My Nextbit Robin Android phone has NFC capabilities; for practical purposes, this means that it can, with supporting software, do for me what Apple Pay can do for an iPhone. It also means, though, that it can read the contents of other NFC devices, and it turns out that credit cards themselves, at least those with “contactless” support, fall into that category.
To explore this, I installed the Credit Card Reader NFC (EMV) app on my phone, and held my MasterCard up underneath it to be scanned.
As expected, the phone was able to read the credit card number; to my surprise, however, it also read the last nine transactions processed with the card:
So, for example, that transaction for $130.06 on March 26, 2017 is when I did the weekly grocery shop at Sobeys; it shows up on my credit card transaction report like this:
The standard that drives all of this is, I’ve learned today, called EMV:
EMV is a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them. EMV cards are smart cards (also called chip cards or IC cards) that store their data on integrated circuits in addition to magnetic stripes (for backward compatibility). These include cards that must be physically inserted (or “dipped”) into a reader and contactless cards that can be read over a short distance using radio-frequency identification (RFID) technology. Payment cards that comply with the EMV standard are often called Chip and PIN or Chip and Signature cards, depending on the authentication methods employed by the card issuer.
Because I can read my transaction history from my card, anyone can read the transaction history from my card. This means that if we’re beside each other in the coffee line, you can, if you can get your card-reading-device close enough to my card, read my transaction history. It also means that every time I pay with my card, the merchant I’m paying can read my transaction history.
While this stored transaction information doesn’t appear to include anything about the merchant, there’s a lot that can be derived from my last 10 transactions. Look at mine, for example: from just those 7 transactions you can see, you can tell how often I use my card, how much I tend to charge to the card, and what countries I’ve visited (because the currency is recorded along with the amount). If I were a merchant processing hundreds of thousands of cards per day, I could skim all of this data, aggregate it, and start to develop fingerprints that would demographically tag card presenters based on their history.
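To make concrete what such a log entry carries, here is an added example (not from the original post or the app it mentions) that decodes fixed-layout log records and summarizes what they expose. It assumes the card's log format lists the EMV data elements for transaction date (9A), amount (9F02) and currency code (5F2A); the format bytes and records are constructed, with the first mirroring the $130.06 purchase of March 26, 2017 and CAD assumed as its currency.

```python
from datetime import date
from decimal import Decimal

# EMV data-element tags for the fields the post saw in the log.
DATE, AMOUNT, CURRENCY = 0x9A, 0x9F02, 0x5F2A
ISO4217 = {"0124": "CAD", "0840": "USD", "0978": "EUR"}  # numeric -> alpha code

def parse_log_format(fmt: bytes):
    """Split a log-format list (tag, length, tag, length, ...) into pairs."""
    fields, i = [], 0
    while i < len(fmt):
        tag = fmt[i]; i += 1
        if tag & 0x1F == 0x1F:                 # BER-TLV: tag continues
            while True:
                if i >= len(fmt):
                    raise ValueError("truncated tag")
                tag = (tag << 8) | fmt[i]; i += 1
                if not tag & 0x80:             # last tag byte has bit 8 clear
                    break
        if i >= len(fmt):
            raise ValueError("tag without length")
        fields.append((tag, fmt[i])); i += 1   # assumes one-byte lengths
    return fields

def decode_record(fields, rec: bytes):
    """Decode one fixed-layout log record using the parsed format."""
    if len(rec) != sum(n for _, n in fields):
        raise ValueError("record length does not match log format")
    out, pos = {}, 0
    for tag, n in fields:
        digits = rec[pos:pos + n].hex(); pos += n
        if tag == DATE:                        # BCD YYMMDD
            out["date"] = date(2000 + int(digits[:2]), int(digits[2:4]), int(digits[4:6]))
        elif tag == AMOUNT:                    # BCD minor units (2 decimals assumed)
            out["amount"] = Decimal(int(digits)).scaleb(-2)
        elif tag == CURRENCY:
            out["currency"] = ISO4217.get(digits, digits)
        else:
            out[f"{tag:X}"] = digits           # keep unknown fields as hex
    return out

def exposure(records):
    """What a reader of the log learns without any merchant names."""
    return {"count": len(records),
            "currencies": sorted({r["currency"] for r in records}),
            "total": sum(r["amount"] for r in records)}

# Constructed sample data: format bytes and records are illustrative only.
LOG_FORMAT = bytes.fromhex("9A039F02065F2A02")
RECORDS = [bytes.fromhex("1703260000000130060124"),   # 2017-03-26, 130.06, CAD assumed
           bytes.fromhex("1703010000000045000840")]   # constructed: 45.00 USD
```

Even with only three fields per entry, the summary already shows usage frequency, spend and the currencies involved, which is the fingerprinting concern described above.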
As far as I can tell, there’s no way to turn this “feature” off on your card; I’m hunting for my MasterCard privacy statement to see whether its existence is mentioned there.
You can have the bank turn off the RFID capability of your credit card, although I don't know if the same information would be sent via the contact chip as well. At least it would limit the skimming to people you purchase from.