would mean that you know your risk is either 1 or 0. If it's 0, you wouldn't buy insurance, and if it's 1, they wouldn't sell it.
Actually, mandated insurance is perfectly in-line with what insurance is for. For n people, you now own a 1/n share of n risks that are not perfectly correlated with each other. Since people are assumed to be risk-averse and due to Jensen's inequality, your expected utility from paying your 1/n share is higher than your expected utility from taking a chance and either 1) paying nothing if you don't experience the adverse event, or 2) incurring the full cost of the adverse event.
I think what you're trying to say is that the aggregate risk remains the same under mandatory coverage, put that's going to be true no matter what and the effects of this risk can be optimally spread through insurance.
As an example, say $180 billion dollars worth of damage is done to 1 million homes in the US through natural disasters every year. With 300 million people in the US, mandated insurance would have everyone pay $600 a year to cover these damages. No insurance would mean you paid nothing unless your house was affected, at which point you lost on average $180,000. Insurance exists to pool the risks of these life-destroying events.
Insurance definitely isn't going away, in fact our capability to insure against a wide variety of events is in its infancy. The insurance market will only get more and more sophisticated. Hank Greenberg has some interesting thoughts on the direction of the industry.
Perfectly. Wow. You've confused a single-payer system with mandated-coverage for-profit insurance companies...that will somehow be forced by regulation to "optimize"...cost? Yeah. What's the CEO of UnitedHealthcare's nut, again?
Let's talk outcomes and efficiency, and not pretend charging doctors $39 to file "insurance" paperwork is anywhere close to optimal.
And, yes, aggregate risk for people will not change, as we, unlike our tools (e.g. a house), are only at equilibrium when we are dead.
For now. The mandated electronic medical records from the ARRA and ACA will make it easier for entities, government or private, to do so in the future.
A single-payer system would have similar incentives (in the form of cost reduction) to do the same.
there should be no limits on smokers. There is no possible health benefit with smoking and as such penalizing them might get them quit. Many self insured companies already charge extra, 600 a year where I am. However for the money most make that isn't diddly, at least they don't think so
Vanderbilt University economist Kip Viscusi claims a net cost savings of 32 cents per pack sold [1]. It seems we're all going to die, and Alzheimer's isn't part of the quick and easy way out of healthcare cost. And at the ripe age of 125 or so, 100% suffer cancer.
Smoking could save money for society but it probably doesn't save money for individual insurers, who are much more worried about the shorter term. The private insurance you have when you're 30 isn't going to be paying for your nursing-home care when you're 90, but they are likely to end up paying for various smoking-related illnesses that kill you sooner.
We don't really have Health Insurance companies. Insurance is about risk management, and we have mandated health coverage. But, to your point, this is why real insurance companies manage their portfolios, aggregate. If they're losing money, it's not the responsibility of society to save them.
You're not wrong that there's a negative correlation between smoking and obesity or Parkinson's, but that is not a reason to take up smoking. You're far more likely to die of cancer or heart disease as a smoker than you are not to die from Parkinson's because you smoked.
In the case of poor diets, it's often enough a matter of what they can afford. So, yes. Let's impose a financial penalty on people who are eating poorly because they can't afford to eat well. That makes perfect sense.
That said, I'm not opposed to smokers paying higher premiums — but that practice already exists, based on policyholder disclosure, or rescission in the event of fraud. (I say that as a former smoker, who did disclose my habit, and paid a substantially higher premium because of it.) We don't need carriers trolling through peoples' transaction history to dredge up every possible excuse for hiking premiums, because that's exactly what they'll do.
You can eat well for cheap. But it requires discipline. And that's what lot of poor people lack. (It's a survivorship bias: discipline helps your chances of getting out of poverty.)
Yes, it's true that sometimes you can find healthy stuff for relatively cheap. It's also true that you cannot do it consistently, in order to "eat cheap" in a consistent manner, it means constantly hunting for those deals, which implies trading your time for money. This is something the poor do a lot of, sitting at a laundromat instead of just throwing clothes in a washer, for example.
And I don't want to hear about eating some form of beans 5 days/week, eating healthy implies variety.
It can occassionally be done as cheaply as eating unhealthily, but not consistently over time. Your food bill will go up.
No need for deals. Just stick to the basics, and avoid sugar and other crap.
> And I don't want to hear about eating some form of beans 5 days/week, eating healthy implies variety.
