Cash, card, and the conversion of payments into data

A cash purchase produces no record at any third party. The only persistent record of the exchange is whatever the two participants choose to remember or write down. The exchange begins and ends at the counter.

A card purchase produces a record at every layer it passes through. The merchant captures the card number and stores it, or a token derived from it, against the customer's record. The acquiring bank logs the transaction. The card network logs the routing. The issuing bank logs the authorisation against your account, with the time, the amount, the merchant name, the merchant category, and the merchant location. The merchant's checkout form also collects whatever the merchant decided to ask for, often including your name, your billing address, your email, and your phone number, all of which the merchant keeps and links to the card number it captured.

The difference between the two is not a question of better or worse payment technology. The difference is that one transaction creates data and the other does not. The shift from cash to cards in the UK, accomplished over roughly two decades and substantially settled by 2017, was therefore not the substitution of one payment method for another. It was the conversion of payments into a data event, performed incrementally, presented as a convenience upgrade, with the data consequence disclosed in policies that the consent process did not require consumers to read or understand.

The cash transaction

Cash had a single mechanical property that no card payment has. The transaction left no information with anyone except the two people in the room. The merchant might issue a receipt and keep a duplicate; the buyer might keep their own note of what had been bought, or might not. Whatever record existed of the exchange was the participants' record, made by hand if at all, and held by the participants alone. No third institution, anywhere, knew that the transaction had happened, let alone what had been bought, by whom, or for how much. No payment processor logged the amount. No bank account was queried. No card network routed the value.

This property was not a privacy feature. It was a structural consequence of how cash works. Cash is bearer-instrument value: whoever holds the note has the value, and the note carries no information about its holder, its previous holders, or what it has been spent on. Privacy at the merchant level was the default. There was no way for any third party to record the transaction, because no third party was part of it.

The same property applied at the issuer level. The bank that distributed the cash knew you had withdrawn it. It did not know what you spent it on. Once the cash left the bank, the bank lost sight of it. There was no instrument by which the bank could re-establish that sight.

The card transaction

A card payment is a different kind of object. The card is a credential issued by a bank and indexed to your account at that bank. The merchant captures the card number at checkout and submits an authorisation request through its acquiring bank. The acquiring bank routes the request through Visa or Mastercard. Visa or Mastercard route it to the issuing bank that owns the BIN range the card belongs to. The issuing bank checks the balance, applies any rules attached to the card, and returns approved or declined. The response travels back the same path and reaches the merchant within seconds.

Each layer of that path keeps a record. The merchant records the card number, or a token derived from it, the amount, the time, and whatever the merchant's checkout asked for separately: name, billing address, email, phone, sometimes more. The merchant's processor records the routing details. The card network records the authorisation message. The issuing bank records the authorisation against your account, with the merchant name, the merchant category code, the merchant location, the time, and the amount. The settlement message that follows triggers the actual movement of funds and adds another record at every layer.

What the merchant does not receive directly from the card network is your name, your billing address, your email, or your phone. The card network does not transmit those fields. The merchant has them because the checkout form collected them. The privacy boundary in a card payment is not where most users assume it is. The card network carries the transaction; the form carries the identity. They arrive at the merchant separately and both reach the merchant's database, where they are linked to one another by the order record the merchant builds.

The card number is the durable identifier in card payments. Most cards are valid for three or four years, so the same card number reaches dozens or hundreds of merchants across that period. Each merchant that receives it can store it, or a token derived from it, alongside the identity fields the same checkout collected. This is not what a card was originally designed to do. The first credit cards solved a settlement problem: the merchant wanted to be paid without carrying credit risk on the customer, the customer wanted to defer payment, and the network of issuing banks made the transaction a guaranteed pull on the customer's credit line. Identity tracking across merchants was not the problem cards were built to solve. It is a side-effect of the design.

The conversion

The shift from cash to cards in the UK was not a single event. It was the cumulative result of millions of decisions made over decades. Debit cards were widely issued from the 1990s onward. Contactless cards arrived in 2007 with Barclaycard's OnePulse. Transport for London began accepting contactless on buses in 2012 and on the Underground in 2014. Apple Pay arrived in the UK in July 2015. Each step expanded the surface area on which a card was the easier thing to use, and each step was sold on speed, convenience, and the elimination of small frictions.

In 2017, debit-card payments overtook cash payments by volume for the first time. UK Finance recorded 13.2 billion debit-card transactions and 13.1 billion cash transactions, with cards moving past cash a year earlier than the trade body had previously forecast. By 2024, cash payments had fallen to 4.4 billion transactions, around nine per cent of all UK payments, while contactless transactions had reached 18.9 billion. The conversion was substantially complete. For most readers, the question of whether to use cash or a card no longer arises in most settings; the card arises by default and cash is the deliberate choice.

