Mastercard Unveils a Five-Year Roadmap to Modernize Payments in Australia

Mastercard has unveiled a five-year roadmap to modernise payments in Australia. The changes include numberless physical cards, single-use virtual card numbers

Mastercard has unveiled a five-year roadmap to modernise payments in Australia, introducing changes like numberless physical cards, single-use virtual card numbers, biometric checkouts, and real-time settlement.

The plan aims to mitigate nearly $1 billion in annual card fraud and enhance the speed and security of payments.

For small businesses, Mastercard’s updates could reduce fraud liability, improve cashflow, and limit the amount of customer data they need to store.

Importantly, it could also offer more control over outgoing payments for businesses through dynamic funding rules built into banking apps.

Tokenisation to replace stored card data

A key change is the move to tokenisation, which Mastercard has called Click to Pay. Instead of storing or transmitting a 16-digit card number, businesses will store a token — a secure, encrypted version that can’t be reused if stolen. This applies to both one-off payments and recurring charges.

“Retailers adopting Click to Pay means they can still populate their card on file, but they’re actually storing tokens so they’re safer. They can’t be breached,” Richard Wormald, Mastercard’s division president for Australasia, said on a call with SmartCompany.

He said the most common source of fraud is a retailer being hacked, with stolen card details reused overseas.

“Today, the most common source of fraud is a retailer being hacked — the card numbers, expiry dates and three-digit codes all being stolen and then being reused by bad actors overseas. Cross-border fraud is what it’s recorded as, but it’s basically retailers being compromised.”

Wormald said Mastercard’s Click to Pay platform will enable full authentication of transactions, moving the fraud liability away from merchants and onto issuing banks.

He added that retailers would also see better approval rates and would no longer be the source of fraud, as they wouldn’t be storing card numbers.

Mastercard is also building tools to allow businesses to deliver offers or loyalty rewards without collecting personal data. These can be shown through the customer’s banking app or at checkout.

“The retailer doesn’t need the consumers’ data,” Wormald said. “That can be done through the bank channel, with the consumer’s consent.”

“We’re working in this space at the moment… so we could actually have loyalty programs for smaller retailers tokenised and actually not held by the retailer directly.”

Lowering data risk for small businesses

Wormald said the changes also reduce the amount of sensitive customer data small businesses need to handle.

“The best way of managing a data breach is not to be holding the data in the first place,” he said.

“Today, what’s happened is retailers are storing customers’ PII data, and they don’t know what happens to that. So this shift actually means there’s less passing of data in the system than today.”

Wormald also confirmed the biometric data and email addresses used for verification in the future will not be passed to merchants.

“We have very stringent data privacy rules and also rules around consent,” Wormald said, pointing to Mastercard operating in jurisdictions with even higher regulation such as the European GDPR.

“It means we actually have to operate at the highest level everywhere in order to comply,” he said.

Numberless and single-use card numbers

The other big change is the removal of 16-digit card numbers from physical Mastercard cards in Australia. Instead, that information will instead be stored in a customer’s banking app.

Consumers will also be able to generate one-time or merchant-specific virtual card numbers. These can be limited to a certain time, value, or store.

In practice this means that if this number was stolen, it wouldn’t be able to be exploited en masse by a hacker like an ordinary 16-digit number connected to your bank account would be.

“I could spin up a card number that can only work at The Iconic,” Wormald said. “If it gets stolen, it’s actually useless to the hacker.”

He confirmed there will be no limit to how many of these temporary card numbers a user can generate.

“What we’re trying to do is build the controls into your banking app so you as a consumer can see the places you stored your card.”

Wormald confirmed that consumers will also be able to revoke that consent through their banking apps.

Faster payments and better cashflow

Mastercard is also updating its infrastructure to support real-time card payment settlement. This means businesses could receive their funds faster, without needing to rely on acquirers to front the money.

“There are three steps in a card transaction. There’s the authorisation, which is when you tap the card. That’s always been real time,” Wormald said.

“We then have a settlement guarantee… We today operate on T+1. Visa currently operates on T+