Turning Credit Cards into Comprehensive Financial Surveillance

In 2011 the Obama administration unleashed Operation Choke Point to use informal regulatory pressure on banks to debank the firearms industry, but that plan withered when exposed in congressional hearings. A few years later, the gun prevention lobbies convinced several states to mandate separate merchant category codes (MCCs) for stores that sell firearms; unfortunately for this initiative, the number of states with statutes that (opens in a new tab)forbid special MCCs for such stores far exceeds the number of states that mandate them. Today, the gun prevention movement is receiving an unexpected gift from merchant lobbies who are pushing to embed sophisticated surveillance infrastructure into the basic architecture of electronic commerce. With that architecture in place, the government will be able to track every item purchased with a credit card — firearms and everything else.  The surveillance scheme emerges as an unintended consequence of superficially appealing legislation — namely state-level interchange fee laws — which are promoted as being aimed at helping waitresses, waiters, and small mom-and-pop shops.

This post first describes Operation Choke Point, then its replacement by Merchant Category Codes(MCCs) tracking, and finally the new program for comprehensive surveillance of all purchases. The first two matters are described in my Dickinson Law Review article Big Business as Gun Control, and in my recent post summarizing the article. This post is coauthored with Kristian Stout, who is Director of Innovation Policy at the International Center for Law & Economics, a public policy research organization whose "work is dedicated to the memory"of the famous Law and Economics scholars Armen Alchian and Henry G. Manne.

The first state-level interchange fee statute was enacted in Illinois in June 2024. In the state legislatures, based on who's lobbying for what, the battles over interchange bills often appears as credit card companies versus big box stores, with pro-waitress and pro-small business lobbies chiming in to support the big box stores. But this framing ignores the enormous privacy implications for everyone who uses a credit card: namely forcing credit card companies to make records of the items purchased in every transaction.

A First Foray into Financial Weaponization: Operation Choke Point

The Obama administration unleashed Operation Choke Point in 2011 in an attempt to debank, and thus destroy, politically disfavored businesses. The Federal Deposit Insurance Corporation issued a guidance document warning banks about "merchant categories that have been associated with high-risk activity."

The "high-risk" activity was not high risk that a banking client might use his or her account for something illegal, such as money laundering, for which there are already extensive regulations from the Treasury Department units: the Office of the Comptroller of the Currency (OCC) and the Financial Crimes Enforcement Network (FinCEN). To the contrary, "high risk" was claimed to include the amorphous concept of "reputation risk." That is, a banking client might be politically unpopular, and so the bank's reputation might be harmed.

The "guidance" about "reputation risk" was accurately understood by banks as a threat. The same as if an organized crime underboss told a building contractor, "Just some friendly non-binding guidance: if you keep doing business with that cement supplier we don't like, you might get a bad reputation. They're not very popular around here."

The FDIC deliberately conflated entirely legal businesses with patently illegal activities. The agency's "high-risk" list included legitimate enterprises such as "Ammunition Sales," "Firearms Sales," and "Coin Dealers" alongside clearly illegal operations such as "Ponzi Schemes" and "drug paraphernalia." Rather than pursuing transparent rulemaking, the FDIC made implicit threats to achieve their anti-gun policy objectives without legislative authorization.

Just about any bank can be killed through ratings downgrades and uber-audits. Even if the bank ultimately prevails in court, the bank can be ruined or severely damaged by years of intense targeted investigations. Submitting to the Obama administration's unlawful regulatory threats, banks began debanking firearms businesses. For example, Maryland ammunition dealer TomKat Ammunition, with an unblemished record of regulatory compliance, was systematically denied financial services, with banks citing only its "industry" as justification.

The illegal Operation Choke Point was exposed through official investigations. The FDIC Office of Inspector General documented predetermined supervisory outcomes aligned with political objectives rather than legitimate safety concerns. Following legal challenges, the FDIC admitted that employees had engaged in "regulatory threats, undue pressure, coercion, and intimidation designed to restrict access to financial services for lawful businesses."

Notwithstanding the FDIC's admissions that Operation Choke Point had been illegal, the Biden administration in January 2023 began what critics called "Operation Choke Point 2.0," featuring coordinated attacks on the cryptocurrency and fintech sectors. The abuses included systematic debanking of targeted individuals based on political views, with tech investor Marc Andreessen documenting over 30 entrepreneurs debanked during the Biden administration. As detailed in Kopel's Dickinson Law Review article, other debanking targets during the Biden administration included Melania Trump and Christian religious organizations. In short, the Biden administration flagrantly defied the law and created "a privatized sanctions regime" that operated independently of traditional oversight mechanisms.

