Mastercard To Phase Out Manual Card Entry For Online Payments In Europe By 2030 (cnbc.com) 69

storkus shares a report: Starting from 2030, Mastercard will no longer require Europeans to enter their card numbers manually when checking out online -- no matter what platform or device they're using. Mastercard will announce Tuesday in a fireside chat with CNBC that, by 2030, all cards it issues on its network in Europe will be tokenized. In other words, instead of the 16-digit card number we're all accustomed to using for transactions, this will be replaced with a randomly generated "token."

The firm says it's been working with banks, fintechs, merchants and other partners to phase out manual card entry for e-commerce by 2030 in Europe, in favor of a one-click button across all online platforms. This will ensure that consumers' cards are secure against fraud attempts, Mastercard says. Users won't have to keep entering passwords every time they try to make a payment, as Mastercard is introducing passkeys that replace passwords.

storkus comments: "This story, as currently written, says nothing about their plans outside Europe but in the past the USA in particular has been dead last in getting this kind of tech."


  • I don't need a CueCat for my thumb.
    • Odds are it just means you key your card in once (or put a password in) and then the business takes it and gets the "token". Basically they're not going to let businesses bill the "real" card anymore, they'll have to get a token which is tied to just that business.
      • by nlc ( 10289693 )
        They are talking about Apple Pay and other similar services. The business never gets your actual card number. What Mastercard are talking about is rolling out the ability to pay via these methods to every website instead of largely just apps and contactless terminals as now. Visa made a similar announcement last month.
        • Most websites in the UK support Apple Pay and Google Pay, and Google Pay works on Chrome for Windows, you authenticate using Windows Hello. Amazon is the most popular website that doesn't support it.

      • Last I was looking into online card payments for sites (this was a while ago,) seemed like the tokenization happens when the site requests it from its CC processor, you the vendor create a token by instantiating a connection with your CC processor and use it for reference for the rest of the card session. Then the card number and other info was "simply" for verification, effectively attaching the two together. You add the rest of the transaction details, including amount, name on card, and other business st
        • OK, so with a phone (or whatever) that has a reader, this would work fine. If you are into that sort of thing. The hardware is already there and if you unlock bio-metrically already, should be fine with that on it.
          I do my business from a PC (whatever that is now) and not a phone or tablet. Yes, bad form to reply to oneself.
      • by AmiMoJo ( 196126 )

        It's probably like how Google Pay validates credit cards on your computer.

        When you save a card in Chrome, if your OS supports it, authentication is set up with the computer's secure storage, typically a TPM. Then when you are prompted to enter your card details and Chrome offers to auto-fill them for you, it validates the details using the previously set up authentication, and passes a token to the website. The token gives the bank confidence that the transaction was made on your computer, so no further val

    • I don't need a CueCat for my thumb.

      Nope, you need a Mercedes. From TFA:

      For example, Mastercard has a partnership with Mercedes-Benz that allows the automaker's customers to use a fingerprint sensor in their car to make digital payments at more than 3,600 service stations across Germany.

      Storing payment info on your car 'cause fingerprint scanners can't be spoofed. What could go wrong?

      • I see now how it all fits together now after some refreshing. So, I guess I could market a CueCat repro for the thumb as a print reader fob. So does any part of the skin work for that? That might be an angle.
        In car shopping too. Neato.

    • The random token need not be done every minute. In fact it is likely to be better changing each use with part of the token telling which card account you have and another part telling things about which use you have. A key driver is how the token is transmitted to a computer. Is it assuming that a usb connector, or maybe an RFID chip such as is used for contactless, will be used? Will there be some other communications technology? There also needs to be something that ensures the customer has the card. Selec
  • It's not clear, from either the summary or the linked article, what the difference between a credit card number and a credit card "token" is.
    • A token is a little device [wikipedia.org] that generates a new pseudorandom number every minute or so. That essentially becomes your credit card number but only for that minute. The only way for another party to know what number your token will be showing at that time is if they have the secret key loaded into your token.

      It also requires a PIN, so if you lose it, the person who finds it can't use it.

      • Right now you can keep your credit cards in a wallet. Where do you keep these tokens?

        • In your prison wallet. Only the most determined of thieves will steal it from there.

        • Just don't use them at all. They have been long obsoleted by FIDO, which when implemented correctly, is basically phish-proof. I personally keep one of these in my wallet:

          https://cryptnox.com/fido2-car... [cryptnox.com]

          Also an nfc usb-c yubikey on my keyring, and a thetis key I keep at home always connected to my PC. Basically I register all three to any service that accepts fido or passkey auth. So far that's been Google, GitHub, Amazon, bitwarden, proton, and several others.

          I don't really trust smartphone based passkeys

          • by AmiMoJo ( 196126 )

            What do you use for computers? One of the reasons I like Yubikeys and similar is that you can plug them in to USB, and most computers don't have NFC.

            • USB is all you need.

              https://www.amazon.com/gp/prod... [amazon.com]

              It's just plug and play. Unless you're on a mac, then forget about NFC (strangely, iOS supports NFC) but using FIDO for anything other than web auth is definitely a second-class citizen on macOS and not much you can do about it. Linux and Windows you can use it for all kinds of things -- local login, SSH, ldap auth, and many others. You can use a yubikey for these things on macos, but only with the PIV side, and for that you basically have to write your o

        • by gweihir ( 88907 )

          Looks like key-chain.

      • Years, decades?, ago they had pin sentry:
        https://www.barclays.co.uk/way... [barclays.co.uk]

        I still have a few of the card readers - and they still work without a battery change - which is impressive!

        I really liked these - they are exchangeable between banks - so I had one at work, one at home, other people had them too. But they "failed" because people "forgot" them and couldn't shop online.

        So I'm not sure how successful any other solution is going to be unless it's on a mobile. I suspect it's going to be something like a

      • Re:token journalism (Score:4, Informative)

        by Pascoea ( 968200 ) on Tuesday June 11, 2024 @12:37PM (#64541029)

        We use the term "token" slightly differently in my world. We still need to obtain the customer's credit card number/expiration initially. It's pumped into our processor's "tokenization" system that spits out another random 16 digit (15 for Amex) PAN, which we store internally. (If your card number was 4111 1111 1111 1111, our token would be 9123 9189 5423 1111, or whatever random crap) Any subsequent transactions for that card uses the tokenized number. If someone got ahold of that token it wouldn't do them any good because it's 1) Not an actual valid card number and 2) specific to our merchant number. An alternative system would be merchants encrypting (or not) the customer's PAN, storing it locally, and unencrypting it to be used for a transaction.

        It's unclear from the article which system MC is talking about, but the end result is the same thing: Merchants aren't using the actual card number for transactions.
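
The merchant-scoped tokenization described in the comment above, as an added example that is not part of the original comment or any processor's real code. `TokenVault` and its methods are hypothetical names; the leading `9` follows the comment's sample token, and reading "not an actual valid card number" as "fails the Luhn check" is an assumption.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the processor-side tokenization system."""

    def __init__(self) -> None:
        self._pan_by_token = {}             # (merchant_id, token) -> PAN
        self._token_by_pan = {}             # (merchant_id, PAN) -> token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Exchange a PAN for a same-length token that keeps only the last four digits."""
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        key = (merchant_id, pan)
        if key in self._token_by_pan:       # same card, same merchant: same token
            return self._token_by_pan[key]
        while True:
            middle = "".join(secrets.choice("0123456789")
                             for _ in range(len(pan) - 5))
            token = "9" + middle + pan[-4:]
            # Reject candidates that would pass as a real card number, and
            # candidates already issued to this merchant.
            if luhn_valid(token) or (merchant_id, token) in self._pan_by_token:
                continue
            break
        self._token_by_pan[key] = token
        self._pan_by_token[(merchant_id, token)] = pan
        return token

    def detokenize(self, merchant_id: str, token: str):
        """Resolve a token to its PAN, but only for the merchant it was issued to."""
        return self._pan_by_token.get((merchant_id, token.replace(" ", "")))


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"        # the sample number used in the comment
    token = vault.tokenize("MERCHANT-A", test_pan)
    print("stored by merchant A:", token)
    print("passes Luhn:", luhn_valid(token))
    print("presented by merchant B:", vault.detokenize("MERCHANT-B", token))
```

A stolen token fails twice: it is rejected as a card number by anything that runs a Luhn check, and the vault returns nothing when a different merchant ID presents it.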

        • by jonwil ( 467024 )

          I think the idea is that instead of you typing your credit card number into a website or app (as it is now), the website/app would talk directly to MasterCard and/or your bank or whatever and obtain a token that way meaning the merchant never needs to see the credit card number at all and only ever gets a unique-to-them token.

          • by gweihir ( 88907 )

            Hmm. Maybe they want to cut out the payment processors that are common in Europe and instead do this directly.

      • by gweihir ( 88907 )

        You reference a hardware token. There are pure soft-token as well, like authenticator apps. They need to be on a different device to give you a reasonable level of security. Personally, I think this will not solve the real problems (I have heard those promises far too often), but it may improve things somewhat compared to simple card data entry or card data entry with password, but only if a hard-token or a separate device is used. I expect attackers will find a way to still do fraud, but it will probably g

    • The difference is faster one-click poorly thought out purchases! If consumers continue to be slowed down while consuming, the economy might collapse. So heavily push the one-click idea until your portfolios grow to new heights.

  • Meh (Score:2, Insightful)

    Great, so now instead of fraud being the card issuer's problem, they're going to say that the passkey that I'm now forced to store on all of my devices couldn't have been used by someone else.
    • by GoTeam ( 5042081 )
      What could go wrong? No 2-factor token system has ever been compromised! ...right?
    • by PCM2 ( 4486 )

      In the U.S., credit card fraud is typically not the card issuer's problem. If you successfully dispute a charge, the blame goes to the vendor who accepted the fraudulent charge, and the vendor eats the cost.

      • Re: (Score:2, Flamebait)

        by geekmux ( 1040042 )

        In the U.S., credit card fraud is typically not the card issuer's problem. If you successfully dispute a charge, the blame goes to the vendor who accepted the fraudulent charge, and the vendor eats the cost.

        And now the obvious question; under this new proposed system, who exactly would valid or invalid fraudulent charges be the responsibility of?

        What do I mean by invalid fraudulent? Instead of a specific 16-digit number associated to me and a bad credit card charge, I now have to rely on the morality and integrity of a system assigning token numbers "randomly", while everyone else involved gets to accuse [$new_victim] of "fraud" via token "compromise" to pad executive bonuses.

        So again, I ask the obvious questi

        • I don't know what the legal issues are in the EU but fairly sure this doesn't change the concept of when you open your credit card statement and there is something on there you don't recognize you can dispute said charge and generally the CC company should handle it from there.

          If that changes then one of the big big advantages of using a CC in the first place would be gone, if that's the direction these companies want to go down I think that's pretty foolish, I would absolutely cancel my card if that was th

          • by gweihir ( 88907 )

            The standard process in Europe is simply that you "request a copy of the original payment proof". This means paper. With that the burden of proof reverses, unless they have that paper proof with your signature and the impression of the card. Hence unless the online vendor can conclusively prove it was you, they just have to refund. This process was given to me by my bank as how to do it. I have needed it 2 times in 25 years.

            I do expect that some banks will want to put the user on the hook again and then we

        • And now the obvious question; under this new proposed system, who exactly would valid or invalid fraudulent charges be the responsibility of?

          I disagree with your Flamebait mod. You have a valid concern and it's not a new one. There are always going to be financial institutions that want to put the burden of fraud on end users. You don't have to believe me, believe Citibank. https://www.consumerfinance.go... [consumerfinance.gov]

          And New York alleges that instead of complying with the Electronic Fund Transfer Act's protections in circumstances like these, Citibank looked to a law that was intended to govern transactions between commercial entities which does not provide the same level of consumer protection to victims of scams.

      • Re:Meh (Score:5, Interesting)

        by Shakrai ( 717556 ) on Tuesday June 11, 2024 @12:56PM (#64541061) Journal

        In the U.S., credit card fraud is typically not the card issuer's problem. If you successfully dispute a charge, the blame goes to the vendor who accepted the fraudulent charge, and the vendor eats the cost.

        That's only true in certain scenarios these days. If your chipped card is stolen and used fraudulently for an in-person transaction, that's not on the merchant; they aren't allowed to ask for ID under the Visa/Mastercard rules and there's no signature these days for them to verify. In the before times, merchants were supposed to compare the signature on the card to the signature on the charge slip. Very few actually did it and consumers almost universally hated it when they did. Today, the card issuers rely on their fraud prevention algorithms to flag suspect transactions and consumers promptly reporting lost/stolen cards to prevent in-person transaction fraud.

        If the US had chip and pin, like the EU does, this type of fraud would be much harder to execute. Despite Americans being familiar with the concept -- debit cards prompt for PINs at point-of-sale -- the card issuers universally think we're too stupid to memorize PINs, so we stick with the current system where physical possession of the card serves as the sole factor of authentication. The only chip and pin card I've ever seen from a US issuer was the Target RedCard, issued by TD Bank and rolled out after Target's huge POS data breach. Sadly, a year or so ago, they quietly removed the PIN part, and now it works like a traditional US credit card with single factor authentication. :(

        It's a lot of fun when you take your US issued cards to the EU, where chip and pin is the expectation, and now suddenly the cashier has to present you with a charge slip. Doubly fun in settings (e.g., bars/clubs) where you're making a large number of small purchases (each round of drinks) and now it has turned into a huge ordeal for all concerned.

        • by flink ( 18449 )

          You can call many US issuers and ask that a PIN be added to your account. It will never be used in the US of course, but your card will now work in Europe

          • by Shakrai ( 717556 )

            Of the cards in my portfolio the only ones that successfully did that for me were American Express and Discover, both of which have limited acceptance overseas.

            Capital One claimed they did it but when I got my statement I learned every single POS transaction had posted as a cash advance with related fees and interest. It took six months of arguing, a CFPB complaint, and finally a demand for arbitration to get them to backpedal and credit the fees and interest back to my account. I suspect CrapOne actua

            • Capital One explicitly told me, that their system only supports cash-advance transactions with a PIN.

              If a PIN were to be applied to the card, and used for a POS sale, it will register as a Cash Advance on their systems. As such, they cannot set a PIN as they are targeted for the US market only, where POS systems will not ask for a PIN. Any transaction that's completed with a status of card-present pin-verified, will be treated as a cash-advance, due to how their system was set up years ago. That's unlike

              • If the service code (one of the fields of the magstripe, and I think available in chips) has bit 6 (as I recall) set the system will ask for a PIN. That has been part of the specs for decades. It can be asked for and no laws need change.
          • by PCM2 ( 4486 )

            It will never be used in the US of course, but your card will now work in Europe

            As an American, I have never had a problem using my card in Europe? Has something changed? Almost all cards in the U.S. are chipped today, but the model is chip-and-signature, not chip-and-PIN.

        • I actually love buying things in America and watching the expression on the face of the person when they get presented with a query to enter a PIN. I actually had one person apologise and say they had to run off to the manager to get the "unlock code" for the machine. The manager had a good laugh when he came out at the expense of the poor person who hadn't seen a machine ask for a PIN before.

          Even more funny are the machines that automatically switch to another language when I use my card. Even when it is a

          • I had to get a friend to pay for my motorcycle repair once. The first time any reader had asked for my PIN since moving to the US 6 years prior. I honestly had no idea what my PIN was for the card. I hadn't used it in years.

            Always embarrassing to tell the mechanic (friend) charging me "Yea, so. (tried twice). I don't actually know my PIN. Can you pay for this and I paypal you / give you cash after work?"

          • by gweihir ( 88907 )

            That works? Interesting. Especially the language interface switch. Seems we are slowly arriving in a more modern age.

          • by mtmra70 ( 964928 )

            I love buying things in Europe with tap and go that exceeds a few hundred Euro. It's great using contactless payments for ANY transaction, as opposed to every other country who heavily restricts the transaction amount for contactless.

        • If a card required me to enter a pin to use it, I would get a different card.

        • The problem with PIN codes in the US is, an average American has WAY more credit cards than an average European. Expecting people to remember 6-18+ random numbers that are different for every card & change every few years isn't reasonable. If you made Americans do it, people would either have to carry around a sheet of PIN codes, or would grab a marker & write them on the card itself.

          Seriously. 2-5 Mastercards + 2-5 Visa cards + ATM/debit card + Amex + Discover + any store/gas-station cards. That's

          • I have half a dozen credit and debit cards, and they all have the same PIN. As long as that number is secret there's no problem. The PIN can be changed anytime on any card at any ATM. Your idea of carrying around a PIN spreadsheet is cute though!

          • by Shakrai ( 717556 )

            Expecting people to remember 6-18+ random numbers that are different for every card & change every few years isn't reasonable.

            Every debit card I have allows me to select my own PIN. My credit cards allow me to do the same for the cash advance PIN. This argument is silly.

            Seriously. 2-5 Mastercards + 2-5 Visa cards + ATM/debit card + Amex + Discover + any store/gas-station cards. That's the *norm* in the US.

            Preaching to the choir, I have 20 credit cards, and oddly, I know the PIN on all of them.

            Btw, the purpose of signing charge slips isn't to allow signature verification, it's to amplify the criminal offense and give more things to prosecute if someone commits fraud.

            You've never worked retail, have you? The old merchant agreements required the merchant to compare the signature on the charge slip to the signature on the back of the card. It was rarely enforced but it was in there. If the signature didn't match you were supposed to ca

        • The proposed MC system sounds like it is targeted at network or phone transaction, not in-store ones where EMV cards (chip and pin) were intended. EMV is of course useless for network transactions. So hopefully the scheme involves some additional protection. PINs were not used in the US because attempts to use them met with customer resistance. The fraud rate is not so different with or without them. Knowing more requires one to know how they will get the information to the issuer. Some compression of card
    • by Njovich ( 553857 )

      You are paying every payment for credit card abuse. You think they just magic that money?

  • Time to go back to all cash. No more online ordering would s*ck though.
    • Kids today don't know the patience of having to manually fill out an order form, write an actual check, put it in an envelope and then drop it in your mailbox and just go on with your life for 2-3 weeks and one day the items will just show up. No updates, no tracking, if you want to know any of that you gotta call someone up on the phone.

      • 2-3 weeks? In the ancient times, the catalogue companies used to all say, "please allow 6 to 8 weeks for shipping" Then there was Sears, in the town I grew up in, we had a Sears reception store, you would order either via catalogue (mailing them an order form and a check) and then the item would eventually show up at the Sears reception store, when it showed up there, those people would email you a letter telling you your item was in, you would then bring that letter to the place and they would go into the
        • Bring back the layaway desk. Oh you want to pay for this over 6 months? You don't get it up front, we're gonna hold it back here until you're paid in full!

          • yeah, I used to use the layaway desk regularly. It was so convenient when you were only making two Shekels a week, but still wanted a new and exciting widget that all the cool kids were getting... so you'd pay them a couple of drachmas a week and by the end of the year, you too could be sporting a brand new whateverthefuck it was.
          • Ah yes, the old Pay now Buy later. :D

            The old days where you actually had to save before buying your new toy. Now it's just thrown on (another) debt card.
        • In the 21st century I expected orbiting habitats and cities on the moon. What did we get? The internet! I'd rather have had the orbiting habitats and cities on the moon.
          • me too. As a child in the early 60's, I watched every launch I could, my mom bought me space-themed books (lots of pictures, some I imagine by Chesley Bonestell.)
      • It sure was great that day the secret decoder ring arrived though!

      • by antdude ( 79039 )

        And going to the stores to get them now. :P

  • by dirk ( 87083 ) <dirk@one.net> on Tuesday June 11, 2024 @11:57AM (#64540941) Homepage

    Once again, the EU bypasses the US in terms of security. Because they actually take things seriously and are willing to pass laws to protect people, credit card companies actually take security seriously. Meanwhile in the US, it was years after the EU got chip cards that we finally got them, but of course without the PIN portion. Everything in the US is based on how easy it is for companies to make money instead of how best to protect the citizens from bad things.

    • by LazarusQLong ( 5486838 ) on Tuesday June 11, 2024 @12:42PM (#64541039)
      true dat! Having worked in the UK and the EU, it honestly does impress me how little their elected types get paid compared to ours and how frequently their elected types actually do things to ensure the PEOPLE in their countries are protected... It is shocking.

      .

    • The problem isn't the companies but us plebs accepting that the cost of theft is just built right into the price of everything in advance of said theft.

      The sheep never speak and are all too happy to be screwed harder each time.

      Theft should hurt, only then will the sheep actually care to fix the problem of theft tolerance.
    • Yes, yes. Europe is awesome and sophisticated. The US sucks ass. We get it. Thanks.

    • by jonwil ( 467024 )

      The lack of chip-and-pin in the US is because the credit card companies are scared that chip-and-pin would make people less likely to pull out the plastic.

    • by AmiMoJo ( 196126 )

      One of the major reasons banks are interested in security here is because legally banks are on the hook for fraud unless they can show that the customer was negligent. If malware gets into your computer and you took reasonable steps to protect it, such as having anti-virus software installed which these days is built into Windows, then you get your money back.

      That incentivises banks to make sure transactions are secure, rather than just profiting off the fraud like any other payment.

  • by penguinoid ( 724646 ) on Tuesday June 11, 2024 @12:00PM (#64540951) Homepage Journal

    This is just a token effort to ensure that consumers' cards are secure against fraud attempts.
