Mastercard phasing out 16-digit Card Numbers

When I keyed “mastercard press releases 16-digit card number” into Google, I was presented with an “AI Overview” along with a “more detailed explanation” – both were drivel! However, I have seen the same drivel in blog posts and LinkedIn posts, and so it’s difficult to say whether the AI was reflecting people’s drivel, or people were accepting what they were being told by the AI, although I suspect the latter.

What is Mastercard saying?

Mastercard are talking about removing the printed PAN from the plastic payment card as it is seen as one of the major factors at play in online card fraud. They would replace it with “one click”, an online checkout process that isn’t driven by a card number, so there is no need to print the card number on the card. The “one click” solution is a bit like sticking an Open Banking front end on an e-commerce transaction to initiate and authenticate the cardholder, with the PAN appearing, as if by magic, at the back end before the authorisation request is sent to the issuer.

Mastercard are not proposing to eliminate the PAN from the chip, or from the magnetic stripe, although there are hints that the magnetic stripe may be approaching end of life – maybe not in the US where MSR is still a neat technology.

Mastercard Press Releases

There was a Mastercard press release published on November the 13th, 2024, proclaiming Mastercard is reinventing the checkout with password and number-free checkouts. The news comes out of Purchase, NY, and on the very first line, says that the Mastercard vision is to transform online shopping by the end of the decade. They then go on, immediately, to talk about “a future where no physical card numbers are needed for purchases”, so it’s not surprising that industry experts are confused about the nature of the game. /s

In a press release on 7th April 2025, Mastercard say Goodbye to card numbers. One might be forgiven for not spotting this, but it is only for online, “one-click” checkouts. Follow the link to read the full text about Mastercard’s plans to dispense with the PAN. This is an attempt to solve Australia’s $1 billion online fraud problem by 2030.

Alternative Facts

On the 18th February, 2025 – less than a fortnight after the Mastercard release – Marcel Van Oost published an article: Mastercard to Phase Out 16-digit Card Numbers by 2030, but appears to have completely missed the point about “one click” and online payments, instead concluding that the physical card may become obsolete. He finishes by saying that we should “Get ready to say goodbye to 16-digit card numbers—and hello to a new era of payments!”

So what’s going on?

Is there more to this than meets the eye? On the one hand, the global card payment ecosystem depends on the PAN for routing and the identification of cardholder accounts, and this is not going to change. On the other, so-called tokenisation technologies are money spinners that would be unnecessary if online e-commerce channels were converted to EMV.

EMV over t’internet is no more of a challenge than implementing and supporting PCI or being forced to implement tokenisation solutions as a direct consequence of implementing and supporting PCI. In reality, introducing EMV to e-commerce would probably be a whole lot easier to implement than “one click”.

Transaction Routing

Retail payment services, like POS, rely on the PAN for transaction routing and account identification, as the PAN is used by the card scheme to identify the issuer and by the issuer to identify the cardholder account. If there is any “tokenisation” at the front-end, there will be a translation process hiding somewhere under the surface, which will depend on the nature of the “tokenisation” model. I surround the word with inverted commas because “tokenisation” does not mean the same thing in all situations.
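The routing and translation steps described above, as an added sketch that is not from the original post or from any scheme specification. It assumes a six-digit issuer prefix (BIN) and a simple vault-lookup tokenisation model, which is only one of the models the word covers; the BIN table, issuer names, token range and card numbers are all constructed.

```python
# All values below are constructed for illustration: the BIN table, issuer
# names, token range and card numbers are made up, not real scheme data.
ISSUER_BINS = {"510000": "issuer-A", "520000": "issuer-B"}   # scheme routing table
TOKEN_BINS = {"529999"}                                       # range reserved for tokens
TOKEN_VAULT = {"5299990000000019": "5100001234567895"}        # token -> funding PAN


def luhn_ok(number: str) -> bool:
    """Check the trailing Luhn digit carried by PANs and tokens alike."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def resolve_pan(number: str) -> str:
    """Translate a token to its PAN; a real PAN passes through unchanged."""
    if number[:6] in TOKEN_BINS:
        try:
            return TOKEN_VAULT[number]
        except KeyError:
            raise LookupError("unknown token: cannot be routed") from None
    return number


def route(number: str) -> dict:
    """Return what the scheme and the issuer each need from the number."""
    if not luhn_ok(number):
        raise ValueError("failed Luhn check")
    pan = resolve_pan(number)
    issuer = ISSUER_BINS.get(pan[:6])
    if issuer is None:
        raise LookupError("no issuer for BIN " + pan[:6])
    return {"issuer": issuer,            # scheme: first six digits pick the issuer
            "account": pan[6:-1],        # issuer: middle digits pick the account
            "tokenised": pan != number}
```

Whatever the front end presents, the issuer and account fields come out the same, because the token is swapped for the PAN before any routing decision is made.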

Implications of no PAN

Eliminating the PAN from the chip would necessitate an alternative method of identifying the Issuer and the Cardholder Account – currently, and with current technologies, this would not be possible. Even considering future technologies, where card numbers might be replaced by some random cryptogram device, it would be an expensive and complex solution to a problem that doesn’t exist … and it probably would not run on a card, thereby restricting access to payment services to those people in possession of a smartphone.

Globally, we do around 3-4 billion card transactions every day, according to my friend ChatGPT; there are somewhere in the region of 27 billion cards in issue, projected to reach 31 billion by the end of the decade. Cards provide easy (and cheap) access to secure electronic transaction processing, and the cryptography that supports this volume of payments has never been cracked! Public Key Cryptography may fall foul of quantum computing, but if the payments ecosystem is compromised, so too will that of the military, so it’s goodnight Vienna! Compromised payments would be the least of our concerns, and we could always fall back to cash.

Magstripe Legacies

The weak spot in the card purchase ecosystem is online payments, because online payments essentially use the magstripe transaction model that the US refused to move away from, even though the evidence from across the world indicated that this approach was folly. Had the US, in the mid 2000s, adopted EMV rather than PCI, then the world would have been well on the way to a coherent and universal Face-to-Face payment transaction model.

In the mid 2000s, online payment fraud wasn’t a big thing, although the potential was there, and focus at the time was squarely on F2F payment fraud. Interestingly, the solutions devised to counter magstripe payment fraud (and by association, online payment fraud) were, coincidentally, the same solutions that would be required to allow apple to launch apple pay in a country devoid of chip cards – the US. The apple pay solution is an EMV solution, and it needs EMV data. It would have been much easier to launch apple pay in the UK, but that would have been politically duff. The “tokenisation” model was developed by apple (and others) as a means of bridging the high-tech world of the iPhone with the low-tech world of US card issuing. EMV card data could be delivered to and stored on the Secure Element, turning the iPhone into a virtual EMV card, which would not have been possible for magstripe data.

Tokenisation – whatever that means

Now, the idea of tokenisation is considered to be a clever solution to the potential problems associated with compromised card data, but let’s not forget that the problem only exists because of clever people thinking it might be a good idea to perpetuate the magstripe over the adoption of EMV. The use of “tokenisation” in magstripe land – whatever that means and most people don’t understand what it means – has spread out and is now used interchangeably across online transaction channels, even though it’s not the same thing and the underlying mechanisms are different.

When people look at card transactions, they often fail to make the distinction between EMV, magstripe and online e-commerce, assuming that the terminology is universal and interchangeable. It is no surprise, therefore, that on reading the Mastercard press releases, people assume that the “tokenisation” as applied to apple pay on the iPhone is the same as the “tokenisation” that is applied to existing merchant e-commerce transactions, which is the same as that proposed for future “one click” merchant “tokenisation”, and to complete the chain, would be the same as a “tokenisation” proposition applied to any EMV/POS transaction that was initiated without a PAN.

Thoughts of Chairman Griff

That was hard work, and it’s confusing, but maybe that’s what the card schemes want. Tokenisation is an unnecessary money spinner, developed out of the need to launch apple pay in the US rather than the UK. It is easy to establish that “tokenisation” is not necessary within a transaction framework based on EMV, but we are being gaslit into parting with the cash, and people want to believe!

We have the technology, and we have had it for a long time, to support EMV over t’internet. There are a lot of implementation models that would support this, and eliminating the magstripe (e-comm) transaction would allow for multiple benefits resulting from the rationalisation of the global payments ecosystem.

A billion dollars in Australia would go a long way towards funding the implementation of EMV over t’internet, which would resolve the problem, and eliminate the jumbled complexity that is the current reality of multi-channel card payments.

The solutions are straightforward; complexity does not imply cleverness!
