cross-posted from: https://links.hackliberty.org/post/125466

My credit card issuer apparently never gets to know what I purchased at stores, cafes, & restaurants – and rightfully so. The statement just shows the shop name, location, and amount.

Exceptionally, if I purchase airfare the bank statement reveals disclosures:

  • airline who sold the ticket
  • carrier
  • passenger name
  • ticket number
  • city pairs

So that’s a disturbing over-share. In some cases the airline is a European flag carrier, so IIUC the GDPR applies, correct? Doesn’t this violate the data minimization principle?

Airlines no longer accept cash, which is also quite disturbing (and illegal in jurisdictions where legal tender must be accepted when presented for PoS transactions).

Has anyone switched to using a travel agent just to be able to pay cash for airfare?

UPDATE

A relatively convincing theory has been suggested in this other cross-posted community:

https://links.hackliberty.org/comment/414338

Apparently it’s because credit cards offer travel insurance & airlines have incentive to have another insurer involved. Would be useful if this were documented somewhere in a less refutable form.

GDPR question still outstanding.

  • If your bank knows you’re meant to be in a specific place, they’ll know transactions happening there aren’t because someone’s stolen your card.

    Every bank’s AI-driven fraud detection system is different and non-transparent. Whenever my account gets frozen for “fraud” and I removed¹ at the bank over it, I ask WHY my account was frozen. The CSR guesses what happened (because apparently it’s such a secret the bank’s own staff is kept in the dark). This can be deceiving because bankers seem to be trained to propose their guesswork with confidence to thwart questions. I ask “where in my terms of service agreement does it say I shouldn’t do [whatever the CSR thinks triggered the fraud sensors] & how can I prevent this false positive in the future?” They can never answer that.

    Some banks don’t require travel notices and some do. The banks that don’t: how are they finding out my travel plans when I buy the ticket using a different bank? Most likely their fraud algo is (or tries to be) smart enough to not need to track you.

    It would probably be a valid exception to GDPR on those grounds.

    How is sharing purchase info with banks within the bounds of the airline’s operational needs? The bank’s problem is not the airline’s problem.

    (edit)

    1: woah, slur filter did a silent hit-and-run on my post. The word “removed” should be some form of “complain” using a synonym that begins with a “b”.

    • The AI-driven fraud detection system is probably more accurate when the other transactions on the account support the questioned transaction. If there’s a bunch of transactions in a city/country you’ve never been to before, the fraud detection algorithm can come to two conclusions: either you have travelled there, or someone has cloned your card. If there’s a transaction showing you bought tickets to that city/country for the same dates that transactions happen within that city/country, that’s evidence to support one decision over the other on the algorithm’s part.

      The prevention of crime and fraud is a valid exception to GDPR, and it being the bank’s problem entitles them to request the data from the airline/train company/whatever.

      Like I said, I don’t agree with the quantity of data being shared here, but let’s face it, if you travel to another place and use your card there, then your bank are going to know you’re there. If you use your card to buy foreign currency, they’re going to know you’re going to that country. So as a general principle, I don’t think a travel company sharing the dates and destination really makes any difference.

      • if you travel to another place and use your card there, then your bank are going to know you’re there.

        That’s not the same bank that I bought my airfare with. The bank I use to buy the airfare with has no reason to know where I am. IIRC there’s a stat that on avg Americans have like ~15 or so different bank/credit cards. What you’re saying makes no sense. The airline takes the liberty of giving a travel notice to just one of your dozens of banks, and what about the rest?

        If there’s a transaction showing you bought tickets to that city/country for the same dates that transactions happen within that city/country, that’s evidence to support one decision over the other on the algorithm’s part.

        I often buy a one-way ticket with one card and a one-way return with another. So not even one bank has the full picture. I typically leave those cards at home as well because they have poor forex rates. Yet this doesn’t trip fraud sensors on the cards I carry to the destination. The fraud sensors are tripped when I forget my ATM limit or incorrectly adjust that limit for the foreign currency.

        One bank that requires a travel notice doesn’t even accept that a trip would last more than 2 weeks. I call and say I will be gone 3 weeks, or 4 weeks, and they cannot handle it. They say “the travel notice will expire in 2 weeks so you have to call again when that time comes to renew your travel notice”. What I tell them directly carries more weight than whatever shows up on the transactions because they have no way of knowing what other travel arrangements I have. Yet what I tell them is not fully utilized.

        The other problem with your theory is travel notices are a recent development of the past ~10—20 years, whereas itineraries have been shared with banks for as long as I can recall (~25+ years). Anyway, speculation isn’t cutting it. Solid info needed on why this is happening.

        • I’m finding your hostility towards me to be completely unnecessary. Unless there is someone here that works for a bank, you’re not going to get a solid answer, only people’s best guesses. I have offered you the most likely explanation. Getting angry at me for that is not in keeping with the rules of the Beehaw community.

        • Reading this response, I’m compelled to ask

          Do you want an answer or just a space to br angry and rant?

          Do you have an answer in mind which you’re looking for and will react with hostility to anything which doesn’t fit with your expectations?

          • Do you want an answer or just a space to br angry and rant?

            It’s all about getting an answer. Any rant that you think you sensed is at most an attempt to motivate a good answer.

            I should also stress that I don’t want bad answers. The same broken speculation has been posted multiple times in this thread and in the parent. Thus compelling me to repeat the flaws in that bad answer.

            I’m confident at this point that I finally got a viable answer: insurance. But I might be tempted to press for more details because it’s still unclear how the GDPR compliance pans out. GDPR violations are rampant these days, so it could lead to an article 77 complaint. I still have to do a bit of analysis on that from the insurance narrative.