Mastercard Australasia division president Richard Wormald says the majority of the rampant fraud will be eliminated over the next few years.
Mastercard Australasia division president Richard Wormald says the majority of the rampant fraud will be eliminated over the next few years.

Three words will save Aussies $140m

"Empty the vault."

That's how payments giant Mastercard says it will help fight the rampant theft committed online after $478 million was pilfered from Australian retailers last year.

So-called "card not present" fraud was up nearly 8 per cent in December, according to the Australian Payments Network, while another survey found the issue was so widespread that more than half of businesses say they don't stand a chance against scammers.

Mastercard Australasia division president Richard Wormald told that the company's new technology would initially cut the amount of online fraud by 30 per cent, or about $143 million.

But he insisted the security measures would then lead to the thieving being nearly wiped out completely in the next few years.


Data being stored by online retailers at payment points is the easiest way for thieves to get what isn't theirs.

At present, your credit card details and numbered security mechanisms are stored when purchases are made on the web.

This makes it simple for hackers to break the security boundaries of retailers and remove the data needed to then take your money or make purchases with your card.

Mr Wormald said an existing security measure, called tokenization, aims to make the data, and therefore money, unavailable to hackers.

"The first thing we do is encrypt the card number itself, and so the number that a retailer stores is unique to that card at that retailer," he said.

"Then when a payment is made, the retailer comes and looks up that card number with us or a competing payment card scheme and we then translate it and approve the payment.

"The second step is we aim to take a broader snapshot of the data in that transaction, so we'll check things like if the consumer's phone is in the same country as they normally live."

Mr Wormald described the process as emptying the vault, meaning there's nothing for the scammers to steal.

"Our focus is not on trying to build higher walls or monitor a network, because the reality is in the technology arms race, smaller retailers in particular are always going to lose that battle," he said.

"The best way to do this is to empty the vault, meaning retailers don't store any card data so even if they get breached there's nothing to steal."


Mr Wormald said the idea of people remembering a security code to confirm sales online is an outdated and unsafe way to protect you from getting money stolen.

Therefore, Mastercard wants to use artificial technology, or what is known as passive biometrics.

That's a lot of headache-inducing language, but basically what passive biometrics does is remember how its user interacts with their phone or computer.

It will remember the style or pattern in the way you type, how you move your mouse across the screen of your computer or phone, where you physically use your phone or portable device.

"So even when they're entering data we can tell the difference between two users on the same device," Mr Wormald told

"That then creates a much clearer picture that it really is me with my card buying something at the retailer.

"So tokenization is the first step, but then as we move forward we're further hardening that credential by looking at how it's being used by the consumer in that particular case."

The process seems alarmingly intrusive, but the division president insists there is no breach of privacy.

"It's things related to the transactions almost in a purely anonymised way and only ever used for the purpose of detecting fraud," Mr Wormald said.

He says the more the technology is rolled out and adopted by retailers, the more effective it will be at stamping our fraud altogether.

"The majority of the fraud issue will be eliminated over the next few years," he said.