Series 1 — Diagnosis · Paper 5
The Trust Tax
Every commercial transaction begins with a problem. The merchant has something the customer wants. The customer has money the merchant wants. But neither party fully trusts the other — and for good reason. The merchant doesn’t know if the customer’s payment will clear. The customer doesn’t know if the merchant will deliver. At the moment of exchange, both parties are taking a leap of faith.
This is not a new problem. Markets have always required mechanisms for managing it — escrow, reputation, intermediaries, guarantors. What changed in the twentieth century is that a new class of institution stepped in to resolve it at scale. The card network offered both parties something valuable: a trusted third party that would stand between them, guarantee the transaction, and absorb the risk of the leap of faith on behalf of both sides.
It was a genuine service. It solved a real problem. And for decades, both merchants and consumers largely trusted it to do the job it was hired for.
What neither party fully understood — what neither party was in a position to understand, given the opacity of the systems involved — is that the trusted third party had quietly expanded its role far beyond what either of them had sanctioned.
What trust was actually granted
When a customer hands over their card details, they are granting a specific and bounded trust. They are saying: take the amount for this transaction, from this account, for this merchant. That is the consent that exists. It is narrow, specific, and time-limited.
When a merchant signs up to accept card payments, they are granting a different but equally specific trust. They are saying: facilitate my transactions, protect my customers’ financial details, pay me what I’m owed. That too is a bounded relationship — a commercial arrangement for a defined service.
Neither party signed up to have their behaviour aggregated, analysed, scored, and sold. Neither party consented to their transaction history becoming a commercial asset that the network would monetise independently of the transactions themselves. Neither party understood that the trusted third party was, in the background, building one of the most valuable data businesses in history — not from their money, but from their behaviour.
This is not a conspiracy. It is what happens when a trusted intermediary operates inside a closed, proprietary system with no accountability to either of the parties that granted it trust. In the absence of transparency, scope creep is not a failure. It is the default outcome.
The data that was never meant to leave the room
Every card transaction generates data. The amount, the time, the location, the merchant category, the customer identifier — each individually unremarkable, collectively extraordinary. Aggregated across millions of merchants and billions of transactions, this data describes human behaviour with a precision and completeness that no other commercial dataset can match.
The card networks accumulated this dataset because they were the trusted intermediary in every transaction. They didn’t accumulate it by deception — it was a natural consequence of their position. But the uses to which it has been put go well beyond what either merchants or consumers reasonably understood they were enabling.
Spending behaviour is used to build credit scores that affect people’s access to financial products — often without their knowledge or meaningful ability to contest the conclusions. Transaction patterns are sold to third parties as commercial intelligence. Merchant categories and customer profiles feed targeting systems that are opaque to both the merchant whose customer is being profiled and the customer whose behaviour is being exploited.
The merchant who built a relationship with a customer over years of transactions discovers that the detailed picture of that customer’s behaviour belongs not to them, but to the network that processed the payments. The customer who trusted the network with their financial details finds that trust extended to purposes they never anticipated.
Neither party was deceived in the narrow legal sense. Both were given terms and conditions that, somewhere in their considerable length, disclosed the relevant practices. But informed consent requires more than disclosure buried in small print. It requires transparency about what is actually happening — and closed systems are not designed for transparency.
The problem with closed trust
This is the structural issue that no amount of regulation has fully resolved, because regulation addresses specific practices rather than the underlying architecture.
A closed, proprietary system can make any claim about how it handles trust. It can publish privacy policies, obtain certifications, and make commitments that sound meaningful. But a closed system is one where those claims cannot be independently verified. The merchant cannot inspect the system to confirm that their customers’ data is being used only in the ways described. The customer cannot verify that the consent they granted is being honoured in practice. Both must simply trust — which is precisely the situation they were trying to resolve by using the trusted third party in the first place.
This is not a solvable problem within a closed architecture. It is inherent to it. The only way to make trust claims verifiable is to make the system transparent enough that they can be checked.
Open systems have a different relationship with trust. When the protocol is published — when the rules governing what data flows where, on what basis, and for what purposes are open to inspection — trust becomes something that can be earned and maintained rather than asserted and assumed. Participants can verify the claims being made. Regulators can audit the actual behaviour rather than the stated policy. Researchers can identify problems before they become scandals.
This does not mean open systems are without risk. They are not. Trust and vigilance are required in any system that handles financial transactions and personal data — open or closed. The difference is not that open systems are safe and closed systems are not. The difference is that open systems are honest about where the trust relationships sit, and closed systems are not.
What explicit trust looks like
In a payment system built on an open protocol, the trust relationships are defined in the protocol itself — not in a proprietary policy document that one party wrote and the other must accept without negotiation.
The payer who approves a payment knows what consent they are granting, because the consent model is part of the published specification. The data that flows with the transaction is defined by the protocol, not by a commercial decision made behind closed doors. The merchant knows what information the payment system holds about the transaction and what it is permitted to do with it. The scheme authority — the governance body that oversees the protocol — operates under published rules that any participant can read, challenge, and invoke.
None of this eliminates the need for trust. A payer still trusts the scheme authority to enforce its own rules. A merchant still trusts the PISP to handle their customers’ payment details responsibly. Trust in financial transactions cannot be engineered away — it can only be made more honest.
But there is a meaningful difference between trusting a system because you have no alternative and trusting a system because you can see how it works. The first is the trust relationship that closed payment networks have relied on for fifty years. The second is what an open payment protocol makes possible.
Why this matters beyond payments
The question of trust in payment systems is not a narrow technical concern. It sits at the intersection of some of the most significant issues of the digital age: who controls data about our behaviour, what uses that data can be put to without our meaningful consent, and whether the institutions we are required to trust to participate in economic life are accountable to us or merely to themselves.
The card networks did not invent these problems. They are symptoms of a broader pattern in which trusted intermediaries — in payments, in social media, in information — expanded their role far beyond what users understood or consented to, protected by the opacity of closed systems and the absence of meaningful alternatives.
Payments are an unusually clear case because the trust relationship is so explicit at the moment of transaction. Both parties know they are relying on a third party to bridge a leap of faith. Neither party expected that third party to use the bridge as a commercial asset that belonged entirely to itself.
An open payment protocol does not resolve all of these tensions. It does not make data perfectly safe or trust perfectly reliable. What it does is shift the terms of the conversation — from “trust us because you have no choice” to “trust us because you can see what we’re doing and hold us to it.”
That shift has been made in every other domain where open standards replaced proprietary ones. In each case, the incumbents argued that openness would compromise trust, security, and reliability. In each case, they were wrong. The card networks will make the same argument. The question is whether the payments industry is willing to find out if they are wrong again — or whether it will wait another fifty years to ask.
Thomas Larsen is a cloud platform architect and engineering leader with twenty years’ experience building open infrastructure for public-sector and defence organisations. He is currently working on an open payment scheme for the UK market.