In the rapidly evolving world of digital payments, traditional payment methods are continually being challenged by innovative technologies. As part of this transformation, Mastercard has developed a strategy aimed at simplifying online payments, potentially leading to the decline of physical cards. This article, originally published by Matt Jones, Commercial Director at Payments Consulting Network in London, delves into Mastercard’s approach and what it means for the future of online transactions.  

Post Synopsis: Mastercard has announced a plan to eliminate card numbers in Europe by the end of this decade. What developments in payment technology will enable this? They have outlined three key success factors that, together, will work to eliminate card numbers. Read on to learn more about the changes on the horizon and how e-commerce payments will get even easier in the years ahead. 

 

The End Of Card Numbers 

Just last month, Mastercard make public its intention to eliminate card numbers in Europe for e-commerce transactions by 2030. Jorn Lambert, Chief Product Officer at Mastercard, outlined in a blog post that today, when you shop in person, you can tap your card or mobile device on a reader and within a fraction of a second your credentials will be authenticated and your transaction authorised. It should be just as simple, safe and convenient online as it is in store. 

Mastercard is working with banks, FinTech’s, merchants and other partners to phase out manual card entry for e-commerce in Europe by 2030 Instead, they aim to implement a one-click button that will work on any online platform. Europe has long been a leader in payments innovation, and it is anticipated that other markets will follow suit.

“Tokenisation alone won’t transform online checkout. That’s the first step.”
-Jorn Lambert, Chief Product Officer, Mastercard

The blog also highlights the three components that will combine to eliminate the need to enter card details when shopping online. Mastercard is making it easy to embed Click to Pay, its online checkout solution, into merchant sites and enabling bank partners to make Click to Pay a default card feature through cardholder auto-enrollment. Finally, Mastercard is introducing payment passkeys for online transactions, using the on-device biometric authentication most people already use. 

These three elements – Tokenisation, Biometrics, and Click to Pay – represent a concerted effort but the announcement didn’t signify a shift in Mastercard’s strategy. While trends in payments and technology have been moving toward making e-commerce simpler and more secure, this is the first time a major card scheme network has set a target date for moving away from the need to enter card numbers online, at least in one region. Other regions will surely follow in due course. 

If the announcement’s most significant impact is putting a date by which Mastercard expects card numbers to be a thing of the past. In that case, it’s also true to say that the three components of this strategy intersect to make this possible. All three of the key success factors intertwine and help each other provide value in the payment ecosystem.

How do we get to a future in which card numbers are a thing of the past? Let’s examine each of Mastercard’s three key success factors in more detail. 

Key Success Factor 1 – Tokenisation 

Tokenisation has been around in payments for a while. While the concept is straightforward, its benefits are substantial. With tokenisation, card information, such as a card number, is replaced with a series of randomised letters and numbers. And the information which replaces the card details is known as a token. With tokenisation merchants never see the actual card number during an online transaction, and do not store it. 

With tokens, if a user has shopped with a store before there’s no need to enter card details each time. Also, tokenisation helps businesses become PCI-DSS compliant – an essential data security need for businesses handling card data. In addition to the security benefit, tokens have allowed new business models to flourish. Subscription payments are a case in point. Without needing users to enter card information each time, businesses can use tokenisation to draw on the payment details for repeat transactions. At the same time, a user can withdraw their authorisation for the recurring payment whenever they wish to. 

Initially, tokenisation was handled at the level of the payment provider, such as Cybersource, Stripe, or Worldpay. But nowadays, it’s more common for tokens to be handled at the network level (Visa and Mastercard are the two main examples). The network token approach provides businesses greater flexibility compared to operating at the level of the payment provider. With network tokens, migrating from one solution to another becomes much easier as the tokens exist across the payment ecosystem rather than just within a single supplier. 

As e-commerce grows, network tokenisation has become crucial for “card-on-file” transactions. Alex Wilson, Global Product (Digital) Payment Gateway Services Director at Mastercard, highlighted another key benefit of network tokens in his Q&A guide. 

“With network tokenisation, card details are automatically updated when a card is replaced or expired, leading to higher approval rates and a simplified user experience.” – Alex Wilson, Global Product (Digital) Payment Gateway Services Director, Mastercard 

Being able to update a user’s card details automatically when a card expires requires the card issuer to support network tokens. In Europe, most card issuers already do support network tokens. But there will be a push to ensure that every card issuer can meet the 2030 deadline. Additionally, for every business to access network tokens, all payment processors will need to support offer their support. Mastercard will work closely across the payment ecosystem to embed network tokens. And there may be card scheme mandates and other measures to accelerate compliance. Payment processors that do not support network tokens may already be paying higher fees (as mentioned in this report from Deloitte.). 

Key Success Factor 2 – Biometrics 

Biometrics is something we all use these days without thinking too much about it. For instance, on our smartphones, Apple’s FaceID and Touch ID are well-known and used by hundreds of millions of users every day. (Android offers the same biometric capabilities – just with different names.) When we use Apple Pay in-store or online, the device checks our unique characteristics. This can be for our face scan or fingerprint that we added when setting up the device. Biometrics makes the checkout experience with Apple Pay very easy. Tapping the Apple Pay checkout button – when paying on a mobile device – and verifying a transaction with FaceID is as seamless as payments can be. The one caveat is that not all online stores support Apple Pay yet. 

