Mastercard is doubling down on efforts to eliminate the use of credit card numbers when customers make purchases online in a bid to fight fraud.

A decade after it first unveiled a technology that replaces consumers’ card numbers with so-called tokens, the company is now processing a billion such transactions every week, CEO Michael Miebach said in an interview. That’s after it took the payments behemoth three years to process the first billion of such transactions.

Now Mastercard is planning to expand the use of the technology to replace security measures like passwords with biometric data such as fingerprints or face scans, Miebach said. It’s the latest step that the financial industry is taking to combat the rising issue of online payment fraud, which is expected to exceed US$91-billion by 2028.

A decade ago, the common thinking was “if you want to keep it safe, protect data and protect transactions through passwords”, Miebach said at Mastercard’s London offices. “That worked for a while. And then it started to become the vulnerability instead of effective safety and security.”

Mastercard and rival Visa first introduced token technology about a decade ago after fraudsters had targeted the payment systems of retailers. At first, the technology was focused on replacing card numbers with a token that only the networks can unlock, meaning it’s useless if a hacker does get their hands on it.

Fuelled by payment services such as Apple Pay, that helped reduce fraud for in-store purchases. Now, though, criminals are targeting e-commerce sites that require consumers to manually put in their card information to make a purchase.

OTPs vulnerable

Increasingly, hackers are also targeting websites in places including India that rely on one-time passwords to help with security. These passwords — which retailers and banks send to consumers in order to authenticate their identity — have grown increasingly vulnerable to fraudsters, Miebach said.

Mastercard will partner with banks and payment providers around the world to replace these one-time passwords with a token based on consumers’ biometric information. It introduced the service in India this week after inking partnerships with PayU and banks including Axis Bank.

Read: Standard Bank warns ‘vishing’ fraudsters are targeting the elderly

“The source of the problem was that if the data was exposed and somebody penetrated and got into that data, they could use it,” Miebach said. “The digital economy — what is the one thing that’s holding it back? It’s the risk of data breaches of fraud and so forth. And tokenisation is a big lever to curb those.”