Back More
Salem Press

Table of Contents

Privacy Rights in the Digital Age, 2nd Edition

Credit and debit cards

by Savanna L. Nolan

Identification: Plastic payment cards that can be used to purchase goods or services electronically, or without cash on hand.

Each credit and debit card features a unique number, usually up to sixteen digits long and embossed on the front of the card. In the United States, the back of a credit or debit card has traditionally featured a magnetic stripe. This stripe stores digital data about the credit or debit account, including the account number; the cardholder’s name; the card’s expiration date; and an encrypted numeric code known as a card verification value (CVV1), which the merchant’s card reader uses to verify that the card is valid. Transactions during which a consumer’s card is swiped through a merchant’s card reader are known as card present transactions. In card not present transactions, such as purchases made online or over the phone, the consumer gives to the merchant the card number and other information, including the card’s expiration date, the consumer’s address on file for the card, and the three- or four-digit CVV2 number printed on the back of the card. The CVV2 serves the same purpose as a CVV1, and may also be called a card security code (CSC) or card verification code (CVC, depending on the credit card company.

Some card issuers are incorporating alternatives to the magnetic stripe in their cards, including contactless or tap-and-go cards that use a radio frequency identification (RFID) chip that can be read by the merchant’s card reader from a short distance away. Some credit cards are incorporating EMV microchips, which require the consumer to verify the transaction with either a personal identification number (PIN) or a signature. (“EMV” refers to Europay, Master-Card, and Visal these three companies were the creators of the standard.) Debit cards always require either a PIN or a signature. A single card could contain multiple methods for proving a card present transaction; for example, contact-less cards are a fairly recent development, and many contactless RFID chip cards also have a magnetic stripe so that the card can be used regardless of the type of card reader provided by the merchant. Merchants have also begun to accept m-payments (mobile payments), a process by which the consumer can use a credit or debit card to pay for goods or services either through a smartphone app or by tapping the mobile device itself against a card reader if the mobile device contains an RFID chip.

Credit versus debit

Credit transactions and debit transactions differ practically and legally. In a credit transaction, the consumer is paying with money borrowed from the bank that issued the card. The bank issuing the card sets a credit limit, and the consumer can use the card to borrow up to the credit limit. If a consumer’s credit limit has been reached, the card issuer declines to process the transaction when a consumer next uses the card, and the consumer must find an alternative method of payment. If the consumer does not pay the balance of the card by the end of the billing cycle, the card issuer can charge an interest rate on the remaining amount in accordance with the terms and conditions of the card.

In contrast, debit transactions are a form of electronic fund transfer where the consumer pays for goods or services with money in the consumer’s checking account. If there is not enough money in the consumer’s checking account to cover the purchase, the transaction does not go through.

In a credit transaction, the order to pay the merchant is given by the consumer. In a debit transaction, the order to pay the merchant comes from the merchant. These differences mean that credit and debit transactions are governed by different laws, with credit transactions governed by the Truth in Lending Act, 82 Stat. 146 (1968), and debit transactions governed by the Electronic Funds Transfer Act, 92 Stat. 3641 (1978). The Truth in Lending Act offers much more protection than the Electronic Funds Transfer Act for consumers who have their cards stolen or used fraudulently. Under the Electronic Funds Transfer Act, a consumer can be liable for part or all of the fraudulent charges, depending on when the consumer notifies the bank of the loss or theft of a card or any irregular transactions. In contrast, the Truth in Lending Act limits consumer liability to $50.00 for unauthorized transactions, regardless of whether the consumer reported the card as stolen or missing.

EuroPay, MasterCard, and Visa (EMV)

In the beginning of 2014, news broke that major retailers Target and Neiman Marcus had been the victims of data breaches that allowed hackers to access customers’ credit card information, including home addresses and names. These hacks were extensive, with the Target hack affecting up to an estimated 70 million customers.

In light of these massive data breaches, major credit card companies EuroPay, MasterCard, and Visa jointly developed the EMV standard, which incorporates the use of EMV microchip cards without magnetic stripes. When read, EMV chips create a unique, transaction-specific number to verify the account with the bank instead of using a card number, or CCV (card code verficiation). This is a major advance over magnetic stripe technology, where thieves can capture the security information permanently embedded in the magnetic stripe simply by swiping the card through a device called a skimmer.

EMV technology has already been implemented in much of the rest of the world, with one of the major examples being the chip-and-pin machines of the United Kingdom. The United States has been slow to adopt EMV technology, particularly because of the cost incurred: Merchants will have to pay for new card readers, and individuals will have to have new cards issued.

With EMV technology now available and incidents like the Target breach a reality, most major American credit card companies announced that they would shift liability for fraudulent payments as of October 1, 2015. Prior to that date, card issuers were liable for fraudulent purchases made with magnetic stripe cards. After September, the liability fell either to the merchant or the card issuer, whichever party failed to implement EMV technology. This liability shift gave an incentive to merchants to purchase new EMV card readers and to card issuers to distribute new EMV cards to their customers.

Card metadata and privacy

While the loss of personal data in events like the Target data breach are obvious breaches in privacy because of the unique combination of purchases a consumer makes, an individual could be identifiable even in a dataset that has had personal information—like a name, date of birth, address, or credit card number—removed. These types of scrubbed datasets are frequently used by companies to hone algorithms that allow the company to market more efficiently to an individual. Anonymous credit card metadata are also used regularly to determine credit scoring and to detect fraud. Massachusetts Institute of Technology (MIT) researchers have recently discovered that they could uniquely identify 90 percent of individuals from a dataset comprising 1.1 million people and three months of credit-card data if they knew the dates and locations of four of the individual’s purchases through outside information like receipts or social media updates. The study also found that, even when the data was coarse and used ranges instead of precise dates or locations, individuals could still be readily identified. With both coarse data and standard data, the chance of identification increased if the researchers had more confirmed pieces of data using outside information. For example, even with fairly coarse data, the researchers found a 40 percent chance of identification if four data points were known and an 80 percent chance of identification if ten data points were known.

Further Reading

1 

Barker, Katherine, Jackie D’Amato, and Paul Sheridan. “Credit Card Fraud: Awareness and Prevention.” Journal of Financial Crime 15 (2008): 398.

2 

Gray, Dahli, and Jessica Ladig, “The Implementation of EMV Chip Card Technology to Improve Cyber Security Accelerates in the U.S. Following Target Corporation’s Data Breach.” International Journal of Business Administration 6 (2015): 60.

3 

Peretti, Kimberly Kiefer. “Data Breaches: What the Underground World of ‘Carding’ Reveals.” Santa Clara Computer and High Technology Law Journal 25 (2009): 375.

See also: Apps; Credit and debit cards; Data breaches; Fair Credit Reporting Act; Federal Trade Commission; Smartphones

Citation Types

Type
Format
MLA 9th
Nolan, Savanna L. "Credit And Debit Cards." Privacy Rights in the Digital Age, 2nd Edition, edited by Jane E. Kirtley & Michael Shally-Jensen, Salem Press, 2019. Salem Online, online.salempress.com/articleDetails.do?articleName=PRDA2e_0053.
APA 7th
Nolan, S. L. (2019). Credit and debit cards. In J. E. Kirtley & M. Shally-Jensen (Eds.), Privacy Rights in the Digital Age, 2nd Edition. Salem Press. online.salempress.com.
CMOS 17th
Nolan, Savanna L. "Credit And Debit Cards." Edited by Jane E. Kirtley & Michael Shally-Jensen. Privacy Rights in the Digital Age, 2nd Edition. Hackensack: Salem Press, 2019. Accessed December 14, 2025. online.salempress.com.