Mastercard plans to get rid of credit card numbers. We could be heading towards the end of cards

Payment technologies are advancing at such a rate it may not be long before credit cards are redundant. 4 February 2025 Mastercard has announced

Mastercard is planning to remove the 16-digit credit card number from its cards by 2030 in a bid to stamp out identity theft and fraudulent use of cards.

The numbers currently used to identify cards will be replaced with tokenisation and biometric authentication.

Mastercard already added biometric options in 2022, enabling payments to be made with a smile or wave of the hand.

Tokenisation converts the 16-digit card number into a different number – or token – stored on your device, so card information is never shared when you tap your card or phone or make payments online.

The first rollout of these numberless cards will be through a partnership with AMP Bank, but it is expected other banks will follow in the coming 12 months.

Why card security is important There is nothing quite like the sinking feeling after receiving a call or text from your bank asking about the legitimacy of a card transaction.

In 2023-2024 the total value of card fraud in Australia was A$868 million, up from $677.5 million the previous financial year.

Credit card numbers and payment details are often exposed in major data breaches affecting large and small businesses.

Late last year, the US Federal Trade Commission took action against the Marriott and Starwood Hotels for lax data security. More than 300 million customers worldwide were affected.

Event ticketing company Ticketmaster was also hacked last year. The details of several hundred million customers, including names, addresses, credit card numbers, phone numbers and payment details were illegally accessed.

So-called “card-not-present fraud”, where an offender processes an unauthorised transaction without having the card in their physical possession, accounts for 92% of all card fraud in Australia. This rose 29% in the last financial year.

The Card Verification Value (CVV) (or three-digit number on the back of a credit card) aimed to ensure the person making the transaction had the physical card in their hands. But it is clearly ineffective.

Benefits of removing credit card numbers Removing the credit card number is the latest attempt to curb fraud. Removing numbers stops fraudsters processing unauthorised card-not-present transactions.

It also reduces the potential for financial damage of victims exposed in data breaches, if organisations are no longer able to store these payment details.

The storage of personal information is a contested issue. For example, the 2022 Optus data breach exposed information from customers who had previously held accounts with the telco back in 2018.

Removing the ability of organisations to store payment details in the first place, removes the risk of this information being exposed in any future attack.

While any efforts to reduce fraud are welcome, this new approach raises some new issues to consider.

Potential problems with the new system Mastercard has said customers will use tokens generated by the customer’s banking app or biometric authentication instead of card numbers.

This is likely to be an easy transition for customers who use mobile banking.

However, the use of digital banking is not universal. Many senior consumers and those with a disability don’t use digital banking services. They would be excluded from the new protections.

While strengthening the security attached to credit cards, removing numbers shifts the vulnerability to mobile phones and telecommunication providers.

Offenders already access victims’ phones through mobile porting and impersonation scams. These attacks are likely to escalate as new ways to exploit potential vulnerabilities are found.

There are also concerns about biometrics. Unlike credit card details, which can be replaced when exposed in a data breach, biometrics are fixed. Shifting a focus to biometrics will increase the attractiveness of this data, and potentially opens victims up to ongoing, irreversible damage.

While not as common, breaches of biometric data do occur.

For example, web-based security platform BioStar 2 in the UK exposed the fingerprints and facial recognition details of over one million people. Closer to home, IT provider to entertainment companies Outabox is alleged to have exposed facial recognition data of more than one million Australians.

Will we really need cards in the future? While removing the numbers may reduce credit card fraud, emerging smart retail technologies may remove the need for cards all together.

Smartphone payments are already becoming the norm, removing the need for physical cards. GlobalData revealed a 58% growth in mobile wallet payments in Australia in 2023, to $146.9 billion. In October 2024, 44% of payments were “device-present” transactions.

Amazon’s innovative “Just-Walk-Out” technology has also removed the need for consumers to bring a physical credit or debit card all together.

This technology is available at more than 70 Amazon-owned stores, and at more than 85 third-party locations across the US, UK, and Australia. These