A dynamic graphic object managed by a financial institution that issues a payment device prevents third-party access to sensitive account data when linking the payment device to marketing documents provided by the third party. A payment processing server uses an alias for the sensitive data and configures a dynamic graphic object with the alias. The object may also include instructions to link the sensitive data to the alias and allow the payment processing server to monitor transactions with the third party. The payment processing server may then mediate communication between the consumer and the third party without exposing sensitive data.