Post Synopsis: Mastercard has announced a plan to eliminate card numbers in Europe by the end of this decade. What developments in payment technology will enable this? Mastercard has outlined three key success factors that, together, will work to eliminate card numbers. Read on to learn more about the changes on the horizon and how e-commerce payments will get even easier in the years ahead.
The End Of Card Numbers
Last week, Mastercard made public its intention to eliminate card numbers in Europe for e-commerce transactions by 2030. Jorn Lambert, Chief Product Officer at Mastercard, outlined in a blog post:
Today, when you shop in person, you can tap your card or mobile device on a reader and within a fraction of a second your credentials will be authenticated and your transaction authorized. It should be just as simple, safe and convenient online as it is in store.
That’s why we’re working with banks, fintechs, merchants and other partners to phase out manual card entry for e-commerce in Europe by 2030, in favor of a one-click button that will work on any online platform. Europe has long been a leader in payments innovation, and we anticipate other markets following suit.
The post goes on to highlight the three components that will combine to eliminate the need to enter card details when shopping online:
Tokenization alone won’t transform online checkout. That’s the first step. We’re also making it easy to embed Click to Pay, our online checkout solution, into merchant sites and enabling our bank partners to make Click to Pay a default card feature through cardholder auto-enrollment. And finally, we’re introducing payment passkeys for online transactions, using the on-device Biometric authentication most people already use…
These three elements mentioned above can be described simply as Tokenisation, Biometrics, and Click to Pay - the last one is, in fact, a Mastercard product name. The announcement didn’t signify a shift in Mastercard’s strategy. Trends in payments and technology have been moving toward making e-commerce simpler and more secure. But now, for the first time, one of the largest card scheme networks has set a target date for moving away from the need to enter card numbers online, at least in one region. Other regions will surely follow in due course.
How do we get to a future in which card numbers are a thing of the past? Let’s examine each of Mastercard’s three key success factors in more detail.
Key Success Factor 1 - Tokenisation
Tokenisation has been around in payments for a while. While the concept is straightforward, its benefits are substantial. With tokenisation, card information, such as a card number, is replaced with a series of randomised letters and numbers, known as a token. With tokenisation, merchants never see the actual card number during an online transaction and do not store it.
With tokens, if a user has shopped with a store before there's no need to enter card details each time. Also, tokenisation helps businesses become PCI-DSS compliant - an essential data security need for businesses handling card data. In addition to the security benefit, tokens have allowed new business models to flourish. Subscription payments are a case in point. Without needing users to enter card information each time, businesses can use tokenisation to draw on the payment details for repeat transactions. At the same time, a user can withdraw their authorisation for the recurring payment whenever they wish to.
Initially, tokenisation was handled at the level of the payment provider, such as Cybersource, Stripe, or Worldpay. But nowadays, it’s more common for tokens to be handled at the network level (Visa and Mastercard are the two main examples). The network token approach provides businesses greater flexibility compared to operating at the level of the payment provider. With network tokens, migrating from one solution to another becomes much easier as the tokens exist across the payment ecosystem rather than just within a single supplier. A Mastercard Q&A guide highlighted another key benefit of network tokens:
With network tokenization, card details are automatically updated when a card is replaced or expired which leads to higher approval rates and a simplified user experience.
Being able to update a user’s card details automatically when a card expires requires the card issuer to support network tokens. In Europe, most card issuers already do support network tokens. But there will be a push to ensure that every card issuer can meet the 2030 deadline. Additionally, for every business to access network tokens, all payment processors will need to offer their support. Mastercard will work closely across the payment ecosystem to embed network tokens. And there may be card scheme mandates and other measures to accelerate compliance. Payment processors that do not support network tokens may already be paying higher fees (as mentioned in this report from Deloitte).
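The lifecycle behaviour described above, as an added sketch (not Mastercard's or any payment provider's code): a hypothetical `TokenVault` holds the only token-to-card mapping, so the merchant's stored token keeps working after the issuer replaces an expired card. The class and method names, token format, and dates are assumptions for illustration.

```python
import secrets
from datetime import date

def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the check-digit scheme card numbers use."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical network-side vault: the only place a token maps to a card."""
    def __init__(self):
        # card_id -> (pan, expiry); token -> card_id
        self._cards, self._tokens = {}, {}
    def provision(self, pan: str, expiry: date) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        card_id = secrets.token_hex(8)
        self._cards[card_id] = (pan, expiry)
        token = "tok_" + secrets.token_urlsafe(16)   # random, not derived from the PAN
        self._tokens[token] = card_id
        return token
    def issuer_replaces_card(self, old_pan: str, new_pan: str, new_expiry: date) -> None:
        """Issuer lifecycle update: existing tokens now resolve to the new card."""
        for card_id, (pan, _) in self._cards.items():
            if pan == old_pan:
                self._cards[card_id] = (new_pan, new_expiry)
    def authorize(self, token: str, today: date) -> str:
        card_id = self._tokens.get(token)
        if card_id is None:
            return "declined: unknown token"
        _pan, expiry = self._cards[card_id]
        return "approved" if expiry >= today else "declined: card expired"

def demo():
    vault = TokenVault()
    # Constructed sample data: well-known test card numbers, made-up dates.
    token = vault.provision("5555555555554444", date(2025, 6, 30))
    merchant_record = {"customer": "alice", "payment_token": token}  # no PAN stored
    before = vault.authorize(merchant_record["payment_token"], date(2025, 7, 1))
    vault.issuer_replaces_card("5555555555554444", "5105105105105100", date(2029, 6, 30))
    after = vault.authorize(merchant_record["payment_token"], date(2025, 7, 1))
    return merchant_record, before, after
```

The merchant record is never touched between the two authorisation attempts; only the vault's mapping changes.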
Key Success Factor 2 - Biometrics
Biometrics is something we all use these days without thinking too much about it. For instance, on our smartphones, Apple’s Face ID and Touch ID are well-known and used by hundreds of millions of users every day. (Android offers the same biometric capabilities - just with different names.) When we use Apple Pay in-store or online, the device checks our unique characteristics. This can be the face scan or fingerprint that we added when setting up the device. Biometrics make the checkout experience with Apple Pay very easy. Tapping the Apple Pay checkout button - when paying on a mobile device - and verifying a transaction with Face ID is as seamless as payments can be. The one caveat is that not all online stores support Apple Pay yet.
Mastercard aims to bring a biometric checkout experience to a wider range of businesses. In theory, Mastercard’s planned offering would allow all businesses to offer a checkout experience like Apple Pay, with the ability for biometric authentication across all payment transactions. In Europe, biometric checkout will be possible regardless of the bank that issues the card or the online store where the card is used. Unlike Apple Pay or Google Pay, Mastercard’s biometric solution will likely not need a user to enrol a card into a wallet on the device. Instead, cards will be automatically tokenised and enrolled into Click to Pay.
To understand the relevance of this proposition further, we need to understand the impact of Payment Services Directive 2 (PSD2). This EU Directive affected the payments industry due to its rules on Strong Customer Authentication (SCA). For a large share of e-commerce transactions, users must now approve the payment within their online banking or card issuer app, or receive an SMS message with a code to enter on the checkout page. These rules were introduced to reduce fraud, and to some extent, they have worked. Fraud is much less likely on transactions that go through the SCA process. Yet the process can be cumbersome and prone to error. For example, if a user needs to authenticate within an online banking app, an issue with the app may lead to the transaction failing.
This is where passkeys come in. Passkeys eliminate traditional passwords and instead use biometrics such as Face ID. You may already be seeing passkeys as a log-in option on some apps or websites. According to the FIDO Alliance, more than 20% of the top 100 websites in the world already support passkeys, with more soon to follow. The field is still evolving, with new announcements made regularly. The Verge is tracking various announcements in this area. Just last month, Microsoft launched support for passkeys on all consumer-facing applications.
In the coming years, Mastercard will be working with banks and industry organisations - such as the FIDO Alliance - to put in place passkeys. However, there will be some aspects to clarify in the months and years ahead in the lead-up to the 2030 deadline. For instance, Apple and Google allow passkeys to be accessible across all devices that a user has in their respective ecosystems. Will Mastercard utilise the passkeys on the device - say within Google Password Manager - or develop a different approach? Of course, banks and non-bank card issuers will need to develop their systems to allow passkeys. Effort will be required, but the benefits will be worth it.
Key Success Factor 3 - Click to Pay
The third key success factor in eliminating card numbers is referred to by Mastercard as Streamlined guest checkout (Click to Pay). To understand what Click to Pay is trying to achieve, we need to take a step back and look at the payments world before tokenisation. There was a time when the whole card number always had to be entered in full when paying online. Unsurprisingly, rather than going through this process repeatedly, many users soon preferred PayPal over cards. PayPal required just a username and password - which was more intuitive. Over the years, as the popularity of PayPal grew, Visa and Mastercard sought to bring to market their own solutions to simplify the checkout process.
Various solutions were launched in the 2010s such as V.Me, and then Visa Checkout (Visa), and Masterpass (Mastercard). In many ways, these solutions were a defensive move against the growth of PayPal, but they failed to achieve widespread adoption. The propositions were not as smooth as PayPal, and due to the branding of each solution, there was confusion about which cards could be added. Additionally, these solutions required businesses, card issuers and payment processors to all sign up. It can be hard work to bring so many third parties to the table, especially if the USP isn’t clear. In essence, too much work was required for insufficient reward. These card network-backed checkout solutions failed to find favour.
A more recent development has been the emergence of other providers offering a fast checkout experience. Shopify is one of the world’s leading e-commerce platforms, and its Shop Pay offering has become a familiar sight when paying online. With Shop Pay, if you’ve shopped at a previous Shopify business, you can easily pre-load your address details and card number. To do this, you only need to confirm your phone number or email address at checkout. There is no need to sign in with a username and password. This is an example of the magic of tokenisation. Stripe has a similar offering called Link. Link allows users who have previously shopped with other Stripe merchants to save their checkout details. Whilst merchant checkouts have become more congested, at the same time it's easier than ever to check out with one or two clicks or taps.
Mastercard is once again making a big push with a solution that optimises the checkout experience - this time, it’s known as Click to Pay. Mastercard is in a better position than before due to the prominence of network-level tokenisation. The plan is to tokenise cards at the point of issuance and also to enrol all cards into Click to Pay. Added to this, biometrics will make the checkout process smooth and secure. Overall, this approach will make it possible to build a fast checkout solution that is agnostic of the specific payment provider, e-commerce platform, or card issuer. Merchants will need to integrate Click to Pay within their online checkouts, but given the volume of cards that will be automatically enrolled, the business case will be clear.
Final thoughts: The end of card numbers is coming. Mastercard have outlined their approach - Visa and others will likely follow with similar measures and ambitions. Given PSD2 in Europe, it makes sense to start here before taking the same approach to North America and APAC. In 2030, or even sooner, we’ll see benefits across the payments ecosystem when card numbers become a thing of the past. Payments will become easier and more secure.
Other Interesting Reads 👀
Some articles - not necessarily payments and fintech related - that caught my eye:
How a Bold A.I. Device Flopped (The New York Times)
WWDC, Apple Intelligence, Apple Aggregates AI (Stratechery)
How Gen Zs rebel against Asia’s rigid corporate culture (The Economist)
"Unlike Apple Pay or Google Pay, Mastercard’s biometric solution will likely not need a user to enrol a card into a wallet on the device. Instead cards will be automatically tokenised and enrolled into Click to Pay."
I think this is key. Currently, Click to Pay requires users to enroll with an email and password, and to provision their cards into the wallet. That is tough sledding. The issue is that the card networks don't have access to my PII as a cardholder. The Financial Institutions do. This is where a wallet like Paze has a competitive advantage, at least for now. The Paze wallet is owned by the major banks, and the participating financial institutions provide access to the PII and the card data that enables a no-enrollment and no-provisioning experience.
If Click to Pay is going to have a chance at success, the networks need to figure out the onboarding flow.