Mastercard is selling bundles of its customers’ transaction histories and data to third parties across the globe, with Australian consumers no exception.

In a report, the United States Public Interest Research Group (US PIRG) criticised Mastercard for selling customer data to third-party companies, on both large online data marketplaces and through its own in-house data and services division.

“Third parties can access and use information about people’s spending to target advertisements to individuals, build models that predict consumers’ behaviour, or prospect for new high-spending customers,” the report said.

“These groups can be targeted at the micro-geographic level, and even be based on AI-driven scores Mastercard assigns to consumers predicting how likely they are to spend money in certain ways within the next three months.”

The payment processing company calls it the “domain of intelligence,” but in reality, it is selling consumer data for a huge profit in the $380 billion global data-brokering market.

Mastercard’s own global privacy policy states Australian customers’ data can be freely sent overseas, aggregated and sold.

“We may transfer your personal information to the United States and other countries which may not have the same data protection laws as the country in which you initially provided the information,” the policy reads.

“We will protect your personal information in accordance with this Global Privacy Notice, or as otherwise disclosed to you.”

Mastercard is the second biggest processor of payments in Australia, with 28 per cent of all purchases across the country entering through their systems.

Monetising customers

In 2008, Rob Reeg, then-president of Mastercard’s global technology and operations, said his responsibilities included how to “leverage that gold mine of data that occurs when you have 18.7 billion transactions that you’re processing”.

“The ultimate goal for Mastercard IT is: How do we leverage technology to drive business?” he said in an interview.

“The tenet is: We should look to see how we can make every transaction more valuable.”

Mastercard has monetised the data it receives when people use its cards and payment systems. Photo: Getty

The result of this goal was the establishment of an in-house data monetisation division by 2013, tasked with approaching online advertising companies about paying to use the hoard of data collected on its customers.

Most Australians oblivious

Dr Katina Michael, an expert in cyber security and privacy at the University of Wollongong, said most Australians are not aware at the level of data that is collected and sold by corporations.

“Traditionally, customer data was gold, and it still is, but we wouldn’t give it away,” she said.

“The secondary service is as lucrative as some primary service offerings of organisations and they’ve hit a gold mine.”

Mastercard today is one of many multinational businesses which sell customer data sets to third parties on platforms like Amazon’s Web Services Data Exchange, Adobe’s Audience Marketplace and Microsoft’s Xandr platform.

Through its data and services divisions, Mastercard gives a field of corporate customers access to data on more than 125 billion transactions.

The associated services offered by Mastercard make a mockery of ‘anonymised’ data by including the ability for targeted advertising and predicting future purchases by individuals.

‘Pseudonymisation’

Mastercard isn’t the only – or the worst – offender when it comes to misusing customer data for profit, but they often share a common tactic: Hiding behind the anonymisation of data.

Michael said due to increased collection of information and different data sets, people and companies are able to re-identify individuals.

“We’re seeing open source, public sector information on the internet, and you can start to marry up records in a geographical location,” she said.

“As more people are shopping with credit and various digital systems, and doing away with cash, it instantly means there is more transaction history data on each person.”

As less people use cash payments, it has created an even greater source of transaction data. Photo: AAP

According to Anna Johnson, founder of safety-focused law firm Salinger Privacy, one data broker claimed to have data on 85 per cent of the Australian population.

Looking at the source

Michael said it is important that the primary collectors of data – companies like Mastercard – aren’t allowed to hide behind being multinational organisations.

“We talk about informed consent, but often we are locked into services and when we realise what is happening with our data, it is too late.”

The global market for data brokering is estimated to pass $700 billion by 2031, and if there are major breaches or bad practices continue, it will be consumers who are left to pick up the pieces.

When contacted for comment, Mastercard said it does not “sell personal cardholder data for marketing, location tracking or targeted advertising”.

“The promise made to consumers is straightforward: When it comes to your data, you own it, you control it, you should benefit from the use of it, we protect it,” Mastercard said in an email.

“These principles are at the heart of our operations and are incorporated into all Mastercard innovations and products, enabling us to earn, protect, and cultivate the trust that has been placed in us by our customers, their customers, and consumers at large.”

The response doesn’t address that while Mastercard doesn’t sell individual personal cardholder data, it does sell “bundles of cardholder transactions,” according to the US PIRG report, to third parties.