The 16-digit card number has survived for over 60 years. It outlasted cheques, survived the internet, and adapted to mobile commerce. It is arguably the most successful piece of financial infrastructure ever deployed.
Mastercard just announced it will not survive to 2030.
The company’s plan to phase out manual card entry and static passwords in favour of tokenisation and biometrics is not a routine product update. It is a signal that the architecture of payments is being rewritten at the credential layer. And Mastercard is not alone.
Visa has 16 billion tokens in circulation and is predicting that 2026 will be the first year card credentials account for 50 percent of global consumer payments. The EU Digital Identity Wallet must be offered by every member state by November 2026. Apple is adding passport-based digital IDs to its Wallet. The FIDO Alliance reports that more than one billion people have activated a passkey.
These are not parallel developments. They are converging. Digital identity and payment credentials are merging into a single layer for the first time, and the implications reach far beyond checkout. The question is not whether this happens. It is who ends up controlling it.
The End of the Card Number
Mastercard’s 2030 commitment is built on a simple observation: the card number was designed for a world of physical plastic and paper receipts. In a digital economy, it is a liability.
Online fraud is seven times higher than in-store fraud. Twenty-five percent of shoppers abandon their carts because checkout is too complex or too slow. Two-thirds of UK shoppers still type out their full 16-digit card number manually when buying online. The number that was meant to enable commerce is now actively obstructing it.
The replacement is tokenisation: swapping the static card number for a unique, encrypted token that is meaningless if intercepted. The token is device-specific, merchant-specific, or transaction-specific. Steal it and you have nothing.
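The token properties described above, sketched as an added example (not Mastercard's or Visa's code): a simplified model in which a random token is bound to one merchant and every payment carries a one-time HMAC cryptogram. The `TokenVault` class, the merchant ids and the test card number are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// One-time cryptogram: HMAC over the transaction details with the per-token key.
function makeCryptogram(key, token, merchantId, amountCents, counter) {
  return crypto.createHmac("sha256", key)
    .update(`${token}|${merchantId}|${amountCents}|${counter}`).digest();
}

class TokenVault {                       // hypothetical network-side vault
  constructor() { this.records = new Map(); }

  // Swap the card number (PAN) for a random token bound to a single merchant.
  provision(pan, merchantId) {
    const token = crypto.randomBytes(8).toString("hex"); // random, not derived from the PAN
    const key = crypto.randomBytes(32);                  // shared with the payer's device only
    this.records.set(token, { pan, merchantId, key, lastCounter: 0 });
    return { token, key };
  }

  // Check a tokenised payment request submitted by a merchant.
  authorise({ token, merchantId, amountCents, counter, cryptogram }) {
    const rec = this.records.get(token);
    if (!rec) return "unknown-token";
    if (rec.merchantId !== merchantId) return "wrong-merchant";
    if (counter <= rec.lastCounter) return "replayed";
    const expected = makeCryptogram(rec.key, token, merchantId, amountCents, counter);
    const got = Buffer.from(cryptogram, "hex");
    if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
      return "bad-cryptogram";
    }
    rec.lastCounter = counter;           // each counter value is accepted once
    return "approved";
  }
}

// Device side: build the request the merchant forwards to the network.
function buildPayment(cred, merchantId, amountCents, counter) {
  const mac = makeCryptogram(cred.key, cred.token, merchantId, amountCents, counter);
  return { token: cred.token, merchantId, amountCents, counter, cryptogram: mac.toString("hex") };
}

// Constructed sample data: a test PAN and made-up merchant ids.
const vault = new TokenVault();
const cred = vault.provision("4111111111111111", "shop-a");
const request = buildPayment(cred, "shop-a", 2599, 1);
console.log(vault.authorise(request));   // first presentation of the request
console.log(vault.authorise(request));   // an intercepted copy presented again
console.log(vault.authorise({ ...request, merchantId: "shop-b", counter: 2 })); // token used elsewhere
```

The merchant only ever stores the token, so a breach of its database exposes values that fail the merchant binding or the cryptogram check everywhere else.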
“Just like the transition from signing and swiping to tapping cards, we’re now moving from manual entry and passwords to seamless and secure payments in just a few clicks.”
Jorn Lambert, Chief Product Officer, Mastercard
The numbers already support the shift. Nearly 50 percent of Mastercard’s European e-commerce transactions are tokenised, up by a third over the past year. India’s e-commerce market is approaching 100 percent tokenisation. Globally, tokenised transactions generate $2 billion in additional monthly sales for merchants, driven by higher approval rates and lower cart abandonment.
Mastercard is layering two additional products on top. Click to Pay, now live in 26 European markets with enrolments more than doubled year over year, replaces manual entry with a stored credential. The Mastercard Payment Passkey Service replaces passwords with on-device biometric authentication: the same fingerprint or face scan you use to unlock your phone.
This is not just a European story. In Australia, AMP Bank is partnering with Mastercard on the initial rollout of numberless cards, with other banks expected to follow within 12 months. In India, e-commerce tokenisation is approaching 100 percent. In Latin America and the Caribbean, more than 70 percent of SMBs say they would not survive without digital payments, and tokenisation is how those payments are being secured.
The roadmap is clear. By 2030, the default Mastercard will have no number on it. The credential will be a token. The authentication will be your face or your fingerprint. The card, as a visible artifact, will become invisible.
Visa’s Parallel Play
Visa is running the same playbook from a different starting position, and the scale is staggering.
The network has 16 billion tokens in circulation. Manual guest checkout, responsible for half of all online transactions in 2019, has collapsed to 16 percent as of 2025. Among the top 25 e-commerce sellers, it is already in the low single digits.
Visa Payment Passkey, built on FIDO2 standards, replaces passwords and one-time passcodes with device-native biometrics. The authentication happens on the consumer’s device. The biometric data never leaves the phone. The merchant never sees it.
The company is also pushing deeper into biometric payments through partnerships. Handwave, a biometric payments scaleup, has integrated its palm recognition technology into Visa’s Token Management Service, enabling consumers to link their Visa card directly to their palm print for wallet-free checkout.
“The innovation of today is the business-as-usual of tomorrow.”
Oliver Jenkyn, Group President, Visa
Visa’s 2026 predictions make the convergence explicit. The company identifies tokenised and authenticated credentials, AI-agent-driven payments, and identity fraud as three of its six top themes for the year. It frames 2026 as the first year when card credentials will account for half of the world’s consumer payments.
The language matters. Visa is not describing itself as a card network. It is positioning as a credential and identity infrastructure provider. The token is not a proxy for a card number. It is becoming the primary artifact: a cryptographic link between a verified identity and a payment method.
Visa also sees the convergence extending into AI-driven commerce. The company confirmed in late 2025 that it has completed secure AI-initiated transactions with partners, positioning 2026 as the year agent-driven payments move from experiment to production. In that model, the token is not just a replacement for a card number. It is the mechanism through which an AI agent proves it has permission to spend on your behalf. Identity, authentication, and authorisation are fused into a single credential that works for both humans and machines.
The Regulatory Accelerant
While the card networks are moving voluntarily, Europe is mandating the convergence by law.
The EU Digital Identity Wallet, required under eIDAS 2.0, represents the most ambitious regulatory push to merge identity and payments into a single infrastructure. Every EU member state must offer at least one certified digital identity wallet to citizens by November 2026. By November 2027, large online platforms and regulated sectors must accept it for identification and authentication.
The wallet is not just an ID card on a phone. It is designed to hold identity credentials, payment credentials, age verification, professional qualifications, and more, all in a single, interoperable container. The same wallet that proves you are over 18 can authenticate your bank payment and verify your address for a mortgage application.
“The requirement on businesses to accept an EU digital identity wallet from November 2027 will be key to its success as it will ensure full reach.”
Jan van Vonno, Head of Industry and Wallets, Tink
The friction reduction is significant. Tink’s research shows that authentication in some EU markets involves up to 14 steps, alternating between websites and apps. Markets with integrated digital identity already see abandonment rates below five percent. The wallet promises to collapse identity verification, strong customer authentication, and payment initiation into a single flow.
eIDAS 2.0 introduces its own terminology, Strong User Authentication (SUA), alongside PSD2’s existing Strong Customer Authentication (SCA). The distinction is subtle but important. SCA authenticates a payment. SUA authenticates a person. When both happen through the same wallet, the boundary between the two dissolves.
The implications for onboarding are equally significant. Today, opening a bank account, applying for credit, and setting up a recurring payment involve separate identity checks, often with different providers. The EU wallet promises to collapse that into a single verified credential that can be presented once and reused across services. For merchants, this means lower abandonment at sign-up. For banks, it means the customer may arrive pre-verified by a wallet they did not issue.
Europe is not alone in forcing the pace. The UAE’s Central Bank has mandated that all licensed financial institutions eliminate SMS and email one-time passwords by March 2026, pushing the entire banking sector toward biometric and passkey-based authentication. In India, Aadhaar has already demonstrated what happens when a government builds identity infrastructure at population scale: it becomes the foundation on which financial services are layered, rather than the other way around.
The Passkey Bridge
If tokenisation is replacing the card number and regulation is mandating digital wallets, passkeys are the technology bridging the two.
The FIDO Alliance reports that more than one billion people have activated at least one passkey. Apple, Google, and Microsoft have fully integrated passkey support across their platforms, with the vast majority of iOS and Android devices now passkey-ready.
The mechanics are straightforward. A passkey is a cryptographic key pair. One half, the private key, lives on your device, protected by your fingerprint, face, or PIN. The other half, the public key, sits with the service provider. Authentication happens via a challenge-response protocol. No password is transmitted. No OTP is generated. Nothing is phishable.
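The challenge-response exchange described above, as an added example (not code from the FIDO Alliance, Visa or Mastercard): a simplified WebAuthn-style assertion showing why a signature produced on a lookalike page, or replayed later, is rejected by the real service. The relying party `shop.example`, the lookalike origin and the function names are assumptions; attestation, credential ids and counter checks are left out.

```javascript
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();
const newChallenge = () => crypto.randomBytes(32).toString("base64url");

// Registration: the key pair is generated on the device; the service keeps only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { rpId, privateKey }, server: { rpId, publicKey } };
}

// Device side, after the local fingerprint/face/PIN check: sign the server's challenge
// together with the origin the browser actually loaded.
function signAssertion(device, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  // authenticator data: SHA-256(rpId) | flags (0x01 user present + 0x04 user verified) | counter
  const authData = Buffer.concat([sha256(device.rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientData)]);
  return { clientData, authData, signature: crypto.sign("sha256", signed, device.privateKey) };
}

// Service side: every check must pass before the login or payment is accepted.
function verifyAssertion(server, expectedChallenge, expectedOrigin, assertion) {
  const { clientData, authData, signature } = assertion;
  const client = JSON.parse(clientData.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expectedChallenge) return "stale-challenge";
  if (client.origin !== expectedOrigin) return "wrong-origin";
  if (!authData.subarray(0, 32).equals(sha256(server.rpId))) return "wrong-rp";
  if ((authData[32] & 0x04) === 0) return "user-not-verified";
  const signed = Buffer.concat([authData, sha256(clientData)]);
  return crypto.verify("sha256", signed, server.publicKey, signature) ? "ok" : "bad-signature";
}

// Constructed demo values: relying party "shop.example" and a lookalike origin.
const passkey = createPasskey("shop.example");
const challenge = newChallenge();
const genuine = signAssertion(passkey.device, challenge, "https://shop.example");
console.log(verifyAssertion(passkey.server, challenge, "https://shop.example", genuine));
// The same challenge relayed through a lookalike page carries that page's origin.
const relayed = signAssertion(passkey.device, challenge, "https://shop-example.test");
console.log(verifyAssertion(passkey.server, challenge, "https://shop.example", relayed));
// A captured assertion presented against a fresh challenge is stale.
console.log(verifyAssertion(passkey.server, newChallenge(), "https://shop.example", genuine));
```

Because the origin is inside the signed data, rewriting it after the fact invalidates the signature, and the service holds nothing secret that a breach could leak.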
What makes passkeys transformative for payments is their extensibility. The FIDO Alliance launched a new Digital Credentials Working Group in December 2025, specifically to work on how passkeys and verifiable digital credentials can coexist. The white paper maps three layers: identity verification (who you are), authentication (proving who you are), and authorisation (what you can do).
Today, these three functions are handled by separate systems. Your government ID verifies your identity. Your bank password authenticates you. Your card token authorises the payment. Each layer has its own credential, its own friction, and its own failure modes. Forget your password and you cannot authenticate. Lose your card and you cannot pay. Leave your ID at home and you cannot prove who you are.
Passkeys, combined with verifiable credentials, collapse all three into a single cryptographic interaction. A consumer presents one biometric. The system confirms their identity against a verifiable credential, authenticates them via the passkey, and authorises the payment through a linked token. Three steps become one. Three points of failure become one point of trust.
Apple is already moving. Digital IDs based on US passports are coming to Apple Wallet, and iOS 26 introduces one-tap passkey sign-up with Face ID confirmation. Google confirmed at I/O 2025 that its wallet can now store state IDs and prove age thresholds without revealing full identity details.
The same biometric that unlocks your phone can now verify your identity, authenticate your payment, and confirm your age. That is not three separate actions. It is one.
The security implications are significant. Passwords can be phished. OTPs can be intercepted. Card numbers can be stolen in data breaches. A passkey tied to a device biometric eliminates all three attack vectors simultaneously. The credential never leaves the device. There is nothing to steal, nothing to intercept, and nothing to phish. In a world where online payment fraud is projected to reach $91 billion by 2028, that is not an incremental improvement. It is a structural upgrade to the trust layer of digital commerce.
The Control Question
This is where the convergence becomes a contest. If identity and payments merge into a single credential layer, whoever controls that layer controls the customer relationship. Four groups are competing for this position, and their strategies are fundamentally different.
The card networks are building from the payment side up. Mastercard and Visa already own the tokenisation layer. Their tokens sit between the consumer and the merchant, and every transaction flows through them. Adding biometric authentication and identity verification extends their reach from “authorising a payment” to “verifying a person.” The card network becomes an identity network.
The platform companies are building from the device down. Apple and Google control the hardware, the operating system, the biometric sensors, and the wallet infrastructure. They already manage passkey storage and are adding government-issued identity documents. When the phone becomes the credential, the company that makes the phone becomes the credential provider. By 2027, digital wallets are projected to be the de facto alternative payment method for US point-of-sale transactions.
Governments and regulators are building from the top. The EU wallet is a public infrastructure play. India’s Aadhaar has already demonstrated that state-issued digital identity can become the foundation for an entire financial system. These approaches are not commercial. They are mandated. And they carry the force of law.
Banks are the incumbents with the most to lose. Historically, opening a bank account was the act that established financial identity. Your bank knew who you were, held your money, and enabled your payments. That bundling is coming apart. As PYMNTS reports, “instead of mobile money plugging into banking rails, banking rails are plugging into mobile ecosystems.” In markets where telecom operators verified identities before banks did, the bank is already the backend pipe, not the customer-facing relationship.
The geographic variation is instructive. In mature economies, the bank account remains the anchor of financial identity. But across Africa, the Middle East, and South Asia, telecom operators built the largest distributed identity infrastructures through SIM registration mandates that required government ID and in-person verification. M-Pesa in Kenya, now integrated into Visa’s network, demonstrates the endpoint: a telecom-originated identity layer that carries payments, not a bank-originated payment layer that carries identity.
The risk for banks is not just operational. It is existential. Losing control over the identity layer means losing the customer entirely.
The emerging picture is a layered stack. At the bottom, government-issued credentials provide the legal foundation. In the middle, passkeys and tokens provide the cryptographic verification. At the top, wallets, whether run by Apple, Google, a bank, or a government, provide the consumer interface.
As we explored in our analysis of the delegation problem in agentic commerce, AI agents add another dimension entirely. An agent shopping on your behalf needs both identity credentials (to prove it acts for you) and payment credentials (to complete the transaction). It also needs scoped authorisation: the ability to spend up to a certain amount, on certain categories, within a certain timeframe. The convergence of identity and payment credentials is not just a consumer convenience story. It is a prerequisite for machine-to-machine commerce, and the companies that solve credentialing for humans will have a head start on credentialing for agents.
What Comes Next
The convergence is not theoretical. It is already in the infrastructure.
Broadridge’s 2026 Digital Transformation Study found that 54 percent of financial services firms are making moderate to large investments in tokenisation and digital asset infrastructure. Fifty-three percent believe distributed ledger technology will dramatically affect asset settlement. The plumbing is being rebuilt.
“AI proved the industry can modernize at speed. Tokenization is the next leap forward that will re-architect markets.”
German Soto Sanchez, Chief Product and Strategy Officer, Broadridge
By 2030, the customer journey for opening an account, proving an identity, and making a payment will be a single step. Onboarding collapses into authentication. Authentication collapses into payment. The 14-step flows that Tink documented become one biometric scan.
The winners will not be the companies with the fastest rails or the cheapest interchange. They will be the ones who integrate identity, authentication, and payment into a seamless, trusted credential, and then convince consumers to keep that credential in their wallet.
The risks are real. Broadridge’s study found that 64 percent of firms cite cybersecurity risks associated with tokenisation, and 55 percent point to increased valuation risk from digital assets. Interoperability remains an open question: will a token issued by Mastercard work seamlessly with a Visa passkey inside an EU government wallet on an Apple device? The technical standards exist. The commercial agreements do not.
Projected online payment fraud losses of $91 billion by 2028 underscore both the urgency and the stakes. The convergence is not happening because it is elegant. It is happening because the current system is breaking under the weight of fraud, friction, and fragmentation.
The 16-digit card number lasted 60 years because it was simple, universal, and trusted. Whatever replaces it will need to be all three. The difference is that the replacement will not just know your account. It will know who you are.
When identity and payment credentials become inseparable, who do you trust to hold them?