Vegetables can be pretty cheap, if you stick to what's in season. Beans are a good start, add lentils, potatoes, carrots, etc. Offal makes for cheap protein (but is not to everyone's taste).
On the other hand you could get cheaper insurance by paying in cash or being healthier. This is the point of insurance, to estimate your risk as accurately as possible and charge based on that.
Again, we don't have health "insurance". Actual insurance, as the term is used everywhere but in the American health care system wouldn't cover routine care like visits to your kid's pediatrician, but would cover major care such as surgeries — just like your car insurance doesn't cover oil changes, but does cover fender benders.
Auto and home insurers in fact do pay customers for risk-mitigation actions like driver training and alarm systems, just as health insurers pay for preventive medicine.
They don't pay you for those things, and nor do they pay for them. They reduce your premiums if you have them. That's perhaps a subtle distinction, but it's a critical one.
If you're suggesting that an annual physical exam is the risk mitigation equivalent of a car alarm, then GEICO should have eaten the extra cost for purchasing a car with one installed instead of charging a lower premium because you have one.
Huh? My (mandatory and public) health insurance in Germany does pay for that. For some short time there was a €10 co-pay for routine checks (obviously not covering the actual cost of the visit) but even that was abolished some time ago.
I mean, insurance doesn’t cover everything, obviously, but that mostly applies to nice to have things or aesthetic things that aren’t really necessary (e.g. root canal treatment for wisdom teeth is not covered – pulling wisdom teeth if the caries is causing problems that can’t be solved with fillings anymore is, glasses are not covered, etc.).
The penalty is for being unhealthy, not poor. There are poor people that are healthy, just because a lot aren't, do you expect insurance companies to give them special treatment?
So? Should we give criminals an easier time because the majority are from poor backgrounds? There will always be poor people and there are always things you can do to make their lives better, complaining about insurance companies isn't one of them.
This is coming from somebody who was raised in a very poor family so it's got nothing to do with not caring about poverty. It's just these sort of liberal ideas you could hear at an occupy protest show zero understanding of economics and are basically just bitching about companies.
How are hospitals incentivized to prevent disease? I thought it would be the insurance companies who would do this, but they wouldn't be allowed to as it would also let them prescreen customers. Perhaps it could be insurance companies who pay hospitals for being good with disease prevention? There's an interesting interaction there.
Capitation of member lives is one mechanism that's been tried. That's the theory behind HMOs, though some (notably Kaiser) seem to be markedly more effective than others.
The story behind how Kaiser healthcare was founded (providing health services for workers on the Hoover Dam) is pretty interesting.
One of the primary ways (though not the only one) is by being part of an "Accountable Care Organization." These allow health systems to share in the savings they create for Medicare patients.
If they're accurate enough, can they be legally forced to inform the patient when there's a high probability that the patient will get sick in the future? You know, "prevention is better than cure"
How long before someone sues a hospital for 'negligence' for knowing the future and not letting the patient know?
How do they know what specific items were purchased? Is there any way for a consumer to see their own data on that? Also, seems like there would be a lot of false positives as I don't consume or use everything I buy with my card.
Can insurance companies legally access credit card transactions? Like the fact that you shopped at a specialty medical store for a pre-existing condition?
Lots of health insurance companies are technically non-profits. Doesn't change their behavior. They accumulate huge amounts of excess reserves, and pay their executives like they're a for profit company.
How can they tell whether I've been buying cigarettes or carrots at the grocery store?
My credit card statement just shows a store name, timestamp and amount. They'd presumably have to be colluding with the grocery chains to get the sort of information mentioned in the article.
From TFA, emphasis added: "The company purchases the data from brokers who cull public records, store loyalty program transactions, and credit card purchases."
Store loyalty programs do track SKU-level purchases. There was a case years ago where a patron tripped and fell at a store, and filed a personal injury suit. The store pulled up that person's loyalty program records, noted that they'd been purchasing a larger than average amount of alcoholic beverages, and insinuated at trial that the patron might have been drunk.
The article seems to be taking things further than is necessarily possible right now, but while it might be hard to know precisely what you buy at a supermarket, it's a pretty fair bet that if you made a purchase at McDonalds you were buying junk food; if you made a purchase at an off-licence you were probably buying alcohol. And so on.
The data might not be perfectly accurate but it can leak a lot of probable information.