MCCs: The Institutionalization of Surveillance Infrastructure

The push for firearm-specific Merchant Category Codes represented an evolution from the covert pressures of Operation Choke Point to overt, institutionalized surveillance infrastructure. In September 2022, the International Organization for Standardization approved MCC 5723 for "Firearms Stores, Gun Stores, and Ammunition Stores" following a petition by a coalition of gun control advocates.

Merchant credit codes are used to distinguish broad categories of businesses — such as agriculture, transportation, professional services, or retail. There are a few codes used for businesses where the risk of credit card fraud is particularly high, such as casino gaming chips or online tobacco sales. Merchants who are assigned these categories typically have to pay higher interchange fees (which are described below).

Unlike Operation Choke Point's informal regulatory "guidance," behind-the-scenes pressure, and implied threats of enforcement action, the MCC system creates self-executing surveillance that requires no ongoing regulatory intervention. Using the firearms Merchant Category Code, payment networks and financial institutions can now automatically flag and track purchases at firearms retailers.

This technical infrastructure transforms surveillance from an episodic regulatory tool into a permanent feature of the financial system. Unlike the informal pressures that characterized Choke Point, MCCs embed tracking capabilities into the fundamental architecture of electronic payments, making surveillance the default rather than the exception. Three states — California, Colorado, and New York -- have enacted firearms MCC mandates, while 19 states — Texas plus 18 midsize or smaller states -- have forbidden the use of such codes.

The shift from regulatory pressure to technical infrastructure creates a permanence problem that extends far beyond traditional policy reversals. Bureaucratic systems, once established, develop institutional momentum that makes them extraordinarily difficult to dismantle. The technical infrastructure required to implement MCCs — from payment processor updates to merchant acquirer systems — represents significant capital investment that creates powerful incentives for continued use regardless of changing political winds.

Like other data streams, the firearms data stream from MCCs justify their own existence, creating bureaucratic constituencies with vested interests in maintaining and expanding the system. Technical capabilities, once built, exert pressure for utilization regardless of their original justification.

The pretext for firearms MCCs is prevention of gun deaths, particularly mass shootings. However, as Kopel's  Dickinson Law Review article explains, this rationale falls apart unless one presumes that every firearms purchase, such as a single handgun and a box of ammunition, will trigger an in-depth investigation by law enforcement. More realistically, the banking system's forced segregation of firearms store transactions will create a database of persons who likely are firearms owners, providing the foundation for enforcement of future restrictions, including registration requirements and potential confiscation policies similar to those implemented in other nations — such as Australia or Great Britain, whose confiscations have been praised as a model by former Vice-President Harris.

Not that the list would be perfect. At this stage of technology, a MCC identifies merchant types, not specific products purchased, meaning that any purchase at a store assigned the firearms code — whether for a gun safe, hunting equipment, or sporting goods — would be flagged for potential scrutiny. Large sporting goods retailers that sell firearms alongside boats, ATVs, and camping equipment would trigger the same surveillance alerts regardless of what customers actually purchase. Even so, a person who shops at a small firearms retailer, even to buy bow-hunting equipment, is relatively more likely to be a firearms owner, and so, to a lesser extent, is someone who buys anything (such as a fishing rod) at Bass Pro Shops.

Obviously the MCC would function better as a de facto firearms registry if retailers that sell a variety of products were forced to establish a separate "store" for firearms purchases. So if you went to Cabela's a bought hiking boots, the transaction would be rung up at "general retail" register, and if you bought a box of shotgun ammunition, the transaction would have to be rung up a separate register. Future advocacy efforts may focus on supposed "loopholes" in existing MCC mandates, potentially leading to proposals requiring stores to establish separate merchant credit accounts solely for firearms-related transactions.

But maybe the gun prevention lobbies won't have to go to such trouble. What if every credit card transaction had to provide to the bank that operates a merchant's or consumer's bank an itemized list of everything that a consumer purchased? Then credit card records could, in essence, function as gun registries. Enacting such an intrusive statute might require more political capital than the gun prevention lobbies currently possess. Fortunately for them, other interest groups are doing the job for them, to create the technical necessity for banks to look directly into your shopping basket, as detailed in the next part of this Post.

