The context
What card transactions reveal.
A card payment creates a permanent record that names the merchant. For privacy service users, that record links your identity to the tools you chose.
Who has access
A card transaction passes through several parties, each of which retains a copy.
01
Your bank
Merchant name, amount, date, location. Retained 5-7 years minimum.
02
Card networks
Visa, Mastercard, and Amex process and store transaction metadata. Some sell aggregated data to analytics firms.
03
Payment processors
Full transaction records including merchant category codes (MCCs) that identify what type of service you paid for.
Transaction metadata is identifiable
A 2015 Science paper by de Montjoye et al. analyzed 1.1 million credit card users and found that even anonymized transaction datasets are re-identifiable with just four transactions. The metadata alone — merchant, amount, date — is sufficient. Your non-anonymized bank statement, which already carries your name, is far more revealing.
A relevant case
Encrypted email / FBI (2024)
The FBI identified the person behind an anonymous encrypted email account by obtaining the credit card identifier linked to the subscription. The provider’s encryption held. The payment metadata was the weak point.
Source: citation pending