Does Apple's own credit card 'Apple Card' really protect privacy compared to other credit cards?


Melvin Thambi

' Apple Card ' announced by Apple as an original credit card for iPhone is available in the United States from August 20, 2019. The Washington Post is investigating whether this Apple Card or Amazon Prime Rewards Visa Signature Card , a credit card for Amazon Prime members issued by CHASE, has privacy problems.

Credit card privacy matters: Apple Card vs. Chase Amazon Prime Rewards Visa-The Washington Post

There is a privacy law for credit cards in the United States, but transaction information using credit cards is shared by multiple companies, `` Feeler is just a credit card spy in the wallet '' Mr. says.

Apple has released Apple Card as a more secure credit card than traditional credit cards, specializing in privacy. Apple has partnered with Goldman Sachs to provide Apple Cards, but it is prohibited to sell or share personal information linked to Apple Cards to other companies. However, since the transaction is processed as a credit card of the master card to the last, even if Apple and Goldman Sachs do not sell the user's personal information, such kind of information leaks from other routes There seems to be enough possibilities.

Jeffrey Fowler, who is a technical columnist at the Washington Post, purchased bananas using two types of credits, Apple Card and Amazon Prime Rewards Visa Signature Card (APRVSC), where and how credit card We are investigating whether there is a possibility that personal information and transaction information linked to

In order to track information about credit cards, Mr. Fowler investigates what companies access their credit card transaction information with the help of internal parties such as credit card companies and privacy defenders It seems to have done. As a result of experiments using two credit cards, Apple Card and APRVSC, Mr. Fowler's credit card information was accessed by the following six companies.

◆ 1: Bank


Johny vino

When you do a transaction using a credit card, you will, of course, receive data related to the transaction. The problem is that the bank can share that information with whom. Banks have long been required to report suspicious transactions by consumers to the government, and because of the impact of the Gram Reach Briley Act enacted in 1999, banks may share information about specific individuals with companies. It is possible.

For example, Mr. Fowler's APRVSC was shared with CHASE marketing partners and Amazon. CHASE's privacy policy says that `` share transaction information with multiple companies for use for 7 different purposes '', but the category that Fowler felt the most horrible was `` It seems to be an item of “use for marketing for non-affiliates”. This “non-affiliate” refers to all “enterprises not owned by CHASE”, which means that there is a possibility of sharing data with any enterprise. However, CHASE does not disclose which companies share credit card information. Instead, CHASE spokesman Patricia Wexler commented that he did not share 'personalized transaction information'.

In addition, in the case of APRVSC, if you purchase something on Amazon, Amazon will receive information about the transaction. When purchasing any product on a platform other than Amazon using APRVSC, `` We share information only at a high level and do not share the details of what you purchased with Amazon, '' Mr. Wexler says The

In contrast, Apple Card's privacy policy states that most types of data sharing are not possible. In the case of the Apple Card, it seems that the credit bureau will share information about whether the user is paying correctly, but this information is also promised not to be shared with other companies.

Furthermore, in the case of Apple Card, whether it is Apple's official website or an external service, it does not share any transaction information with Apple. Details such as products purchased with a credit card are displayed on the Wallet app, but this information is encrypted on the terminal, so Apple has no way to confirm them.

◆ 2: Card network

by Ales Nesetril

When purchasing a product using a credit card, the information goes to the bank first, and then the information moves to the payment network operated by VISA and MasterCard. “From this stage, the advantage of Apple Card begins to fade 'Fowler points out.

The payment network is a network that connects banks and is responsible for aggregating purchasing information. In the case of the VISA payment network, customers can check the data including postal codes for 50 people. In the case of a master card, the minimum unit of data is not disclosed, but it seems that a similar system has been constructed.

In 2018, Bloomberg reported that Google purchased millions of user information from the master card in order to verify the advertising effect, and it was said that Apple Card used a card with a strong privacy aspect called Apple Card However, as long as the master card payment network is used, there is a possibility that user transaction information and personal information will be leaked to external institutions.

