Comment by devmor

10 months ago

My ethics are “this is unequivocally wrong without consent”.

Thankfully my work was on payment products that serviced businesses and government entities, so I did not really have to deal with that moral quandary.

However, it gets muddier in other spaces as well. There are types of cards, like HSA/FSA, that require something similar to level 3 data called IIAS that is used to determine what parts of your purchase are eligible. In the parts of the systems I have worked with, this is covered by HIPAA, but I have no idea if there are “clever” methods to sneak that data out of the chain elsewhere.