Across that same period, the data the new payment method generated became valuable. Cash had produced no equivalent data because cash had produced no data at all. The aggregation problem that Bruce Schneier names in Data and Goliath applies precisely here: a single transaction reveals little, but a year of transactions reveals income range, health conditions through pharmacy spending, religious practice through donation patterns, political affiliation through subscriptions, family structure through grocery patterns, and the rough geography of a life through merchant locations. The data has value when it forms a pattern. A pattern needs a stable identifier to accumulate against, and the card number is that identifier. Most card numbers persist for three or four years, long enough for a pattern to form.

The data is not held in one place but distributed across the parties in the chain. Each holds a slice: the merchant has the merchant-side record, the acquirer's processor has the routing details, the card network has the authorisation log, and the issuing bank, which sits on every transaction the cardholder makes, has the most complete record of any single party. Beyond these named parties, data brokers hold derivations, joined sometimes to the card number through hashed forms, sometimes to the customer through the identity fields the merchant collected, sometimes through both. Gottfried Leibbrandt, who ran SWIFT for a decade, characterised payment data in The Pay Off as of particular interest to intelligence agencies, commercial actors, and governments, and noted that the constraints currently keeping payment data less exploited than social-media data are partly legal, partly practical, and not structural. The implication is direct: the constraints could weaken.

Cards replaced a payment method that produced no data with one that produces data continuously, indexed against the card number, accessible to the parties holding it, and in some cases sold. Cards were sold on convenience. The convenience is real, and so is the data the new system produces. Consumers agreed to standard card terms. The data terms were disclosed in the privacy policies and the small print but not surfaced in the marketing.

Cash and the law

UK readers have two tools today, before any new product launches. Cash itself is one option. UK banknotes and Royal Mint coins remain legal tender in England and Wales. The Bank of England is clear that legal tender carries no requirement on shops to accept any particular form of payment, which means UK businesses can refuse cash, but most do not, and the choice to use cash where it is accepted is one the reader can make any day. Six per cent of UK adults, roughly 3.1 million people on the FCA's 2022 figures, used cash for everything or most things in their day-to-day lives. The dominant default has shifted from cash to card, but cash is still available where merchants accept it.

The infrastructure that lets the reader use cash is, for the first time in UK law, a thing the regulator is required to protect. The Financial Services and Markets Act 2023 inserts a new Part 8B into the Financial Services and Markets Act 2000 and gives the Financial Conduct Authority statutory powers to ensure reasonable provision of cash deposit and withdrawal services across the country. The FCA published its final access-to-cash rules in 2024 (PS24/8); designated banks and building societies have been operating under them since September 2024. The Act does not create a right for the consumer to use cash with any merchant; it guarantees that the means to obtain cash, deposit cash, and operate a cash-based life will be protected as the high-street infrastructure thins. In practice, the Act recognises that the shift from cash to cards is not irreversible, that some part of the population should not have to participate in the data economy in order to participate in the consumer economy, and that cash should remain a real option.

UK GDPR provides a second instrument, this one operating directly against the merchants who already hold card-derived data. Article 15 gives every UK reader the right to ask any merchant what personal data the merchant holds about them, in what categories, sourced from where, retained for how long, and shared with whom. Article 17 gives the right to request erasure of that data where there is no longer a lawful basis for the merchant to hold it. Few readers exercise these rights, and merchants know it. The rights nonetheless exist and apply to every UK reader, today, against every merchant the reader has paid by card.

Online transactions

Cash and existing rights help with part of the problem, not all of it. Cash works only with physical merchants who accept it, which excludes most online commerce. Online subscriptions, recurring digital services, and the long tail of merchants the reader interacts with through a screen rather than a counter all require a payment instrument that travels through the card networks. For most of these transactions, the practical choice is between paying with a card and not having access to the service.

For online merchants, the practical answer is a card that behaves differently from a normal card. A single-use card number, issued for one transaction and unable to be reused, leaves the merchant with a credential that does not link to anything. A card number locked to a single merchant cannot be charged by any other merchant who acquires it through a breach or a sharing arrangement. A card number that the user can close stops a subscription from being charged, without having to argue with the merchant. eigin is being built to provide these mechanisms for UK consumers, on the same Visa rails any other UK card runs on, with the same statutory protections any other UK cardholder has. It is one option alongside cash and the law, not a substitute for either.

Cards produce records at every layer they pass through. Cash didn't. UK readers have three tools today: paying in cash where it's accepted, using UK GDPR Articles 15 and 17 against merchants holding card data, and using cards designed so each merchant sees a number unique to that merchant.