◆ 3: Store


Mike Petrucci

Information linked to the credit card is also shared with stores that actually purchased the product using the credit card. In the case of a store, it is said that by creating a user profile using a credit card and learning the user's habits while updating this profile, advertisements targeting users are published on advertising distribution platforms such as Facebook. Whether this is Apple Card or APRVSC, it will be done unchanged.

The target of a major American department store says it doesn't sell the customer information it receives, but the privacy policy clearly states 'Share your personal information with other companies.' Mr. Fowler asked the target about this “other company”, but he did not get a clear response.

He also asked about what kind of personal information the target would share, but there was a reply that the content 'changes' and 'provides anonymized information whenever possible' That's right.

◆ 4: POS system and merchant bank



When purchasing a product using a credit card, the card is read by a special machine to process the transaction. The POS system and merchant bank are used at that time. Companies associated with these will have access to credit card holder names / card numbers and other detailed information. And in many cases, these companies seem to have the right to share the card-related information that they obtained in some way.

It seems that it is very difficult to find out which companies are involved at this stage, Mr. Fowler purchased bananas at the target, but `` The target did not reveal where the merchant bank used '' It is written.

Although Square, which provides a POS system, does not sell credit card information, it shares email addresses and phone numbers entered for receipts with sellers, and further purchase information from general consumers in the industry. It is shared with organizations.

◆ 5: Mobile wallet

Mr. Fowler seems to have purchased bananas using a physical card, but more information may be leaked outside when using a payment system on a smartphone.

For example, in the case of Google Pay, a payment service for Android, transaction information is stored in a Google account. Although Google does n’t allow targeted advertising based on this information, Google Pay ’s default privacy setting says “pay this seller to third-party sellers of sites and apps you visit. 'Allow Google or its affiliates to notify you if a user is using a Google payments account that can be used for'.

Apple Pay, on the other hand, does not store any transaction information associated with the user.

◆ 6: Financial app

There are countless free financial apps that manage your financial situation. Mint can manage all bank accounts at once, but the data is used for marketing. Similarly , Yodlee anonymizes collected user data and sells it to market research firms, retailers and investors.

Google also adds this information to your Google Account purchase database when you receive a receipt via Gmail. Google does not use the content collected via Gmail to target ads, but it does use it for other purposes.

According to corporate privacy policies and responses to inquiries, Fowler said, “The card information business is booming to help advertisers and investors, and encourage retailers and banks to spend more. Commented that credit card transaction information is used as marketing information to accelerate user consumption.

In addition, “There is a good chance that the credit card transaction will be misused, but there is no need to“ sell ”or“ share ”the transaction in such a way that it can be completely identified. `` Even if the data is aggregated, anonymized, hashed or pseudonymized, it can be used as information to target a specific user. '' Points out that even if processed, it remains sufficiently useful information.

by rupixen

How does credit card transaction information processed so as not to be associated with personal information harm the general user? Although fraudulent transactions and unfair lending activities are legally restricted, “There are multiple pieces of information that can be revealed from personal spending patterns, and that information may be used to threaten users,” Mr. Fowler Pointed out.

In addition, it has been suggested that there may be a disadvantage for general consumers if companies handle credit card transaction information effectively. `` The more companies know more about consumers, the more information manipulation opportunities there are, '' said Professor Chris Hofnagle of the University of California, Berkeley, using transaction information such as when and where users bought what , It will be possible to increase the price of certain products and to model consumer behavior.

Mr. Fowler says, “I will continue to use my Apple Card,” although it does n’t have the luxury benefits of other credit cards. The reason is that the contract between Apple and Goldman Sachs is unlikely to cause credit card related information to leak at least through the bank. Apple Card doesn't work with apps like Mint, so you'll need to check transaction information from a dedicated app, but the privacy isn't perfect but it seems a little better than other cards.

in Mobile,   Software,   Security, Posted by logu_ii