So here is my question: Do stores REALLY pass on an itemised list to the credit card processor? Because it was always my understanding that all they passed upstream was the amount and the name of the establishment.
This article claims: "Imagine getting a call from your doctor if you [...] make a habit of buying candy bars at the checkout counter"
I don't think that data exists outside of the specific convenience store where you purchased the candy. The CC company would know that you spend an extra $1 at that place, but how do you tie that into bad eating habits? Maybe they purchased an apple or a cup of coffee.
I'd really love some insight on this topic, and I will happily admit that maybe my information is either out of date or just flat out wrong.
The exploration into cardholders’ minds hit a breakthrough in 2002, when J. P.
Martin, a math-loving executive at Canadian Tire, decided to analyze almost
every piece of information his company had collected from credit-card
transactions the previous year. Canadian Tire’s stores sold electronics,
sporting equipment, kitchen supplies and automotive goods and issued a credit
card that could be used almost anywhere. Martin could often see precisely what
cardholders were purchasing, and he discovered that the brands we buy are the
windows into our souls — or at least into our willingness to make good on our
debts. His data indicated, for instance, that people who bought cheap, generic
automotive oil were much more likely to miss a credit-card payment than someone
who got the expensive, name-brand stuff. People who bought carbon-monoxide
monitors for their homes or those little felt pads that stop chair legs from
scratching the floor almost never missed payments. Anyone who purchased a
chrome-skull car accessory or a “Mega Thruster Exhaust System” was pretty likely
to miss paying his bill eventually.
Martin’s measurements were so precise that he could tell you the “riskiest”
drinking establishment in Canada — Sharx Pool Bar in Montreal, where 47 percent
of the patrons who used their Canadian Tire card missed four payments over 12
months. He could also tell you the “safest” products — premium birdseed and a
device called a “snow roof rake” that homeowners use to remove high-up
snowdrifts so they don’t fall on pedestrians.
FWIW, none of the stores I go to have loyalty cards, though I'm pretty sure that they could do matching based on hashed card values or the name they get back from the card. (That's could, not that they do. I'm not sure if PCI would look at them sideways for hashing card values and using that as a key for a data store)
Does the California law only require disclosure of leaks of financial information, or do businesses finally start taking proper security measures (and/or airgapping) when there is business intelligence at hand?
One part of level 3 processing is a line item list of what was purchased. So if it is true that there are stores using a payment system that routinely transmits level 3 information for consumer purchases then it would follow that the credit card processor does currently have the information on exactly what you are buying from those particular stores (not just the merchant and the total amount).
I just did a quick minute or two of web searching and didn't see a trustworthy looking link describing the practice of level 3 card processing for consumer purchases. Maybe someone with experience in the card processing industry could comment on this?
I don't recall if a single merchant may/must offer different codes depending on the type of goods sold (i.e., a gym selling a membership vs selling a soda). I believe not, but it might be an option.
The only place that would get such itemised info is the multi-store loyalty cards; those do link a person to itemised purchases.
If you search for the Safeway grocery store at 14444 124th Ave NE Kirkland WA 98034 - the data level cell contains 'Level III Line Item'. I believe this means that at least for Visa, that store is using level 3 credit card processing and line item receipts are reported to Visa.
What I don't buy is that people's habits will generally predict their health situation. I think this is a report on a press release of what some medical business association imagines that the person that they're hoping to recruit from somewhere will be able to do. I think the benefits will end up far lower than the costs.
[1]: https://developer.paypal.com/webapps/developer/docs/api/#ite...
The problem is that unhealthy lifestyles (drinking, smoking, fast food, &c) are disproportionately found among the lower socioeconomic strata, creating yet another penalty for being poor.
If they perfectly assess risk, your annual premium will just be your annual cost plus all of the administrative costs of insurance, so just self-insure. We're getting closer and closer to that, further eliminating any value that anyone gets from insurance.
If they perfectly assess risk, your annual premium will just be your annual cost plus all of the administrative costs of insurance
The idea of insurance is pooling risk. So if you're perfectly healthy you are in essence paying for other people's treatment.
However, if you happen to run into very expensive health issues it's you that profits from the premiums of other people.
