RSS for Credit Card Activity

By Deane Barker on July 24, 2003

Here’s an idea that credit card companies should implement: an RSS feed of your credit purchases, in real-time. Basically have an RSS feed of every authorization on your credit card(s), as they happen.

My wife always wants me to keep receipts, but I always lose them or send them through the wash. This way she could know what was going on as it was happening. I just bought a book at a downtown book shop and walked back to my office — she’d know about it by now, and could plan and budget for it accordingly.

And what if your credit card got stolen? Years ago, I was a credit fraud investigator for Citibank. There were people who had no idea their card was missing until they got a statement with $10,000 in charges over the three weeks leading up to the statement date. With an RSS feed, you’d find out something was going on the next time your aggregator checked.

These days, most credit card companies have “Early Warning” departments that flag suspicious credit card activity and call the cardholder to confirm everything is okay. With an RSS feed of all the purchases on my card, I essentially become my own Early Warning department. No one knows better than the customer what’s valid and what’s not, so why not eliminate the middleman?

I’m not going to build this, but I wish someone would.

Gadgetopia

Comments

  1. I’d prefer to not have my credit card data / history exposed over an insecure channel like RSS. Unless they can do SSL and authentication, and even then maybe not. Yikes.

  2. Regarding security, it strikes me that RSS is an HTTP transaction, like any other. If I can view my credit card information at Citibank’s Web site (an HTTP transaction), why wouldn’t it work with RSS?

    I’m sure there’s more to it.

  3. Why not just buy a copy of Microsoft Money or Quicken? I’ve been using MS Money to do this for years. It automatically downloads my daily updates from Fleet, American Express, Capital One and E*Trade for me to peruse and check. And relatively securely too.

    rOD.

  4. Yes, it is via HTTP, but when you look at your bank statement online, you’re using HTTPS, with an SSL layer for encryption. I don’t believe RSS has any authentication re: a signature, etc., let alone a more robust form of security, one that could thwart someone who gets their hands on feeds (oy, what a nightmare that would be.)

  5. No, there isn’t.

    All you need is an RSS viewer to pull a file from an https: URL — well, that and RSS clients that understand sessions, authentication, encryption, and all the other security goodies that the browsers do.

    FYI, Quicken uses HTTPS requests and SSL encryption for its transaction downloads. So there you go.

  6. A secure transport is definitely feasible with an RSS aggregator – using HTTPS as the transfer protocol is a simple solution.

    However a secure transport is only part of the problem. For information of a confidential nature, I’d also be looking for some form of content encryption once the data had arrived on my machine – and, if I’m viewing the data remotely – encryption between the aggregator and my browser (or whatever client is being used).

    I’d probably feel most comfortable with a feed that contained enough information to allow me to determine whether a transaction was valid or fraudulent. The feed would not contain confidential account numbers or other personal data in the feed. I’d like to see a service like this from both my bank and the credit reporting bureaus – with a more aggressive polling interval on the former.

  7. I was CC’d on this email to Dave Winer. It’s posted here with permission. Ole is talking about http://www.ofx.net

    “Dave –

    I saw your post today echoing Deane Barker about a realtime RSS feed for credit card purchases. Actually Tim Bray made similar mention a couple of weeks ago, asking for an RSS feed of his stock portfolio.

    You should know (probably do) that most large financial institutions support an XML-based standard called OFX. (Open Financial Exchange.) This standard was created about ten years ago by Intuit, Microsoft, and CheckFree, as a way to interface personal financial managers like Quicken and Money to financial institutions like banks and bill payment services like CheckFree. Most home banking vendors like Digital Insight support OFX as well, both as clients (they use OFX to get account information from banks) and as servers (they export account information to end-users as OFX).

    There are two main things offered by OFX which are slight complications over RSS. First, there is security; OFX is always exchanged over SSL connections, with validation of server certificates by clients. Also a client must establish identity through a logon sequence (typically userid/password, validated by server). Second, OFX servers support client-side state. An OFX client provides the high-water mark of previously seen transactions (all transactions are sequence-numbered by the server), and the server then provides ONLY transactions newer than the high-water mark. This enables small updates to be easily downloaded from large datasets (e.g. all the history on your credit card would make for a large message).

    Both of these features — security and state — would be useful additions to RSS. If added, they would bring RSS up to the level of OFX, but would not necessarily add anything to the OFX standard already in place. There are already a bunch of defined XML tags for modeling financial transactions (I supposed these could be incorporated into RSS as a large ‘financial’ namespace). Additionally there is already software — like Quicken and Money — which ‘understands’ OFX feeds, and incorporates the data seamlessly. Such software wouldn’t necessarily know what to do with RSS versions of the same data.

    Of possible interest…

    Ole Eichhorn CTO, Aperio Technologies http://www.aperio.com

  8. There’s no practical problem with authentication – many newsreaders support it in one form or another (mostly SSL), there’s a list (in progress) at http://www.ideagraph.net/aggregators/

    The comments regarding MS Money and Quicken are interesting. For the purposes of just reading the credit history, RSS 2.0 and any (authenticated) reader would do. There is however the potential for using an RSS 1.0 module to define the info in a machine readable fashion, for processing and storage in tools that could support the MS Money/Quicken kind of functionality.

  9. PS. I’ve not come across OFX before, and your post arrived as I was typing, Deane – sounds like RSS could learn a thing or two.

  10. Re Danny’s comment:

    “There’s no practical problem with authentication – many newsreaders support it in one form or another (mostly SSL)…”

    Keep in mind SSL has nothing to do with authentication, unless you’re doing a certificate exchange with a client cert. In the general case, SSL provides only encryption – not authentication.

  11. Those last few comments allowed me to take a deep soothing breath. Still, let me restate:

    SSL HAS ABSOLUTELY NOTHING TO DO WITH AUTHENTICATION.

    I have yet to see any sort of RSS viewer that fully allows (or even remotely for that matter) for true authentication. You can add all the secure sockets and packet encryption you wish, but until I am absolutely confident that nobody can simply add something to the URL and steal my identity and personal credit info I am absolutely against this idea.

    While interesting in terms of the things you could do with RSS and it sparks other ideas, this one just doesn’t fit.

  12. To the last comment there, NewsGator absolutely supports authentication, including HTTP Basic, Digest, and NTLM/Kerberos. Basic requires an encrypted channel (such as with SSL) to be secure, but the others do not.

  13. If we could fix the security problems (both encryption AND authentication), what else would you want?

    Would you want to be able to drag and drop information into Excel or your personal money program? Would you want a link back to the transaction on your bank’s web teller?

  14. Hi Deane,

    It was a good posting. I think RSS is a relatively evolving technology and I will be uncomfortable if all the credit card transaction information was transmitted using RSS.

    Even though an RSS aggregator can use HTTPS, it can be not that hard for a hacker to snoof the data. For example the RSS specification allows for description elements to contain arbitrary entity-encoded HTML. While this is great for RSS publishers, it makes writing a safe and effective RSS consumer application exceedingly difficult.

    I am not against the RSS technology, I think it is really good and effective but at the same time I will be uncomfortable if my credit card transactions will be sent via RSS.

    Thanks, KD http://best-in-uk-credit-card.co.uk/

  15. Hi, Credit Card & RSS feed

    Credit card transactions are monitored using digital technologies; systems are also available to alert the back office people to call the card holder to confirm a high amount or an abnormal transaction, for example a card used in another country or an internet transaction.

    Moreover, if credit card issuers use reliable Auto Dialers (VRS), SMS & e-mail based updates to the card holders, then RSS may not be a real need. RSS (Syndication) - hackers too could be syndicated :)

Comments are closed. If you have something you really want to say, email editors@gadgetopia.com and we’ll get it added for you.
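
The requirements raised across the comments (HTTPS with certificate validation, authentication, an OFX-style high-water mark, and untrusted HTML in `description`), sketched as an added example that is not part of the original post or its comments. The `<seq>` element, the sample feed and all function names are assumptions made for illustration, and the high-water filter is applied client-side here, whereas OFX applies it on the server.

```python
import base64, html, re, ssl, urllib.request
import xml.etree.ElementTree as ET

# Constructed sample feed; <seq> is a hypothetical extension element carrying
# the server-assigned sequence number that OFX-style state relies on.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Card authorizations</title>
<item><seq>101</seq><title>Downtown Books $24.95</title>
<description>Authorized 2003-07-24 12:10</description></item>
<item><seq>102</seq><title>Unknown Merchant $900.00</title>
<description>&lt;script&gt;alert(1)&lt;/script&gt;&lt;b&gt;Approved&lt;/b&gt;</description></item>
</channel></rss>"""

def fetch_feed(url, user, password):
    """Fetch over HTTPS only, with certificate validation and HTTP Basic auth."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    ctx = ssl.create_default_context()  # verifies server certificate and hostname
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")

def safe_text(fragment):
    """Treat feed text as untrusted: drop markup, then escape what remains."""
    no_scripts = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", "", fragment)
    return html.escape(re.sub(r"(?s)<[^>]*>", "", no_scripts)).strip()

def new_items(feed_xml, high_water):
    """Return (items with seq above high_water, updated high-water mark)."""
    items = []
    for item in ET.fromstring(feed_xml).iter("item"):
        seq = int(item.findtext("seq", "0"))
        if seq > high_water:
            items.append({"seq": seq,
                          "title": safe_text(item.findtext("title", "")),
                          "description": safe_text(item.findtext("description", ""))})
    items.sort(key=lambda i: i["seq"])
    return items, max([high_water] + [i["seq"] for i in items])
```

Persist the returned high-water mark between polls so each run surfaces only authorizations not yet reviewed.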