Interchange Regulation and the Dawn of 'Shopping Basket' Surveillance

A credit card transaction on a network like Visa or Mastercard involves multiple parties: the cardholder, who is buying something; the merchant, who is selling something; the issuing bank, which gave a credit card to the cardholder; the acquirer, which is a bank or other entity (e.g., Stripe, Paypal) that services the retailer's sales; and the "network." When a sale takes place, the acquirer provides information about the sale to the network, which notifies the bank that issued the buyer's credit card. The issuing bank then approves or declines the sales transaction, uses the network to notify the acquirer of the decision, and the acquirer notifies the seller. The four major American networks are Visa, MasterCard, Discover, and American Express. Visa and Mastercard are "open" networks, whereas American Express and Discover are "closed-loop" networks, in which the issuing bank (to the purchaser) and the acquiring bank (for the retailer) are the same. The interchange laws described below would apply to open networks (Visa, Mastercard) but not closed ones (American Express, Discover).

The acquirer applies a "merchant discount rate"(MDR) that covers its own costs, fees charged by the networks (Visa and Mastercard), and the interchange fee, which is retained by the issuing bank. For example, on a transaction of $100 where the MDR is 3%, the interchange fee is 2%, and the network fee is 0.13%, the merchant receives $97; the issuer retains $2; the network receives $0.13, and the acquirer retains $0.87

The MDR is typically about 1% to 4%. It includes a fee charged by the acquiring bank for its services, often 0.2% to 0.5%. The MDR also reflects fees that were charged by other parties in the transaction: first, network fees (charged by Visa or Mastercard), typically 0.1% to 0.2%. The MDR also incorporates the interchange fee, which is retained by the card-issuing bank.

Interchange fees vary by type of merchant, type of card, and type of transaction. For any specific merchant and card, interchange fees are lowest for "card present" transactions (when the physical credit card or mobile wallet was used at a point of sale device) and highest for online transactions (because of greater risk of fraud). Interchange fees generally range from 1% to 3%.

In the Colorado legislature this year, there was a proposal to restrict interchange fees, and the public relations campaign very much focused on waitstaff. Suppose you dine at a restaurant, and the tab is $100, including tax and tip. You pay the $100 with your credit card, so the restaurant will receive $97 in its bank account. The $3 that didn't go into the restaurant's bank account might have been comprised of a 15 cent network fee by Visa, a 45 cent fee by the restaurant's bank, and a $2.40 interchange fee by the diner's credit card issuer.

Although the restaurant, and theoretically the waitstaff, may make a slightly lower amount for each transaction, both make more money in the long run because the restaurant accepts credit cards. Extensive data shows that consumers spend more, including at restaurants, when they pay by credit card. See, e.g., Julian Morris and Ben Sperry, The Cost of Payments: A Review, ICLE White Paper (2024) (literature review).

The Illinois legislature, however, has already enacted the Illinois Interchange Fee Prohibition Act (IFPA), which prohibits banks from collecting interchange fees on sales tax and gratuity amounts. The law, if it goes into effect in 2026, will force credit card companies to implement systems that account for sales taxes and tips, rather than just on the total amount.

For example, as of today in Illinois, if your total restaurant bill is $100, your credit card issuer doesn't care how the $100 was divided among food, alcohol, tax, and tip. But once the interchange law goes into effect, the issuer will have to sort out the tax and the tip as line items, and subtract them before charging the interchange fee.

In principle, some larger merchants with sophisticated point of sale (POS) systems might be able to do this quite easily, as those systems are at least capable of recording and transmitting line-item data. By contrast, the simple POS systems used by most restaurants and merchants in the United States only provide the total transaction amount and some related data such as the card number, expiration date, transaction date, and the Merchant Category Code. This is called Level 1 data. At Level 2, the system can separate out the sales tax (and some other items). Line-item data is only available at Level 3.

However, Level 2 and 3 data are currently only regularly collected for business credit cards, not consumer cards. As explained in the 2024 ICLE white paper State Regulation of Interchange Fees, the Illinois statute would effectively require "considerable reprogramming by all parties in the payment stack," including merchants, acquirers, networks, and issuers. The problem is even worse for debit cards, which were never designed for such detail.

The IFPA also introduces an even more worrying prospect. By mandating the exclusion of interchange fees on taxes and tips, the government successfully forces the creation of a much more detailed data pipeline. By compelling the payments industry to adopt systems capable of processing the specific contents of a purchase, Illinois sets the stage for transforming routine transactions into detailed surveillance events. A law that in Illinois permits restaurants to collect and remit tax and tip data could in California or New York become a requirement for stores to disclose the sales of firearms. And from there, it could extend to all manner of specific items, or even a general reporting requirement. Then, a government administrative subpoena to an acquirer or issuer would reveal much more than a list of people who bought something at Cabela's or Uncle Joe's Hunting Shack; it would reveal precisely what each customer purchased.

