Mastercard plans to get rid of credit card numbers. We could be heading towards the end of cards
- Written by Gary Mortimer, Professor of Marketing and Consumer Behaviour, Queensland University of Technology
Mastercard has announced plans[1] to remove the 16-digit number from their credit and debit cards by 2030 in a move designed to stamp out identity theft and fraudulent use of cards.
The numbers currently used to identify cards will be replaced with tokenisation[2] and biometric authentication[3].
In 2022, Mastercard added biometric options enabling payments to be made with a smile or wave of the hand[4].
Tokenisation converts the 16-digit card number[5] into a different number – or token – stored on your device, so card information is never shared when you tap your card or phone or make payments online.
The first rollout of these numberless cards will be through a partnership with AMP Bank[6], but it is expected other banks will follow in the coming 12 months.
Why card security is important
There is nothing quite like the sinking feeling after receiving a call or text from your bank asking about the legitimacy of a card transaction.
In 2023-2024 the total value of card fraud in Australia was A$868 million[7], up from $677.5 million[8] the previous financial year.
Credit card numbers and payment details are often exposed in major data breaches affecting large and small businesses.
Late last year, the US Federal Trade Commission took action against Marriott and Starwood Hotels[10] for lax data security. More than 300 million customers worldwide were affected.
Event ticketing company Ticketmaster[11] was also hacked last year. The details of several hundred million customers, including names, addresses, credit card numbers, phone numbers and payment details were illegally accessed.
So-called “card-not-present fraud[12]”, where an offender processes an unauthorised transaction without having the card in their physical possession, accounts for 92% of all card fraud[13] in Australia. This rose 29%[14] in the last financial year.
The Card Verification Value[15] (CVV), the three-digit number on the back of a credit card, was intended to ensure the person making the transaction had the physical card in their hands. But it is clearly ineffective.
Benefits of removing credit card numbers
Removing the credit card number is the latest attempt to curb fraud. Removing numbers stops fraudsters processing unauthorised card-not-present transactions.
It also reduces the potential for financial damage to victims exposed in data breaches, if organisations are no longer able to store these payment details.
The storage of personal information is a contested issue. For example, the 2022 Optus[17] data breach exposed information from customers who had previously held accounts with the telco back in 2018.
Removing the ability of organisations to store payment details in the first place removes the risk of this information being exposed in any future attack.
While any efforts to reduce fraud are welcome, this new approach raises some new issues to consider.
Potential problems with the new system
Mastercard has said[18] customers will use tokens generated by the customer’s banking app or biometric authentication instead of card numbers.
This is likely to be an easy transition for customers who use mobile banking.
However, the use of digital banking is not universal. Many senior consumers[19] and those with a disability[20] don’t use digital banking services. They would be excluded from the new protections.
While strengthening the security attached to credit cards, removing numbers shifts the vulnerability to mobile phones and telecommunication providers.
Offenders already access victims’ phones through mobile porting[21] and impersonation scams[22]. These attacks are likely to escalate as new ways to exploit potential vulnerabilities are found.
There are also concerns about biometrics. Unlike credit card details, which can be replaced when exposed in a data breach, biometrics are fixed. Shifting the focus to biometrics will increase the attractiveness of this data, and potentially open victims up to ongoing, irreversible damage.
While not as common, breaches of biometric data do occur.
For example, web-based security platform BioStar 2[23] in the UK exposed the fingerprints and facial recognition details of over one million people. Closer to home, IT provider to entertainment companies Outabox[24] is alleged to have exposed facial recognition data of more than one million Australians.
Will we really need cards in the future?
While removing the numbers may reduce credit card fraud, emerging smart retail technologies may remove the need for cards altogether.
Smartphone payments are already becoming the norm, removing the need for physical cards. GlobalData[25] revealed a 58% growth in mobile wallet payments in Australia in 2023, to $146.9 billion. In October 2024, 44% of payments were “device-present[26]” transactions.
Amazon’s innovative “Just-Walk-Out[27]” technology has also removed the need for consumers to bring a physical credit or debit card altogether.
This technology is available at more than 70 Amazon-owned stores, and at more than 85 third-party locations across the US, UK, and Australia. These include sports stadiums[28], airports, grocery stores, convenience stores[29] and college campuses.
The technology[30] uses cameras, weight sensors and a combination of advanced AI technologies to enable shoppers in physical stores to make purchases without having to swipe or tap their cards at the checkout line.
Such technology is now being offered by a variety of other vendors including Trigo[31], Cognizant[32] and Grabango[33]. It is also being trialled across other international retailers, including supermarket chains Tesco and ALDI.
While Just-Walk-Out removes the need to carry a physical card, at some point consumers still need to enter their card details into an app. So, to avoid cards and numbers completely, smart retail tech providers are moving to biometric alternatives, like facial recognition payments[34].
Read more: Paying with your face: what will convince consumers to use facial recognition payment technology?[35]
Considering the speed at which smart retail and payment technology is entering the marketplace, it is likely physical credit cards, numberless or not, will soon become redundant, replaced by biometric payment options.
References
- [1] plans (www.smh.com.au)
- [2] tokenisation (www.mastercard.com.au)
- [3] biometric authentication (www.payset.io)
- [4] smile or wave of the hand (www.mastercard.com)
- [5] converts the 16-digit card number (www.mastercard.com)
- [6] AMP Bank (corporate.amp.com.au)
- [7] A$868 million (www.auspaynet.com.au)
- [8] $677.5 million (www.auspaynet.com.au)
- [9] CC7/Shutterstock (www.shutterstock.com)
- [10] Marriott and Starwood Hotels (www.ftc.gov)
- [11] Ticketmaster (www.abc.net.au)
- [12] card-not-present fraud (www.europol.europa.eu)
- [13] 92% of all card fraud (www.auspaynet.com.au)
- [14] rose 29% (www.auspaynet.com.au)
- [15] Card Verification Value (www.canstar.com.au)
- [16] ESBProfessional/Shutterstock (www.shutterstock.com)
- [17] 2022 Optus (www.abc.net.au)
- [18] has said (www.smh.com.au)
- [19] senior consumers (nationalseniors.com.au)
- [20] disability (www.a11y-collective.com)
- [21] mobile porting (www.idcare.org)
- [22] impersonation scams (www.scamwatch.gov.au)
- [23] BioStar 2 (www.theguardian.com)
- [24] Outabox (www.wired.com)
- [25] GlobalData (www.globaldata.com)
- [26] device-present (www.rba.gov.au)
- [27] Just-Walk-Out (aws.amazon.com)
- [28] sports stadiums (www.mcg.org.au)
- [29] convenience stores (www.thenewdaily.com.au)
- [30] technology (www.aboutamazon.com)
- [31] Trigo (www.trigoretail.com)
- [32] Cognizant (www.cognizant.com)
- [33] Grabango (www.grabango.com)
- [34] facial recognition payments (www.finextra.com)
- [35] Paying with your face: what will convince consumers to use facial recognition payment technology? (theconversation.com)