Series 1 — Diagnosis · Paper 2
The Invisible Passenger
For as long as people have traded with strangers, they have needed ways to manage the risk of doing so. The merchant in a medieval market town who accepted a promissory note from a travelling trader was making a bet — not just on the note’s face value, but on the integrity of the system behind it. The trader who handed over coin for goods they hadn’t yet inspected was making the same bet from the other side. Commerce between strangers has always required something beyond the transaction itself: a framework of trust, reputation, or institutional guarantee that made the leap of faith possible.
The institutions that provided this framework — moneylenders, clearing houses, banks, and eventually card networks — were never neutral parties. They had their own interests, their own costs, and their own ways of extracting value from the position of trust they occupied. That is not a criticism. It is the nature of intermediaries. The question that has always mattered is not whether the intermediary profits from its position — of course it does — but whether the terms of that arrangement are visible and fair to the parties it serves.
For most of the history of commerce, those terms were at least legible. The moneylender’s rate was stated. The clearing house’s fee was known. The relationship between the intermediary’s interests and the interests of the parties it served was, if not always equitable, at least visible.
The modern payment network changed that. Not through malice, but through scale, opacity, and the remarkable convenience it offered to both sides of the transaction. The payer, in particular, got something genuinely valuable — and in exchange gave up something they were never quite asked about.
The bargain that was never explicitly made
When a consumer uses a card to pay for something, they experience the payment as a simple exchange: goods or services in return for authorisation of a transaction. The mechanics are invisible. The money moves, the receipt appears, the interaction is complete.
What is less visible is the second transaction that happens simultaneously — one that the payer did not explicitly initiate and has limited ability to inspect or control.
Every card payment generates a record. Not just of the amount and the merchant, but of the time, the location, the category of purchase, the frequency of visits, the relationship between this transaction and thousands of others. Individually, these data points are unremarkable. Collectively, over time and across millions of payers, they constitute something extraordinary: a detailed, continuous account of how people live — what they eat, where they travel, what they worry about, what they aspire to, how their circumstances change over time.
This record belongs to the network, not to the payer who generated it. It is used to build profiles, inform credit decisions, and feed commercial intelligence systems that operate entirely outside the payer’s view. The payer authorised a payment. They did not authorise the construction of a detailed portrait of their life. But the authorisation was bundled in with the transaction, disclosed somewhere in the terms and conditions, and accepted by the act of using the card.
This is the bargain that was never explicitly made. The payer got convenience. The network got something considerably more valuable, on terms the payer was never in a meaningful position to negotiate.
The protection that isn’t quite what it seems
The chargeback is the payer’s primary protection in the card payment system — and it is, in important respects, genuinely protective. The ability to dispute a transaction and recover funds when something goes wrong is a meaningful safeguard. It is one of the reasons consumers trust card payments and have adopted them so thoroughly.
But the chargeback also has a side that is rarely visible to the payer making the claim.
When a payer disputes a transaction, they initiate a process that routes through their bank, through the card network, and eventually to the merchant — who may be the party best placed to resolve the issue, but who is the last to be consulted. The payer experiences this as efficient: a few taps in a banking app, and the matter is in hand. What they do not see is the cost that lands on the merchant, the administrative burden of responding to a dispute they may not even have been aware of until the money was already removed from their account, or the effect that their dispute — even when entirely valid — has on the merchant’s standing with the network.
More significantly, the payer does not see that the chargeback mechanism was designed around the network’s interests as much as their own. A dispute that routes through the card network keeps the network central to the resolution. It collects fees at every stage. It reinforces the payer’s dependency on their bank as the primary relationship for resolving problems with merchants. It positions the network as the indispensable intermediary — not just for the payment, but for everything that follows.
The payer who goes to their bank first, rather than the merchant, has been trained to do so. The system made it easy and made the alternative feel uncertain. That training serves the network’s interest in remaining central. Whether it serves the payer’s interest in actually resolving the problem — quickly, fairly, and in a way that preserves their relationship with the merchant — is a different question.
