Government Confirms Interest in Collecting Card Transaction Data

The federal government says it may build databases of credit card transactions, hotel records and Internet searches as part of counter security measures.

Speaking during a House Judiciary Committee hearing this week on National Security Agency surveillance, representatives of the Obama administration did not rule out expanding surveillance beyond phone calls, the Associated Press reports. The administration says the NSA's PRISM surveillance program is authorized by the Patriot Act, which was passed in the wake of the September 11, 2001 terrorist attacks and was reauthorized in 2005 and 2010. The NSA did not return a request for comment by deadline.

The news that credit card transactions may be part of U.S. government security efforts is more fodder for companies that are already worried about the U.S. government accessing payments data, says Phil Philliou, a payments consultant.

"One of the consequences of this NSA discussion is we often get calls from clients in Latin America, such as banks that are looking for card processing services, and the pain point they have is around data in the U.S., and the ability of some branch of the government to access data in such a way that could be problematic for the bank's clients," Philliou says.

These companies often inquire about how data could be kept outside of the United States, Philliou says. "The way the credit card industry works … a lot of that data does find its way into the U.S.," he says.

The NSA's phone surveillance program has been ongoing for years, but was thrust into public awareness by Edward Snowden, a former government contractor who leaked documents detailing the program.

Credit card transactions have long been rumored to be on the NSA's radar, since payments data can provide a rich flow of information about a suspect's activities—particularly when paired with phone, email and social network analysis.

"There's an assumption that the data can be accessed by the government in some way," Philliou says. "It comes up in the context of tax fraud and other crimes where financial data may be used as evidence."

American Express provides information when legally required to do so, said Marina Norville, an American Express spokesperson, in an email. Visa, MasterCard and Discover did not provide comment by deadline.

The public perception of credit card companies depends on how they are involved in a program, says Gareth Lodge, a senior analyst at Celent. "The question of whether there is a PR disaster depends on how the companies act. A correctly executed court order is rather different than just a blanket request not backed by justifications or legal precedents," he says.

During this week's hearing, the Obama administration faced bipartisan heat—Rep. James Sesenbrenner (R-Wis.), one of the sponsors of the Patriot Act, said the law was not meant to allow the creation of a huge database of phone records. Rep. Jerry Nadler (D-N.Y.) criticized the scope of the data accumulation, according to the Associated Press.

Rep. Blake Farenthold (R-Texas) asked specifically about the government's intend to collect Internet records, hotel records and credit card transactions, and was told by Deputy Attorney General James Cole that it would depend on those records' relevance to terrorism investigations.

There have been other public debates over tracking payments for security purposes, Lodge says, noting European pushback against a U.S. attempt to monitor bank data in Europe as part of anti-terrorism activities.

"What question this highlights is, who owns the data and what are the parties giving permission for?" Lodge says. "On one hand, I'm sure we'd all be relieved if a serious incident was averted as a result of such sharing. Equally, I suspect few if any of us would specifically wish to opt into such sharing."