diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -5329,6 +5329,7 @@
     'PhortunePaymentMethodDisableController' => 'applications/phortune/controller/payment/PhortunePaymentMethodDisableController.php',
     'PhortunePaymentMethodEditController' => 'applications/phortune/controller/payment/PhortunePaymentMethodEditController.php',
     'PhortunePaymentMethodPHIDType' => 'applications/phortune/phid/PhortunePaymentMethodPHIDType.php',
+    'PhortunePaymentMethodPolicyCodex' => 'applications/phortune/codex/PhortunePaymentMethodPolicyCodex.php',
     'PhortunePaymentMethodQuery' => 'applications/phortune/query/PhortunePaymentMethodQuery.php',
     'PhortunePaymentProvider' => 'applications/phortune/provider/PhortunePaymentProvider.php',
     'PhortunePaymentProviderConfig' => 'applications/phortune/storage/PhortunePaymentProviderConfig.php',
@@ -11893,11 +11894,14 @@
     'PhortunePaymentMethod' => array(
       'PhortuneDAO',
       'PhabricatorPolicyInterface',
+      'PhabricatorExtendedPolicyInterface',
+      'PhabricatorPolicyCodexInterface',
     ),
     'PhortunePaymentMethodCreateController' => 'PhortuneController',
     'PhortunePaymentMethodDisableController' => 'PhortuneController',
     'PhortunePaymentMethodEditController' => 'PhortuneController',
     'PhortunePaymentMethodPHIDType' => 'PhabricatorPHIDType',
+    'PhortunePaymentMethodPolicyCodex' => 'PhabricatorPolicyCodex',
     'PhortunePaymentMethodQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
     'PhortunePaymentProvider' => 'Phobject',
     'PhortunePaymentProviderConfig' => array(
diff --git a/src/applications/phortune/codex/PhortunePaymentMethodPolicyCodex.php b/src/applications/phortune/codex/PhortunePaymentMethodPolicyCodex.php
new file mode 100644
--- /dev/null
+++ b/src/applications/phortune/codex/PhortunePaymentMethodPolicyCodex.php
@@ -0,0 +1,35 @@
+<?php
+
+final class PhortunePaymentMethodPolicyCodex
+  extends PhabricatorPolicyCodex {
+
+  public function getPolicySpecialRuleDescriptions() {
+    $object = $this->getObject();
+
+    $rules = array();
+
+    $rules[] = $this->newRule()
+      ->setCapabilities(
+        array(
+          PhabricatorPolicyCapability::CAN_VIEW,
+        ))
+      ->setIsActive(true)
+      ->setDescription(
+        pht(
+          'Account members may view and edit payment methods.'));
+
+    $rules[] = $this->newRule()
+      ->setCapabilities(
+        array(
+          PhabricatorPolicyCapability::CAN_VIEW,
+        ))
+      ->setIsActive(true)
+      ->setDescription(
+        pht(
+          'Merchants you have a relationship with may view associated '.
+          'payment methods.'));
+
+    return $rules;
+  }
+
+}
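Review bot: The first rule passes only `PhabricatorPolicyCapability::CAN_VIEW` to `setCapabilities()`, but its description says account members may "view and edit" payment methods. If rules are matched to a capability through this list, the rule will presumably not be shown to someone inspecting the edit policy. Either add `PhabricatorPolicyCapability::CAN_EDIT,` to that array or narrow the description to viewing, so the documented policy matches what `getExtendedPolicy()` enforces. Separately, `$object = $this->getObject();` is assigned and never read in this method, so it can be dropped.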
diff --git a/src/applications/phortune/controller/account/PhortuneAccountPaymentMethodsController.php b/src/applications/phortune/controller/account/PhortuneAccountPaymentMethodsController.php
--- a/src/applications/phortune/controller/account/PhortuneAccountPaymentMethodsController.php
+++ b/src/applications/phortune/controller/account/PhortuneAccountPaymentMethodsController.php
@@ -34,7 +34,6 @@
       ->setCrumbs($crumbs)
       ->setNavigation($navigation)
       ->appendChild($view);
-
   }
 
   private function buildPaymentMethodsSection(PhortuneAccount $account) {
diff --git a/src/applications/phortune/query/PhortunePaymentMethodQuery.php b/src/applications/phortune/query/PhortunePaymentMethodQuery.php
--- a/src/applications/phortune/query/PhortunePaymentMethodQuery.php
+++ b/src/applications/phortune/query/PhortunePaymentMethodQuery.php
@@ -53,6 +53,7 @@
       $account = idx($accounts, $method->getAccountPHID());
       if (!$account) {
         unset($methods[$key]);
+        $this->didRejectResult($method);
         continue;
       }
       $method->attachAccount($account);
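Review bot: This branch, and the merchant and provider-config branches in the next two hunks, now reports the dropped method through `didRejectResult()` without a comment saying why a missing related object counts as a policy rejection. `idx()` returning null does not distinguish "the viewer cannot see the account" from "the account row does not exist", so a data-integrity problem would presumably surface as a restricted object. A short comment above each call would record the intent, for example `// Related object failed to load, most likely policy-filtered; report the method as restricted.` The enclosing loop and the query that builds `$accounts` start outside the hunk, so the load path could not be checked here.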
@@ -72,6 +73,7 @@
       $merchant = idx($merchants, $method->getMerchantPHID());
       if (!$merchant) {
         unset($methods[$key]);
+        $this->didRejectResult($method);
         continue;
       }
       $method->attachMerchant($merchant);
@@ -91,6 +93,7 @@
       $provider_config = idx($provider_configs, $method->getProviderPHID());
       if (!$provider_config) {
         unset($methods[$key]);
+        $this->didRejectResult($method);
         continue;
       }
       $method->attachProviderConfig($provider_config);
diff --git a/src/applications/phortune/storage/PhortunePaymentMethod.php b/src/applications/phortune/storage/PhortunePaymentMethod.php
--- a/src/applications/phortune/storage/PhortunePaymentMethod.php
+++ b/src/applications/phortune/storage/PhortunePaymentMethod.php
@@ -4,8 +4,12 @@
  * A payment method is a credit card; it is associated with an account and
  * charges can be made against it.
  */
-final class PhortunePaymentMethod extends PhortuneDAO
-  implements PhabricatorPolicyInterface {
+final class PhortunePaymentMethod
+  extends PhortuneDAO
+  implements
+    PhabricatorPolicyInterface,
+    PhabricatorExtendedPolicyInterface,
+    PhabricatorPolicyCodexInterface {
 
   const STATUS_ACTIVE     = 'payment:active';
   const STATUS_DISABLED   = 'payment:disabled';
@@ -148,18 +152,50 @@
   }
 
   public function getPolicy($capability) {
-    return $this->getAccount()->getPolicy($capability);
+    return PhabricatorPolicies::getMostOpenPolicy();
   }
 
   public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
-    return $this->getAccount()->hasAutomaticCapability(
-      $capability,
-      $viewer);
+
+    // See T13366. If you can edit the merchant associated with this payment
+    // method, you can view the payment method.
+    if ($capability === PhabricatorPolicyCapability::CAN_VIEW) {
+      $any_edit = PhortuneMerchantQuery::canViewersEditMerchants(
+        array($viewer->getPHID()),
+        array($this->getMerchantPHID()));
+      if ($any_edit) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+
+/* -(  PhabricatorExtendedPolicyInterface  )--------------------------------- */
+
+
+  public function getExtendedPolicy($capability, PhabricatorUser $viewer) {
+    if ($this->hasAutomaticCapability($capability, $viewer)) {
+      return array();
+    }
+
+    // See T13366. For blanket view and edit permissions on all payment
+    // methods, you must be able to edit the associated account.
+    return array(
+      array(
+        $this->getAccount(),
+        PhabricatorPolicyCapability::CAN_EDIT,
+      ),
+    );
   }
 
-  public function describeAutomaticCapability($capability) {
-    return pht(
-      'Members of an account can always view and edit its payment methods.');
+
+/* -(  PhabricatorPolicyCodexInterface  )------------------------------------ */
+
+
+  public function newPolicyCodex() {
+    return new PhortunePaymentMethodPolicyCodex();
   }
 
 }
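Review bot: `getPolicy()` now returns `PhabricatorPolicies::getMostOpenPolicy()` for every capability, so all access control on payment methods rests on `getExtendedPolicy()` being evaluated. Any check that consults only the base policy, or any capability added later, would fail open. That should be stated where the open policy is returned, for example `// Intentionally open: access is enforced by getExtendedPolicy() (account CAN_EDIT) and the merchant rule in hasAutomaticCapability().` In `hasAutomaticCapability()`, `$viewer->getPHID()` and `$this->getMerchantPHID()` are passed to `PhortuneMerchantQuery::canViewersEditMerchants()` unguarded. That helper is not visible here, so it is worth confirming that it returns false for a logged-out viewer or a method with no merchant PHID. `getExtendedPolicy()` also depends on `getAccount()` already being attached when the policy filter runs, which this hunk does not show.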
diff --git a/src/applications/policy/codex/PhabricatorPolicyCodex.php b/src/applications/policy/codex/PhabricatorPolicyCodex.php
--- a/src/applications/policy/codex/PhabricatorPolicyCodex.php
+++ b/src/applications/policy/codex/PhabricatorPolicyCodex.php
@@ -44,16 +44,6 @@
     return null;
   }
 
-  final public function getPolicySpecialRuleForCapability($capability) {
-    foreach ($this->getPolicySpecialRuleDescriptions() as $rule) {
-      if (in_array($capability, $rule->getCapabilities())) {
-        return $rule;
-      }
-    }
-
-    return null;
-  }
-
   final protected function newRule() {
     return new PhabricatorPolicyCodexRuleDescription();
   }