If insurance works as you describe it it wouldn't make sense at all and everybody would individually be responsible for her entire medical cost. With partially ruinous consequences for the individual.
Insurance companies that can better predict customer risk outcompete those that don't. They can charge less for lower-risk customers and still make a profit, thus drawing them away from their competitors and leaving their competitors with higher risk people who pay too little.
Yet, the end game is that everyone can predict risk so thoroughly that insurance is pointless.
It's ultimately a weird, backwards Tragedy of the Commons, and various non-discrimination laws are sort of the regulatory response to it.
A single-payer system would have similar incentives (in the form of cost reduction) to do the same.
That said, I'm not opposed to smokers paying higher premiums — but that practice already exists, based on policyholder disclosure, or rescission in the event of fraud. (I say that as a former smoker, who did disclose my habit, and paid a substantially higher premium because of it.) We don't need carriers trolling through peoples' transaction history to dredge up every possible excuse for hiking premiums, because that's exactly what they'll do.
My credit card statement just shows a store name, timestamp and amount. They'd presumably have to be colluding with the grocery chains to get the sort of information mentioned in the article.
Store loyalty programs do track SKU-level purchases. There was a case years ago where a patron tripped and fell at a store, and filed a personal injury suit. The store pulled up that person's loyalty program records, noted that they'd been purchasing a larger than average amount of alcoholic beverages, and insinuated at trial that the patron might have been drunk.
Guess who won that case.
The data might not be perfectly accurate but it can leak a lot of probable information.
If you ran a machine learning algorithm on the data, without knowing how much anything cost and just wanted to correlate certain purchase amounts with whether people tended to get sick or not, you would probably find correlations with certain amounts that happen to correspond to things like cigarette purchases.
This is especially likely because people often tend to buy only cigarettes, or maybe a couple of other things, rather than only buying them along with a larger group of items that would tend to disguise the purchase.
It should be pretty easy to spot the difference in average prices between someone buying a packet of cigarettes, vs a bar of chocolate, vs a weeks' worth of shopping. It might not be super accurate for each data point, but given enough data it's likely some fairly consistent patterns will emerge.
In fact, one of the things about ML is that it's good at spotting all sorts of correlations. Those don't prove the existence of a causal link, but often that doesn't matter: the fact a correlation exists is enough. So simple things like buying patterns might be correlated with certain tendencies or risk factors, regardless of what the contents of the purchases actually are (of course this is purely hypothetical).
Maybe you wouldn't be able to tell precisely what someone bought, but I imagine you could get a reasonable idea.
Not that I don't imagine - the article and rosser say as much - that they have other sources of info.
[1]: https://developer.paypal.com/webapps/developer/docs/api/#ite...
The story behind how Kaiser healthcare was founded (providing health services for workers on the Hoover Dam) is pretty interesting.
http://blogs.wsj.com/digits/2014/05/14/data-broker-acxiom-mo...
"The data-gathering has stirred privacy concerns. The Wall Street Journal reported in 2010 that Rapleaf, the former parent company of LiveRamp, had amassed databases tying people’s real names to privately shared information in their Facebook profiles, as well as data in their voter-registration files, real-estate titles, shopping histories, and other records. The company was censured by Facebook for the practice, which involved pulling data from apps against the social network’s rules."
Obviously, some purchases are more obvious than others - but it's safe to assume that if there's a profit to be made regarding selling more-specific information about each purchase, then businesses looking to increase their bottom-line will seek to opt-in to selling that information.
What I expect to see is for it to star as an opt-in choice by consumers. Want a lower health-insurance rate? Opt-in to this program where we see where you're eating and if you're going to the gym. You're starting to see it in the auto-insurance industry where insurers will give you a safe-driver discount provided the device you attach to your car confirms you're a "safe-driver". But eventually I'd bet it will be a requirement for auto insurance. They're pushing to mandate auto "black-boxes" in every car. Right now, that data requires a court order to obtain in an accident, but how does that change when every car is connected? Does that data live with the vehicle, or is it sent to a remote location "for the safety of the data in case of a crash" or whatever spin they put on it?
Here's the car-dongle I mentioned: http://www.progressive.com/auto/snapshot/
How long before someone sues a hospital for 'negligence' for knowing the future and not letting the patient know?