Friction that belongs to someone else
Not all friction in the payment experience belongs to the payer. Some of it is imposed for the payer’s genuine protection — authentication steps that prevent unauthorised use, for instance. But a meaningful portion of the friction that payers experience exists to manage risks that belong to others.
Declined transactions that aren’t fraud. Authentication challenges on purchases the payer has made dozens of times before. Holds on funds that have cleared. Spending alerts calibrated to the network’s risk models rather than the payer’s actual behaviour. These are not features designed for the payer’s benefit. They are the visible surface of risk management systems designed to protect the network and the issuing bank — systems whose thresholds and parameters the payer has no ability to influence or even understand.
The payer who has their transaction declined at a restaurant, or who is locked out of a payment while travelling, or who finds a hold on funds they expected to be available, is experiencing the cost of someone else’s risk model. They were not consulted about the model. They have no recourse against its decisions. They are, in the most literal sense, subject to a system that was built around other people’s interests.
This is not an argument that fraud prevention is unimportant. It is an argument that a payment system designed from the payer’s point of view would give the payer meaningful control over how that prevention operates — what triggers it, what the payer can do when it produces a false result, and how their own behaviour and preferences can be reflected in the system’s decisions. None of the current systems do this in any meaningful way.
The loyalty programme as a mirror
Loyalty programmes deserve particular attention because they are the most visible attempt by payment networks and their issuing banks to offer the payer something that feels like a direct benefit.
Points, miles, cashback, rewards — these are real. They have real value. Payers who use them thoughtfully do extract genuine benefit. But loyalty programmes are also the most transparent illustration of the underlying dynamic of the modern payment relationship: the payer is offered something tangible in exchange for something intangible, on terms designed by the network.
The something intangible is behavioural data at a granularity and consistency that no other commercial relationship provides. Every purchase, every location, every category, every merchant — logged, attributed, and used to build a picture of the payer that the payer cannot see, cannot correct, and cannot opt out of without forgoing the programme entirely.
The design of loyalty programmes also reinforces the behaviours the network wants. Spend more to earn more. Use this card, not that one. Shop at these partners, not those. The programme is an incentive structure calibrated to benefit the network — and it works, because it genuinely does benefit the payer too, in the narrow transactional sense. But the terms of the exchange were set entirely by one side.
A payer who understood the full picture of what their loyalty participation involved might make exactly the same choices. Or they might not. The point is that the choice has never been genuinely available to them, because the full picture has never been genuinely visible.
The payer the system forgot to design for
Looked at as a whole, the picture that emerges is of a payment system that was designed around the interests of banks, networks, and merchants — and then adapted, over time, to give payers enough of what they wanted to ensure their participation. Convenience was genuine. Protection was real, if imperfect. The experience improved year on year as competition drove innovation.
But the payer was never the starting point. They were the necessary participant whose cooperation had to be secured — through convenience, through rewards, through the absence of meaningful alternatives. The system was not designed against their interests. It was designed without them at the centre.
The result is a payer experience shaped by forces the payer cannot see: data practices they never explicitly authorised, risk models they cannot influence, dispute processes that route around them, loyalty structures that extract more than they appear to give. None of these are secret. All of them are disclosed, somewhere. But disclosure without transparency is not the same as consent, and consent without alternatives is not the same as choice.
A payment system designed from first principles — with the payer genuinely at the centre rather than as the necessary participant to be managed — would look different. Not in the payment itself, which should be invisible when it works, but in everything that surrounds it: who controls the data it generates, how disputes are resolved, how risk is managed, and on whose terms the relationship between payer and system is defined.
That is not a description of any payment system that currently exists at scale. It is a description of what the next one should be designed to achieve — and a measure against which any claim to have built something genuinely different should be judged.
Thomas Larsen is a cloud platform architect and engineering leader with twenty years’ experience building open infrastructure for public-sector and defence organisations. He is currently working on an open payment scheme for the UK market.