They know where you're shopping

Did you know that your credit card information for almost every online purchase is sent through a separate third party -- and stored there?

Chris Hughes was surprised when Internet merchant PayPal rejected his credit card last week, but was even more surprised when he found out why. PayPal's credit card verification service, Cybersource, indicated Hughes was a high risk because he had used ten different credit cards at various Internet sites during the past several months.

The rejection didn't bother Hughes nearly as much as the notion that a company he had never heard of seemed to know an awful lot about his personal purchasing habits.

In fact, Cybersource has an Internet transaction history database that culls information from about 2,000 online merchants, including several big-name Web sites like, and Data from every transaction verified by Cybersource goes into this database -- 34 million transactions in the second quarter of this year alone.

In an effort to check for potential fraud, the database is polled every time a consumer tries to make an online credit card purchase.

The list of personal information sent by online merchants to Cybersource is thorough -- according to the company's developer's kit, it includes: name, phone number, email address, shipping address, even a description of the type of product ordered. The data is stored for at least six months, according to the company.

But Cybersource is not alone. Competitors such as Cybercash also make use of such extensive consumer transaction databases, all in the effort to help merchants prevent fraud. The companies involved say they're doing nothing that hasn't been done by banking institutions in "real world" retailing for at least ten years.

A spokesperson for HNC Software, which provides a huge transaction database to both traditional banks and online companies, says without such verification checks, e-commerce would be nearly impossible because merchants couldn't afford the risks.

"Things would be more like they are in Europe, where use of data is more restricted," said Allen Jost, vice-president of business development at HNC Software. "For example, you can't do address verification in Europe. So if you live in Europe, and want to buy from a US company, you can't. They won't take the risk."

Still, the notion of an enormous consumer transaction database being maintained by any third party is jarring to online privacy advocates. They insist that Web sites ask for and maintain as little personal information about their customers as possible.

"Is it really necessary to have all this information, or are they going overboard?" said Richard Smith, chief technical officer of the Privacy Foundation. "It's easy to say 'We're dealing with money, so the sky's the limit, we've got to stop the crooks'. But are there strong protections about how the data is used?"

According to Tracy Wilk, Cybersource's vice president of product management, the company is particularly stingy with where information from its database ends up. It doesn't share any data with marketing firms and won't even tell a merchant about the transaction history of one of its customers. It also asserts its data is carefully protected from hacker attacks and Cybersource employees must all pass security clearance tests.

Nevertheless, Hughes -- senior computer technician at the Warrington College of Business Administration -- isn't crazy about the idea that every time he buys something from a Web site, Cybersource may know about it.

"I certainly did not authorise [Web e-tailers] to run a credit check on me, and I did not authorise them to send my information, including email address, to another company," he said. Hughes believes he probably did use ten different credit cards during the past six to 12 months shopping at Egghead,, and, all of which are listed as partners or customers by Cybersource.

"A man who uses ten credit cards, why is he blacklisted? It is outrageous if there are profiles that are getting out of your control that can disadvantage you," said Jason Katlett, privacy expert and president of "That sounds pretty unfair to me."

Under the terms of the Fair Credit Reporting Act, individuals are entitled to see their own credit report. But Wilk says Cybersource isn't a credit reporting agency and thus is not bound by the act's rules. Still, he added that company voluntarily submits to some of the Act's provisions.

For example, individuals who send a notarised letter can obtain a copy of their own Cybersource records, and have the opportunity to correct erroneous entries. He said Cybersource urges merchants who reject consumer charges to tell those consumers to contact Cybersource directly for clarification.

"We've actually gotten very few consumer complaints," Wilk said.

Go to Pt II/ The consumer vs the merchant

Take me to the e-commerce special.

What do you think? Tell the Mailroom. And read what others have said.