What actually happens to your card details when you pay online
Every online card payment sends more data than most people realise. Here is exactly what merchants receive, who else sees it, and what happens to it afterwards.
Omer Yusuf
Founder, eigin
Every time you pay by card online, a set of data leaves your device and travels through a chain of companies you have never heard of.
Most people assume the merchant gets what they need to process the payment and nothing more.
What you type into a checkout form
When you pay online, a typical checkout asks for:
- Your card number (the 16-digit number on the front)
- The expiry date
- The CVV (the 3-digit code on the back)
- Your name as it appears on the card
- Your billing address
Each of these fields serves a different purpose, and each one is handled differently once it leaves your browser.
The four parties involved in every card payment
To understand what happens to your data, start with the structure of a card payment. There are four parties involved in every transaction. This is called the four-corner model, and it is how Visa and Mastercard have operated for decades.
You. The cardholder, using your card to pay.
Your bank (the issuing bank). The bank that issued your card. When a payment is requested, your bank decides whether to approve it.
The merchant's bank (the acquiring bank). The bank that processes payments on behalf of the merchant. When you pay, the merchant's bank requests authorisation from your bank.
The card network. Visa or Mastercard, sitting in the middle, routing the authorisation request between the two banks and setting the rules.
The merchant is not a party in this model. The merchant submits the transaction to their acquiring bank, which routes it through the network.
What data the card network actually transmits
Here is what travels through the card network when you pay:
Your card number (technically called the Primary Account Number, or PAN). This is the critical identifier. It uniquely links the transaction back to your account.
Your expiry date.
A CVV code. This is checked at the point of authorisation and then discarded by compliant merchants. If a merchant stores your CVV after authorisation, they are in breach of PCI-DSS rules.
The transaction amount and merchant category code (a four-digit code that classifies what type of business the merchant is).
Your name and billing address are not transmitted through the card network itself. They are submitted separately by you in the checkout form, for shipping or for address verification. The card network does not carry them.
This distinction matters. Your card number is the persistent identity link. Your name and address are things you provide voluntarily at checkout, often necessary for delivery, but separate from the card transaction itself.
What the merchant actually receives
When your payment is approved, the merchant receives confirmation that the payment was authorised, a reference number, and typically the last four digits of your card number for their records.
The merchant does not receive your full card number from the card network.
However, the merchant does receive your full card number when you type it into their checkout form. That data passes through their payment system before reaching the network. What the merchant does with it from that point is governed by PCI-DSS compliance rules and their own data policies.
What merchants can do with your card number
The Payment Card Industry Data Security Standard (PCI-DSS) sets strict rules about storing card data. Compliant merchants should not store your full card number after the transaction is processed.
In practice, many merchants store a token: a placeholder that represents your card number in their system. It lets them charge you again without holding the raw number, which is standard for subscriptions.
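As an added illustration (not code from the original post, and not eigin's code), here is what a merchant-side checkout handler looks like when it is written so that the card number and CVV are used for the authorisation call and never reach the merchant's own storage. The processor call is a hypothetical stand-in named simulated_processor_authorise, and the form field names, the StoredPayment record and the find_pans scanner are assumptions made for the example. The scanner is the check a merchant wants when auditing logs or database exports for card numbers that should not be there.

```python
import re
import secrets
import string
from dataclasses import dataclass, asdict


def luhn_valid(number: str) -> bool:
    """Luhn checksum, which every major card number satisfies."""
    digits = [int(d) for d in number if d.isdigit()]
    if len(digits) < 13 or len(digits) != len(number):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredPayment:
    """Everything the merchant keeps about the card. PAN and CVV are absent."""
    token: str     # processor-issued reference that stands in for the card
    last4: str     # for receipts and customer service
    expiry: str    # MM/YY
    auth_ref: str  # authorisation reference returned by the processor


def simulated_processor_authorise(pan: str, expiry: str, cvv: str, amount_pence: int):
    """Hypothetical stand-in for the acquirer/processor API (a real integration
    is an HTTPS call to the provider). Returns (token, auth_ref) on approval,
    or None when declined. Tokens are letters only so they can never be
    mistaken for a card number by the scanner below."""
    if not luhn_valid(pan) or not cvv.isdigit() or len(cvv) not in (3, 4):
        return None
    if amount_pence <= 0:
        return None
    letters = string.ascii_lowercase
    token = "tok_" + "".join(secrets.choice(letters) for _ in range(16))
    auth_ref = "auth_" + "".join(secrets.choice(letters) for _ in range(10))
    return token, auth_ref


def checkout(form: dict, amount_pence: int) -> StoredPayment:
    """Merchant-side handler: the sensitive fields are forwarded for
    authorisation and only the non-sensitive ones come back for persistence.
    Name and billing address belong on the order record, not the card record."""
    pan = form["pan"].replace(" ", "")
    result = simulated_processor_authorise(pan, form["expiry"], form["cvv"], amount_pence)
    if result is None:
        raise ValueError("payment declined")
    token, auth_ref = result
    return StoredPayment(token=token, last4=pan[-4:], expiry=form["expiry"], auth_ref=auth_ref)


# Runs of 13-19 digits with optional spaces or dashes, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str) -> list:
    """DLP-style scan: return digit runs that look like a card number and pass
    Luhn. Run it over logs, database exports, or anything about to be written
    to disk, to catch a full PAN leaking into the merchant's own systems."""
    hits = []
    for m in PAN_RE.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group())
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    # Constructed sample input using a well-known test card number.
    form = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123",
            "name": "A Cardholder", "address": "1 Example Street"}
    record = checkout(form, 1999)
    print(asdict(record))
    print("card numbers found in stored record:", find_pans(str(asdict(record))))
```

The CVV is passed to the authorisation call and never written anywhere; the last four digits and the processor token are all the merchant needs for receipts and repeat charges. Running find_pans over the record (and over the application's logs) is a cheap way to confirm the merchant has not quietly widened its PCI scope.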
Some merchants store more than they should. Data breaches affecting major retailers have exposed tens of millions of card numbers as a result. The ICO maintains a public record of enforcement actions against organisations that failed to protect card data adequately. When a merchant is breached, every card number they have stored is potentially compromised.
Your card number, once in a merchant's system, also becomes a persistent identifier. The same number appearing across multiple transactions at different merchants creates a data trail that can be linked back to you over time.
What data brokers do with payment data
Merchants often share transaction data with third parties. Payment processors, analytics companies, and data brokers all operate in this ecosystem. The data they handle is not just your card number: it is the pattern of everything you buy.
Individual purchases are not sensitive. The pattern is.
Purchase history over months and years reveals health conditions, political views, religious practice, financial situation, relationships, and habits. Insurance companies use purchase histories when pricing policies. The former chief executive of SWIFT, the global interbank payments network, wrote in The Pay Off (2021) that payment data is highly prized by intelligence agencies, commercial actors, and governments, and that current restraints on its use may not hold permanently.
This is documented behaviour, not speculation.
The subscription problem
When you sign up for a subscription, the merchant stores a token representing your card. As long as that token is valid, they can continue to charge you. Cancelling the subscription in their system should remove their authorisation to charge. If it does not, or if the merchant disputes it, your recourse is limited to contacting your bank for a chargeback.
The card number itself cannot be easily changed. Unlike a password, you cannot simply reset it when you want to cut off a merchant's access.
This is why free trials that auto-convert to paid subscriptions, and subscriptions that refuse to cancel through normal means, work so well for the companies running them.
What happens after a data breach
When a merchant suffers a data breach, stored card numbers are exposed. Those numbers are sold on criminal markets and used for fraudulent purchases before the banks can identify and block them.
The card industry's response to breaches has been tokenisation at the network level. Apple Pay and Google Pay never send your real card number to the merchant. They send a device-specific token, a substitute number that is worthless to anyone who steals it. When a merchant accepting Apple Pay is breached, the stolen tokens cannot be used elsewhere.
This mechanism works well. The problem is that it operates at the device level, not the identity level. You still have one underlying card number that is your persistent identifier in the payment system. The token protects that number from merchant breaches. It does not prevent the identity link your purchase pattern creates over time. The same limitation applies to Revolut's virtual cards, which change the card number but not the identity attached to it.
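To make the "worthless to anyone who steals it" property concrete, here is an added example (not code from the original post, and not how Apple Pay, Google Pay or any card network implement it) of a hypothetical issuer-side token vault. The TokenVault class, its method names and the "shop-a"/"shop-b" merchant identifiers are assumptions for the example. It goes a little beyond the text: as well as binding a token to one domain so that a token taken from one merchant's breach is refused at another, it shows a single-use variant and a revoke operation, which is the cut-off that a raw card number cannot offer.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str            # the real card number, held only inside the vault
    merchant_id: str    # the only merchant allowed to present this token
    single_use: bool
    uses: int = 0
    revoked: bool = False


class TokenVault:
    """Hypothetical issuer-side token service. Merchants only ever see the
    token; the token-to-PAN mapping never leaves the vault."""

    def __init__(self):
        self._tokens = {}

    def issue(self, pan: str, merchant_id: str, single_use: bool = False) -> str:
        # Random rather than derived from the PAN: two tokens for the same card
        # cannot be linked to each other, or to the PAN, without the vault.
        token = "vcn_" + secrets.token_hex(8)
        self._tokens[token] = TokenRecord(pan, merchant_id, single_use)
        return token

    def authorise(self, token: str, merchant_id: str):
        """Authorisation check as the issuer would run it. Returns (approved, reason)."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.revoked:
            return False, "token revoked"
        if rec.merchant_id != merchant_id:
            # Domain restriction: a token leaked from one merchant is
            # worthless when presented by any other merchant.
            return False, "merchant mismatch"
        if rec.single_use and rec.uses >= 1:
            return False, "token already used"
        rec.uses += 1
        return True, "approved"

    def revoke(self, token: str) -> None:
        """Cut one merchant off. The underlying card number is untouched."""
        if token in self._tokens:
            self._tokens[token].revoked = True

    def linked_to(self, pan: str) -> list:
        """Only the vault can tie tokens back to a card; a merchant or a data
        broker holding the tokens alone cannot build this list."""
        return [t for t, rec in self._tokens.items() if rec.pan == pan]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample using a well-known test number
    shop_a_token = vault.issue(pan, "shop-a")
    shop_b_token = vault.issue(pan, "shop-b", single_use=True)
    print("shop-a uses its own token:", vault.authorise(shop_a_token, "shop-a"))
    print("shop-a token replayed at shop-b:", vault.authorise(shop_a_token, "shop-b"))
    print("single-use token, first charge:", vault.authorise(shop_b_token, "shop-b"))
    print("single-use token, second charge:", vault.authorise(shop_b_token, "shop-b"))
    vault.revoke(shop_a_token)
    print("after revoke:", vault.authorise(shop_a_token, "shop-a"))
```

The point the page makes sits in the last method: because each token is random, the thread that would connect a cardholder's purchases across merchants exists only inside the vault, so no party downstream of it can rebuild the profile from the tokens alone.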
What could be different
The mechanism already exists: a disposable number, issued for a specific merchant or a specific transaction, that expires after use and cannot be traced back to your underlying account.
Some products in the US offer this. In the UK and Europe, nothing equivalent exists for consumers.
A disposable number issued per merchant means that even if that merchant stores it, shares it, or is breached, the number is worthless. It cannot be used again. It cannot be linked to your other purchases. The profile cannot be built because the thread connecting transactions does not exist.
This is what eigin is being built to provide.
eigin is a pre-launch UK product being built to issue disposable virtual card numbers for online payments. The virtual number reaches the merchant. Your real card number does not. Join the waitlist to hear when it launches.