A mandate requiring the reporting of level 3 data exponentially magnifies the "mosaic effect," a phenomenon where individually innocuous data points combine to reveal intimate personal details, including personal beliefs, associations, and constitutionally protected activities. Such a mandate would allow the government, via administrative subpoenas, to discover the books you bought, your purchase of kosher food at a grocery store, an Islamic prayer rug at a department store, or the 50 cans of beans and dozen gallons of bottled water you purchased at Costco. The last two items might get you identified as a "survivalist," which according to a leaked 2009 memo from the Department of Homeland Security means you might be a domestic terrorist. Or in a state where abortion is illegal, the simultaneous purchase of a pregnancy test plus two boxes of maxi pads would be a lead for finding women using at-home abortion pills.

Don't count on the law to protect your privacy. Under the third-party doctrine created by the Supreme Court, you have no Fourth Amendment right of privacy for data you voluntarily share with a third party, such as a bank or credit card company. See, e.g., United States v. Miller, 425 U.S. 435 (1976) (government subpoena of bank records, 7-2, opinion by Powell, dissents by Marshall and Brennan); Liza Goldenberg, Going Cashless: Privacy Implications for Gun Control in a Digital Economy, 17 The Journal of Business, Entrepreneurship & the Law 124 (2024) (Pepperdine). The Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999) places some limits on the financial industry's ability to aggregate and share consumer data. The Act is why merchants have to ask your permission to share (sell) your information to other businesses. But the Act does not limit law enforcement agencies' subpoenas for data. 15 U.S.C. sect. 6802(e)(5).

Nor should you expect your bank to stand up for your privacy rights as a customer. Even without an administrative subpoena, Bank of America voluntarily provided customer data to federal investigators following January 6th, without any warrant or legal process identifying customers who made purchases at weapons-related merchants  This included the FBI asking Bank of America for "ANY historical purchase" in the previous six months of weapons or from weapons-related vendors, for anyone who traveled to D.C. around the time of the infamous January 6 attack on the Capitol. Staff of H.R. Comm. on the Judiciary, 118th Cong., Financial Surveillance in the United States: How the Federal Government Weaponized the Bank Secrecy Act to Spy on Americans 26 (Comm. Print 2024).

While Visa correctly argued in 2022 that requiring a separate Merchant Credit Code for stores that sell firearms, would be "an invasion of consumers' privacy" and create a "dangerous precedent," the Illinois Interchange Fee Prohibition Act compels the very infrastructure Visa said shouldn't exist.

Conclusion

The evolution from Operation Choke Point to firearm-specific MCCs, and now to state-mandated interchange fee regulations illustrates a broader pattern in American governance: the systematic expansion of the panopticon state through private intermediaries that circumvent constitutional constraints. By deputizing banks and payment processors as surveillance or enforcement agents, regulators achieve policy objectives impossible through direct government action, exploiting the reality that participation in the modern financial system is not truly voluntary.

What began as purportedly nonbinding "guidance" against politically disfavored industries has evolved into a two-pronged surveillance infrastructure. MCCs enable categorical tracking of where citizens shop, while interchange fee laws like Illinois's IFPA create the technical necessity to monitor what they buy. This combination transforms the financial system from a tool of commerce into a comprehensive surveillance apparatus capable of monitoring both merchant categories and shopping basket contents with unprecedented granularity.

Technical infrastructure built for one purpose inevitably expands to serve others, creating what could become comprehensive transaction surveillance affecting all aspects of personal autonomy and constitutional rights exercise. Until the 1970s, Social Security Number cards included the warning "NOT FOR IDENTIFICATION," but the numbers now serve as de facto centralized national ID number for everyone. Internet Protocol (IP) Address Tracking (meaning your computer has a unique Internet ID) was developed by in the 1970s by the Advanced Research Projects Agency Network (ARPANET) for technical efficiency in routing data packets, but is now pervasively used by websites (and government) as one of the tools to track Internet users.  Automated License Plate Readers were introduced in the 1990s for their utility in finding stolen vehicles and fugitives. But today, they are used for mass tracking of everyone, with over two billion scans stored in databases. A similar story can be told for Facial Recognition Technology. When the above tools were first brought in for innocuous purposes, it would have been better if laws had been enacted restricting broader uses that would otherwise be inevitable as the tools and computing power improved.

Without protective legislation, the notion that requiring payment networks to enable the transmission of Level 3 data on all transactions will not eventually lead to mass surveillance of every item you buy with a credit card appears implausible. The American Revolution was founded on "that ancient maxim of prudence; obsta principiis" (resist the first advances). Simeon Howard, A Sermon Preached to the Ancient and Honorable Artillery Company in Boston, June 7, 1773. As of 2025, Americans have lost much of their privacy and freedom from government and corporate surveillance because they did not resist the first advances, including many of the intrusions described above.