If you ran a machine learning algorithm on the data, without knowing how much anything cost and just wanted to correlate certain purchase amounts with whether people tended to get sick or not, you would probably find correlations with certain amounts that happen to correspond to things like cigarette purchases.
This is especially likely because people often tend to buy only cigarettes, or maybe a couple of other things, rather than only buying them along with a larger group of items that would tend to disguise the purchase.
It should be pretty easy to spot the difference in average prices between someone buying a packet of cigarettes, vs a bar of chocolate, vs a weeks' worth of shopping. It might not be super accurate for each data point, but given enough data it's likely some fairly consistent patterns will emerge.
In fact, one of the things about ML is that it's good at spotting all sorts of correlations. Those don't prove the existence of a causal link, but often that doesn't matter: the fact a correlation exists is enough. So simple things like buying patterns might be correlated with certain tendencies or risk factors, regardless of what the contents of the purchases actually are (of course this is purely hypothetical).
If it were me, and that was all I had to go on, I'd take the amount and work out the likely combinations of goods that you might buy with that amount, then use other purchases where the store was likely to be selling one thing to alter the probability assigned to various purchase combinations. You could also weight it by buying frequency, the likelihood of particular purchasing habits in their demographic - things like that.
Maybe you wouldn't be able to tell precisely what someone bought, but I imagine you could get a reasonable idea.
Not that I don't imagine - the article and
rosser say as much - that they have other sources of info.
When the merchant submits the transaction to their credit card processor, depending on the processor, they can have the option of sending a list of items. I'm not sure why anyone does (maybe it'd be required for sales tax purposes, or for more complicated rate calculations), but for example PayPal Pro [1] offers the ability to send a list of items.
I don't understand this. How does my credit card data tell hospitals what I buy? Personally, I can't get anything beyond a date (dubious accuracy) and the amount spent.
If you buy something at a liquor store, you're likely buying alcohol. If you buy something at McDonald's, you're likely buying fast food. Do you pay for a gym membership? Pretty much every store has an itemized list of everything you're buying - though only some of that is currently exposed to your credit card processor.
Obviously, some purchases are more obvious than others - but it's safe to assume that if there's a profit to be made regarding selling more-specific information about each purchase, then businesses looking to increase their bottom-line will seek to opt-in to selling that information.
What I expect to see is for it to star as an opt-in choice by consumers. Want a lower health-insurance rate? Opt-in to this program where we see where you're eating and if you're going to the gym. You're starting to see it in the auto-insurance industry where insurers will give you a safe-driver discount provided the device you attach to your car confirms you're a "safe-driver". But eventually I'd bet it will be a requirement for auto insurance. They're pushing to mandate auto "black-boxes" in every car. Right now, that data requires a court order to obtain in an accident, but how does that change when every car is connected? Does that data live with the vehicle, or is it sent to a remote location "for the safety of the data in case of a crash" or whatever spin they put on it?
I see a lot of people asking about how they get the data. One way is through huge data brokers that buy and sell data from retailers, merchants etc. One big company that has a huge trove of customer purchase information is Acxiom.
"The data-gathering has stirred privacy concerns. The Wall Street Journal reported in 2010 that Rapleaf, the former parent company of LiveRamp, had amassed databases tying people’s real names to privately shared information in their Facebook profiles, as well as data in their voter-registration files, real-estate titles, shopping histories, and other records. The company was censured by Facebook for the practice, which involved pulling data from apps against the social network’s rules."
It is interesting. In Sweden this would be illegal to do, unless you had consent from each individual at the time of data collection to do that type of data assembly and analysis.
This seems promising. When it comes to healthcare, prevention is nearly always more efficient than treatment, and early detection of problems is very important. If this can be turned into more accurately determining who needs to be screened for lifestyle-related problems like arteriosclerosis, blood pressure, diabetes, etc, that would be amazing.
So here is my question: Do stores REALLY pass on an itemised list to the credit card processor? Because it was always my understanding that all they passed upstream was the amount and the name of the establishment.
This article claims: "Imagine getting a call from your doctor if you [...] make a habit of buying candy bars at the checkout counter"
I don't think that data exists outside of the specific convenience store where you purchased the candy. The CC company would know that you spend an extra $1 at that place, but how do you tie that into bad eating habits? Maybe they purchased an apple or a cup of coffee.
I'd really love some insight on this topic, and I will happily admit that maybe my information is either out of date or just flat out wrong.