Mastercard aims to bring a biometric checkout experience to a wider range of businesses. In theory, Mastercard’s planned offering would allow all business to offer a checkout experience like Apple Pay, with the ability for biometric authentication across all payment transactions. In Europe, biometric checkout will be possible regardless of the bank that issues the card or the online store where the card is used. Unlike Apple Pay or Google Pay, Mastercard’s biometric solution will likely not need a user to enrol a card into a wallet on the device. Instead, cards will be automatically tokenised and enrolled into Click to Pay. 

To understand the relevance of this proposition further, we need to understand the impact of Payment Service Directive 2 (PSD2). This EU Directive affected the payments industry due to its rules on Strong Customer Authentication (SCA). For a large share of e-commerce transactions, users must now approve the payment within their online banking or card issuer app. Or receive an SMS message with a code to enter on the checkout page. These rules were introduced to reduce fraud, and to some extent, they have worked. Fraud is much less likely on transactions that go through the SCA process. Yet the process can be cumbersome and prone to error. For example, if a user needs to authenticate within an online banking app, an issue with the app may lead to the transaction failing. 

This is where passkeys come in. Passkeys eliminate traditional passwords and instead use biometrics such as Face ID. You may already be seeing passkeys as a log-in option on some apps or websites. According to the FIDO Alliance, more than 20% of the top 100 websites in the world already support passkeys, with more soon to follow. The field is still evolving, with new announcements made regularly. The Verge is tracking various announcements in this area. Just last May, Microsoft launched support for passkeys on all consumer-facing applications. 

In the coming years, Mastercard will be working with banks and industry organisations – such as the FIDO Alliance – to put in place passkeys. However, there will be some aspects to clarify in the months and years ahead in the lead-up to the 2030 deadline. For instance, Apple and Google allow passkeys to be accessible across all devices that a user has in their respective ecosystems. Will Mastercard utilise the passkeys on the device – say within Goole Password Manager – or develop a different approach? Of course, banks and non-bank card issuers will need to develop their systems to allow passkeys. Effort will be required, but the benefits will be worth it. 

Key Success Factor 3 – Click to Pay 

The third key success factor in eliminating card numbers, is referred to by Mastercard as Streamlined guest checkout (Click to Pay). To understand what Click to Pay is trying to achieve, we need to take a step back and look at the payments world before tokenisation. There was a time, when the whole card number always had to be entered in full when paying online. Unsurprisingly, rather than going through this process repeatedly, many users soon preferred PayPal over cards. PayPal required just a username and password – which was more intuitive. Over the years, as the popularity of PayPal grew, Visa and Mastercard sought to bring their own solutions to market. Solutions which sought to simplify the checkout process. 

Various solutions were launched in the 2010s such as V.Me, and then Visa Checkout (Visa), and Masterpass (Mastercard). In many ways, these solutions were a defensive move against the growth of PayPal, but they failed to achieve widespread adoption. The propositions were not as smooth as PayPal, and due to the branding of each solution, there was confusion about which cards could be added. Additionally, these solutions required businesses, card issuers and payment processors to all sign up. It can be hard work to bring so many third parties to the table, especially if the USP isn’t clear. In essence, too much work was required for insufficient reward. These card network-backed checkout solutions failed to find favour. 

Clicking to Pay – Photo by Vojtech Okenka

A more recent development has been the emergence of other providers offering a fast checkout experience. Shopify is one of the world’s leading e-commerce platforms, and its Shop Pay offering has become a familiar sight when paying online. With Shop Pay, if you’ve shopped at a previous Shopify business, you can easily pre-load your address details and card number. To do this you only need to confirm your phone number or email address at checkout. There is no need to sign in with a username and password. This is an example of the magic of tokenisation. Stripe has a similar offering called Link. Link allows users who have previously shopped with other Stripe merchants to save their checkout details. Whilst merchant checkouts have become more congested, at the same time it’s easier than ever to checkout with one or two clicks or taps. 

Mastercard is once again making a big push with a solution that optimises the checkout experience – this time, it’s known as Click to Pay. Mastercard is in a better position than before due to the prominence of network-level tokenisation. The plan is to tokenise cards at the point of issuance and also to enrol all cards into Click to Pay. Added to this, biometrics will make the checkout process smooth and secure. Overall this approach will be able to build a fast checkout solution that is agnostic of specific payment provider, e-commerce platform, or card issuer. Merchants will need to integrate Click to Pay within their online checkouts, but given the volume of cards that will be automatically enrolled, the business case will be clear. 

Final thoughts: The end of card numbers is coming. Mastercard have outlined their approach – Visa and others will likely follow with similar measures and ambitions. Given PSD2 in Europe, it makes sense to start here before taking the same approach to North America and APAC. In 2030, or even sooner, we’ll see benefits across the payments ecosystem when card numbers become a thing of the past. Payments will become easier and more secure. 

Author: Matt Jones, Commercial Director, London, Payments Consulting Network
With over 15 years in the payments industry, Matt has worked with notable organisations like Barclays and Elavon, as well as startups in the fintech space. His expertise spans diverse commercial sectors, including direct engagements with major merchants and banks. Matt excels in procurement-level insights, adeptly handling pricing models, strategic planning, and competitive analysis. He regularly writes on payments related topics at Payments Culture. 

 ***

If you enjoyed reading this article and would like to be notified when future articles are posted, please sign up for our email newsletter.

Are you interested in reading articles on a particular payments topic, company, payments industry executive or author? Click the search icon, it’s that magnifying glass on the top right-hand side of the website and type in the keywords that interest you. You will then be presented with a list of any articles that match your search criteria.