Ask HN: Since when can merchants correlate card transactions?
I recently paid with my MasterCard debit card in a store run by Amazon, and Amazon correlated this transaction with a card in my online account to send me an email with the receipt.
I'd always assumed that the only party who can correlate transactions made with the same card is the card issuer.
Is this capability a feature introduced by EMVCo tokenization, or is it made possible by some earlier protocol?
4 comments
[ 2.6 ms ] story [ 14.9 ms ] thread(This may be of dubious legality under GDPR.)
The protocol between the card reader, the payment processor, and your creditor is determined by your creditor, but the details of the implementation are not. In the same way that a website can do whatever they like with your credit card information once you enter it, the card reader can do the same. There are some laws and industry best practices intended to protect your card information that vary by region, but your account number, name, and card expiration date are exposed to the merchant even when using EMV. (see https://www.eftlab.com/knowledge-base/complete-list-of-emv-n...)
EMV is designed to provide PIN authentication to prevent the use of stolen cards. It doesn't guarantee an end-to-end secure protocol for each transaction (because that wouldn't work offline).