Mastercard has announced plans to remove the 16-digit number from their credit and debit cards by 2030 in a move designed to stamp out identity theft and fraudulent use of cards.
The numbers used to identify cards will be replaced with tokenisation and biometric authentication.
In 2022, Mastercard added biometric options enabling payments to be made with a smile or wave of the hand.
Tokenisation converts the 16-digit card number into a different number — or token — stored on your device, so card information is never shared when you tap your card or phone or make payments online.
The first rollout of these numberless cards will be through a partnership with AMP Bank, but it is expected other banks will follow in the coming 12 months.
Why card security is important
There is nothing quite like the sinking feeling after receiving a call or text from your bank asking about the legitimacy of a card transaction.
In 2023-2024 the total value of card fraud in Australia was $868 million, up from $677.5 million the previous financial year.
Credit card numbers and payment details are often exposed in major data breaches affecting large and small businesses.
Late last year, the United States Federal Trade Commission took action against Marriott and Starwood Hotels for lax data security. More than 300 million customers worldwide were affected.
Event ticketing company . The details of several hundred million customers, including names, addresses, credit card numbers, phone numbers and payment details were illegally accessed.
So-called "card-not-present fraud”, where an offender processes an unauthorised transaction without having the card in their physical possession, accounts for 92 per cent of all card fraud in Australia. This rose 29 per cent in the last financial year.
The Card Verification Value or three-digit number on the back of a credit card aimed to ensure the person making the transaction had the physical card in their hands. But it is clearly ineffective.
Benefits of removing credit card numbers
Removing the credit card number is the latest attempt to curb fraud. Removing numbers stops fraudsters from processing unauthorised card-not-present transactions.
It also reduces the potential for financial damage of victims exposed in data breaches, if organisations are no longer able to store these payment details.
The storage of personal information is a contested issue. For example, exposed information from customers who had previously held accounts with the telco back in 2018.
Removing the ability of organisations to store payment details in the first place, removes the risk of this information being exposed in any future attack.
While any efforts to reduce fraud are welcome, this new approach raises some new issues to consider.
Potential problems with the new system
Mastercard has said customers will use tokens generated by the customer's banking app or biometric authentication instead of card numbers.
This is likely to be an easy transition for customers who use mobile banking.
However, the use of digital banking is not universal. Many senior consumers and those with a disability don't use digital banking services. They would be excluded from the new protections.
While strengthening the security attached to credit cards, removing numbers shifts the vulnerability to mobile phones and telecommunication providers.
Offenders already access victims' phones through . These attacks are likely to escalate as new ways to exploit potential vulnerabilities are found.
There are also concerns about biometrics. Unlike credit card details, which can be replaced when exposed in a data breach, biometrics are fixed. Shifting focus to biometrics will increase the attractiveness of this data, and potentially open victims up to ongoing, irreversible damage.
While not as common, breaches of biometric data do occur.
For example, the web-based security platform BioStar 2 in the UK exposed the fingerprints and facial recognition details of over one million people. Closer to home, IT provider to entertainment companies Outabox is alleged to have exposed the facial recognition data of more than one million Australians.
Will we really need cards in the future?
While removing the numbers may reduce credit card fraud, emerging smart retail technologies may remove the need for cards altogether.
Smartphone payments are already becoming the norm, removing the need for physical cards. GlobalData revealed a 58 per cent growth in mobile wallet payments in Australia in 2023 to $146.9 billion.
In October 2024, 44 per cent of payments were 'device-present' transactions.
Amazon's innovative 'Just-Walk-Out' technology has also removed the need for consumers to bring a physical credit or debit card altogether.
This technology is available at more than 70 Amazon-owned stores, and at more than 85 third-party locations across the US, UK, and Australia. These include sports stadiums, airports, grocery stores, convenience stores and college campuses.
The technology uses cameras, weight sensors and a combination of advanced artificial intelligence technologies to enable shoppers in physical stores to make purchases without having to swipe or tap their cards at the checkout line.
Such technology is now being offered by a variety of other vendors, including Trigo, Cognizant and Grabango. It is also being trialled across other international retailers, including supermarket chains Tesco and ALDI.
While Just-Walk-Out removes the need to carry a physical card, at some point consumers still need to enter their card details into an app. So, to avoid cards and numbers completely, smart retail tech providers are moving to biometric alternatives, like facial recognition payments.
Considering the speed at which smart retail and payment technology is entering the marketplace, it is likely physical credit cards, numberless or not, will soon become redundant, replaced by biometric payment options.
Gary Mortimer is a professor of marketing and consumer behaviour at the Queensland University of Technology.
Cassandra Cross is associate dean (Learning & Teaching) at the Faculty of Creative Industries, Education and Social Justice at the Queensland University of Technology.
